Message from the NCMGMA Past President Matt Johnson

Dear Members,

Serving as the NCMGMA President this past year has been a great privilege. Without question, the highest reward has been developing new relationships with so many talented leaders and strengthening relationships with old friends. An organization is only as good as its members, and NCMGMA truly stands out with so many giving individuals that are always generous with their time and knowledge.

It isn’t easy to pull together volunteers to sit on committees, be engaged, and share their talents. We are fortunate to have so many willing to serve as chapter officers, committee chairs and members, and board of director officers. It is a time commitment that can pull you from regular day-to-day responsibilities, and your sacrifice to serve is extraordinary. Thank you for your servant leadership and for being an example for us all.

For those yet to serve on a committee or as a chapter officer, I encourage you to do so. Your ideas will be welcomed, and you will be supported regardless of your experience. This is a wonderful way to learn and give back. Please consider this as you progress as an NCMGMA member.

2022 was filled with accomplishments; too many to name them all. Let me highlight a few of them that stand out.

We had an incredibly successful Spring Conference at the Wilmington Convention Center. As meeting in person returned and gained momentum, we had a strong turnout for the event. Our affiliate members and Alliance sponsors showed up in full force, allowing us to host a fantastic experience for participants. Beyond the talented slate of speakers, the networking and roundtable activities provided many excellent exchanges. The conference closed with solid representation from our Advocacy Committee and our friends from the NC Medical Society.

A first for our organization took place later in the Spring when we held our first-ever Master Class in Winston-Salem. Sandra Jarrett and the Education Committee went to great lengths to put together an incredible two-day event featuring renowned speaker Mary Kelly, who knocked everyone’s socks off. This event was so successful that we decided to do it again in 2023. Registration is open so don’t wait long to enroll, as this event will sell out fast!

The final big event of the year was our Fall Conference, held in Cherokee, NC. The newly renovated convention center at Harrah’s Casino made for the perfect venue to meet. Todd Pittman and the Conference Committee once again outdid themselves with the slate of speakers and activities at this conference. The vendor hall was packed, and lots of fun was had by all. The work for the 2023 conferences started almost immediately after the Fall Conference, so stay tuned for more.

In a time when we have seen the competition for employees at its most significant in recent history, we have leaned on each other for ideas for attracting and retaining talent. The listserv has been an incredible resource for us. Additionally, there may not be a more critical time than now to have an up-to-date Salary Survey as we evaluate our current payroll. We are fortunate to have this tool, as many states do not. Participation is crucial for it to continue and to remain relevant. Thank you to Frank Chitty and that Committee for putting this together, and thank you to all who have supplied data.

I thought I could be brief with this update, but there were just too many accomplishments that needed acknowledging, and I’m sure I’m leaving some out.

Another one that stands out for me was watching the growth of our Student Outreach Committee. John Clement and Lee Katherine Ayerhart led this committee to see a greater increase in student participants than we have had in years! We have also seen a resurgence of the Wilmington Chapter, which is very exciting. I can’t wait to see what’s next for our organization.

None of these achievements would be possible without the sage leadership of our Executive Director, Melissa Klingberg. She is a tireless worker and the glue that keeps us all together. Serving beside her was an honor and privilege.

I’ve had the luxury of seeing some previews of things ahead for 2023. With NCMGMA’s 2022-23 president, you can count on a fantastic year with Chad Ghorley at the helm. Please support him, as so many of you have helped me, as we continue to be the “leaders for tomorrow’s healthcare.”

Respectfully Submitted,

Matt Johnson, MA, MBA
NCMGMA Immediate Past President

Connect with NC’s Practice Administrators

Become an NCMGMA 2023 Alliance Sponsor

The NCMGMA 2023 Alliance sponsorship program delivers high-impact marketing and quality face-time with healthcare management decision-makers. Connect, support and engage with the practice managers of North Carolina!

Registration for the 2023 Alliance program is now open. Find participation details below and on our website, and click the button link to register today! Benefits take effect January 1, 2023!

How Alliance Works

Alliance provides a selection of core benefits that gain you access and exposure to the Active members of NCMGMA: the practice managers and administrators of NC’s healthcare industry. PLUS: you select the level-specific benefits package that best fits your marketing goals and objectives.

Alliance Core Benefits

2023 Alliance core benefits include: Affiliate membership in the NCMGMA; Annual Conference exhibit booth; recognition and link on the website and e-news site, NCMGMA News; NCMGMA News article submission; and access to the medical practice decision-makers in North Carolina.

How to Participate

2023 Alliance sponsorship registration is now open. To sign up today, follow the registration link below. 2023 Alliance benefits will take effect January 1, 2023.


If you have any questions about the 2023 Alliance program, please contact the NCMGMA offices at

How Debt Collection Has Changed

By Robert Hale, MBA, Director of Business Development, Receivables Management Corporation

2022 Alliance sponsor article courtesy of Receivables Management Corporation

  1. Regulation F took effect on November 29, 2021. Regulation F is large and complicated. The document containing the final rule and official interpretation is over 350 pages.
  2. Key Points: debt collectors cannot report a debt to a credit bureau before they contact you. Collection vendors must supply more information in the Notice of Debt.
    • An itemized date can be one of five different dates: the date of the last statement, the charge-off date, the date of the last payment applied to the debt, the date of the transaction that gave rise to the debt, and the judgment date if there is a court judgment on the debt.
    • Validation Information: the collection vendor must supply the consumer with more extensive validation information, including the debt collector’s name and mailing address, the consumer’s full name and mailing address, the account number associated with the debt, the name of the creditor to which the debt is currently owed, the amount of the current debt, and an itemized list of any payments made.
    • Dispute and Information prompts: the debt validation notice must contain a returnable form. The prompt will allow the consumer to check an “I want to dispute the debt because” option. The consumer can then check one of several boxes, for example, “this is not my debt,” or “the amount is wrong,” or “other.”
    • Disclosure of Rights: the debt validation notice must contain information advising the consumer of their right to dispute the debt and request further information.
    • Regulation F clarifies that email and text messages can be used. It also states the consumer can specify what communication channels the collector can use.
    • Limits on communication: Regulation F puts strict limits on how often a collector can contact a debtor. A collector cannot call a debtor more than seven times within seven consecutive days. If a collector speaks to the debtor on the phone, the collector must wait seven days before calling again.
  3. Additional Changes:
    • Starting July 1, 2022, medical debt that has been paid in full will no longer be included on credit reports from Equifax, Experian, and TransUnion. It is the responsibility of the credit agencies to remove the paid-in-full medical debt from the consumer’s credit report. In addition, the credit bureaus are increasing the amount of time before medical debt in collection appears on the debtor’s credit report. Debts will need to be at least one year old before they can be placed on a consumer’s credit report. Beginning in March of 2023, the three credit reporting agencies will no longer include medical debt in collections under $500.00 on credit reports.

In closing, nearly one in ten adults, or about 23 million Americans, owe at least $250 in medical debt.

Article submitted by:
Robert Hale, MBA
Director of Business Development
Receivables Management Corporation
Cell (803)-414-0103
1-800-849-2201 Ext. 135

2022 NCMGMA Fall Conference Wrap Up: Awards, Photos and More

2022 Fall Conference a Success!

We came together last week in Cherokee – September 14-16, 2022 – for our Fall Conference in the brand new event center of Harrah’s Cherokee Casino Resort. Over 100 attendees, speakers, sponsors, and exhibitors enjoyed continuing education from some of healthcare’s finest thought leaders, participated in essential networking events with peers and old friends, honored outstanding industry achievement with our annual awards, and experienced the sold-out exhibit hall full of Alliance sponsor products and services.

Thank you to everyone who pulled away from their busy practices to join us. Thank you to all our speakers and exhibitors for sharing your knowledge and expertise and thank you to our sponsors for your continued support of our organization: we couldn’t do it without you. And, lastly, thank you to our volunteers for leading the organization and keeping us moving in the right direction: your hard work and dedication does not go unnoticed.

Please browse this post to see all that took place last week and to see what’s in store for NCMGMA through the end of 2022 and beyond.

Practice of the Year Award

Goldsboro Pediatrics, P.A.

(L-R) Brandy Yeh and Nola Claiborne of Goldsboro Pediatrics are presented the Practice of the Year Award by Andy Shene of First Citizens Bank.

Each year, NCMGMA and First Citizens Bank recognize a medical group practice that has made a significant contribution to their community, patients and/or staff. For our 9th annual award, we are proud to recognize Goldsboro Pediatrics as our Practice of the Year! The award also includes a $3000 donation to the winner’s foundation of choice. Goldsboro Pediatrics selected Communities Supporting Schools of Wayne County as their designated foundation. Congratulations Goldsboro Pediatrics!

President’s Award

Renee Schneider

2021-22 NCMGMA President Matt Johnson presents the President’s Award to Renee Schneider

The President’s Award is given to an individual of NCMGMA for outstanding service and contribution to the association, its members and medical practice management. This year’s award was presented to Renee Schneider of the North Carolina Medical Group Management Association offices.

Service Awards

Meritorious Service Award and Kim Harrah Becker Volunteer Award

(L-R): Fran Sembert, CMPE, 2022 Meritorious Service Award winner, NCMGMA Executive Director Melissa Klingberg, and Steve Parker, 2022 Kim Harrah Becker Volunteer Award winner.

Congratulations to Fran Sembert, CMPE, our 2022 Meritorious Service Award winner and Steve Parker of Curi, our 2022 Kim Harrah Becker Volunteer Award winner. The Meritorious Service Award is given for outstanding service and contribution to the NCMGMA, its members, and medical practice management; and the Kim Harrah Becker Volunteer Award highlights the true meaning of volunteerism for NCMGMA. Both Fran and Steve are outstanding champions of NCMGMA and our many programs and initiatives and we thank them for their selfless dedication to our organization.

Community Service Project

Snack Packs for MANNA FoodBank

Fall Conference attendees, exhibitors, sponsors and volunteers assemble snack packs for children in need in Western North Carolina.

At the close of the morning educational sessions on Thursday, September 15th, NCMGMA teamed up with MANNA FoodBank to make snack packs for children in need in Western North Carolina. MANNA FoodBank is a private, not-for-profit service organization working to end food insecurity in the 16 counties of Western North Carolina, including the Qualla Boundary. In the end, attendees, exhibitors, sponsors, and NCMGMA staff made over 200 snack packs for MANNA FoodBank. Thank you to everyone who participated in this essential service project!

Event Photo Album

NCMGMA member Sandra Jarrett participates in a self-defense demonstration with speaker Johnathan Frisk during his “Surviving an Active Shooter” general session.

Thank you, again, to all our attendees, sponsors/exhibitors, speakers and volunteers for helping to make the 2022 Annual Conference another successful NCMGMA event!

October Zoom Webinar
Using Your Data to Drive Practice Optimization & Growth
October 6, 2022 | 12pm – 1pm

Join us as we explore the most common barriers to analyzing and optimizing data and how to address these barriers in your practice. Presented by Curi Advisory. Click here to register for this free webinar.

Customer Service Interactive Workshop
Customer Service with Emotional Intelligence

October 25, 2022 | 10am-12pm & 2pm-4pm

Support staff is vital to patient care and every role makes a difference. In this session we explore techniques that promote a compassionate, welcoming, and respectful culture. Click here to register for this workshop.

2023 Master Class
February 23-24, 2023
Graylyn Estate, Winston-Salem, NC

This two-day program is designed to give practice managers a deep dive into professional development in a thoroughly engaging and relaxing setting. Watch for more details coming soon!

Advocacy Days
March 28-29, 2023
Raleigh, NC

Packed full of legislative action and information, Advocacy Days is a great opportunity to hear about the local issues, meet the experts and make your voice heard in Raleigh. Watch for more details coming soon!

2023 NCMGMA Annual Conference
May 17-19, 2023
Marriott Charleston
Charleston, SC

Join us in the heart of downtown Charleston as we go to the Marriott Charleston for our 2023 Annual Conference! Watch for more details coming soon!

October 6th Webinar: Using Your Data to Drive Practice Optimization & Growth

Presented by Curi Advisory

October 6, 2022 | 12:00 PM – 1:00 PM

Practice leaders face a number of barriers when it comes to effectively tracking, analyzing, and leveraging their own data to make meaningful improvements for their businesses, their staff, and their patients. This presentation will explore the most common barriers and how to address them in your practice. With a deeper understanding of opportunities to maximize your data (and some tools to help along the way), practice leaders will uncover new ways to drive patient volume, increase margin per patient, and optimize the overall performance of your practice.

Webinar Speaker

Richelle Cox
Curi Advisory

Richelle Cox is a Principal with Curi Advisory, Curi’s business unit focused on delivering data-driven business solutions and consulting services that help practices protect, optimize, and grow. She is an experienced executive with a demonstrated history working in both the healthcare practice operations space and the information services industry. Prior to Curi, Richelle served as the Chief Operating Officer for Arrowlytics, a practice analytics tool that is now part of Curi Advisory and helps practices pull their data from various sources into a single platform for total practice insight.


Registration is complimentary for NCMGMA members and non-members. To register please click the link below and follow the instructions. After registering, you will receive a confirmation email containing information about joining the meeting.


If you have any questions, please contact the NCMGMA offices at

5 Types of Payment Fraud Business Owners Should Know

2022 Alliance sponsor feature article courtesy of First Citizens Bank

Payment fraud is a complex threat—one that can come from inside and outside your small business. To avoid the significant impact fraud can have on your business’s health and viability, vigilance is key. A single instance of fraud can result in the loss of thousands of dollars—not to mention a degree of trust in your company by employees and customers.

Staying vigilant starts with educating yourself on what threats to look out for. Here are five common forms of payment fraud that business owners should know about, as well as some tips to help you protect your business against them.

1. Business credit card fraud
If you issue business credit cards, you need to ensure every employee takes necessary precautions to appropriately protect and use them. The key is to set strict policies about what does and doesn’t qualify as an approved charge.

Review business credit card statements as soon as they arrive. If you notice a charge that looks suspicious, check with the employee to see if there was a mistake on their part. If you believe the card was compromised, contact your bank as soon as possible to dispute the charges and close the account. The longer the card remains valid, the greater your risk will be of accruing additional fraudulent charges.

2. Wire fraud
Another common type of fraud is illegal wire transfers. Criminals try to trick individuals into authorizing a wire transfer from a small-business bank account. They may pose as a customer or vendor to gather information that can help them gain access. Once they identify who can authorize a transfer, they’ll send an email that looks like a legitimate request for funds. Wired funds are settled immediately, which means it can be difficult to recover them after you detect fraud.

Protect your business by verifying any payment requests from a vendor or customer that look unusual. Call the number you have on file rather than using any contact information included with the request. Also, limit the number of employees who have authority to approve or send wire transfers from your account.

3. ACH fraud
Small businesses often use automated clearing house, or ACH, transfers. These can be a convenient way to pay bills and direct deposit an employee’s salary. Unfortunately, they also can open up opportunities for ACH fraud. Hackers may try to obtain your banking information, often through an email phishing scam, and then use it to initiate payments online or over the phone.

To combat this type of fraud, have a special account used for issuing ACH transactions. Get to know your vendors and watch for any activity that seems unusual. Also, set limits on ACH transfer amounts, and review your accounts daily to identify potential fraud immediately.

4. Forgery
Many of today’s transactions are digital, but forgery can still happen. With this type of fraud, someone obtains a company check, makes it out to themselves or an accomplice, and forges the authorized signature. Companies often spot this type of fraud when a check that wasn’t recorded in the accounting system is cashed.

Prevent forgery by keeping checks in a secure place that is accessible only to authorized individuals. Also, match payees to bank statements to discover any suspicious activity.

5. Invoice fraud
Finally, invoice fraud is another common scheme that can happen to small business owners. Criminals send false invoices that, at first look, appear to be legitimate charges from vendors for products or services. The hope is that the invoice will be paid without being questioned.

Protect yourself against this type of fraud by cross-referencing invoices with purchase orders and contracts. You can also request that the vendor provide the name of the authorizing agent from your business. Also, be leery of anyone who asks for quick payment outside of your standard invoice terms.

Stay alert
Criminals often target successful small businesses because their owners are juggling several responsibilities and may overlook the charge. You work hard to earn your money and you should keep it. You can help protect your business from fraud by paying close attention to all financial transactions. Implementing strong fraud detection solutions can also go a long way toward helping you stay vigilant against these threats.

5 Best Practices for Keeping Your Patient’s Medical Data Safe

2022 Alliance sponsor feature article courtesy of TowneBank

Medical identity theft has more than tripled over the past five years, as hackers and cyber-criminals target the healthcare industry at alarming rates. So why are medical records so valuable to data thieves? Personal medical data is said to be more than ten times as valuable as credit card information. Just one patient record contains an enormous amount of identity information that hackers can exploit, including:

  • Full name
  • Birth date
  • Social Security number
  • Medicare number
  • Email
  • Phone numbers
  • Home address
  • Prescription information
  • Driver’s license
  • Payment information such as credit card or bank account numbers

This data is incredibly valuable on the black market: just one Medicare number is said to sell for nearly $500. Keeping this patient information safe from cyber-thieves must be a top priority for hospitals, healthcare organizations, and medical offices. The threat of a data breach not only puts an organization or medical practice at risk for a hefty fine or HIPAA violation, but it also threatens the core of the business because it damages patient trust.

The following are five steps to keeping your patients’ medical data safe:

1) Education
Educating your staff may be the best line of defense against data theft. Ensure your employees are informed on privacy policies, security measures, how data breaches occur and how to prevent them. Build staff awareness of medical identity theft and how to keep patient data secure.

2) Mobile devices
Patient data may often be stored on mobile devices. Protecting devices such as laptops, smartphones, and tablets with encryption and passwords is another way to avoid a potential data breach. Also, it is important to ensure employees never leave their mobile devices unattended.

3) Email
Many data breach attempts occur through unsolicited emails, a technique called “phishing.” Be sure to instruct staff not to open any unfamiliar emails and never to open attachments or links from an unknown sender.

4) Antivirus
Be sure to keep all software and antivirus programs regularly up to date.

5) Secure your network server and wireless networks
To prevent attacks, practices should make sure their network passwords are secure and changed frequently. Ensure routers and other components are kept up to date. Set up firewalls and antivirus for all devices that connect to the internet. Lock down your network server so that it is difficult to physically remove it from your office and lock up any backup or storage devices.

Common mistakes:

  • Employees sharing workstations or user IDs
  • Leaving screens or workstations unsecured
  • Sending patient medical information via unsecured email
  • Using unsecured laptops, tablets, and smartphones
  • Sending patient medical information through text messaging
  • Speaking about private patient medical information to friends, family, patients, or other medical offices.
  • Failure to obtain the proper release/consent form to release patient medical data.

While there is not one sure way to prevent all data breaches, these best practices will go a long way in keeping your patient data safe and secure from potential theft.

Learn more and access more insights and perspectives through the TowneBank Business Resource Center.

The information provided is not intended to be legal, tax, or financial advice or recommendations for any specific individual, business, or circumstance. TowneBank cannot guarantee that it is accurate, up to date, or appropriate for your situation. Financial calculators are provided for illustrative purposes only. You are encouraged to consult with a qualified attorney or financial advisor to understand how the law applies to your particular circumstances or for financial information specific to your personal or business situation.

Changes Are Coming to the HIPAA Privacy Rule: Are You Prepared?

By Laura M. Cascella, MA, CPHRM

2022 Alliance sponsor article provided courtesy of MedPro Group

With a turn of the calendar year, 2022 will likely usher in the most significant changes to the HIPAA Privacy Rule in almost a decade. These changes will come on the heels of several years of information-gathering, proposals, and public comments, which kicked off December 2018 when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a request for information on HIPAA rules. HHS subsequently released and published the Notice of Proposed Rulemaking (NPRM) in December 2020 and January 2021, respectively. A public comment period on the NPRM followed, which concluded May 6, 2021.1

The proposed changes to the HIPAA Privacy Rule are targeted at helping fulfill HHS’ Regulatory Sprint to Coordinated Care by breaking down barriers to care coordination, information-sharing, and interoperability (in alignment with the 21st Century Cures Act and the HITECH Act); supporting value-based care; enhancing patient engagement and right of access; and reducing unnecessary administrative and regulatory burdens.2

Some of the significant provisions of the Proposed Rule include introducing and modifying key definitions, strengthening patients’ rights to access their information, supporting information sharing and care coordination, allowing broader disclosures, and modifying policies and information associated with the Notice of Privacy Practices (NPP).

Key Definitions

As part of the Proposed Rule, HHS seeks to add definitions for two key terms — electronic health record (EHR) and personal health application (PHA). Neither of these terms currently is defined in the HIPAA Privacy Rule, although the HITECH Act does include a definition of EHR.

The Proposed Rule seeks to expand on and clarify the HITECH definition, defining EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”3

Likewise, the Proposed Rule aims to build on HITECH’s definition of personal health record by defining PHA as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual . . .”4

The addition of both of these definitions, EHR and PHA, to the Privacy Rule is intended to address the gap in current regulatory definitions as well as clarify and support individuals’ right of access related to electronic protected health information (ePHI).5

The Proposed Rule also addresses confusion regarding the term “healthcare operations.” The current Privacy Rule permits uses and disclosures of PHI for treatment, payment, and healthcare operations without patient authorization. The definitions of treatment and healthcare operations overlap to some extent in terms of the type of activity and who is performing it — for example, case management activities performed by a healthcare provider (treatment) vs. a health plan (healthcare operations). However, the definition of healthcare operations specifically mentions population-based activities but not individual-level care. Thus, HHS proposes to clarify that healthcare operations includes both individual-level and population-based care coordination and case management activities.6

Right of Access

A predominant focus in healthcare legislation and reform is giving patients more access to and control over their health information. The proposed changes to the HIPAA Privacy Rule reflect this goal and aim to enhance patients’ right of access through various provisions, including:

  • Strengthening patients’ right to inspect their PHI in person. The Proposed Rule would allow patients to take notes and use personal resources (e.g., smartphones) to capture images of their PHI, as long as it does not pose unacceptable security risks. However, providers are not required to let patients connect personal devices to their information systems.
  • Condensing the current timeline to respond to requests for PHI. Providers currently have 30 days to respond to patients’ requests for PHI, with an optional 30-day extension. The Proposed Rule seeks to shorten the timeframe to 15 days with an optional 15-day extension.
  • Clarifying patients’ right to receive their PHI in the form and format requested, if it is readily producible. Under the Proposed Rule, “readily producible” copies of PHI would include ePHI requested through secure, standards-based application programming interfaces (APIs), using applications chosen by individuals. Providers also would be required to provide copies of PHI in any form and format required by applicable state and other laws.
  • Easing identity verification requirements. Although verifying individuals’ identities is a crucial step when responding to requests for PHI, unreasonable or onerous identity verification requirements can create barriers to patients’ right of access. The Proposed Rule would prohibit covered entities from imposing unreasonable verification measures, such as requiring a notarized signature or showing proof of identification in person (when another credible, more convenient method is available).
  • Providing more information about fees associated with obtaining PHI. The Proposed Rule specifies when PHI must be provided free of charge (e.g., during in-person viewing) and amends fees related to responding to requests to send PHI to third-parties. Providers also would be required to (a) post estimated fee schedules on their websites, (b) offer individualized fee estimates, and (c) provide itemized bills for completed requests.7

Information Sharing and Care Coordination

Certain aspects of the current HIPAA Privacy Rule can be construed as restrictive or limiting the ability of providers to share information in the pursuit of comprehensive, coordinated care for patients. The Proposed Rule seeks to address this issue and break down some of the barriers to information sharing.

As noted earlier, the more detailed definition of healthcare operations facilitates the sharing of individual patient data to support individual-level care coordination and case management. The Proposed Rule also establishes a pathway for patients to direct sharing of ePHI among providers and health plans by allowing patients to request that a provider or health plan submit an access request for PHI in an EHR to another healthcare provider.8 The provider or health plan (the “requester-recipient”) would facilitate requesting the information from the other provider (the “discloser”) and receive an electronic copy of the PHI.

The proposed changes also modify the rules related to “minimum necessary standard.” Under the current Privacy Rule, covered entities must use, disclose, or request only the minimum PHI that is required to accomplish the task at hand. The Proposed Rule makes an exception to the minimum necessary standard for use by, disclosure to, or requests from a covered entity for care coordination and case management.

The Proposed Rule also permits covered entities to disclose PHI to third-party organizations that provide health-related services for the purposes of individual-level care coordination and case management (for treatment or healthcare operations). Examples of such third parties include social service agencies, community-based organizations, home-based and community-based service providers, and other similar organizations. HHS notes that, in some cases, these organizations might not be subject to HIPAA.

Expanded Disclosures

In addition to supporting measures that facilitate sharing information and coordinating care, the Proposed Rule also aims to increase flexibility around the disclosure of PHI to an individual’s family members or other caregivers who are trying to assist the individual with a serious condition or emergency situation. Examples of such conditions and situations include substance use disorders, serious mental illnesses, incapacitation, and health-related emergencies.

To do this, HHS proposes replacing the “exercise of professional judgment” standard with a “good faith belief” standard, which would permit certain uses and disclosures of PHI if they are in the best interests of individuals. HHS also notes that the exercise of professional judgment standard implies disclosure by a licensed healthcare provider, while the good faith belief standard “may be exercised by other workforce members who are trained on the covered entity’s HIPAA policies and procedures and who are acting within the scope of their authority.”9

Five areas of the Privacy Rule would be amended based on this proposal. Those areas relate to disclosing information (1) to parents, guardians, or others acting in loco parentis; (2) for facility directories; (3) when the individual is present; (4) when the individual is not present due to incapacitation or an emergency; and (5) in relation to verification requirements.10

HHS also proposes to increase flexibility in relation to disclosing PHI to family, friends, and caregivers for the purposes of avoiding harm. The current Privacy Rule allows a covered entity to disclose PHI when a threat to health and safety is “serious and imminent.” HHS acknowledges that determining with certainty whether a threat is imminent may be impossible; thus, the Proposed Rule would permit disclosure of PHI when the threat to health and safety is “serious and reasonably foreseeable.” The proposed change would include a definition of “reasonably foreseeable” to help guide decision-making about disclosure.

Notice of Privacy Practices

To help eliminate an administrative burden of the current HIPAA Privacy Rule, the Proposed Rule eliminates the requirement for direct healthcare providers to obtain — or to document their good faith efforts to obtain — patients’ written acknowledgment of receipt of the providers’ NPP. However, to ensure that patients are able to understand and act on information in the NPP, they would have the right to discuss the NPP with a person whom the healthcare provider designates.

Further, HHS proposes modifying the header of the NPP to specify that the notice provides individuals with information about how to access their information, how to file a HIPAA complaint, and their right to receive a copy of the notice. The NPP header also would need to include a phone number and email address for the designated contact person.11

Next Steps

Although the changes detailed in this article are still proposed and not final, healthcare providers (and other covered entities) should be aware of them and their potential implications. These changes will require providers to update their policies, procedures, NPP, authorization and disclosure materials, and contracts.12 Further, the significance and breadth of these modifications will necessitate retraining staff on the HIPAA Privacy Rule.

The proposed changes will become effective 60 days after the Final Rule is published, and providers will have 180 days following the effective date to comply. With less than a year to implement these modifications, taking a proactive approach before the Proposed Rule is finalized can help providers prepare for the changes and identify any issues with current or future processes that could hinder implementation or compliance.

The following strategies may prove helpful:

  • Make sure your current policies and procedures for the HIPAA Privacy, Security, and Breach Notification Rules are complete and up to date. Doing so will make implementing the proposed changes more straightforward and help avoid confusion.
  • Review your current processes related to patients’ requests to inspect and obtain copies of their PHI to determine how well they work and what will need to change based on the Proposed Rule.
  • Be aware of any state laws related to the release or disclosure of PHI. HHS notes that the Privacy Rule does not preempt other law that is more protective of individuals’ privacy.
  • Make sure your identity verification process to access PHI does not impose unreasonable measures on patients, such as requiring a notarized authorization or other burdensome requirements.
  • Consider how the shortened timeframe to respond to patients’ requests for PHI (from 30 days to 15 days) will affect workflow processes. Review your current process and ability to comply with the 30-day timeframe to identify potential obstacles for future compliance.
  • Review your current forms, materials, and contracts affected by the Privacy Rule to consider what changes will need to be made and the best way to approach those changes. Consider also what updates you will need to make to your website information.
  • Begin to educate staff members about the changes in the Proposed Rule, and include them in planning efforts and discussions about new processes and workflows.13

More Information

For more complete information and details about all of the proposed changes to the HIPAA Privacy Rule, see the Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement published in the Federal Register on January 21, 2021.


1 Linna, A., & Ishee, J. (2021, October 14). Preparing for major HIPAA changes in 2022 [Webinar]. McGuireWoods. Retrieved from; Sheppard Mullin Richter & Hampton LLP. (2021, May 24). HIPAA Privacy Rule modification – removing barriers and promoting coordinated care at what cost? SheppardMullin Healthcare Law Blog. Retrieved from
2 Ibid; Hales, M. (2021, June 1). HIPAA changes ahead. The HIPAA E-Tool. Retrieved from; Allen, A. L. (2021, August 16). HIPAA at 25 remains a work in progress. The Regulatory Review. Retrieved from
3 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (Jan. 21, 2021) (to be codified at 45 CFR pts. 160 & 164).
4 Ibid.
5 Ibid; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
6 Linna, et al., Preparing for major HIPAA changes in 2022; Hales, HIPAA changes ahead; Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
7 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Hales, HIPAA changes ahead; Compliancy Group. (n.d.). Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS. Retrieved from
8 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Compliancy Group, Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS.
9 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
10 Ibid; Linna, et al., Preparing for major HIPAA changes in 2022.
11 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
12 Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
13 Hales, HIPAA changes ahead; Linna, et al., Preparing for major HIPAA changes in 2022.

The Best Way to Prevent an OSHA Inspection

By Debra Gordick, Mediator/Government Liaison, Total Medical Compliance

2022 Alliance sponsor feature article courtesy of Total Medical Compliance

Most OSHA inspections in healthcare practices are brought about by employee complaints. You may think that disgruntled ex-employees are doing the reporting. That does happen frequently, but OSHA is aware of these kinds of retaliatory complaints and weighs that factor into their determination on whether to send you a letter or to show up for an inspection. However, OSHA will always give its attention to a current employee making the complaint. You may be surprised to learn that it is most often your best employee who makes the complaint that leads to an inspection.

Why would your good employees “stab you in the back” like that? Usually, it is because of one of these reasons:

  • The employee raised concerns to you but feels ignored and frustrated.
  • You have, perhaps unknowingly, created a closed-door atmosphere that discourages employees from raising concerns and offering recommendations.

What can you do to change this dynamic? Have a written policy on employee complaints and recommendations in your employee training manuals. Create an open-door culture in your practice. Let employees know this is important to you. Ensure that the policy aligns with any Human Resource policies you have with your company. Make sure you give everyone a copy, including managers. Let them know it is important to you.

Most managers are uncomfortable with handling complaints, and this causes avoidance. Here are some recommendations gathered from consulting human resources professionals including a very good article at

  1. Ask for something in writing.
  2. Listen fully to the complaint, even if it seems like a frivolous issue.
  3. Show respect. Don’t belittle their complaint, question their veracity, or do anything to make them feel like you don’t take the issue seriously.
  4. Ask lots of questions.
    • Who – Who is this situation about? Who was involved? Who witnessed it?
    • What – What happened? What else was happening at the time of the incident? What caused the incident? What proof can be provided?
    • When – When did the incident take place? When else could this have happened?
    • Where – Where did this incident take place? Where else could this have happened? Where exactly were employees at the time of the incident?
    • Why – Why did it happen? Why did the employee come forward with this complaint? Why do they think the incident happened?
    • How – How are they feeling after this incident? How has this incident affected others? How can you help them? How can this problem be rectified?
  5. Assure the individual that you will investigate and then take appropriate action as quickly as possible.
  6. Take the appropriate action regarding the complaint. The action should be as quick as possible so there won’t be any future issues. If you need advice, consult a professional, such as your human resources contact or your OSHA consultant, depending on the issue.
  7. Set a timeframe for communicating and notify all involved parties of any delays.
  8. Refrain from quick disciplinary action against the complaining employee or any person they’re complaining about. Take the time to find out what happened before you take any action.
  9. Inform the complainant about resolution status but avoid details about other employees.
  10. If the complaint was unfounded, turn the situation into a training opportunity.
  11. Look for patterns of the same complaint from the same person or other employees. You may see another issue that needs to be addressed.
  12. Document. Document. Document.

What NOT to Do When an Employee Complains:

  • Make jokes.
  • Allow distractions. Instead, turn off your phone and close your office door.
  • Make the complaint public.
  • Punish the complainant in ANY way. There are very stringent laws on protecting whistleblowers.

The very best thing you can do to prevent an OSHA inspection is to show your employees respect and listen to their concerns.

Visit for more information and a free quote.

Debra Gordick is the mediator/government liaison for Total Medical Compliance. TMC is a private consulting company providing affordable programs and seminars for health care providers, allowing them to achieve and maintain compliance with government regulations such as HIPAA, OSHA and infection control. TMC services include on-site employee training, customized compliance manuals, office inspections, and ongoing client support through monthly newsletters and a fully staffed Client Service Center. For additional information call 888-862-6742 or email

No Cost Workshops to Help You be Financially and Professionally Savvy

Summit Credit Union is Here to Help You

2022 Alliance sponsor feature article courtesy of Summit Credit Union

It is never too late to change your financial health and overall wellbeing. As a partnership benefit of Summit Credit Union, we offer no-cost virtual and in-person workshops to our members and non-members. Below are some of our workshops to help you be financially and professionally savvy.

  • Fraud and Identity Theft: We may all be targets, but we do not have to be victims. Find out what schemes crooks are currently using to try and steal your money. Learn how to protect yourself from fraud attempts.
  • Understanding Your Credit Score: Discover how credit scores are determined, how to raise your credit score, and how to avoid common mistakes that lower your score. It’s not always common sense.
  • Diversity and Inclusion in the Workspace: What is diversity and inclusion? Learn how to encourage inclusive actions and behaviors in the workplace. Explore why it makes good business sense to incorporate a diversity and inclusion strategic plan of action, and how it can impact growth and revenue for your company.

Our workshops typically run 45-60 minutes, but can be divided into two parts for shorter sessions. Most can be presented in a Lunch ‘n Learn format, either in-person or online. Visit or contact your Regional Partnership Manager at for more information or to schedule an on-site or virtual workshop for your team.

About Summit Credit Union

Summit Credit Union was established in 1935 and is a full-service not-for-profit financial cooperative, providing services to employees at over 300 companies throughout North Carolina. It has about 37,000 members and approximately $338 million in assets. Summit Credit Union offers a full portfolio of personal financial products, including checking accounts, debit cards, credit cards, online banking, direct deposit, mobile app, ATMs, and more.

For more information, visit and follow us on Facebook, Instagram, Twitter, and LinkedIn.