First Healthcare Compliance CONNECT August 2022

CONNECT 

August 2022 

 

A Monthly Publication for the Healthcare Compliance Community 

FAQ: Why should we 

have confidentiality 

agreements with our 

employees? 

Infographic: The 4 

Outs to Survive an Active 

Shooter in a Healthcare 

Facility 

Bipartisan Legislation 

Introduced to Ban Selling 

Health and Location Data 

Q & A: Employment 

and Labor Law 

1st Talk Compliance: The 

Insecurity of Everything: 

The Vital Importance of 

Hardware Data Security

Got a Minute? Please Rate Us! 

The health of our company depends on the members 

of our community spreading the word about us. 

Share Your Success Story 

An endorsement by you is the greatest compliment 

we could receive! Please take a moment of your time 

to rate us online so that others can benefit from your 

experience. It’s a simple way to help us grow and 

improve. 

We appreciate your support and look forward to 

hearing from you! 

In This Issue: 

FAQ Corner: Why should we have 

confidentiality agreements with our 

employees? 

Infographic: The 4 Outs to Survive an Active 

Shooter in a Healthcare Facility 

Bipartisan Legislation Introduced to Ban 

Selling Health and Location Data 

Q & A: Employment and Labor Law 

2 

First Healthcare Compliance, LLC © 2022

Compliance Super Ninja 

Gail Little-Osberg, Practice Manager 

Attachment and Trauma Center of Nebraska 

How would you describe your experience with First Healthcare Compliance? 

Great, the initial training was very good, and the ongoing compliance for staff and practitioners is 

comprehensive but doesn’t bury them in the weeds either. 

I appreciate the many webinars and how thorough you all have been in addressing things such as COVID and 

the changes that have occurred over the past 2 years in Healthcare. 

What do you enjoy most about working with Attachment and Trauma Center of 

Nebraska? 

The variety of taking care of a practice, working with a great team of therapists and of course, staying up to 

date on HIPAA and Compliance. 

Would you rather have a photographic memory or have the best social skills of all 

time? Why? 

Both, I am finding the memory is getting a little more sketchy as 

the years roll by, so that would be fantastic. 

Social Skills are something that should be taught from birth 

throughout one’s life, especially now, so this is always a MUST. 

1st Talk Compliance: The Insecurity of 

Everything: The Vital Importance of Hardware 

Data Security 

Contact Toll Free: 888-54-FIRST 3

FAQ Corner 

Why should we have confidentiality agreements with our employees? 

The purpose of the employee confidentiality agreement is to ensure that an employee of a provider will 

maintain the confidentiality of protected health information. Employers that are regulated under HIPAA 

typically require employees to sign an employee confidentiality agreement to verify that they know the 

rules and restrictions on patient data. It also helps document that the employer took the necessary steps 

to educate employees about the HIPAA policy for employees. The employee confidentiality agreement 

can help protect organizations from claims that employees were not advised and trained on rules and 

regulations in the event of a disclosure. 

Explore the FAQs tab in your compliance solution 

to find answers to your compliance questions! 

CLIENT 

ALERT 

The Most Comprehensive 

Healthcare Compliance Course 

The Fundamentals is a user-friendly, four-module 

online course designed to help healthcare professionals 

understand the essential principles and practices of 

compliance. 

BUY COURSE NOW 

4 



Bipartisan Legislation Introduced to 

Ban Selling Health and Location Data 

Guest Author: Rachel V. Rose, JD, MBA 

The new legislation would tighten the 

use of patients’ health and location 

information. 

The HIPAA Privacy Rule, which had the U.S. 

Department of Health and Human Services 

(HHS) modify certain standards on August 14 

2002, established parameters for certain types 

of marketing and the sale of protected health 

information (PHI). Found at 45 CFR §§ 164.501, 

164.508(a)(3), the HIPAA Privacy Rules provides 

individuals with certain privacy rights and important 

controls over how their PHI is used and disclosed. 

As HHS iterates on its website, “[w]ith limited 

exceptions, the Rule requires an individual’s written 

authorization before a use or disclosure of his or 

her protected health information can be made for 

marketing. So as not to interfere with core health 

care functions, the Rule distinguishes marketing 

communications from those communications about 

goods and services that are essential for quality 

health care.” There are different applications 

of “marketing” and the one that constitutes 

the disclosure of PHI “in exchange for direct or 

indirect remuneration, for the other entity or its 

affiliate” requires the express written consent of 

the individual patient, which must be prominently 

placed on the HIPAA Authorization Form and give 

the patient (or the patient’s legal representative) 

the option of “opting out” of the sale at any time. 

And, depending on the nature of the relationship 

between the covered entity, business associate, and/ 

or subcontractor, a business associate agreement 

(BAA). 

In 2018, HHS Office for Civil Rights (OCR) 

announced a $100,000 settlement with Filefax, 

Inc. – a company that once provided storage and 

disposal services for medical records – for allowing 

an unauthorized person to remove PHI, leave it 

unsecured outside the facility, and attempting to 

sell the PHI without the patient’s express written 

authorization. The take-away – its not legal. 

Fast forward to June 2022, in light of Roe v. Wade 

being overturned, privacy rights which have been 

protected under the 14th Amendment of the 

U.S. Constitution under an individual’s “zone of 

privacy” are at risk. A bipartisan group of Senators 

introduced the Health and Location Data Protection 

Act, which, if passed, may mitigate the effects 

of Roe v. Wade being overturned and would fill a 

significant gap in U.S. privacy law. The data broker 

6 


industry is a $200 billion dollar a year industry. 

Three of the key features of the bill are as follows: 

Ban data brokers from selling or transferring location 

data and health data. The bill forbids data brokers 

from selling or transferring location data and health 

data and requires the Federal Trade Commission to 

promulgate rules to implement the law within 180 

days, while making exceptions for HIPAA-compliant 

activities, protected First Amendment speech, and 

validly authorized disclosures. 

Ensure robust enforcement of the bill’s protections. 

The bill empowers the Federal Trade Commission, 

state attorneys general, and injured persons to sue 

to enforce the provisions of the law, allowing for 

remedies such as damages and 

injunctions to stop any illegal 

practices. 

Provide funding to the Federal 

Trade Commission to act. The bill 

provides $1 billion to the Federal 

Trade Commission over the next 

decade to carry out its work, 

including the enforcement of this 

law. 

In the meantime, HIPAA’s 

Privacy Rule coupled with the 

14th Amendment’s “zone of privacy” may be a 

solution. Individual states have also begun to follow 

California’s lead and pass legislation similar to the 

California Privacy Protection Act (CCPA). Regardless 

of an individual’s stance on abortion, all Americans 

should take issue with companies, whether medical 

device companies, big tech companies, or data 

brokers (among others), selling or disclosing 

information without the express written consent 

of the person in a manner that does not constitute 

a contract of adhesion. Rare situations, such as a 

grand jury subpoena, exist for the government to 

directly request such information without violating 

a person’s individual Constitutional rights, which is 

why both substantive and procedural due process 

exist. It is critical that patients are aware of their 

rights and that companies are aware of what’s legal 

and have adequate compliance programs in place. 

About the Author 

Rachel V. Rose, JD, MBA, advises clients 

on compliance, transactions, government 

administrative actions, and litigation 

involving healthcare, cybersecurity, 

corporate and securities law, as well 

as False Claims Act and Dodd-Frank 

whistleblower cases. She also teaches 

bioethics at Baylor College of Medicine in 

Houston. Rachel can be reached through 

her website, www.rvrose.com. 

Originally posted on: physicianspractice.com 

Navigating Workplace 

Violence Prevention Under 

Workplace violence is a serious issue, especially in healthcare facilities. The 

OSHA workplace violence prevention guidelines help employees and employers 

alike by providing the necessary steps to maintain a safe work environment. 

DOWNLOAD NOW 


Q & A: Employment 

and Labor Law 

Catherine Short 

Catherine Walters, Partner 

at Bybel Rutledge LLP, is 

a management side labor 

and employment attorney 

representing employers of 

all sizes. As a member of the 

First Healthcare Compliance 

editorial council, Catherine 

is a frequent presenter at 

educational events. For more information 

regarding this topic please view a related 

webinar and listen to an episode of 1st 

Talk Compliance for further discussion and 

learning. 

Below Catherine answers some common questions 

and provides explanations of a few timely topics 

related to employment and labor law. 

Could you explain what the OFCCP is and 

discuss the related issues? 

The OFCCP means Office of Federal Contract 

Compliance Programs. It’s basically considered to 

be the federal watchdog with respect to federal 

(Continuted on page 10) 

contractors who receive federal monies 

to perform work or provide products. The 

OFCCP enforces a number of laws as to 

employers. Primarily it enforces Executive 

Order 11246, which requires affirmative 

action on behalf of minorities and 

females. Then there’s the Rehabilitation 

Act, Section 504 of the Rehabilitation 

Act, which requires employers to provide 

affirmative action and equal opportunity 

to individuals with disabilities. There’s also 

the Vietnam Veterans, VEVRAA. OFCCP enforces 

the Vietnam Veterans law as well, and it requires 

affirmative action on behalf of protected veterans. 

It’s not just Vietnam veterans at this point, affirmative 

action is typically applicable to federal contractors 

with varying sizes of federal contracts, and numbers 

of employees 50 or more employees, and you must 

have a written plan. What we see on an annual basis 

is employers who must update their affirmative 

action plans. Annually, a federal contractor will 

update those plans. The OFCCP is the one that not 

only monitors those plans but accepts charges of 

discrimination and investigates those. They’re really 

focused on discrimination and much of their focus is 

on systemic discrimination, as opposed to individual 

8 


COVID-19 Healthcare 

Compliance Toolkit 

Healthcare compliance amidst COVID-19 presents new challenges for 

hospitals and healthcare providers. At top importance is the question 

of how to slow or stop the spread of COVID-19, while ensuring that your 

organization stays compliant. 

Now more than ever, your compliance department needs to have the necessary tools to help track, 

analyze, and respond to compliance challenges. To help navigate the process, we’ve gathered our 

best COVID-19 resources below. If you need further assistance, please contact us here. 

VIEW TOOLKIT 

COVID-19 Healthcare 

Compliance Updates 

In response to the global outbreak of the novel coronavirus 

disease (COVID-19), the Secretary of Health and Human 

Services declared a public health emergency on January 31, 

2020. Federal agencies have taken action by issuing updates 

and guidance to navigate the crisis. This ebook provides 

healthcare providers with important developments and 

resources that impact federal healthcare laws. 

DOWNLOAD NOW 


discriminations. What you’ll have in many situations 

is what we call disparate treatment versus disparate 

impact. Disparate treatment is where you treat one 

person differently from another or one group or class 

of employees differently from another. 

What are the new SAM requirements? 

SAM, is the System for Award Management 

database. Federal contractors must sign up with 

that portal to qualify for government contracts. This 

has never happened in the past, but we have a 

new affirmative action plan reporting requirement 

that will go into effect. In essence, under the SAM 

declarations page, contractors are going to have 

to begin affirming that they have developed and 

maintained affirmative action programs at each 

establishment as applicable. This was where the 

OFCCP lacked teeth. In many instances, in the past, 

employers were able to get away with not having 

their programs in place or updating their plans on a 

regular basis. A lot of contractors think they have an 

affirmative action plan and it’s in some dusty binder 

on some dusty shelf in some closet somewhere. 

It’s an annual exercise and it must be done at least 

annually and be done even more regularly. You can 

have short plans, but you can’t have a plan that goes 

beyond 12 months. This will require people to give 

more thought to making these certifications, because 

to make a certification is very important. Under SAM, 

if you lie about it, you could be disbarred. 

Can you explain briefly about restrictive 

covenants? 

Restrictive Covenants include things like noncompetition 

agreements, non-solicitation agreements, 

non-interference, and non-contact and so forth. 

Typically, employers use them to prevent valued 

employees from leaving them and going and 

competing with them at another workplace. In recent 

years, we’ve seen a lessening of the use of the 

noncompetition restriction, meaning that that person 

can go work somewhere else, but still, a use of nonsolicitation, 

meaning that even though you can go 

to a competitor, you may not solicit clients or other 

customers that you had when you worked for me, 

and you can’t reach out to our employees and ask 

them to come with you. Basically, you can’t interfere 

with my relationships that I had, either before you 

were here, or while you were here, and you can’t 

do it for a year or two. Of course, that dovetails 

with confidentiality agreements, and the protection 

of confidential information and trade secrets for 

employers. With respect to restrictive covenants, 

some states in the United States have legislation 

against restrictive covenants in the employment 

field. It’s clear that restrictive covenants prevent 

employees from moving around, and this inability to 

move around or go to a competing employer prevents 

them from increasing wages and benefits as quickly 

as they might otherwise be able to do and it prevents 

them from growing in their careers in many cases. 

Restrictive covenants, while they’re legislated in 

many states, they aren’t legislated in others. So, 

there’s no consistent legislation about restrictive 

covenants in the United States. Some states, you can 

use them to your heart’s content, other states you 

can use them in very limited fashion, and in other 

states, they’re prohibited. 

Is remote work here to stay? 

In a word, yes. At least for employers who can 

accommodate remote work. There are a lot of 

employers that can’t accommodate remote work. 

And then of course, there’s the hybrid type where 

some workers must be in person and others can 

be remote. Some of the big issues really are about 

adapting your employment processes to this new 

normal. Issues such as recruiting, interviewing, 

onboarding, and measuring performance are all 

impacted by the change to remote work. 

Do you have advice for employers working 

through challenges of today’s working 

environment? 

It’s not about where people work. It’s what they do. 

And that’s kind of the new normal, where they work 

what they do, and productivity is the key. 

10 


Risk Management Considerations for 

the Healthcare Compliance Officer: 

Training, Incident Management, Governing 

Boards, and Measures Unique to COVID-19 

It’s no secret that healthcare is one of America’s 

most heavily regulated industries with 

substantial fines and penalties for noncompliance. 

Complex regulations and mandates 

make compliance management a necessity. 

DOWNLOAD NOW 

Referral Appreciation Program 

Receive a $50 gift card* when you refer a client! 

First Healthcare Compliance is delighted to offer 

a Referral Appreciation Program to say thank you 

for helping us to continue to grow. For each new 

1st Professional or 1st Premium client originating 

from a referral, First Healthcare Compliance will 

provide a $50 gift card as a token of appreciation. 

LEARN MORE 


hosted by Catherine Short 

1st Talk Compliance features guest John Shegerian, Chairman and CEO of ERI, the largest cybersecurityfocused 

hardware destruction and electronic waste recycling company in the United States and co-author of 

the cybersecurity book, “The Insecurity of Everything” on the topic of “The Insecurity of Everything: The 

Vital Importance of Hardware Data Security.” He will share some of the latest information about the very 

real problem of hardware hacking in the world of healthcare and beyond and how that issue became even 

more serious during the pandemic, with so many people working from home. He will also be explaining critical 

information for health-related businesses to help them keep their private data – and the data of their patients 

and customers – protected! 

Listen weekdays at 

7:30am, 3:30pm, 11:30pm ET 

Check out our Show Page! 

Looking for the latest compliance insights? 

Subscribe to our feed and don’t miss a thing! 

12 


WORD SEARCH 

X H E V O S T B N Q Y N K Q J R N Z L M 

Z W C M O H Q D A V P G Q Q F D C M Y E 

T H O D X Q L E G I S L A T I O N X I Z 

N F M R U Q H H L N B Q I Z N N V N X M 

E R M N E Z H G T N Z T F F W L F G E A 

M G U O X F E D E R A L I T U O W X S Q 

T K N I Y Q A F Q H A D U Y R U P R K C 

R U I T Z U L H T U E L T M H E E F R A 

A H C A P U T W E N Z A A Z R Y J K U B 

P X A Z M M H N T X I T L I O M D T U N 

E O T I V N C I I D I M E L G O H V M O 

D Q I R P G A K H O F N P U R O G T X I 

C U O O Z L R G N N C M G D R D H U W S 

K U N H I Z E L E E E K J I I L Y C D S 

S H S T J K B W E D Z W Z Z S B N M S I 

T T Y U C P D N O I T A L U G E R Y L M 

U B K A X V R H K S T A N D A R D S W M 

V R V X C O M P L I A N C E N H B Y V O 

I A F X D C D L O M V N X R C X G F M C 

L E U U A C B N U R T T V J R Y E A J X 

EXPERIENCE HEALTHCARE COMPLIANCE 

CONFIDENTIALITY EMPLOYERS REGULATION 

LEGISLATION DEPARTMENT STANDARDS 

AUTHORIZATION COMMUNICATIONS AUTHORIZATION 

COMMISSION FEDERAL INFORMATION 


Upcoming and On-Demand Webinars 

Training 

SEPT 13, 2022 

OCT 13, 2022 

DEC 13, 2022 

ON DEMAND 

ON DEMAND 

Automatic Dispensing Cabinets, Patient Care, & the 

Actual Sentence in the RaDonda Vaught Case 

Preserving and Protecting Assets In Healthcare 

Health Data, A Value Proposition: Legal Risks with 

Innovative Data Sharing Projects 

The Dobbs Opinion, the Repealing of Roe, & the Impact on 

the Privacy & Security of Patient Information 

Workplace Civility: What Non-Unionized Employers Need 

to Know to Navigate the NLRA 

Register 

Register 

Register 

All Upcoming Webinars 

All On Demand Webinars 

IMPORTANT 

In the interest of your security, login credentials are 

for individual use only and not to be shared. Please 

contact Client Services if you require additional 

manager level users and/or if there has been a change 

in contact information. 

NEW FEATURES! 

Employee Zone/Compliance Detail 

Initial Data - Free text comment field has been added. 

COVID Vaccination Status - Additional fields have 

been added for Second Booster 

COVID Vaccination Status/ COVID Testing - 

Additional fields have been added to assist 

you with tracking COVID vaccination and 

CLIENT 

ALERT 

COVID Testing. Contact Client Services if you have any questions 

or would like to turn COVID alerting off. 

Training Zone - Employee Activated Status has been added to the 

Training Zone landing page view. 

Employee Incident Reporting - This new feature will provide 

the option for Employees to open/create an Incident Report. 

When employee incident reports are created you can review, 

update, track and manage them within the Incident Reporting 

Zone. Contact Client Services if you are interested in adding this 

additional feature to your Incident Reporting Zone. 

Join us on Social Media! 

Contact our Client Services Team with your questions! 

888.54.FIRST or clientservices@1sthcc.com 

14

First Healthcare Compliance CONNECT August 2022

Create successful ePaper yourself

Delete template?

Save as template?