The Best Way to Prevent an OSHA Inspection

By Debra Gordick, Mediator/Government Liaison, Total Medical Compliance

2022 Alliance sponsor feature article courtesy of Total Medical Compliance

Most OSHA inspections in healthcare practices are brought about by employee complaints. You may think that disgruntled ex-employees are doing the reporting. That does happen frequently, but OSHA is aware of these kinds of retaliatory complaints and weighs that factor into their determination on whether to send you a letter or to show up for an inspection. However, OSHA will always give its attention to a current employee making the complaint. You may be surprised to learn that it is most often your best employee who makes the complaint that leads to an inspection.

Why would your good employees “stab you in the back” like that? Usually, it is because of one of these reasons:

  • The employee raised concerns to you but feels ignored and frustrated.
  • You have, perhaps unknowingly, created a closed-door atmosphere that discourages employees from raising concerns and offering recommendations.

What can you do to change this dynamic? Have a written policy on employee complaints and recommendations in your employee training manuals. Create an open-door culture in your practice. Ensure that the policy aligns with any Human Resources policies your company has. Make sure you give everyone a copy, including managers. Let them know it is important to you.

Most managers are uncomfortable with handling complaints, and this causes avoidance. Here are some recommendations gathered from consulting human resources professionals, including a very good article at https://toughnickel.com/business/How-to-Address-Employee-Complaints.

  1. Ask for something in writing.
  2. Listen fully to the complaint, even if it seems like a frivolous issue.
  3. Show respect. Don’t belittle their complaint, question their veracity, or do anything to make them feel like you don’t take the issue seriously.
  4. Ask lots of questions.
    • Who – Who is this situation about? Who was involved? Who witnessed it?
    • What – What happened? What else was happening at the time of the incident? What caused the incident? What proof can be provided?
    • When – When did the incident take place? When else could this have happened?
    • Where – Where did this incident take place? Where else could this have happened? Where exactly were employees at the time of the incident?
    • Why – Why did it happen? Why did the employee come forward with this complaint? Why do they think the incident happened?
    • How – How are they feeling after this incident? How has this incident affected others? How can you help them? How can this problem be rectified?
  5. Assure the individual that you will investigate and then take appropriate action as quickly as possible.
  6. Take the appropriate action regarding the complaint. The action should be as quick as possible so there won’t be any future issues. If you need advice, consult a professional, such as your human resources contact or your OSHA consultant, depending on the issue.
  7. Set a timeframe for communicating and notify all involved parties of any delays.
  8. Refrain from quick disciplinary action against the complaining employee or any person they’re complaining about. Take the time to find out what happened before you take any action.
  9. Inform the complainant about resolution status but avoid details about other employees.
  10. If the complaint was unfounded, turn the situation into a training opportunity.
  11. Look for patterns of the same complaint from the same person or other employees. You may see another issue that needs to be addressed.
  12. Document. Document. Document.

What NOT to Do When an Employee Complains:

  • Make jokes.
  • Allow distractions. Instead, turn off your phone and close your office door.
  • Make the complaint public.
  • Punish the complainant in ANY way. There are very stringent laws on protecting whistleblowers.

The very best thing you can do to prevent an OSHA inspection is to show your employees respect and listen to their concerns.

Visit https://totalmedicalcompliance.com/ for more information and a free quote.

Debra Gordick is the mediator/government liaison for Total Medical Compliance. TMC is a private consulting company providing affordable programs and seminars for health care providers, allowing them to achieve and maintain compliance with government regulations such as HIPAA, OSHA and infection control. TMC services include on-site employee training, customized compliance manuals, office inspections, and ongoing client support through monthly newsletters and a fully staffed Client Service Center. For additional information call 888-862-6742 or email service@totalmedicalcompliance.com.

Will the GDPR Affect your Practice?

By Debra Gordick, Total Medical Compliance

2019 Alliance feature article courtesy of Total Medical Compliance (TMC)

What is the GDPR? The General Data Protection Regulation (GDPR) is a set of laws passed by the European Union in May 2018 to provide rules for protecting electronic data on individuals in the European Union (EU). These regulations impose security restrictions in Europe similar to those HIPAA imposes in the USA. One of the biggest differences is that the information being protected is all private data, not just health information. The GDPR also targets the information held by companies that track consumers’ internet history for the purpose of marketing products and services.

Why should laws passed in Europe matter to US companies? The GDPR is enforceable against any company that falls within the rules, whether it is European or not. Additionally, other countries in Europe, Asia and Africa are starting to adopt the GDPR. This raises two questions:

  • What would make you subject to the GDPR?
  • Will the US adopt the same or similar laws as the GDPR?

1. What would make you subject to the GDPR?

Contrary to what the salespeople are telling you, it is unlikely that you will be covered under the GDPR. The official website of the European Union (EU) states that the GDPR does not apply to your business if: “Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”

The National Law Review here in the US says that the GDPR will apply to US healthcare only in the following circumstances:

  • A part of your business is physically located within the EU.
  • Your business offers goods or services (even if for free) to individuals in the EU. The offering of goods or services is more than mere access to a website or an email address. It includes, for example, marketing activities intended to recruit individuals in the EU to be patients at a hospital in the United States.
  • You electronically monitor the behavior of individuals in the EU. This includes monitoring patients after they return to the EU, for example, as part of post-discharge patient engagement to prevent hospital readmission.

Are US healthcare practices subject to GDPR if a European citizen seeks treatment there while traveling or studying in the US? No, protected health information is not Personal Data under the GDPR merely because it concerns an EU citizen. Instead, the data must concern an individual located in a country covered by the GDPR. The data collected from an EU citizen at a location in the United States will be subject to US law unless the data was solicited from an individual while the individual was physically located in the EU or the organization continues to monitor the EU citizen after the citizen returns to the EU, such as part of post-discharge patient engagement programs.

Would a US practice be subject to GDPR if it transmits patient records to a healthcare provider in Europe for a patient seeking treatment here? Again, no. Practices here must follow US law, but the EU health care provider must protect the individual’s privacy in accordance with GDPR while the individual is in the EU.

Is a US practice subject to GDPR if it does not intentionally market to the EU but an EU resident visits its website? No. Here is a good example from the GDPR website in the EU. A man in Paris went on the website for a pizza delivery service in Miami in order to purchase a pizza for a friend who lives in Miami. The Miami restaurant obviously doesn’t deliberately market its services and products in Europe. This would be considered incidental and not deliberate. Thus, the pizza place does not fall under the jurisdiction of the GDPR.

To read the full National Law Review article: https://www.natlawreview.com/article/does-gdpr-regulate-clinical-care-delivery-us-health-care-providers

2. Will the US adopt the same or similar laws as the GDPR?

This is a topic of much debate here in the US. The general belief among the more credible sources is that America has already passed and will continue to pass laws to protect individuals’ private information. It is unlikely that those laws will be the same as the GDPR. The political and business culture in the US is very different from most of the world.

About the Author/TMC

Debra Gordick is the Mediator/Government Liaison for Total Medical Compliance. TMC is a private consulting company providing affordable programs and seminars for health care providers, allowing them to achieve and maintain compliance with government regulations such as HIPAA, OSHA and Infection Control. TMC services include on-site employee training, customized compliance manuals, office inspections, and ongoing client support through monthly newsletters and a fully staffed Call Center. Information on seminar schedules and products can be found on the TMC web site, http://www.TotalMedicalCompliance.com. For additional information call 888-862-6742 or email Service@totalmedicalcompliance.com.