First Healthcare Compliance CONNECT September 2022

CONNECT 

September 2022 

 

A Monthly Publication for the Healthcare Compliance Community 

FAQ: Is recapping of 

needles allowed? 

Infographic: Causes 

vs. Reasons for Data 

Breaches 

Content of a 

BAA Q & A 

Event: The Virtual HIPAA 

Privacy and Security 

Workshop 2022 

Press Release: Panacea 

Healthcare Solutions, a Leading 

Healthcare Mid-Revenue Cycle 

Technology and Services Company, 

Receives Growth Investment from 

Firmament 

1st Talk Compliance: 

How New Legislation 

Impacts Privacy

Got a Minute? Please Rate Us! 

The health of our company depends on the members 

of our community spreading the word about us. 

Share Your Success Story 

An endorsement by you is the greatest compliment 

we could receive! Please take a moment of your time 

to rate us online so that others can benefit from your 

experience. It’s a simple way to help us grow and 

improve. 

We appreciate your support and look forward to 

hearing from you! 

In This Issue: 

FAQ: Is recapping of needles allowed? 

Infographic: Causes vs. Reasons for Data 

Breaches 

Content of a BAA Q & A 

Event: The Virtual HIPAA Privacy and Security 

Workshop 2022 

1st Talk Compliance Podcast: How New 

Legislation Impacts Privacy 

2 

Panacea Healthcare Solutions LLC © 2022

Compliance Super Ninja 

Sandra Curd, COO 

Professional Eye Associates 

How would you describe your experience with First 

Healthcare Compliance? 

First Healthcare Compliance has made keeping up with certifications, licenses 

and training so much easier. The OIG automation really is helpful; I can’t imagine 

having to manually enter all my employees and vendors each time this is done. I 

have found them to be proactive and timely in onboarding new products. 

I appreciate the many webinars and how thorough you all have been in addressing things such as COVID and 

the changes that have occurred over the past 2 years in Healthcare. 

What do you enjoy most about working with Professional Eye Associates? 

The comradery I experience daily with my coworkers is great. We are all working in different ways to help 

achieve the same goal and we appreciate what others bring to the clinic. This is imperative to quality patient 

care. 

Would you rather have a constant supply of the best coffee 

in the world at your office or a constant supply of the best 

snacks in the world at your office? Why? 

I believe I would prefer snacks. I could share them with my coworkers. Some 

do not drink coffee. 

Press Release: Panacea Healthcare Solutions, 

a Leading Healthcare Mid-Revenue Cycle 

Technology and Services Company, Receives 

Growth Investment from Firmament 

Contact Toll Free: 888-54-FIRST 3

FAQ Corner 

Is recapping of needles allowed? 

Bending, recapping, or removing contaminated needles is prohibited, except under certain circumstances. 

When the employer can demonstrate that bending, removal or recapping is required by a specific medical or 

dental procedure or that no alternative is feasible, such actions are permitted. However, such actions must 

be accomplished by some method other than the traditional two-handed procedure (e.g., a mechanical 

device or a one hand scoop method). For example, these actions may be necessary when performing 

blood gas analyses; when inoculating a blood culture bottle; or when administering incremental doses of 

a medication to the same patient. Where no alternative to bending, recapping, or removing contaminated 

needles is feasible or such action is required by a specific medical or dental procedure there must be a 

written justification to that effect included as part of the exposure control plan. On the basis of reliable 

evidence, this justification must state the reason for the employer’s determination that no alternative is 

feasible or must specify that a particular medical or dental procedure requires, for example, the bending of 

the needle and the use of forceps to accomplish this task. Shearing or breaking contaminated needles is 

completely prohibited by the standard. 

How should reusable sharps (e.g., large bore needles, scalpels, saws, etc.) be handled? 

Reusable sharps must be placed in containers which are puncture-resistant, leakproof on the sides and 

bottom, and properly labeled or color-coded until they are reprocessed. Contaminated reusable sharps must 

not be stored or reprocessed in a manner that would require the employee to reach by hand into containers. 

https://www.osha.gov/laws-regs/standardinterpretations/1993-02-01-0 

Explore the FAQs tab in your compliance solution 

to find answers to your compliance questions! 

CLIENT 

ALERT 

4 


Causes vs. Reasons for Data Breaches 

Cause 

Reason 


Content of a BAA Q & A 

Catherine Short 

Rachel V. Rose, JD, MBA, principal with Rachel V. 

Rose – Attorney at Law, P.L.L.C., Houston, TX, has a 

unique background, having worked in many different 

facets of healthcare, securities, cybersecurity, as 

well as international law and business throughout 

her career. Her practice focuses on a variety of 

cybersecurity, health care and securities law issues 

related to industry compliance and transactional 

work, as well as representing plaintiffs in Dodd- 

Frank/False Claims Act whistleblower claims. As 

a member of the First Healthcare Compliance 

Editorial Council, Rachel is a frequent presenter at 

educational events. For more information regarding 

this topic please view a related webinar for further 

discussion and learning. 

Below, Rachel answers some common questions 

and provides explanations of a few timely topics 

related to the education surrounding business 

associate agreements. 

Could you give us an overview of what 

a BA or Business Associate Agreement 

is and who or what it involves? 

Absolutely. And not surprisingly, that is a very 

detailed question. A business associate agreement, 

which is referred to in 45CFR160.504.E as a 

business associate contract is just that – it’s an 

agreement between two parties to do three primary 

things: first, ensure that both parties are utilizing the 

appropriate technical, administrative and physical 

safeguards in order to ensure that the confidentiality, 

integrity and availability of the protected health 

information remains intact. Additionally, it relates 

to the Privacy Rule, the entire security role and 

the breach notification rules being adhered to. The 

second element that always jumps out at me is the 

notification to the other party and then potentially, 

to HHS patients and the media in breaches of 500 or 

more individuals, and making sure that the parties 

designate the timeline that party, typically the party 

who’s the breach occurred on tells party B about 

this and then what transpires after that. The last 

main requirement or part of a business associate 

agreement is what to do when the relationship 

between the parties terminates. Now, that might 

seem simple, oh, I just need to either return and 

or destroy the data in a manner that complies 

with the HIPAA Security Rule, and preferably with 

NIST, that’s part of it. But as we all know, there 

are situations where we can’t just return or destroy 

information. Some of those may be obligations of 

a legal hold, or a government investigation or a 

6 


THE VIRTUAL 

HIPAA Privacy and 

Security Workshop 

2022 

Thu, November 3, 2022 

12:45 PM – 4:15 PM EDT 

The Virtual HIPAA Privacy and Security Workshop 2022 is hosted by First 

Healthcare Compliance to provide resources for legal and healthcare 

professionals facing the challenges of complying with HIPAA regulations. 

This half-day event will be held on November 3, 2022, and will include 

CEU credits. Registration is available to the public. 

Experts and attorneys will engage with attendees to discuss timely 

questions and real-life scenarios related to HIPAA privacy and security 

including Notice of Privacy Practices, Business Associates, employee 

training, patient rights, safeguards, electronic health records, breaches, 

cybersecurity and more. 

REGISTER NOW 

Earlybird 

Tickets 

Available 


lawsuit that might be in play. All of those are issues 

that are very, very important to appreciate. 

Now, having said that, your first question was really 

who does it apply to and under federal HIPAA, it 

applies to covered entities, which are healthcare 

providers, health care, claims, clearing houses, 

and insurance companies, and then their business 

associates, and then a subcontractor of that 

business associate. The easiest way to think about 

this is a straight line where you have a circle that 

says covered entity and then a line and then a circle 

that says business associate and then a line and 

then a circle that says subcontractor. And on that 

line, you should be thinking if I am A or B, or B or 

C, I need to make sure I have a business associate 

agreement in place because there is some type of 

agreement to create, retain or maintain, receive, or 

transmit protected health information. Those are the 

entities to whom it applies. 

Having said that a lot of state laws such as Texas 

House Bill 300 may have differing definitions of a 

covered entity. And in Texas, we have one definition 

and a covered entity covers. Any person who 

creates receives, maintains or transmits protected 

health information. Therefore, it’s prudent for any 

entity in Texas to make sure that they have the 

appropriate business associate agreement in place 

that also references the Texas Health and Safety 

Code as well as the Texas Business and Commerce 

code. 

What is the primary purpose of a BAA? 

As I mentioned, there are typically three main 

areas. But first and foremost, when you think 

of any contract, first, you need to define who 

the parties are at the very top, and which one 

assumes what role, whether it’s a covered entity 

in business associate or business associates and 

The Most Comprehensive 

Healthcare Compliance Course 

The Fundamentals is a user-friendly, four-module 

online course designed to help healthcare professionals 

understand the essential principles and practices of 

compliance. 

BUY COURSE NOW 

8 


subcontractor. All of that is exceptionally important. 

So just something to be conscientious about 

there. Then you delve into the three overarching 

areas or purposes behind the Business Associate 

Agreement to ascertain that both parties each 

have been given reasonable assurances that the 

technical, administrative, and Physical Safeguards, 

as well as the privacy rule, security rule and Breach 

Notification Rule, and compliance and requirements 

are being met. 

Another item that relates to that now is the 21st 

Century Cures Act in the ability to give patients their 

medical records in formats such as smartphone 

apps that weren’t necessarily available before but 

along with that related to information blocking, are 

situations where a provider or a business associate 

may say, what the general rule is that we have to 

provide this, but this is not an app that is secure 

or that we’re familiar with and for the safety of the 

entity and for structure, we’re not going to provide 

that. So it’s important now to reference state laws 

and other relevant laws such as a 21st Century 

Cures Act. 

The next main area, has to do with notification 

to the other party if you have a reportable cyber 

security incident, typically known as a breach, in 

accordance with the Breach Notification Rule. And 

there are really two steps to that. First, you want to 

have a timeframe set out between the parties as to 

when party A, if they’re the breaching party, has to 

notify party B, that there has been a breach. That’s 

important because their IT department needs to 

take appropriate steps in order to safeguard certain 

things or go to plan B to go to backups. So it’s really 

mutual in nature along those lines. And then the 

second part of a reportable breach would then be 

under the Breach Notification Rule, to report to HHS 

to report to the patients and to report to the media if 

the breach itself affects 500 individuals or more. 

Can you explain reasonable 

assurances in relation to business 

associate agreements and HIPAA? 

Reasonable assurances in HIPAA is the first part of 

the business associate aid agreement. Both parties, 

giving assurances that they meet the technical, 

administrative and physical safeguards in order to 

ensure the confidentiality, integrity and availability 

of the data. What would give someone peace of 

mind and also give them something legally, that 

they could say, what we know that we do not have 

a right to go in and inspect everything. I have seen 

situations where, given the size of the contract, or 

the particular service that was at stake, sometimes, 

one entity will agree to let another entity come on 

site and view their operations, which is only one 

part of that. What I do is I have my clients get a 

signature on an attestation. And the purpose behind 

it is that these reasonable assurances are being 

provided in order to give peace of mind that the 

party is adhering to the requirements of HIPAA in 

the HITECH Act. And if people can answer these 

five questions in earnest, you should walk away 

with a good feeling that they’re doing everything 

that needs to be done. The first question is, does 

the party undergo an annual risk analysis that 

is comprehensive? Second, do they train their 

workforce annually? Third is PHSI insensitive PII 

encrypted both at rest and in transit? Fourth, are 

business associate agreements in place, and 

are they recorded? And lastly, are policies and 

procedures at least reviewed annually, and are they 

comprehensive? So with that, that is a how I define 

and think of a reasonable assurance? And secondly, 

how I advise my clients to protect themselves. And 

then lastly, the types of reasonable assurances are 

those five that I honed in on? 

What are indemnification provisions 

and what language should be used in 

indemnification provisions? 

It’s typically thought of as a contractual obligation 

of one party to compensate the loss incurred to the 

other party, due to certain acts of the indemnitor or 

any other party, the duty to indemnify is usually but 

not always, coexisting with the contractual duty to 


hold harmless or safe, harmless. So, let’s step back 

for a moment. So typically, first, before you draft an 

indemnification provision, you want to make sure 

that you have an appreciation of a variety of different 

state laws, whether it is derived from common law, 

or whether it is like California set forth in a statute. 

Typically, the way a lot of indemnification provisions 

are written are to indemnify defend and hold 

harmless. And if you don’t have that exact language, 

depending on the jurisdiction that you’re in, you may 

or may not have to defend someone and pay for 

those costs. 

You asked me how I would draft one of these. And 

it’s so specific to the facts and circumstances 

in general that I’m trepidatious just to throw out 

any language surrounding that, but I will say that 

it’s important to appreciate the significance of an 

indemnification provision and some indemnification 

provisions. I read and I’m like, “Oh my gosh, I would 

not advise anyone to sign that it’s because it’s so 

one sided, that only one party is held harmless.’ And 

in the event of a breach regardless of whether or not 

for example, a business associate cause the breach 

some of these endemic indemnification provisions 

read that the business associate is responsible for all 

of the costs. So that should be one of the provisions 

that any person reads very, very carefully, because 

it could contradict with your other contracts that you 

have in place. 

B, you could be shouldering all of the liability even if 

you’re not responsible for the breach or the bad act. 

When I write them, I typically make them mutual that 

if one is being indemnified, the other one’s going to 

indemnify if they’re at fault. So mutual defend is the 

key term that I discuss with the party. And typically, 

the party will go back to the other entity if they are 

in a negotiation. And oftentimes, they’ll say, “You 

know what, we’ll just agree to be responsible for 

Referral Appreciation Program 

Receive a $50 gift card* when you refer a client! 

First Healthcare Compliance is delighted to offer 

a Referral Appreciation Program to say thank you 

for helping us to continue to grow. For each new 

1st Professional or 1st Premium client originating 

from a referral, First Healthcare Compliance will 

provide a $50 gift card as a token of appreciation. 

LEARN MORE 

10 


Risk Management Considerations for 

the Healthcare Compliance Officer: 

Training, Incident Management, Governing 

Boards, and Measures Unique to COVID-19 

It’s no secret that healthcare is one of America’s most heavily regulated 

industries with substantial fines and penalties for non-compliance. Complex 

regulations and mandates make compliance management a necessity. 

DOWNLOAD NOW 


our own attorneys fees on this.” So that’s what will 

happen there. 

And then the last part of that, that something I’ve 

been doing for a few years now, is to really carve 

out and there, there are two schools of thought on 

this. But when I carve out specific indemnification 

provisions related to a breach, it’s the breaching 

party has the obligation to pay for the notification to 

government entities, to the media into the individual 

patients. But that’s where the liability and so there’s 

no payment of attorney’s fees, there’s no payment 

of ransomware. There’s no paying for a deductible 

on an insurance policy or anything like that. What 

my clients and actually when I’ve been on the phone 

with opposing parties as well, what they’ve said is 

that we like this, because we know upfront what 

we’re responsible for, and it’s limited to this, and it’s 

balanced for both of us. 

take it word by word with the parties that you’re 

dealing with. 

Did you have any other thoughts 

that you wanted to share with us 

concerning BAAs? 

Just be aware that BAs are not cookie cutter, 

however, there are certain terms and certain 

provisions, which you’ll see over and over again. And 

that’s because they’re required by the statute and 

then recommended by HHS on their website. 

There’s no cookie cutter way to draft an 

indemnification provision, you just have to literally 

Navigating Workplace Violence 

Prevention Under OSHA 

Workplace violence is a serious issue, especially 

in healthcare facilities. The OSHA workplace 

violence prevention guidelines help employees 

and employers alike by providing the necessary 

steps to maintain a safe work environment. 

DOWNLOAD NOW 

12 


Press Release 

Panacea Healthcare Solutions, 

a Leading Healthcare Mid- 

Revenue Cycle Technology 

and Services Company, 

Receives Growth Investment 

from Firmament 

ST. PAUL, MINNEAPOLIS, August 24, 2022 / 

EINPresswire.com/ -- Panacea Healthcare 

Solutions (“Panacea”) announced today that 

it has received growth capital from Firmament, 

a leading provider of structured equity capital 

solutions to small- and medium-sized enterprises. 

Panacea provides strategic pricing, price 

transparency, chargemaster, compliance, and midrevenue 

cycle software and consulting services to 

healthcare companies across the full continuum of 

care. Firmament’s investment will fuel innovation 

and expand Panacea’s product suite through the 

acquisition of Holliday & Associates and First 

Healthcare Compliance. The combined company 

will be a leading provider of healthcare revenue 

cycle and compliance software and services to over 

600 hospitals, health systems, physician practices, 

and accountable care organizations across the 

United States. 

The executive management teams of Panacea, 

Holliday & Associates, and First Healthcare 

Compliance will remain in place, together with the 

majority of their former shareholders. Panacea CEO 

Frederick Stodolak will continue to serve as Chief 

Executive Officer of the combined platform and will 

expand his role to become an active Chairman of 

the Board. 

Stodolak stated, “We are proud to partner with 

Firmament and are excited for our future growth 

and continued product innovation. With the 

acquisition of Holliday & Associates, we are excited 

that our customers will benefit from access to a 

comprehensive suite of chargemaster software 

tools from a single vendor. Furthermore, we look 

forward to expanding First Healthcare Compliance’s 

popular learning platform to leverage Panacea’s 

expertise in inpatient, outpatient, and physician 

coding and compliance.” 

Rosemary Holliday, Managing Partner at Holliday 

& Associates, stated, “We have been partners 

with Panacea for many years and are thrilled to 

formally combine our two companies. With this step, 

our clients will benefit greatly as we integrate to 

become one of the industry’s most comprehensive 

providers of revenue cycle software solutions.” 

“First Healthcare Compliance clients will benefit 

from the wide array of coding compliance and 

revenue cycle software solutions that Panacea 


offers,” Julie Sheppard, President of First Healthcare 

Compliance, commented. “Our team looks forward 

to continuing to support our amazing clientele 

through expanded product offerings and continued 

investments into our compliance platform.” 

Green Campbell, Vice President at Firmament, stated, 

“Healthcare providers today are overburdened by 

complex coding, pricing, and compliance rules. 

Panacea’s price transparency, strategic pricing, 

coding, and compliance solutions sit at the forefront 

of the most relevant regulations impacting the 

healthcare industry today. We are proud to partner 

with the teams at Panacea, Holliday & Associates, 

and First Healthcare Compliance to support their 

continued growth and investments in cutting edge 

software and tech-enabled services.” 

About Panacea Healthcare Solutions 

Panacea (www.panaceainc.com) provides software 

and tech-enabled services that help healthcare 

organizations improve their revenue cycle, coding, 

and compliance with front-line expertise in midrevenue 

cycle management. In an era where 95% of 

provider revenue is driven by accurate coding and 

defensible yet optimal pricing, clients trust Panacea 

to deliver unparalleled value in strategic pricing, price 

transparency, chargemaster, compliance, and revenue 

cycle solutions. 

About Firmament 

Firmament (www.firmament.com) provides structured 

equity capital solutions to small- and mediumsized 

enterprises. Firmament is a value-added 

partner to entrepreneurs, management teams and 

business owners and curates solutions by deploying 

versatile capital in a user-friendly way. Firmament 

concentrates on and services businesses with 

significant scaling potential in the healthcare, logistics, 

wellness and environmental sectors. With offices 

across the United States and in the United Kingdom, 

Firmament is focused on turning small business into 

COVID-19 Healthcare Compliance 

Updates 

In response to the global outbreak of the novel coronavirus 

disease (COVID-19), the Secretary of Health and Human 

Services declared a public health emergency on January 31, 

2020. Federal agencies have taken action by issuing updates 

and guidance to navigate the crisis. This ebook provides 

healthcare providers with important developments and 

resources that impact federal healthcare laws. 

DOWNLOAD NOW 

14 


COVID-19 Healthcare 

Compliance Toolkit 

Healthcare compliance amidst COVID-19 presents new challenges for 

hospitals and healthcare providers. At top importance is the question 

of how to slow or stop the spread of COVID-19, while ensuring that your 

organization stays compliant. 

Now more than ever, your compliance department needs to have the necessary tools 

to help track, analyze, and respond to compliance challenges. To help navigate the 

process, we’ve gathered our best COVID-19 resources below. If you need further 

assistance, please contact us here. 

VIEW TOOLKIT 


hosted by Catherine Short 

1st Talk Compliance features guest Rachel V. Rose, JD, MBA, principal with Rachel V. Rose – Attorney at Law, 

P.L.L.C., Houston, TX, on the topic of “How New Legislation Impacts Privacy.” The Dobbs Opinion repealed 

fifty years of precedent under Roe. The implications of the Opinion extend beyond women’s reproductive rights 

and impact the privacy rights of all Americans. The purpose of this episode is to explain the key aspects of the 

Dobbs Opinion related to privacy from both the Majority and the Dissent’s perspective, address the current 

legislative initiatives, HHS Guidance, and Executive Orders, as well as appreciate the role HIPAA plays in 

navigating Dobbs. 

Listen weekdays at 

7:30am, 3:30pm, 11:30pm ET 

Check out our Show Page! 

Looking for the latest compliance insights? 

Subscribe to our feed and don’t miss a thing! 

16 


WORD SEARCH 

H U P D U V C Y B E R S E C U R I T Y B 

Y A S P J Q X G W X M B Y E L E I M S G 

U B E C I U U C J R V P W Z V I R B A V 

M C C U S V V S L N O F E L G Z G I N N 

C L N N F B U B I R U C J O B G I I G X 

M A A C L O E C N E I R E P X E N W E G 

M N T V O D F C D W N F D I O S O M B E 

Y O S J V M W X E L L Q U E K A I P G T 

K I M U U F P S M J U P Z A X P T R X A 

T S U A Z U H L N K T D M S R P A I H I 

J S C S O L U T I O N S X C M R M V H C 

W E R O F H B E F A F Y W L E E O A A O 

E F I U E V N S I U N I G R Z C T C X S 

W O C M V N S F C V O C A W L I U Y J S 

P R W X Q E N P A I R W E N T A A M X A 

C P N E N F S V T J T W Q H Z T S A G X 

S R Q I E N G I I F V K L J V I B P I S 

Z K S I R U B L O E D P A G U O S V E B 

L U W C R E W S N N N J K V L N A V E X 

B D J F H S E R A C H T L A E H Z Y Z R 

EXPERIENCE HEALTHCARE COMPLIANCE 

AUTOMATION PROFESSIONAL CIRCUMSTANCES 

CYBERSECURITY BUSINESS RISK 

PRIVACY ASSOCIATE INDEMNIFICATION 

APPRECIATION SOLUTIONS SOFTWARE 


Upcoming and On-Demand Webinars 

Training 

OCT 13, 2022 

DEC 13, 2022 

ON DEMAND 

ON DEMAND 

ON DEMAND 

Preserving and Protecting Assets In Healthcare 

Health Data, A Value Proposition: Legal Risks with 

Innovative Data Sharing Projects 

Automatic Dispensing Cabinets, Patient Care, & the 

Actual Sentence in the RaDonda Vaught Case 

The Dobbs Opinion, the Repealing of Roe, & the Impact on 

the Privacy & Security of Patient Information 

Workplace Civility: What Non-Unionized Employers Need 

to Know to Navigate the NLRA 

Register 

Register 

All Upcoming Webinars 

All On Demand Webinars 

IMPORTANT 

In the interest of your security, login credentials are 

for individual use only and not to be shared. Please 

contact Client Services if you require additional 

manager level users and/or if there has been a change 

in contact information. 

NEW FEATURES! 

Employee Zone/Compliance Detail 

Initial Data - Free text comment field has been added. 

COVID Vaccination Status - Additional fields have 

been added for Second Booster 

COVID Vaccination Status/ COVID Testing - 

Additional fields have been added to assist 

you with tracking COVID vaccination and 

CLIENT 

ALERT 

COVID Testing. Contact Client Services if you have any questions 

or would like to turn COVID alerting off. 

Training Zone - Employee Activated Status has been added to the 

Training Zone landing page view. 

Employee Incident Reporting - This new feature will provide 

the option for Employees to open/create an Incident Report. 

When employee incident reports are created you can review, 

update, track and manage them within the Incident Reporting 

Zone. Contact Client Services if you are interested in adding this 

additional feature to your Incident Reporting Zone. 

Join us on Social Media! 

Contact our Client Services Team with your questions! 

888.54.FIRST or clientservices@1sthcc.com 

18

First Healthcare Compliance CONNECT September 2022

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?