Risk Management In Healthcare Part 3: Compliance Risk

Last week’s article focused on the financial risk in your business.

I talked about a number of issues: from problems with taxes to proper management of money flowing in and out of your practice. There are lots of “opportunities” to get yourself and your practice in trouble, putting your business in the danger zone.

If you didn’t have a chance to read the first two articles in this series, you can read them by clicking the following links: “Risk Management in Healthcare Part 1” and “Risk Management in Healthcare: Part 2”.

Today I’ll talk about managing the risk of “not staying in compliance”. There are many rules and regulations affecting your small practice. It’s imperative you maintain compliance with them all.

Maintaining compliance can be a challenge…

  1. First, you must know the rules and regulations regarding compliance.
  2. Then you must know what steps to take to get into compliance.
  3. Next, you must know what to do to remain in compliance.

I hope you had a chance to go through your office and take stock of where you are with respect to compliance.

If not, now would be a good time to get started and take stock of where you stand.

But let’s assume you’ve done your assessment. How well did you do?

If you were to get audited tomorrow, would your practice pass? Or would you have to make corrections or even pay a fine?

HIPAA, OSHA, and Human Resources

Today we’ll focus on three crucial areas for your small practice… HIPAA, OSHA, and Human Resources (if you have employees).

Without exception, every practice is affected by HIPAA and OSHA rules. And if you have employees in your office, additional Human Resource rules apply as well.

There may be other areas of compliance affecting your business. Depending on the type of practice you operate and where your practice is located, requirements vary.

As I said before, it doesn’t matter how good the care you provide to your patients is. If you don’t pay attention to compliance, taxes, or finances in your practice, chances are you’ll get yourself in trouble at some point.

HIPAA
Let’s start our discussion with HIPAA, the Health Insurance Portability and Accountability Act of 1996. As you know, it is legislation directing data privacy and security to safeguard medical information.

The agency responsible for the enforcement of the standards is the Department of Health & Human Services (HHS), specifically the Office for Civil Rights (OCR).

No doubt, since you’re handling protected health information (PHI), you need to stay in compliance with HIPAA.

So let me ask you…

  1. Is your office in compliance with HIPAA?
  2. Are your relationships with business associates HIPAA compliant?
  3. Do you know what is required of you to stay in compliance?
  4. Do you have a designated privacy officer in your practice?

Since you are a covered entity, you are to maintain HIPAA compliance at all times and are held responsible if you fail to do so.

Penalties for non-compliance can be substantial. They may include civil monetary penalties and/or criminal penalties.

Chances are your office is already doing pretty well when it comes to HIPAA. After all, HIPAA is not a new regulation but has been with us for some time now.

Unfortunately, that doesn’t mean everything is always done by the book… We all have a tendency to fall back on “old” habits.

So, if they should knock on your door tomorrow, would you pass an audit?

  • Are your employees HIPAA trained?
  • Is the training documented?
  • Is everyone in the office following rules and regulations related to HIPAA?
  • Do some employees ignore parts of HIPAA?
  • Is all electronic patient communication HIPAA compliant?
  • Will your HIPAA practices protect you from a complaint filed by a dissatisfied patient?
  • What would you do in case of a breach? Do you have any plan in place?

HIPAA rules apply to four broad areas:

  1. HIPAA Privacy Rule
  2. HIPAA Security Rule
  3. HIPAA Enforcement Rule
  4. HIPAA Breach Notification Rule

Be sure to follow all HIPAA privacy and security rules. And if there should ever be a breach… make sure you provide notification to your patients without delay.

Get more details and read the specific requirements for all 4 categories, by going to this address. It will tell you if what you do today is adequate and what to do if it’s not.

Keep in mind, HIPAA compliance is not a one-time event, but an ongoing process. It’s good practice to review your process and procedures on a routine basis and make the necessary adjustments.

Make sure you provide HIPAA training to all employees when they first start. Follow up with “refresher” training to ensure no one slips back into old habits. And of course, document it all. 

NPBO™ Members get More!
Inside NPBO™ Members will find complete programs for HIPAA, OSHA, and Human Resources! Login today!

Human resources

If you don’t have employees, you are free to skip this part. But if you do employ staff, even if just one, please read the following.

The United States Department of Labor (DOL) is responsible for the administration and enforcement of laws regulating almost all aspects of employment. This includes:

  • Hiring and firing
  • Wages: minimum wage and overtime
  • Discrimination: race, religion, gender, age, pregnancy
  • Safety in the workplace
  • Unemployment and benefits
  • And much more

There are many laws dictating what you must do to maintain compliance.

To some degree, this is based on the industry and the size of your business. For example, some laws only apply to businesses employing over 50 individuals.

Regardless of how many employees you have, you are required to display labor law posters. Display them where employees can clearly see them.

The posters inform employees of their rights in the workplace. Additionally, they contain information about what to do if an employee feels that his or her rights have been violated.

You can purchase these labor law posters from a number of companies for a fee. Alternatively, you can get the posters free from the Department of Labor at https://www.dol.gov/oasam/boc/osdbu/sbrefa/poster/matrix.htm.

On its website, the DOL offers a “FirstStep Employment Law Advisor”. The “Advisor” helps you determine which employment laws apply to your business, complete with recordkeeping and reporting requirements.

It also tells you which employment posters you need to display. Access the “FirstStep Employment Law Advisor” by clicking the link.

Depending on where your office is located, there may be additional state laws affecting you… minimum wage, minimum rest, etc.

The DOL maintains a central access point web page for the various State Labor laws. You will find the page here: State Labor Laws.

In closing… are your employment practices up to standard?

  • Do you meet all legal requirements?
  • Do you observe all applicable federal and state labor laws?
  • Do you have the correct employment posters displayed where employees can see them?
  • Are you legal in your hiring and firing of employees?
  • Do you collect, file, and pay all employee taxes?
  • Do you file all reports in a timely fashion?
  • Do you pay employees on time?
  • Do you maintain employee records for the appropriate length of time?

OSHA
There is an agency within the US Department of Labor responsible for defining and enforcing safe working conditions. This agency, of course, is the Occupational Safety and Health Administration, referred to as OSHA.

Under current law, employers have the responsibility to provide a safe workplace to employees.

Employers must:

  • Provide a workplace free from serious recognized hazards and comply with standards, rules and regulations issued under the OSH Act.
  • Examine workplace conditions to make sure they conform to applicable OSHA standards.
  • Make sure employees have and use safe tools and equipment and properly maintain this equipment.
  • Use color codes, posters, labels or signs to warn employees of potential hazards.
  • Establish or update operating procedures and communicate them so that employees follow safety and health requirements.
  • Provide safety training in a language and vocabulary workers can understand.
  • If there are hazardous chemicals in the workplace, develop and implement a written hazard communication program and train employees on the hazards they are exposed to and the proper precautions (a copy of the safety data sheets must be readily available). See the OSHA page on Hazard Communication.
  • Provide medical examinations and training when required by OSHA standards.
  • Post, at a prominent location within the workplace, the OSHA poster (or the state-plan equivalent) informing employees of their rights and responsibilities.
  • Keep records of work-related injuries and illnesses. (Note: Employers with 10 or fewer employees and employers in certain low-hazard industries are exempt from this requirement.)

These are just some of the employer responsibilities listed on the OSHA website. You can get the full listing of requirements right here.

The Federal Occupational Safety and Health Act of 1970 allows for states to administer their own job safety and health programs. All state plans must be approved and monitored by OSHA.

At this time there are 22 states administering plans for both private and public sector employees. Most states follow OSHA guidelines. However, a few states have developed tighter OSHA standards (including Oregon, Washington, and California). To get additional details on the various state plans, go to this site.

The moral of the story… depending on your location, you will need to follow federal or state OSHA guidelines. It is up to you, the business owner, to determine what your exact responsibilities are.

So here is the $1,000,000 question… is your office OSHA compliant?

  • Is your staff adequately trained to meet OSHA requirements?
  • Do you maintain safety data sheets?
  • Do you and your staff observe universal precautions regarding bloodborne pathogens?
  • Do you provide universal precautions training to your employees?
  • Do you have a written exposure control plan in place?
  • Would your OSHA practices, training, and documentation pass an audit?

Here’s what to do next:

Go through your office and check your existing policies and procedures. Are they current and adequate, keeping you in compliance? Or do they need to be updated to reflect new laws?

When is the last time you trained your staff? Perhaps this is a good time to update the training and bring everybody up to speed.

Next week’s article will wrap up this series on risk management. In Part 4 we’ll discuss managing the various medical risks present in your practice.

In the meantime, we’d love to hear from you…

Tell us what you think. Why not share with us what YOU do to better manage risk in your office?

By Johanna Hofmann, MBA, author of “Smart Business Planning for Clinicians” and regular contributor to the NPBusiness blog.


  1. Hi Barb! Love the articles!
    Q: What is the quickest, best and least expensive way to get my practice up to snuff with compliance (employee education, training and documentation)? I really don’t want to re-invent the wheel, or spend a lot of time that I could be with patients figuring this out. Do you have a solution?

  2. Hey Carolyn,

    There are several done-for-you programs available on the internet that can be purchased. Inside the NPBO™ Members Portal there are programs set up for OSHA; we have all the templates you need for OSHA. Additionally, OSHA & HIPAA has many of the forms the DIY NP. Thanks for asking! Hope to connect soon!
