|PRODUCT SPECS & INFO|
|ACCESSING, OPENING & USING THE MANUAL|
|ALTERING/CUSTOMIZING THE MANUAL|
|PROFESSIONAL ETHICS / CODE OF CONDUCT|
|BUSINESS ASSOCIATES & VENDOR AGREEMENTS|
|PATIENT PRIVACY PROCEDURES|
|ELECTRONIC DATA SECURITY|
|EMPLOYEE-RELATED COMPLIANCE QUESTIONS|
|SOCIAL MEDIA USAGE|
Originally I wrote the manual to cover my own assets, but after a couple of colleagues saw what I had produced, they suggested putting it out there for other doctors, and they wanted one too! I'm expecting at least two more audits within the next couple of years, so I wanted it to be airtight. I'm confident that my new manual will give me the best defense I could have.
Of course, the bottom line is that unless you use the manual and the self-audits, it won't protect you just by your buying it and putting it on the shelf behind your desk. I designed the package to be simple to put in place and spaced out so it didn't overwhelm the staff, especially the Office Manager. I developed this so it would protect me and my colleagues.
You'll find in our terms that we have made every effort to provide a complete compliance package - not just HIPAA updated with OMNI, PPACA and Business Associate Agreement forms, but all of the other required manuals/components as well - Safety, HR, Operations, and a system for keeping audit logs. Further, the compliance set was designed after extensive research on the topic by Dr. Cross, a practicing DC and Certified Professional Compliance Officer who needed to be sure his own practice met the new requirements.
When it comes to practice compliance, you won't find a product or a consultant (or lawyer) that will offer a guarantee of the outcome of an audit. The biggest reason for this is compliance is a process - not just a manual. A compliance manual if done per guidelines becomes a 'living document' and thus requires the business owner to make updates, have forms completed, keep records, complete audit logs, etc. The implementation is the job of the office - we provide the tool to do it in the most efficient way possible.
Ultimately, in the event of an audit, you'll want to be able to pull a 'living' manual from the shelf, and show your policies and procedures, etc, proof of ongoing training, and audit logs to demonstrate you've made every effort to comply with the regulations.
If your office would like a starting point for meeting the new regulations (requiring compliance by Sept, 2013), we have great resource links here:
Does the total number of employees that work for your practice total more than 15? If not, this program provides you with everything you need. The program covers not only all the HIPAA/HITECH and Compliance program requirements, but also the various employer regulations as well (i.e., ADA, OSHA, EEOC, FMLA, etc.). Many federal regulations change when you have more than 15 employees, and this program is written for offices with fewer than 15 employees.
If you have an MD or DO on your staff, that would require additional policies and procedures not included in this manual. MD/DOs have many more federal regulations controlling how they practice, handle drug samples, prescribe medications, etc. My manual does not cover those specific areas. While the policies and procedures included would cover MD/DOs, they would need more policies and procedures that are not included.
With your purchase, you will receive notification of changes, forms, or alerts that you need to stay compliant.
Since the manual launched in Sept, we have updated the materials, streamlined the generator, added a 2nd business associate agreement, sent out an alert for a new requirement, held three additional content webinars and sent the first quarterly update. All free to our network with the included 12 month newsletter subscription.
Keeping up with these updates requires daily reading of new items from CMS, HHS and other sources. We have developed a complete solution, with staff agendas and audit logs - and we do the reading to apply updates.
The complete compliance set includes everything you need. It's very comprehensive, and we've done the work. This is NOT a guide to writing your own.
The manuals are already written. When you open the file, in the first section you are filling in only details specific to your practice - name, name of compliance manager, that sort of thing. You print those pages and prepare the binders. Then you answer a series of questions to customize the manuals' content to your practice. Your only job is defining the areas that do or don't apply. Those pages are printed and placed in the binders you assembled earlier.
The OCCM program meets all of the requirements for HIPAA and all 7 components of the OIG Compliance program as well. We've got it covered!
PRODUCT SPECS & INFO
The product description states that the binders shown in the picture are not included. With your purchase you will receive a suggested list of supplies, including types of binders and dividers.
The $129 product is for practices that already have updated current HIPAA compliance, HR, Safety/Facility and Operations manuals, as well as the new forms for privacy, business associate disclosure, etc. It includes only the tools necessary to audit the manuals and documentation process.
The $499 product includes everything, including the audit tools.
The products are identical. One is shipped via USPS Mail, and the other is delivered immediately as an electronic download.
Yes, follow these directions:
OCCM for MAC users
1. Update to current versions of both Adobe Reader, AND Adobe Flash. This is very important.
2. Open Adobe Reader (double-click the icon; it can be found in the Applications folder or from Launchpad).
3. In Adobe Reader, click on the FILE top menu, click OPEN, and navigate to the file named 1 Quick Start Read First. Double-click to open and print out this file.
4. In Adobe Reader, click on the FILE top menu, click OPEN, and navigate to the file named 2 OCCM Policy and Procedure Portfolio. Double-click to open. Then follow directions, beginning with Launch.pdf.
Choose "Completed Orders" and click the (Download Files) link found at the end of the product name. This will open 3 files for download.
It's important to start with Quick Start Guide. The first step is to make sure you have Adobe Reader 9.0 or greater (free). We have included the link on the Quick Start Guide to download. Using a current version of Reader will provide the most seamless user experience. If you don't have a current reader, I recommend updating now: http://get.adobe.com/reader/
You will need to install the most current versions of Adobe Reader and Adobe Flash on your computer. Then open the file with Adobe Reader (not Acrobat).
They are PDF files, so you can save them to a thumb drive. However, we recommend you save them to the computer where you'll be working on the manual. That computer will need to be updated with the most current version of Adobe Reader and Adobe Flash. Once you fill out the fields and print the manuals, you'll ultimately be working from the hard copy.
• Our main clinic is at one address; however we have a satellite clinic that at this time we go to 3 days a week. The Doctors, the CT and the staff are the same at both clinics. Would we have to buy 2 compliance manuals or will one work for both offices (meaning, when filling out the information if we include both Drs and staff, do we need a copy in both offices or just in the main office)?
Based upon the limited information provided, I would recommend that you purchase one manual, then add a few policies and procedures to indicate that both offices are under the same management and the same operating procedures. If you have employees that only work in one location, be sure that they receive the same training as the staff at the main office (this would be one of the new P&P's). When you are doing your self-audits, it would be wise to do separate audits for both offices (another new P&P).
The license number we provided to you is the password, and it doesn't change. Check to see if one of these is occurring:
• You are attempting to access the website with the file password
• You are attempting to access the file with your website password
• You have not entered the password/license no. into the file EXACTLY as it appears (CAPS etc)
• You are not opening the file with Adobe – but some other pdf reader.
• How do I assemble the manual? Do you have a getting started how-to video?
Yes, for instructions on opening the file, filling out fields, assembling the manuals and a general getting started overview watch the video on this page.
The Clinic Director has final authority over any decision within your clinic, and your manual states that. Some of the policies in the manual are required by federal regulations, some are basic business principles, and some cover aspects of "best practices." There are others that provide you with protection in case you are named in a legal action.
From a legal protection point of view, you don't want to "mark out" any section, but instead keep them in place with an addendum stating that "current business operations" do not require their use. At the end of each manual is a "blank" page. In that area, create an "Addendum:" section. In your addendum, you can add a list of Policy and Procedures that are "not being utilized at this time, and if at some time in the future the operations of this clinic are modified to include these, all staff will be notified by memo of the change." Include this specific language in your addendum for each P&P you list.
For example, if you are amending or want to remove a specific P&P, let's say 2.33, then label your addition as 2.33a and add your modifications. A word of caution: be sure you write your new policies in the same format as the rest of the manual, including the numbering of each.
If you think any of the P&P's that "you do not utilize at this time" may be required, then double check with me before listing them in your addendum. Many "little" things that are included may actually be included in the manual due to an employment law or a federal regulation. Any time you list a P&P that is "not utilized" in your addendum, you increase your risk of not being compliant with some federal regulation/law.
Unfortunately, there isn’t an “easier” way to do it, but it was a cost vs. risk decision on our part. We are currently working on the second generation of the product, and we will be looking into this as we go forward.
Remember that if it's in the manual, there is a reason.
The OCCM is written in such a manner as to protect you and help you prevent legal actions against you. If the manual were written to allow wholesale changes, then these protections would be eliminated. The areas that allow editing are set up to allow you to customize your manual to your clinic and how you operate.
The policies and procedures in the OCCM manual were written to follow the applicable laws. Consequently you may need to change your operations (which is part of the compliance process) in order to operate properly under the laws, rather than edit the manual to your personal needs.
Any changes to the basic OCCM manual should be focused on adding your clinic's previous policies to the new OCCM manual, so long as they do not alter/eliminate the policies in the OCCM manual.
If you don't use a petty cash account/system now, then you just add an addendum policy at the end of the Operations manual section that basically states, "at this time no petty cash system is being utilized in the Clinic, and at such time when it becomes necessary to use one, it will be operated per the Petty Cash policy and procedure, see number 1.6."
The EFT is a "best practices" issue and is not required by law; however if you do offer it, then you have to do so within certain federal regulations. Becoming "compliant" will require you to add procedures to your current methods of operation.
Add an addendum policy at the end of the operations manual, including a statement that should your practice "employ sufficient staff to meet the regulations for mandatory WC insurance, the Clinic will follow all state regulations as stated in policy 1.8."
Take out the list and enter instead "Please see current complete list as provided in Appendix ___." Then just add an appendix with your current list. Be sure to date it.
Reference your appendix by stating "Please see current complete dress code requirements as provided in Appendix (??)." Then add an appendix that lays out your requirements in detail - be sure to date this.
Changing the word throughout all the policies and procedures would require extensive private customization work. While it is possible, the estimated cost to a practice would be over 4 times what you originally paid for the manual.
It is possible that you missed or did not select an appropriate response to this section of the customization questionnaire. Please go back and review the questions and determine if the correct choice was selected for this procedure. If after your review and edit you still feel that the policy doesn't match up with your current one, then add an addendum policy. I suggest you check with an employment attorney to make sure your addendum policy abides by all of the state and federal regulations concerning employee benefits.
NIST, the government agency that HHS directed to develop security guidelines for small businesses, has been very clear about the security of the entrances to healthcare offices. The policy was written that way to meet those requirements. Your facility should keep a master key for every lock in the building, and especially for the exterior doors. Your master keys should be kept secure in some manner. Your "key cabinet" can be a brown envelope if that is satisfactory for your operation. You decide what your "key cabinet" is.
This is actually an easy fix. Simply add a new policy that states that at this time, due to current methods of operation, a Business Manager is not utilized. You can then add similar statements in order to "line up" the job titles to your position descriptions.
• In the training of chiropractic assistants, it states that a chiropractic assistant will be trained on therapies that we do not do in our office. Additionally, there are other procedures that we do train that are not listed.
When the customization questions were answered, there were specific drop down menus to choose which modalities were performed in your office, etc. Please review this section and double check that the correct ones were chosen. If after review/altering those menus you still need to add other therapies, then add a new policy to list those. BE VERY CAREFUL to only list modalities that can be legally performed by a non-licensed paraprofessional. Incorrectly written, these can cause substantial risk and liability for your doctor.
If you will go to the Resources tab on our website, you will find numerous links to various government websites discussing or providing information about the new regulations. These links connect to CMS, OIG and even the SBA. Hopefully the information they provide will answer your questions and address your concerns.
No. PPACA - privacy, safety, human resources, and operations guidelines apply to all practices that see patients... cash, PI, insurance, or otherwise. The OCCM Compliance Manuals offered at the seminar are appropriate for chiropractic practices with 1 to 14 people on staff.
In your C.A.T. file, place a short memo stating what date you actually customized and printed out the manuals. Include a statement like, "The manuals were customized and printed for review by (NAME) on (DATE). After reviewing the manuals, (NAME) chose a formal adoption date of (DATE)."
Training is required on at least an annual basis, and I would recommend semi-annually if you have a stable staff. If you have significant turnover, then you need to do quarterly training. The training should be at least 2 to 4 hours annually, if not more.
If by equipment you mean "tables, e-stim units, etc.," then the answer is "not yet." If you are including the office's hard box firewall, router, and wifi equipment, then that needs to be reviewed and logged.
PROFESSIONAL ETHICS / CODE OF CONDUCT
• What is the difference between the Statement of Professional Ethics and the Code of Conduct? Also, is it "your" code & statement, or is it something that our office should have on its own? We already have a code of honor and an office handbook.
Each office should have a Code of Conduct (per the OIG), which is a general statement concerning the overall philosophy of ethical operations by all employees. The Code of Conduct is usually not more than a paragraph or two. The Statement of Professional Ethics is also required by the OIG, but it is a more specific document that gives employees specific directions concerning ethical and legal behaviors while working. While they say basically the same thing, one is general and one is more specific. You can create your own, of course, but please make sure it covers all of the same points that OCCM's Statement of Professional Ethics covers. (The OIG has given "guidance" about what they feel should be in your Statement, which is what OCCM's is based upon.)
In the case of one person offices, you are of course the compliance officer. So, you'd enter your own name in those fields. Rules and documentation, billing procedures, business associate agreements, patient privacy, it all still applies.
The main requirement is that you have a Compliance Manager, which is required by the new regulations – this can be you. Remember, having a policy covering something you don't currently do is okay - it is there if you ever need it.
In the manual, appoint yourself as Compliance Manager, then in the additional P&P section, include a statement that "at this time, Name of Your Clinic does not employ a separate employee to perform the duties of a Business Manager, Office Manager, or Accountant, and Your Name currently performs those duties." Date it, and then you and the doctor sign it.
• Compliance staff meeting agenda 1 says to appoint a safety manager. What do they sign? Is there a document? If so where is that document located? After they sign or document the safety manager where do they put that form?
When you appoint a safety manager, create a memo just like the appointment of the Compliance Manager, then have the new Safety Manager sign the form. Place one copy in the employee's personnel file, one copy in the Safety Manual, and the staff member is given a copy as well.
BUSINESS ASSOCIATE & VENDOR AGREEMENTS
The Business Associate Agreement is written to cover any person/entity that has access to your PHI. If your massage therapist, IT, and bookkeepers are employees, then a BAA is unnecessary - they should sign the confidentiality statements just like all the other employees. If they are independent contractors, just renting space, then they do need a BAA signed.
If your mail person/FedEx/UPS driver goes behind your front desk where they might see an open computer screen, or an open file on a desk, then you need to have them sign the confidentiality statement. The business associate agreement is for vendors or someone who is working for your clinic. When you are getting a delivery, the delivery person is not working for you, but technically working for the person that paid for the package to be delivered. Having them sign a confidentiality agreement, however, covers the security of the PHI.
The simplest answer is only if there is a change in staff. So if a business has a new president/manager, then a new one needs to be signed at the annual review. In other words, if the "principals" who have entered into the agreement have changed, then a new contract/agreement must be signed.
PATIENT PRIVACY PROCEDURES
• When documenting/logging when a patient’s file or notes are copied, would mailing supporting documentation to an insurance company count and need to be logged? Would it also need to be logged if an insurance company or referring physician called & needed patient information?
Any time you send out information about a patient, it must be logged. Even if it is to Medicare, you must log it.
REMEMBER, you should NEVER give out information over the phone to someone that called you. The phone is the least secure method of transmitting information. If someone calls, you must instruct them that you need to have a signed release from the patient faxed or emailed to you. You should never even acknowledge someone is a patient over the phone (unless you made the call and have verified that the person you called is the person you are speaking with). Legally you cannot even tell a mother that her adult child is present in your office unless you have previously been instructed in writing to release any information to the parent.
The referral should first appear in the doctor's treatment note: that takes care of it being in the patient's file. Then it should be entered into the Referral Log so the staff can follow through on making the appointment and verifying that the patient attended their appointment. When the records are sent out, the records transmission should be logged in the Information Transmission Log. Some offices will place a transmission log in the patient's file as well. The regulations do not require it to be documented and logged more than once.
The new "HIPAA Form" for the patients to sign is called "Acknowledgment Receipt of Privacy Policies."
If the patient names on the files can be read by patients standing at the front desk, then yes, they need to keep the curtain drawn as much as possible. If the files are far enough away that the names can't be read, then it is not a concern.
ELECTRONIC DATA SECURITY
• In regards to the 22 character password, is this the requirement for a Windows password to log onto the computer, for our EHR patient documentation software, for our patient billing/scheduling software, or all of the above?
Every office is different; however, there are basics that apply to all. Logging into your computer for the first time each day should require a password of at least 8 characters; 16 is better and 22 is the most secure. Logging into your EHR for patient notes or billing for the first time each day should require the 22-character password. Then, during the day when your screen saver turns on, you need at least an 8-character password to regain access to the computer.
Remember, when in doubt, always be the most secure.
• Our IT guy, familiar with HIPAA, says that since our fax is on a dedicated line, no one can hack in and encryption is not required. He also seems to feel that our emails are secure as long as we use anti-spyware & anti-virus programs. Is encryption a LEGAL requirement? If so, what is recommended?
Fax sent over a dedicated line should be considered secure; however, the danger arises in making sure that the receiving phone number is correct. If you misdial, then you could expose protected health information. This has not been considered a major concern as of yet.
Email that contains protected health information must be encrypted. The feds have stressed this in their training materials repeatedly. There are numerous software encryption programs available. Some free, some not. It is your choice to pick one that your staff feels comfortable with using. Remember, the anti-spyware and anti-virus software protects your office only: once the email is sent out of your office, it is no longer protected by those systems.
The Computer Usage section of the manual is written to meet the basic requirements that were developed by NIST (National Institute of Standards and Technology) for CMS to disseminate and the OIG to use in their audits. The specific OCCM policies and procedures were written to allow each individual office some leeway in how they apply them. They are not an outline, but they do meet the requirements; individual offices can choose to add more restrictions if they wish, but they are "covered" by the basic requirements in the P&P's supplied.
EMPLOYEE-RELATED COMPLIANCE QUESTIONS
• We have a massage therapist in the chiropractic office. She does the laundry produced (sheets/blankets/pillow cases) from the massage at her home using her laundry detergent, her washer and dryer. Is this OK or do we need to have all laundry done at an outside laundry service that is OSHA compliant?
OSHA and the CDC have directed that no laundry produced by the clinic is to be washed at anyone's home. They consider any linens that have come into contact with a patient as "contaminated" and therefore must be washed on site, or at an OSHA compliant laundry service.
There is no "yes or no" answer for this question. In a nutshell, it depends on the risk of the situation and the cost for the background check. A second part to this is the level of background check. The levels range from simply checking references, plus checking the OIG's Exclusions Database (which you should always do!), to adding a credit check and a criminal background check. It is your decision to make based upon the risk and the cost. The fines that could result from a privacy breach start at $150,000 each.
There are a few specific policies and procedures that are included because there are strict government regulations covering certain procedures in our offices. So some policies may not directly represent your procedures today. The Direct Deposit policy and procedure is one such. In limited situations, you may add a later policy and procedure, as there is space at the end of each section of the manual for this. Simply write a policy that states you do not offer direct deposit at this time, and should you ever offer this service in the future, you will do so in compliance with the above policy and procedure, and then reference it. Then send/give each employee a memo stating you are adding the new policy and procedure to your manual. Have them sign that they have read and understand it, and then place those into their personnel file. This is the procedure you need to follow for any P&P's that you add to the manual.
SOCIAL MEDIA USAGE
Social Media is covered in the Policy and Procedure Manual under 1.4 Social Media (Confidentiality, Online Identity, Online Limitations, Creating and Managing Content and Enforcement). There are additional items covered in 1.13 Information Technology and in 1.21 Computer Use and Internet policy.
The number of documents/files to be utilized in a self-audit is determined by the volume of the office. For example, an office that sees 100 patients per week should audit each document type in the 6 to 10 range, but an office that sees 200 per week should do 24 to 30.
The next step is to determine the number of errors discovered. If numerous errors are found in the first 6 to 10, then a second set should be completed to see if the trend is widespread. The opposite is also true: if you find very few errors, then you can stop with the 6 to 10.
• On the audit timeline there is an item, "Documentation audit: Exam, SOAP." I found "Treatment Documentation Audit, Treatment/SOAP Note," but I can't find the exam audit. Where will I find it in the Manual?
As part of the Medical Records Chart Audits form, the Initial Documentation review contains the audit information for both the initial examination report audit and the audit for follow-up examinations.
• Is there an annual “policy checklist” of things to do? If I assume all those are covered in the manual, and I abide by it, am I covered? Or am I expected to write a paragraph for each of these items?
The Audit and Assessment Timeline will help keep all your audits up to date, and then annually perform your Initial Compliance Assessment to document your complete facility review. The facility review is several pages long, but it is a "must do" to ensure you are compliant. That covers the basic requirements.