Compliance Basics


HIPAA Basics

  • HIPAA stands for Health Insurance Portability and Accountability Act.
  • Passed and federally implemented in 1996, HIPAA is designed to reduce costs, simplify administrative processes/burdens, and improve the privacy and security of patients’ information. It is enforced by the Department of Health and Human Services, Office for Civil Rights.
  • HIPAA applies to covered entities and business associates.
  • A covered entity is a healthcare provider, a health plan, or a healthcare clearinghouse.
Examples: doctors, nurses, all healthcare employees, health insurance companies, HMOs, pharmacies and labs.
  • A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Examples: CPAs, attorneys, consultants, claims processors, IT providers.
  • The HIPAA Privacy Rule states that training must be provided to “each new member of the workforce within a reasonable period after the person joins the covered entity’s workforce” and to “each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures . . . within a reasonable period after the material change becomes effective.”
  • Employees are required to sign Acknowledgements showing they’ve received the training and resources needed to understand their HIPAA responsibilities and that they do understand and agree to follow the HIPAA policies the office requires.

Our Recommendation: All new employees should be trained on HIPAA within the first 30 days of their employment, and ALL employees should receive HIPAA training annually.

OSHA Basics

  • OSHA stands for Occupational Safety and Health Administration; it was created by an act of Congress in 1970.
  • OSHA ensures safe and healthful working conditions for employees by setting and enforcing standards and by providing training, outreach, education and assistance.
  • All healthcare workers are required to complete Bloodborne Pathogens and Hazard Communication training annually. Other training requirements vary based upon State and type of medical profession.
  • Federal OSHA encourages states to run their own OSHA programs. State OSHA exists when a state determines that its workplaces require additional clarification and regulation to ensure the safety of employees.
  • There are currently 22 State Plans covering both private sector and state and local government workers, and six State Plans covering only state and local government workers. The remaining states are Federal OSHA states.

Our Recommendation: All healthcare workers should receive annual training in Hazard Communication, Infection Control, Bloodborne Pathogens, and COVID-19 preparedness and response.


Payment Card Industry (PCI) Basics

  • Payment card industry compliance refers to the technical and operational standards that businesses must follow to protect and secure credit card data provided by cardholders and transmitted through card processing transactions.
  • The PCI Security Standards Council was formed in 2006 by the major card brands (Visa, MasterCard, American Express, Discover Financial Services, JCB International) to regulate, maintain, evolve, and promote compliance with the PCI Data Security Standard (PCI DSS). The PCI DSS requirements are:
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel
  • Complete your Self-Assessment Questionnaire (SAQ) annually
  • Set up a recurring quarterly scan schedule and review each quarter's results for vulnerabilities
  • Provide an Attestation of Compliance (AOC) annually

Compliance requirements are always changing

Does your practice have an easy way to keep up with everything?