As a follow-up to our previous compliance articles, I thought what I’d do this month is put together a FAQ list for my dear readers and call it Compliance 201. Keep reading to learn about upcoming new requirements in the compliance/cybersecurity world to keep you at least safe-guarded when you are hit with a cybersecurity incident. Special thanks and credit goes out to ChiroArmour and Dr. Scott Muensterman for his research and presenting at the Chiropractic Society of Wisconsin Fall Experience last month on some of the content in my FAQ.
Q: What is HIPAA and HITECH?
A: HIPAA is the acronym for Health Insurance Portability and Accountability Act of 1996, in which uniform standards and requirements for the electronic transmission of certain health information were put into place and made into law. HITECH is the acronym for Health Information Technology for Economic and Clinical Health Act of 2009, a countrywide adoption and standardization of information technology to securely support the sharing of clinical data.
Q: What is Cybersecurity?
A: Cybersecurity is the practice of protecting digital systems, networks, and data from malicious attacks, damage, and unauthorized access.
Q: Is there a checklist available to ensure we are in compliance?
A: Yes. Current and Active PM&A clients have access to our HIPAA/HITECH compliance checklist, on the PMA Members Site, and compliance services are included upon request from the client. If you are currently inactive or not a client, we can provide you with the checklist for a nominal fee. Please keep in mind your staff are already very busy, so ask yourself who is going to take on ensuring compliance at your office and going through the checklist? We can help.
Q: Isn’t it a matter of IF a cyberattack at my office occurs, not WHEN as you stated above?
A: On average there are 11 to 12 cyberattacks happening per minute in the US. So in today’s world yes, it is a matter of when, not if. And after research, it has been found that small businesses are more of a target for an attack than large organizations mainly because large organizations can put more dollars into security measures.
Q: What does Windows 10 and Windows 11 have to do with compliance?
A: Windows 10 no longer supports the security patches it used to support, effective 10/25/2025, so all of your computers must be operating on Windows 11 at minimum by this time. You CAN extend your Windows 10 protection for 1, 2, or 3 years at a significant price, but your software vendor may not honor the upgrade.
Q: I heard that there is something called an OIG Exclusions report – what is this and does it affect me and my practice?
A: The OIG Exclusions database is a reporting site listing every individual who is prohibited from seeing Medicare/Medicaid patients due to prosecution of a criminal activity, which can include being found guilty of fraud against Medicare/Medicaid, non-compliance of court-ordered child support payments, and illegal drug convictions. It is and will be a requirement to run a report MONTHLY on every person in your office including owners, subcontractors, and upon a new hire.
Here’s the link to check names: https://exclusions.oig.hhs.gov/
If you don’t see your name, that’s a good thing. Some of you are already running and checking this report due to insurance contract requirements. Save or print and file the results page.
Q: How can I confirm if my practice management program is fully compliant?
A: The website for verifying compliant healthcare software programs is down as of this writing, so for peace of mind if you are not 100% certain, call your software company or IT person.
Q: When do changes/new requirements occur?
A: As of now, no date has been set by HHS, but if you are doing the above steps and have written policies in place, you should not worry, but watch for future communications. You can subscribe to HHS email notifications here: https://cloud.connect.hhs.gov/subscriptioncenter
Q: What does Medicare documentation have to do with cybersecurity?
A: To avoid a documentation audit and subsequent potential visit from the OIG to further audits on compliance with HIPAA and your cybersecurity policies, keep your documentation and billing practices solid per Medicare chiropractic documentation standards, and make sure to securely send your notes to Medicare upon audit (and any other payer group who requests) to ensure you are staying HIPAA compliant.
Q: Can my staff be our Security officer?
A: By law, yes, but you as the doctor owner are always ultimately responsible for any attack or breaches, and payments to the government, so it is strongly recommended that the doctor owner be the compliance security officer for the business.
That concludes our FAQ for now. I know you’ll have additional questions. Feel free to reach out with those we’ll respond within three calendar days!
Stay Secure,
Lisa
References: ChiroArmour
With the increase in notes requested from third party payers, more recently Medicare secondary plans, it is good time to review the process once you receive a request.
Dear Chiropractors and Staff:
