{"id":7370,"date":"2025-11-05T06:39:41","date_gmt":"2025-11-05T12:39:41","guid":{"rendered":"https:\/\/pmaworks.com\/observations\/?p=7370"},"modified":"2025-12-04T06:42:52","modified_gmt":"2025-12-04T12:42:52","slug":"ask-lisa-compliance-201-your-shield-against-bad-risk","status":"publish","type":"post","link":"https:\/\/pmaworks.com\/observations\/ask-lisa-compliance-201-your-shield-against-bad-risk\/","title":{"rendered":"Ask Lisa &#8211; Compliance 201:  Your Shield Against Bad Risk"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-7371 aligncenter\" src=\"https:\/\/pmaworks.com\/observations\/wp-content\/uploads\/2025\/11\/compliance.jpg\" alt=\"compliance in the health care field for chiropractors\" width=\"430\" height=\"290\" \/>As a follow-up to our previous compliance articles, I thought what I\u2019d do this month is put together a FAQ list for my dear readers and call it Compliance 201. Keep reading to learn about upcoming new requirements in the compliance\/cybersecurity world to keep you at least safeguarded when you are hit with a cybersecurity incident. Special thanks and credit go out to ChiroArmour and Dr. Scott Muensterman for his research and his presentation at the Chiropractic Society of Wisconsin Fall Experience last month on some of the content in my FAQ.<\/p>\n<p><strong>Q:<\/strong> What are HIPAA and HITECH?<br \/>\n<strong>A:<\/strong> HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996, which put into place and made into law uniform standards and requirements for the electronic transmission of certain health information. 
HITECH is the acronym for the Health Information Technology for Economic and Clinical Health Act of 2009, a countrywide adoption and standardization of information technology to securely support the sharing of clinical data.<\/p>\n<p><strong>Q:<\/strong> What is cybersecurity?<br \/>\n<strong>A:<\/strong> Cybersecurity is the practice of protecting digital systems, networks, and data from malicious attacks, damage, and unauthorized access.<\/p>\n<p><strong>Q:<\/strong> Is there a checklist available to ensure we are in compliance?<br \/>\n<strong>A:<\/strong> Yes.\u00a0Current and active PM&amp;A clients have access to our HIPAA\/HITECH compliance checklist on the <a href=\"https:\/\/pmamembers.com\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-link-type=\"web\"><span style=\"color: #008080;\">PMA Members Site<\/span><\/a>, and compliance services are included upon request from the client.\u00a0If you are currently inactive or not a client, we can provide you with the checklist for a nominal fee.\u00a0Please keep in mind that your staff are already very busy, so ask yourself who is going to take on ensuring compliance at your office and going through the checklist.\u00a0We can help.<\/p>\n<p><strong>Q:<\/strong> Isn\u2019t it a matter of IF a cyberattack at my office occurs, not WHEN, as you stated above?<br \/>\n<strong>A:<\/strong> On average there are 11 to 12 cyberattacks happening per minute in the US. So in today\u2019s world, yes, it is a matter of when, not if. Research has also found that small businesses are more of a target for an attack than large organizations, mainly because large organizations can put more dollars into security measures.<\/p>\n<p><strong>Q:<\/strong> What do Windows 10 and Windows 11 have to do with compliance?<br \/>\n<strong>A:<\/strong> Windows 10 no longer receives the security patches it used to, effective 10\/25\/2025, so all of your computers must be running Windows 11 at minimum by this time. 
You CAN extend your Windows 10 protection for 1, 2, or 3 years at a significant price, but your software vendor may not honor the extension.<\/p>\n<p><strong>Q:<\/strong> I heard that there is something called an OIG Exclusions report \u2013 what is this, and does it affect me and my practice?<br \/>\n<strong>A:<\/strong> The OIG Exclusions database is a reporting site listing every individual who is prohibited from seeing Medicare\/Medicaid patients due to prosecution for criminal activity, which can include being found guilty of fraud against Medicare\/Medicaid, non-compliance with court-ordered child support payments, and illegal drug convictions. It is and will be a requirement to run a report MONTHLY on every person in your office, including owners and subcontractors, and upon each new hire.<\/p>\n<p>Here\u2019s the link to check names:<span style=\"color: #008080;\">\u00a0<a style=\"color: #008080;\" href=\"https:\/\/exclusions.oig.hhs.gov\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #008080;\">https:\/\/exclusions.oig.hhs.gov\/<\/span><\/a><\/span><br \/>\nIf you don\u2019t see your name, that\u2019s a good thing. Some of you are already running and checking this report due to insurance contract requirements. Save or print and file the results page.<\/p>\n<p><strong>Q:<\/strong> How can I confirm that my practice management program is fully compliant?<br \/>\n<strong>A:<\/strong> The website for verifying compliant healthcare software programs is down as of this writing, so for peace of mind, if you are not 100% certain, call your software company or IT person.<\/p>\n<p><strong>Q:<\/strong> When do changes\/new requirements occur?<br \/>\n<strong>A:<\/strong> As of now, no date has been set by HHS, but if you are doing the above steps and have written policies in place, you should not worry; just watch for future communications. 
You can subscribe to HHS email notifications here: https:\/\/cloud.connect.hhs.gov\/subscriptioncenter<\/p>\n<p><strong>Q:<\/strong> What does Medicare documentation have to do with cybersecurity?<br \/>\n<strong>A:<\/strong> To avoid a documentation audit and a subsequent potential OIG visit for further audits of your compliance with HIPAA and your cybersecurity policies, keep your documentation and billing practices solid per Medicare chiropractic documentation standards, and make sure to securely send your notes to Medicare upon audit (and to any other payer group who requests them) to ensure you are staying HIPAA compliant.<\/p>\n<p><strong>Q:<\/strong> Can my staff be our security officer?<br \/>\n<strong>A:<\/strong> By law, yes, but you as the doctor owner are always ultimately responsible for any attacks or breaches, and for payments to the government, so it is strongly recommended that the doctor owner be the compliance security officer for the business.<\/p>\n<p>That concludes our FAQ for now. I know you\u2019ll have additional questions. 
Feel free to reach out with those; we\u2019ll respond within three calendar days!<\/p>\n<p>Stay Secure,<\/p>\n<p>Lisa<\/p>\n<p>References: <a href=\"https:\/\/chiroarmor.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #008080;\">ChiroArmour<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As a follow-up to our previous compliance articles, I thought what I\u2019d do this month is put together a FAQ list for my dear readers and call it Compliance 201. 
Keep reading to learn about upcoming new requirements in the &hellip; <a href=\"https:\/\/pmaworks.com\/observations\/ask-lisa-compliance-201-your-shield-against-bad-risk\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[702,176,559,64,7],"tags":[404,361,770,771,482,359,377,367,104,772],"class_list":["post-7370","post","type-post","status-publish","format-standard","hentry","category-ask-lisa","category-chiropractic-2","category-medicare","category-medicare-audit","category-chiropractic-reimbursement-insurance","tag-barnett","tag-chiropractic","tag-cyber","tag-cyber-security","tag-goal-driven","tag-marketing","tag-michel","tag-petty","tag-practice-management-2","tag-security"],"_links":{"self":[{"href":"https:\/\/pmaworks.com\/observations\/wp-json\/wp\/v2\/posts\/7370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pmaworks.com\/observations\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pmaworks.com\/observations\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pmaworks.com\/observations\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/pmaworks.com\/observations\/wp-json\/wp\/v2\/comments?post=7370"}],"version-history":[{"count":10,"href":"https:\/\/pmaworks.com\/observations\/wp-json\/wp\/v2\/posts\/7370\/revisions"}],"predecessor-version":[{"id":7387,"href":"https:\/\/pmaworks.com\/observations\/wp-json\/wp\/v2\/posts\/7370\/revisions\/7387"}],"wp:attachment":[{"href":"https:\/\/pmaworks.com\/observations\/wp-json\/wp\/v2\/media?parent=7370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pmaworks.com\/observations\/wp-json\/wp\/v2\/categories?post=7370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pmaworks.com\/observations\/wp-json\/w
p\/v2\/tags?post=7370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}