How to Meet Your Medical Compliance Requirements
As a medical business, there are certain compliance requirements you must consider. Medical compliance consists of meeting two federally mandated laws, HIPAA (Medical Privacy Act) and OSHA. Some medical specialties that work with potentially hazardous materials, such as dental, have more stringent regulations than others.
HIPAA Medical Compliance Requirements
Regardless of what kind of medical specialty your business works in, your HIPAA (Medical Privacy Act) requirements will be the same. To meet the requirements of the HIPAA regulations, healthcare organizations must implement a HIPAA compliance program.
HIPAA medical compliance consists of:
- Conducting accurate and thorough security risk assessments
- Implementing remediation plans to address compliance deficiencies
- Creating and implementing policies and procedures
- Conducting employee HIPAA training
- Having signed business associate agreements
- Creating a system for detecting, responding to, and reporting breaches
Security Risk Assessments, Gap Identification, and Remediation
To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, healthcare organizations must conduct six self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.
HIPAA Policies and Procedures
To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.
Employee HIPAA Training
HIPAA imposes employee training requirements that are the same regardless of the state the healthcare organization operates in. HIPAA training must be provided to each employee that has the potential to access PHI. Training must be provided annually, in which employees must legally attest that they understand and agree to adhere to the training material.
Business Associate Agreements
Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers.
You cannot use any vendor and be HIPAA compliant. They need to be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and be responsible for maintaining their compliance. When a vendor doesn’t sign a BAA, it cannot be used for business associate services.
Incident Management
To comply with the HIPAA Breach Notification Rule, you must have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and be aware of what to do if they suspect a breach has occurred.
OSHA Medical Compliance Requirements
OSHA medical compliance standards include:
- Hazard Communication Standard
- Bloodborne Pathogens Standard
- Ionizing Radiation Standard
- Exit Routes Standards
- Electrical Standards
- Emergency Action Plan Standard
- Fire Safety Standard
- Medical and First Aid Standard
The following are some of the key OSHA standards that apply to many healthcare employers:
Hazard Communication Standard
The Hazard Communication Standard is meant to ensure that employees and employers are aware of hazardous chemicals that may be in the workplace and how they can protect themselves. When employees have been potentially exposed to hazardous chemicals, employers must implement a written Hazard Communication Program.
Bloodborne Pathogens Standard
This OSHA standard was created to protect employees from potential exposure to the health hazards of exposure to bloodborne pathogens. When employers are subject to OSHA’s Bloodborne Pathogens standard they must create a written exposure control plan to reasonably prevent employee exposure to blood and other infectious material. Employers must also provide training to employees who could potentially be exposed, and comply with all other requirements of the standard.
Ionizing Radiation Standard
The Ionizing Radiation Standard applies to organizations that have an x-ray machine. Employers must conduct a survey of the types of radiation used, including x-rays, and designate restricted areas to limit exposure to employees. Employees working in designated restricted areas must also wear personal radiation monitors. Equipment and radiation areas are also required to be labeled with caution signs.
Exit Routes Standards
All employers must comply with OSHA’s requirements for exit routes in the workplace.
Electrical Standards
OSHA’s electrical standards include safety practices and electrical design requirements. When an organization uses flammable gases, they may also need to install special wiring and equipment.
Emergency Action Plan Standard
All employers should have an Emergency Action Plan. An Emergency Action Plan provides guidelines to employees for their safety in emergency situations.
Fire Safety Standard
All employers should have a Fire Prevention Plan. When required by an OSHA standard a plan is mandatory.
Medical and First Aid Standard
Employers must provide medical supplies and first-aid personnel in accordance with the hazards of the workplace. Details of the workplace medical and first-aid program differ depending on the circumstances of the employers.
Personal Protective Equipment (PPE)
An assessment must be performed of operations in the workplace to determine if employees are required to wear PPE. However, work practices and engineering controls are preferred for employee protection – PPE is generally considered to be the least desirable means to control employee exposure.
Medical Office Compliance Checklist: Meeting HIPAA and OSHA Requirements
This medical office compliance checklist is composed of general questions about the measures your organization should have in place to state that you are HIPAA & OSHA compliant, and does not qualify as legal advice. Successfully completing this checklist does not certify that you or your organization are HIPAA & OSHA compliant.
Medical Office Compliance Checklist: HIPAA (Medical Privacy Act)
- Conduct six required annual audits
- Implement remediation plans
- Create policies and procedures
- Conduct annual employee HIPAA training
- Sign business associate agreements
- Report HIPAA breaches
Medical Office Compliance Checklist: OSHA Healthcare
The following OSHA compliance checklist is based on information on the OSHA website. This list is not comprehensive – additional OSHA standards may apply to your workplace. Be sure to review OSHA’s general industry standards (29 CFR 1910) for other requirements. In addition, section 5(a)(1) of the Occupational Safety and Health Act, known as the General Duty Clause, requires employers to provide their employees with a workplace that is free of recognized hazards likely to cause death or serious physical harm.
Hazard Communication Standard
- Read a fact sheet. Steps to an Effective Hazard Communication Program for Employers that Use Hazardous Chemicals.
- Review a booklet. Small Entity Compliance Guide for Employers That Use Hazardous Chemicals. OSHA Publication 3695 (2014)
- See a sample program. Small Entity Compliance Guide for Employers That Use Hazardous Chemicals – Appendix A. (OSHA Publication 3695) [Disclaimer]
- Read the standards.
- Learn more.
Bloodborne Pathogens Standard
- Review OSHA’s Quick Reference Guide to the Bloodborne Pathogens Standard.
- Review OSHA publications.
- See a sample program. Model Plans and Programs for the OSHA Bloodborne Pathogens and Hazard Communications Standards). OSHA Publication 3186 (2003). [Disclaimer]
- Review Safety and Health Information Bulletins and other guidance:
- FDA, NIOSH and OSHA Joint Safety Communication on Blunt-Tip Surgical Suture Needles (2012, May 30)
- Use of Blunt-Tip Suture Needles to Decrease Percutaneous Injuries to Surgical Personnel (2007, November). (Spanish Version)
- Disposal of Contaminated Needles and Blood Tube Holders Used for Phlebotomy. (2003, October 15).
- Potential for Occupational Exposure to Bloodborne Pathogens From Cleaning Needles Used in Allergy Testing Procedures. (1995, September 21).
- Read the standards.
- Review OSHA’s standard interpretation letters. OSHA’s standard interpretations for 29 CFR 1910.1030
- Learn more.
Ionizing Radiation Standard
- Read the standards.
- Learn more
Exit Routes Standards
- Read a fact sheet. OSHA Fact Sheet: Emergency Exit Routes
- Read the standards. 29 CFR 1910.34, 29 CFR 1910.35, 29 CFR 1910.36, 29 CFR 1910.37
- Review design and construction requirements for exit routes.
- Review maintenance, safeguards, and operational features for exit routes.
Electrical Standards
- Review an OSHA booklet. Controlling Electrical Hazards. OSHA Publication 3075 (2002).
- Read the standards.
- Learn more
Emergency Action Plan Standard
- Does this apply to me? OSHA eTool: Evacuation Plan and Procedures – Do I need an Emergency Action Plan?
- Read a fact sheet. OSHA Fact Sheet: Planning and Responding to Workplace Emergencies
- Review OSHA booklets.
- Principal Emergency Response and Preparedness – Requirements and Guidance. OSHA Publication 3122 (2004).
- How to Plan for Workplace Emergencies and Evacuations. OSHA Publication 3088 (2001).
- Create your own plan. OSHA eTool: Evacuation Plan and Procedures – Introduction to the Emergency Action Plan Expert System
- Read the standards. 29 CFR 1910.38
- Other applicable standard: 29 CFR 1910.1047, Ethylene Oxide
- Learn more. OSHA eTool: Evacuation Plan and Procedures
Fire Safety Standard
- Read a fact sheet. OSHA Fact Sheet: Fire Safety in the Workplace (2020, August).
- Review plan requirements. OSHA eTool: Evacuation Plans and Procedures – Fire Prevention Plan (FPP)
- Read the standards. 29 CFR 1910.39
- Learn more. OSHA Safety and Health Topics Page: Fire Safety
Medical and First Aid Standard
- Read the standards.
- Review an OSHA booklet. Best Practices Guide: Fundamentals of a Workplace First-Aid Program. OSHA Publication 3317 (2006)
- Learn more. OSHA Safety and Health Topics Page: Medical and First Aid
Personal Protective Equipment (PPE)
- Read a fact sheet. OSHA Fact Sheet: Personal Protective Equipment
- Watch videos:
- Review OSHA booklets.
- Personal Protective Equipment. OSHA Publication 3151 (2004).
- Small Entity Compliance Guide for the Revised Respiratory Protection Standard. OSHA Publication 3384 (2011).
- Read the standards
- Learn more
What is a Medical Compliance Certification?
You may be wondering what a medical compliance certification is and how you can get one. Well, the answer is not that simple. There is no such thing as medical compliance certification as the requirements of both HIPAA and OSHA are ongoing.
As a healthcare organization, you must continually assess your risks, train employees, and implement new measures to address risks that arise. With HIPAA, Compliancy Group offers third-party verification and validation that an organization has made a “good faith effort” to comply with the law. While not a medical compliance certification, the Seal of Compliance is an industry-recognized symbol of verified HIPAA compliance.
Our automated compliance software solution eases the process of HIPAA and OSHA compliance. Find out more about how Compliancy Group can help you simplify your compliance.
