FAQs

Common Compliance Questions

Can't find your question?

Bloodborne Pathogens Standard

a.  The standard applies to all employees who have occupational exposure to blood or other potentially infectious materials (OPIM).

a.  Volunteers are not covered by the standard. Students are covered if they are compensated.

a. The contract employee’s company (lessor employer) has a responsibility to provide the general training outlined in the standard; ensure that employees are provided with the required vaccinations; and provide proper follow-up evaluations following an exposure incident.

b. The client provides site-specific training and personal protective equipment. Additionally, they would have the primary responsibility regarding the control of potential exposure conditions.

a. The exposure control plan is the employer’s written program that outlines the protective measures an employer will take to eliminate or minimize employee exposure to blood and OPIM.

The plan must contain, at a minimum:

  • The exposure determination which identifies job classifications with occupational exposure and tasks and procedures where there is occupational exposure and that are performed by employees in job classifications in which some employees have occupational exposure.
  • The procedures for evaluating the circumstances surrounding exposure incidents;
  • A schedule of how other provisions of the standard are implemented, including methods of compliance, HIV and HBV research laboratories and production facilities requirements, hepatitis B vaccination and post-exposure evaluation and follow-up, communication of hazards to employees, and recordkeeping;
    Methods of compliance include:
    • Universal Precautions;
    • Engineering and work practice controls, e.g., safer medical devices, sharps disposal containers, hand hygiene;
    • Personal protective equipment;
    • Housekeeping, including decontamination procedures and removal of regulated waste.
  • Documentation of:
    • the annual consideration and implementation of appropriate commercially available and effective safer medical devices designed to eliminate or minimize occupational exposure, and
    • the solicitation of non-managerial healthcare workers (who are responsible for direct patient care and are potentially exposed to injuries from contaminated sharps) in the identification, evaluation, and selection of effective engineering and work practice controls.

a. The standard requires an annual review of the exposure control plan. In addition, whenever changes in tasks, procedures, or employee positions affect, or create new occupational exposure, the existing plan must be reviewed and updated accordingly.

a.  Yes, the exposure control plan must be accessible to employees, as well as to OSHA and NIOSH representatives. The location of the plan may be adapted to the circumstances of a particular workplace, provided that employees can access a copy at the workplace during the workshift. If the plan is maintained solely on the computer, employees must be trained to operate the computer.

A hard copy of the exposure control plan must be provided within 15 working days of the employee’s request in accord with 29 CFR 1910.1020.

a. Following an exposure incident, employers are required to document, at a minimum, the route(s) of exposure, and the circumstances under which the exposure incident occurred. To be useful, the documentation must contain sufficient detail about the incident. There should be information about the following:

  • The engineering controls in use at the time and work practices followed;
  • Description of the device in use;  
  • The protective equipment or clothing used at the time of the exposure incident;
  • Location of the incident and procedures being performed when the incident occurred; and
  • Employee’s training.
  • The source individual, unless the employer can establish that identification is infeasible or prohibited by state or local law.

The employer should then evaluate the policies and “failures of controls” at the time of the exposure incident to determine actions that could prevent future incidents.

a.  Standard precautions is OSHA’s required method of control to protect employees from exposure to all human blood or OPIM. The term refers to a concept of bloodborne disease control which requires that all human blood and certain fluids are treated as if known to be infectious.

a.  Engineering controls are devices that isolate or remove the bloodborne pathogen hazard from the workplace. Examples include sharps containers, self-sheathing needles, needle recapping devices, sharps caddy, cassettes, etc.

a.  The standard requires that engineering and work practice controls be used to eliminate or minimize employee exposure. The Exposure Control Plan must document annual consideration and implementation of appropriate, commercially-available and effective engineering controls designed to eliminate or minimize exposure. The employer must solicit and document for this process input from non-managerial employees responsible for direct patient care who are potentially exposed to injuries from contaminated sharps.

a. Reusable sharps must be placed in containers which are puncture-resistant, leakproof on the sides and bottom, and properly labeled or color-coded for transportation back to the sterilization area.

b. Reusable sharps cannot be stored or reprocessed in a manner that would require the employee to reach by hand into containers.

a.  The standard requires that PPE be “appropriate.” PPE will be considered “appropriate” only if it does not permit blood or OPIM to pass through to, or reach, the skin, employees’ underlying garments, eyes, mouth, or other mucous membranes under normal conditions of use and for the duration of time that the PPE will be used. This allows the employer to select PPE based on the type of exposure and the quantity of blood or OPIM which can be reasonably anticipated to be encountered during performance of a task or procedure.

a.  The responsibility for providing, laundering, cleaning, repairing, replacing, and disposing of PPE at no cost to employees rests with the employer. Employers are not obligated under the standard to provide general work clothes to employees, but they are responsible for providing PPE. If laboratory jackets or uniforms are intended to protect the employee’s body or clothing from contamination, they are to be provided at no cost by the employer.

a.  Yes. OSHA requires that personal protective equipment be removed before leaving the work area. While “work area” must be determined on a case-by-case basis, a work area is generally considered to be an area where work involving occupational exposure occurs or where the contamination of surfaces may occur.

a.  Disposable gloves shall be replaced as soon as practical after they have become contaminated, or as soon as feasible if they are torn, punctured, or their ability to function as a barrier is compromised. Hands must be washed after the removal of gloves used as PPE, whether or not the gloves are visibly contaminated.

a.  Hypoallergenic gloves, glove liners, powderless gloves or other similar alternatives must be provided for employees who are allergic to the gloves that are normally provided.

a.  The Bloodborne Pathogens standard uses the term, “regulated waste,” to refer to the following categories of waste which require special handling: (1) liquid or semi-liquid blood or OPIM; (2) items contaminated with blood or OPIM and which would release these substances in a liquid or semi-liquid state if compressed; (3) items that are caked with dried blood or OPIM and are capable of releasing these materials during handling; (4) contaminated sharps; and (5) pathological and microbiological wastes containing blood or OPIM.

a. Sharps containers shall be maintained upright throughout use, replaced routinely and not be allowed to overfill. When removing sharps containers from the area of use, the containers shall be:

  • Closed immediately before removal or replacement to prevent spillage or protrusion of contents during handling, storage, transport, or shipping;
  • Placed in a secondary container if leakage is possible. The second container shall be:
    • Closable;
    • Constructed to contain all contents and prevent leakage during handling, storage, transport, or shipping; and
    • Labeled or color-coded according to paragraph (g)(1)(i) of the standard.
  • Reusable containers shall not be opened, emptied, or cleaned manually or in any other manner which would expose employees to the risk of percutaneous injury.

a.  Sharps containers must be easily accessible to employees and located as close as feasible to the immediate area where sharps are used (e.g., patient care areas) or can be reasonably anticipated to be found

a.  Contaminated laundry means laundry which has been soiled with blood or other potentially infectious materials or may contain sharps.

a.  Employees are not permitted to take their protective equipment home and launder it. It is the responsibility of the employer to provide, launder, clean, repair, replace, and dispose of personal protective equipment.

a.   Contaminated laundry shall be handled as little as possible with a minimum of agitation. Contaminated laundry shall be bagged or containerized at the location where it was used and shall not be sorted or rinsed in the location of use.

a.  There is no OSHA requirement stipulating that employers must purchase a washer and dryer to launder protective clothing. It is an option that employers may consider. Another option is to contract out the laundering of protective clothing. Finally, employers may choose to use disposable personal protective clothing and equipment.

a.  The hepatitis B vaccination series must be made available to all employees who have occupational exposure, except as provided. The employer does not have to make the hepatitis B vaccination available to employees who have previously received the vaccination series, who are already immune as their antibody tests reveal, or for whom receiving the vaccine is contraindicated for medical reasons.

a.  The hepatitis B vaccination must be made available within 10 working days of initial assignment, after appropriate training has been completed. Thus, arranging for the administration of the first dose of the series must be done at a time which will enable this schedule to be met.

a.  The U.S. Public Health Service (USPHS) does not recommend routine booster doses of hepatitis B vaccine, so they are not required at this time.

a. The healthcare professional must be provided with a copy of the standard as well as the following information:

  • A description of the employee’s duties as they relate to the exposure incident;
  • Documentation of the route(s) and circumstances of the exposure;
  • The results of the source individual’s blood testing, if available; and
  • All medical records relevant to the appropriate treatment of the employee, including vaccination status, which are the employer’s responsibility to maintain.

a.  The employer must identify and document the source individual, if known, unless the employer can establish that identification is not feasible or is prohibited by state or local law. The source individual’s blood must be tested as soon as feasible, after consent is obtained, in order to determine HIV, HBC and HBV infectivity. The information on the source individual’s HIV , HBC and HBV testing must be provided to the evaluating healthcare professional. Also, the results of the testing must be provided to the exposed employee. The exposed employee must be informed of applicable laws and regulations concerning disclosure of the identity and infectious status of the source individual.

a.  The employer must obtain and provide to the employee a copy of the evaluating healthcare professional’s written opinion within 15 days of completion of the evaluation. The healthcare professional’s written opinion for hepatitis B is limited to whether hepatitis B vaccination is indicated and if the employee received the vaccination. The written opinion for post-exposure evaluation must include information that the employee has been informed of the results of the evaluation and told about any medical conditions resulting from exposure that may require further evaluation and treatment. All other findings or diagnoses must be kept confidential and not included in the written report.

a.  The medical record includes the name and social security number of the employee; a copy of the employee’s hepatitis B vaccination status including the dates of all the hepatitis B vaccinations and any medical records relative to the employee’s ability to receive the vaccination; copies of all results of examinations, medical testing and follow-up procedures; copies of the healthcare professional’s written opinion; and copies of the information provided to the healthcare professional.

a.  The employer is responsible for the establishment and maintenance of medical records. However, these records may be kept off-site at the location of the healthcare provider.  The employer must ensure that the medical records are kept confidential and are not reported or disclosed without the express written consent of the worker, except as required by the standard or as may be required by law.

a.  Medical records must be kept for the duration of employment plus 30 years.

a.  All employees with occupational exposure must receive initial and annual training. In addition, training must be provided when changes (e.g., modified/new tasks or procedures) affect a worker’s occupational exposure.

a.  Training records must be retained for 3 years from the training date.

Hazard Standard Communication

a.  Yes, it is a required to have a program which helps informs employees on the hazards of their workplace.

a.   Based on OSHA’s Access to Employee Exposure and Medical Records Standard (29 CFR 1910.1020), employers are required to keep some record of the identity of the substances to which their employees were exposed to for 30 years. OSHA recognizes SDSs as an acceptable record. If you choose not to retain the actual SDS, then you must not only have a record of the identity (chemical name), but also information regarding where and when it was used.

a.  OSHA does not specify how the SDS is to be maintained (paper or electronic) as long as employees have immediate and unrestricted access to the SDSs in their work area.

Infection Control Regulations

a.  Disinfection destroys most pathogenic and other microorganisms by physical or chemical means. In contrast, sterilization destroys all microorganisms, including substantial numbers of resistant bacterial spores, by heat (steam autoclave, dry heat, and unsaturated chemical vapor) or liquid chemical sterilants.

a.  Environmental surfaces can be divided into clinical contact surfaces and housekeeping surfaces. Clinical contact surfaces can be directly contaminated from patient materials either by direct spray or spatter generated during dental procedures or by contact with gloved hands of dental health care personnel. These surfaces can subsequently contaminate other instruments, devices, hands, or gloves. Housekeeping surfaces (e.g., walls, floors, sinks) are not directly touched during dental treatment and carry the lowest risk of disease transmission.

a.  When used correctly, commercially available disposable disinfectant wipes, cloths, or towelettes are effective for cleaning and disinfecting environmental surfaces in dental settings. Any disinfectant used in a dental setting should be registered by the Environmental Protection Agency (EPA) and be approved for use in health care settings (i.e., hospital grade).

a.  Handpieces and other intraoral devices that can be removed from the air and waterlines of dental units should be cleaned and heat-sterilized between patients. Follow the manufacturer’s instructions for cleaning, lubricating, and sterilizing these devices. These devices include high-speed, low-speed, electric, endodontic, and surgical handpieces, as well as all handpiece motors and attachments, such as reusable prophylaxis angles, nose cones, and contra-angles.

a.  Biofilm is a thin, slimy film of bacteria that sticks to moist surfaces, such as those inside dental unit waterlines. Biofilm occurs in dental unit waterlines because of the long, small-diameter tubing and low flow rates used in dentistry, the frequent periods of stagnation, and the potential for retraction of oral fluids.

a.  Monitoring dental unit water quality can help identify problems in performance or compliance with maintenance protocols and provides documentation. The EPA and OSAP recommend testing dental unit water at least quarterly. In addition, all major dental unit manufacturers recommend the same. For this reason, Compliance Training Partners recommends that you establish a regular schedule of quarterly dental unit waterline testing to protect both your patients and your business.

a.  Hand hygiene is a way of cleaning one’s hands that substantially reduces potential pathogens (harmful microorganisms) on the hands. Hand hygiene is considered a primary measure for reducing the risk of transmitting infection among patients and health care personnel. Hand hygiene procedures include the use of alcohol-based hand rubs (containing 60%–95% alcohol) and hand washing with soap and water.

a. Always perform hand hygiene in the following situations:

  • Before and after treating each patient (e.g., before and after gloving).
  • After touching with bare hands instruments, equipment, materials, and other objects that are likely to be contaminated by blood, saliva, or respiratory secretions.
  • Before leaving the dental treatment area.
  • When hands are visibly soiled.
  • Before regloving and after removing gloves that are torn, cut, or punctured.

a.  Yes, you may return extracted teeth to patients upon request. Once an extracted tooth is returned to a patient, it is no longer considered a potential risk to dental health care personnel and is no longer subject to the provisions of the Occupational Safety and Health Administration (OSHA) Bloodborne Pathogens Standard.

a.  PPE are special coverings designed to protect dental health care personnel (DHCP) from exposure to or contact with infectious agents. These include gloves, face masks, protective eyewear, face shields, and protective clothing (e.g., reusable or disposable gown, jacket, lab coat).

a.  Dental health care personnel should wear a surgical mask that covers both their nose and mouth during procedures that are likely to generate splashes or sprays of blood or body fluids and while manually cleaning instruments. A surgical mask also protects the patient from microorganisms generated by the wearer. When a surgical mask is used, it should be changed between patients or during patient treatment if it becomes wet.

a.  Dental health care personnel should wear protective eyewear with solid side shields or a face shield during procedures likely to generate splashes or sprays of blood or body fluids or the spatter of debris. Reusable protective eyewear should be cleaned with soap and water, and when visibly soiled, disinfected between patients.

a.  Dental health care personnel (DHCP) should wear protective clothing (e.g., gowns, jackets) to prevent contamination of street clothing and to protect the skin from exposure to blood and body fluids. Sleeves should be long enough to protect the forearms. Protective clothing should be changed when it becomes visibly soiled by blood or other body fluids. DHCP should remove protective clothing before leaving the work area.

a.  Dental health care personnel wear gloves to prevent contamination of their hands when touching mucous membranes, blood, saliva, or other potentially infectious materials and to reduce the likelihood that microorganisms on their hands will be transmitted to patients during patient care. Gloves should be used for one patient only and discarded appropriately after use. Gloves should not be washed for reuse. Always perform hand hygiene immediately after glove removal.

a.  According to the Food and Drug Administration a single-use device, also referred to as a disposable device, is intended for use on one patient during a single procedure. It is not intended to be reprocessed (i.e., cleaned and disinfected or sterilized) and used on another patient.

a.  Cleaning is the necessary first step of any disinfection process. Removal of all visible blood and inorganic and organic matter can be as critical as the germicidal activity of the disinfecting agent. When a surface cannot be cleaned adequately, it should be protected with barriers.

a.  Disinfection destroys most pathogenic and other microorganisms by physical or chemical means. In contrast, sterilization destroys all microorganisms, including substantial numbers of resistant bacterial spores, by heat (steam autoclave, dry heat, and unsaturated chemical vapor) or liquid chemical sterilants. Disinfection does not ensure the degree of safety associated with sterilization processes.

a.  Sterilization procedures should be monitored using biological, mechanical, and chemical indicators. Biological indicators, or spore tests, are the most accepted means of monitoring sterilization because they assess the sterilization process directly by killing known highly resistant microorganisms (e.g., Geobacillus or Bacillus species). However, because spore tests are only done weekly and the results are usually not obtained immediately, mechanical and chemical monitoring should also be done.

a.  A spore test should be used on each sterilizer at least weekly. Users should follow the manufacturer’s directions for how to place the biological indicator in the sterilizer. A spore test should also be used for every load with an implantable device.

a. If the mechanical (e.g., time, temperature, pressure) and chemical (internal or external) indicators suggest that the sterilizer is functioning properly, a single positive spore test result probably does not indicate sterilizer malfunction. Items other than implantable items do not necessarily need to be recalled. However, the sterilizer should be removed from service and sterilization operating procedures reviewed to determine whether operator error could be responsible. Sterilizer operators should repeat the spore test immediately using the same cycle that produced the positive spore test.

b. If the result of the repeat spore test is negative and operating procedures were correct, then the sterilizer can be returned to service. If the repeat spore test result is positive, do not use the sterilizer until it has been inspected or repaired and re-challenged with spore tests in three consecutive fully loaded chamber sterilization cycles. When possible, items from suspect loads dating back to the last negative spore test should be recalled, rewrapped, and re-sterilized. Results of biological monitoring and sterilization monitoring reports should be documented.

a. Records of sterilization monitoring (mechanical, chemical, and biological) should be maintained long enough to comply with state and local regulations. The Centers for Disease Control and Prevention (CDC) does not maintain information on time limits for every state but provides an example of 3 years in its sterilization guidelines, which is the time frame used by the Joint Commission inspection agency.

a. Packaging materials (e.g., wrapped or container systems) allow penetration of the sterilizing agent and maintain sterility of the processed item after sterilization.

a. Before placing packaged instruments in the sterilizer, at a minimum, include the following information on the label:

  • Sterilizer used
  • Cycle or load number
  • Date of sterilization

a. The product should remain sterile until some event causes the item to become contaminated (e.g., a package becomes torn or wet). All packages containing sterile items should be inspected before use to verify that the package is not wet, torn, or damaged in any way. If it is, the instruments should be recleaned, packaged in new wrap, and re-sterilized.

Animal Health Facilities Regulations

a.  OSHA does not have a specific standard for animal handling procedures. OSHA’s General Duty Clause requires employers to provide a safe and healthful workplace for employees, therefore implementing procedures for proper safety measures to follow in the event of an injury from an animal.

a.  Drugs that are packaged for resale to the public are only exempt from the SDS and labeling requirements if that drug is NEVER opened or used in the practice. If the staff is exposed to the drug, and it contains 1% or more of a hazardous substance, then the product is considered hazardous in the veterinary practice. OSHA does exempt some categories of products from the entire regulation, including the need to maintain an SDS.  Those exemptions include medications and drugs ONLY when they are in a solid tablet form. If a drug were otherwise considered hazardous, and it came in a liquid oral form, a tablet form and an injectable form, only the tablet form would be exempt. The other forms would have to be included in the hospital’s HCS program. Capsules, powders and ointments generally do not fit OSHA’s definition of a tablet so they are NOT exempt from the rules.

a.  The determination of a chemical’s hazard status is based on the presence of health or physical hazard to workers.

a.  Yes. The contents are determined by the chemicals present in the hospital and the expected severity of spills that are likely to occur.

a.  If the practice allows staff to store, prepare or consume food on the premises, the practice must provide a place that is free from biological and chemical hazards.

a.  The record keeping rule states that an injury or illness must be considered to be work-related if “an event or exposure in the work environment either caused or contributed to the resulting condition or significantly aggravated a pre-existing injury or illness.” Work-relatedness is presumed for injuries and illnesses resulting from events or exposures occurring on the practice property.

a. Yes, veterinary clinics do need to complete OSHA forms 300, 300A and 301.

Under the rules, all businesses must keep a written record of any incident that results in the injury to a worker.  That written record can be the official OSHA Form 301 – Injury and Illness Incident Report or it can be any other form the business chooses if it contains details such as date, name, description of injury, location and circumstances under which the injury happened, the name of any medical professional or hospital that examined or treated the employee. If the business has continually had 10 or fewer employees during the calendar year, then no other paperwork is required.  If the business has had 11 or more employees at any time in the preceding year, then in addition to the accident form (Form 301), the following records are required for the entire year:

OSHA Form 300 is a log that allows the manager of medium to large businesses to spot trends in workplace accidents.  It’s easy to think of the OSHA 300 log as a “Table of Contents” to all the individual accident forms.  The log must be current to within 6 days.  That means the safety director or manager must post individual cases to the log throughout the year as they happen and not wait until the end of the year to create the log. As with the individual accident forms, the Form 300 log should be treated as confidential and shared only with safety directors or managers with a need to know the information.

OSHA Form 300A must be completed and posted for employees to view no later than February 1 of the year following the data.  It must remain posted until at least April 30 of the year following the data.  Be sure to keep copies of past years’ forms as proof that the business complied with the rules.

a. No matter what the disease, there are precautions that are warranted in almost all situations dealing with a potential zoonotic disease. These are known as “standard precautions.”  They include:

  • Limiting the number of staff allowed to come into contact with the infected animal
  • Practice good personal hygiene after contact with the animal or contaminated surfaces
  • Use of proper personal protective equipment
  • Contain and dispose of contaminated waste properly
  • Clean and disinfect contaminated environmental surfaces

a. Sharps containers shall be maintained upright throughout use, replaced routinely and not be allowed to overfill. When removing sharps containers from the area of use, the containers shall be:

  • Closed immediately before removal or replacement to prevent spillage or protrusion of contents during handling, storage, transport, or shipping;
  • Placed in a secondary container if leakage is possible. The second container shall be:
    • Closable;
    • Constructed to contain all contents and prevent leakage during handling, storage, transport, or shipping; and
    • Labeled or color-coded according to paragraph (g)(1)(i) of the standard.
  • Reusable containers shall not be opened, emptied, or cleaned manually or in any other manner which would expose employees to the risk of percutaneous injury.

a. Sharps containers must be easily accessible to employees and located as close as feasible to the immediate area where sharps are used (e.g., patient care areas) or can be reasonably anticipated to be found.

a. Yes, it is a required to have a program which helps informs employees on the hazards of their workplace.

a. Based on OSHA’s Access to Employee Exposure and Medical Records Standard (29 CFR 1910.1020), employers are required to keep some record of the identity of the substances to which their employees were exposed to for 30 years. OSHA recognizes SDSs as an acceptable record. If you choose not to retain the actual SDS, then you must not only have a record of the identity (chemical name), but also information regarding where and when it was used.

a. OSHA does not specify how the SDS is to be maintained (paper or electronic) as long as employees have immediate and unrestricted access to the SDSs in their work area.

a. The standard requires a list of hazardous chemicals in the workplace as part of the written hazard communication program. The list will eventually serve as an inventory of everything for which you must maintain an SDS.

a. Proper maintenance and weekly testing is necessary to ensure that Emergency Drench Showers and Eyewash Stations are functioning safely and properly. Weekly testing helps clear the supply lines of sediment and bacteria build-up that is caused by stagnant water. The ANSI standard states that plumbed flushing equipment “shall be activated weekly for a period long enough to verify operation and ensure that flushing fluid is available.”

a. The United States Pharmacopeia (USP) sets purity and safety standards for medications and food. Recently, USP updated the handling guidelines for hazardous drugs (HD). These new regulations will affect any facility housing or administering chemotherapeutics or any other hazardous drug. These new guidelines discuss new required engineering controls, PPE, closed system transfer devices (CSTD), employee medical monitoring and even environmental contamination testing.

HIPAA Regulations

a. Any person or organization that stores or transmits individually identifiable health information electronically is considered a “covered entity” and is required by law to comply with HIPAA. This means virtually every dental and medical facility must comply!

a. Protected health information “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:

  • Transmitted by electronic media
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

a. To standardize health care transactions as well as rules which protect the privacy and security of health information.

a.  A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate.

a.  A covered entity must obtain authorization to use or disclose protected health information (PHI) unless the Privacy Rule permits or requires the use or disclosure. For example, the Privacy Rule explicitly allows entities to use and disclose PHI for treatment, payment, and health care operations without authorization.

a.  The Privacy Rule permits the covered entity to impose reasonable, cost-based fees. The fee may include only the cost of copying (including supplies and labor) and postage if the patient requests that the copy is mailed. If the patient has agreed to receive a summary or explanation of his or her protected health information, the covered entity may also charge a fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information.

a.  The Privacy Rule does not prohibit covered entities from leaving messages for patients on their phone. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on voicemail. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment or ask the individual to call back.

a.  The Privacy Rule grants parents access to their children’s medical records until the child reaches the age of majority, which is 18 years old.

a.  Email encryption software products are a specialized security technology for protecting the confidentiality and integrity of email messages and attachments while in transit or in storage.

a.  The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user friendly explanation of individuals rights with respect to their personal health information and the privacy practices of health care providers.

a.  The Privacy Rule requires the healthcare practitioner to make a good faith effort to obtain a written acknowledgment. If a patient refuses to sign the acknowledgment, you should document in the medical record the fact that you tried to obtain an acknowledgment and the reason you were unable to do so. Protected health information still may be used for purposes of treatment, payment and health care operations in this case.

a.  In addition to offering the Notice to the patient, it must also be posted in a prominent location for patients to view. It must also be posted on the office website.

a.  The Security Rule applies only to electronic protected health information (ePHI).

a.  Electronic Protected Health Information (ePHI) is protected health information (PHI) that is produced, saved, transferred or received in electronic form.

a. There are different types of data that must be kept secure.

  • Data in motion—data moving through a network (e.g. email)
  • Data at rest—data kept in databases, servers, flash drives, etc.
  • Data in use—data that is in the process of being created, retrieved, updated or deleted
  • Data disposed– data that has been discarded

a.  A “risk analysis” is a systematic and comprehensive assessment of all aspects of information including electronic conversion, processing, storage, or transmission that could potentially compromise the integrity of patient health information. The scope of the risk analysis should address all facets of the covered entity’s and business associate’s computer hardware, software and networks and associated equipment and systems.

a. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.
To complete and order through your distributor, please call Compliance Training Partners at 888.388.4782 and have your distributor information and account number available. If you’d like to complete your purchase with a credit card, please close this message, select "No Distributor", and enter your credit card information.
Scroll to Top