The Best Way to Prevent an OSHA Inspection

By Debra Gordick, Mediator/Government Liaison, Total Medical Compliance

2022 Alliance sponsor feature article courtesy of Total Medical Compliance

Most OSHA inspections in healthcare practices are brought about by employee complaints. You may think that disgruntled ex-employees are doing the reporting. That does happen frequently, but OSHA is aware of these kinds of retaliatory complaints and weighs that factor into their determination on whether to send you a letter or to show up for an inspection. However, OSHA will always give its attention to a current employee making the complaint. You may be surprised to learn that it is most often your best employee who makes the complaint that leads to an inspection.

Why would your good employees “stab you in the back” like that? Usually, it is because of one of these reasons:

  • The employee raised concerns to you but feels ignored and frustrated.
  • You have, perhaps unknowingly, created a closed-door atmosphere that discourages employees from raising concerns and offering recommendations.

What can you do to change this dynamic? Have a written policy on employee complaints and recommendations in your employee training manuals. Create an open-door culture in your practice, and let employees know this is important to you. Ensure that the policy aligns with any Human Resource policies your company has. Make sure you give everyone a copy, including managers.

Most managers are uncomfortable with handling complaints, and this causes avoidance. Here are some recommendations gathered from consulting human resources professionals including a very good article at

  1. Ask for something in writing.
  2. Listen fully to the complaint, even if it seems like a frivolous issue.
  3. Show respect. Don’t belittle their complaint, question their veracity, or do anything to make them feel like you don’t take the issue seriously.
  4. Ask lots of questions.
    • Who – Who is this situation about? Who was involved? Who witnessed it?
    • What – What happened? What else was happening at the time of the incident? What caused the incident? What proof can be provided?
    • When – When did the incident take place? When else could this have happened?
    • Where – Where did this incident take place? Where else could this have happened? Where exactly were employees at the time of the incident?
    • Why – Why did it happen? Why did the employee come forward with this complaint? Why do they think the incident happened?
    • How – How are they feeling after this incident? How has this incident affected others? How can you help them? How can this problem be rectified?
  5. Assure the individual that you will investigate and then take appropriate action as quickly as possible.
  6. Take the appropriate action regarding the complaint. Act as quickly as possible so there won’t be any future issues. Depending on the issue, consult a professional if you need advice, such as your human resources contact or your OSHA consultant.
  7. Set a timeframe for communicating and notify all involved parties of any delays.
  8. Refrain from quick disciplinary action against the complaining employee or any person they’re complaining about. Take the time to find out what happened before you take any action.
  9. Inform the complainant about resolution status but avoid details about other employees.
  10. If the complaint was unfounded, turn the situation into a training opportunity.
  11. Look for patterns of the same complaint from the same person or other employees. You may see another issue that needs to be addressed.
  12. Document. Document. Document.

What NOT to Do When an Employee Complains:

  • Make jokes.
  • Allow distractions. Instead, turn off your phone and close your office door.
  • Make the complaint public.
  • Punish the complainant in ANY way. There are very stringent laws on protecting whistleblowers.

The very best thing you can do to prevent an OSHA inspection is to show your employees respect and listen to their concerns.

Visit for more information and a free quote.

Debra Gordick is the mediator/government liaison for Total Medical Compliance. TMC is a private consulting company providing affordable programs and seminars for health care providers, allowing them to achieve and maintain compliance with government regulations such as HIPAA, OSHA and infection control. TMC services include on-site employee training, customized compliance manuals, office inspections, and ongoing client support through monthly newsletters and a fully staffed Client Service Center. For additional information call 888-862-6742 or email

The HIPAA Privacy Rule’s Right of Access

2020 Alliance sponsor feature article courtesy of Total Medical Compliance

One of the key goals of The Health Insurance Portability & Accountability Act of 1996 (HIPAA) is to ensure patients have the ability to access their protected health information (PHI) in a timely manner and in the format most convenient for them. Some providers have implemented electronic health record systems that offer patients the ability to view and download their health records at any time. However, patients do not always take advantage of that option. Some would rather have a hard copy of their records, or certain records might not be stored electronically. In these cases, a patient will submit a request for a copy of their health records.

HIPAA requires a provider to respond to a request from a patient for their health records (with some exceptions, like psychotherapy notes) as quickly as possible. The provider has up to 30 days to respond to the request, but The U.S. Department of Health & Human Services (HHS) strongly encourages providers to respond sooner, especially if the information is already in electronic format. An extension of 30 additional days is permitted, but the patient must be provided notice of the extension in writing along with the reason for the extension within the first 30 days. Some state laws require requests to be addressed in a shorter period of time.

A provider cannot refuse a patient’s request to send health records to them via unencrypted email if the patient has been informed of and has accepted the risk associated with the unencrypted transmission of their health record. The provider’s access request form should include an area where the patient can acknowledge that they accept the risk of having their records sent via unencrypted email.

Last year, HHS launched an initiative to “vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice.” Since then, the HHS Office for Civil Rights (OCR) has settled two cases regarding a patient’s right to access health records. The most recent one was in December 2019. A penalty of $85,000 and a 1-year corrective action plan were imposed by the OCR. The first enforcement action was in September 2019 under the same terms. The decision emphasized, “This right to patient records extends to parents who seek medical information about their minor children.” It is hard to say whether that will be the OCR’s standard enforcement arrangement, but history shows that generally, penalties have been decided on a case-by-case basis.

A reasonable, cost-based fee can be assessed, but HHS encourages providers to give records (especially if in electronic format) to patients at no cost when possible. It is important to note, though, that a patient does not lose their right to access their health record even if they have an outstanding balance with a provider. The fundamental point is clear: a patient’s access to their health record may not be obstructed or delayed by a provider, so it is important to be diligent and address a patient’s request as soon as possible.

HIPAA Privacy and Coronavirus

2020 Alliance sponsor feature article courtesy of Total Medical Compliance

While preparing for and treating patients that have or might have novel coronavirus (2019-nCoV), it is important to remember your patients’ privacy rights. HIPAA permits the sharing of a patient’s protected health information (PHI) for public health activities such as this without a patient authorization.

With whom and when can you share PHI for public health activities? Generally, PHI can be shared with:

  • entities that are permitted by law to collect and receive health information for the purpose of preventing or controlling disease such as the CDC or a state or local health department,
  • organizations such as the American Red Cross,
  • others at risk of contracting or spreading a disease or condition if state law authorizes the covered entity to notify others as necessary to prevent or control the spread of the disease, and
  • others involved in the patient’s care such as family and friends. Providers should use their professional judgment here and obtain verbal consent from the patient, if possible.

PHI should not be shared with the media or others not involved in a patient’s care without the patient’s authorization.

The HIPAA minimum necessary standard still applies to the use and disclosure of PHI. The U.S. Department of Health and Human Services says that entities may rely on representations from the CDC or other public health department that the PHI requested by them about all patients exposed to or suspected or confirmed to have novel coronavirus (2019-nCoV) is the minimum necessary. In addition, a covered entity should continue to limit access to PHI to only those workforce members who need it to carry out their duties.

Will the GDPR Affect your Practice?

By Debra Gordick, Total Medical Compliance

2019 Alliance feature article courtesy of Total Medical Compliance (TMC)

What is the GDPR? The General Data Protection Regulation (GDPR) is a set of laws passed by the European Union in May 2018 to provide rules for protecting electronic data on individuals in the European Union (EU). These regulations impose security restrictions for Europe similar to those HIPAA imposes for the USA. One of the biggest differences is that the information being protected is all private data, not just health information. The GDPR also targets the information held by companies that track consumers’ internet history for the purpose of marketing products and services.

Why should laws passed in Europe matter to US companies? The GDPR is enforceable against any company that falls within the rules, whether European or not. Additionally, other countries in Europe, Asia and Africa are starting to adopt the GDPR. This raises two questions:

  • What would make you subject to the GDPR?
  • Will the US adopt the same or similar laws as the GDPR?

1. What would make you subject to the GDPR?

Contrary to what the salespeople are telling you, it is unlikely that you will be covered under the GDPR. The official website of the European Union (EU) states that the GDPR does not apply to your business if: “Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”

The National Law Review here in the US says that the GDPR will apply to US healthcare only in the following circumstances:

  • A part of your business is physically located within the EU.
  • Your business offers goods or services (even if for free) to individuals in the EU. The offering of goods or services is more than mere access to a website or an email address. It includes, for example, marketing activities intended to recruit individuals in the EU to be patients at a hospital in the United States.
  • You electronically monitor the behavior of individuals in the EU. This includes monitoring patients after they return to the EU, for example, as part of post-discharge patient engagement to prevent hospital readmission.

Are US healthcare practices subject to GDPR if a European citizen seeks treatment there while traveling or studying in the US? No, protected health information is not Personal Data under the GDPR merely because it concerns an EU citizen. Instead, the data must concern an individual located in a country covered by the GDPR. The data collected from an EU citizen at a location in the United States will be subject to US law unless the data was solicited from an individual while the individual was physically located in the EU or the organization continues to monitor the EU citizen after the citizen returns to the EU, such as part of post-discharge patient engagement programs.

Would a US practice be subject to GDPR if it transmits patient records to a healthcare provider in Europe for a patient seeking treatment here? Again, no. Practices here must follow US law, but the EU health care provider must protect the individual’s privacy in accordance with GDPR while the individual is in the EU.

Are US practices subject to GDPR if they do not intentionally market to the EU but an EU resident visits their website? No. Here is a good example from the GDPR website in the EU. A man in Paris went on the website for a pizza delivery service in Miami in order to purchase a pizza for a friend who lives in Miami. The Miami restaurant obviously doesn’t deliberately market its services and products in Europe. This would be considered incidental and not deliberate. Thus, the pizza place does not fall under the jurisdiction of the GDPR.

To read the full National Law Review article:

2. Will the US adopt the same or similar laws as the GDPR?

This is a topic of much debate here in the US. The general belief among the more credible sources is that America has already passed and will continue to pass laws to protect individuals’ private information. It is unlikely that those laws will be the same as the GDPR. The political and business culture in the US is very different from most of the world.

About the Author/TMC

Debra Gordick is the Mediator/Government Liaison for Total Medical Compliance. TMC is a private consulting company providing affordable programs and seminars for health care providers, allowing them to achieve and maintain compliance with government regulations such as HIPAA, OSHA and Infection Control. TMC services include on-site employee training, customized compliance manuals, office inspections, and ongoing client support through monthly newsletters and a fully staffed Call Center. Information on seminar schedules and products can be found on the TMC web site, For additional information call 888-862-6742 or email

Demystifying OSHA Inspections

2017 Alliance sponsor feature article

By Debra Gordick, Mediator/Government Liaison for Total Medical Compliance

An OSHA inspection can be a scary experience. One reason is that they are always a surprise. You are going about your day as usual and suddenly you have an inspector at the front desk. Another reason is that you don’t know what to expect or what to do. Being informed about the process before it happens can help you focus and minimize the impact of an inspection.

How does your practice get chosen by OSHA to be inspected?

The most usual way for your practice to be inspected is that an employee, ex-employee or patient has reported you to OSHA for violations of OSHA regulations. This is called a “for cause” inspection. If it was a current employee who reported a true regulation offense, then you will be inspected. OSHA takes that type of report very seriously. They are aware that sometimes an ex-employee may be angry and lashing out. If, in their judgment, that is the case, OSHA may send you a letter asking for details and an explanation instead of inspecting. Receiving a letter does not mean you can dismiss the issue. You have a limited time to answer. If you do not answer the letter, or do not answer it to OSHA’s satisfaction, they will show up to inspect. They will not give you advance notice and you cannot stop them from inspecting. A “for cause” inspection is usually limited in scope to the area or areas reported. They can expand the scope if they notice something wrong during their inspection. It is important not to volunteer information to an inspector unless they ask a question. Something as innocuous as “we have an excellent training program” requires them to expand their scope to your training program.

The second kind of inspection is a “random” inspection. Every year OSHA has a schedule. First, they inspect reported violations. Then they generate a random sampling from their computers of business types that are closely watched. Types of businesses on this permanent rotation tend to be high risk for employee injury and death, like construction, manufacturing, mining and farming. This list is a compilation of a federal list and, if your state has its own OSHA program, a state list. North Carolina has a strong state program. If they finish all inspections on high-risk businesses, OSHA will look at the computer-generated list of business types that have not been inspected for a while. Unlike the “for cause” inspections, random inspections are full scope. The inspectors will look at all areas of regulations.

What are the steps of an OSHA Inspection?


What happens during the actual inspection?

When OSHA decides to inspect your practice the inspector(s) will show up at your door without notice. Get a business card. Ask the inspector to have a seat in the lobby while you notify management and the OSHA Officer. We recommend delaying the inspector no longer than twenty minutes. Additionally, you cannot refuse inspection. They will leave just long enough to get a warrant and the police. The only time we’ve seen an inspection delayed was when the office was not actually open for business and just a small staff was present doing paperwork.

Use your time wisely. Walk through your office to spot and correct any problems that can be handled quickly, such as replacing a full sharps container or securing gas cylinders the delivery service missed that day. Grab a camera or camera phone. Greet the inspector. The inspector is going to ask for information about your business such as tax ID # and unemployment insurance #. You should be told whether this is a random inspection or you were reported. If that information isn’t volunteered, you should ask. They can tell you what you were reported for but not who reported you. An inspection can take from one hour to multiple days, with an average of 3-4 hours. A “for cause” inspection should be shorter and focused on the reported violation(s). The inspector is going to do the following:

  • Ask to see your documentation. This can, and likely will, include your policy and procedure manual, reports of any injuries or illnesses, Hepatitis B vaccination records and training records.
  • Walk through your practice and inspect various areas. (Remember that under HIPAA regulations the inspector cannot enter an occupied treatment room without you getting permission from the patient beforehand.) Never leave an inspector unescorted.
  • Take pictures. Ask them what they are photographing and why.
  • Ask you or other employees questions on how something is handled. (OSHA inspections are performance-based which means that what you are doing should match what your policies and procedures state.)

The inspector may want to talk to employees without management present. This is allowed.

Things you can do during the inspection to minimize citations and lower fines:

  1. Always be polite and courteous. The inspector is just doing their job. Also, you get a 15% reduction in fines for being “cooperative and courteous.”
  2. Take a picture of anything the inspector does for your records.
  3. If asked for something you don’t know the answer to, ask for clarification. It is easier to stop a citation from being written than to get it removed later.
  4. Always answer truthfully but do not volunteer information. By law they must inspect any area you bring up.
  5. At no point should an inspector ask for money. Report this to OSHA immediately. This person is most likely a scam artist.

After the inspection is over, the inspector will have a Closing Meeting to cover the preliminary findings. This meeting can happen immediately after the inspection or can be scheduled for a future date. At the Closing Meeting the inspector will meet with the OSHA Officer (and management if you request it) to go over all issues noted during the inspection. This list of issues is not the official citation list as it may include issues that are noted but so minor that they will not end up on the official list. Feel free to ask questions and to volunteer information that could prove you have addressed the issue. Start fixing the problems identified immediately.

What happens after the inspection?

After the Closing Meeting the inspector will return to their office and write up their results. They may call you to get follow up information. Once the report is written it is submitted to their manager. The manager will review the report and create an official citation letter listing each issue, the regulation that was involved and the amount of the fine for each citation. This letter will include information on your rights to contest the OSHA citations and your responsibilities to post the results for your employees and the dates by which you are required to fix the problems identified. This letter will be sent to you usually within two weeks of the Closing Meeting.

OSHA divides citations into “Serious” and “Non-Serious” categories. Non-Serious violations usually are not fined but can be minimally fined. OSHA increased their fines in August 2016 and again on 1/13/17. Each Serious violation starts at $12,675. A series of fine reductions is available:

  • 60% for small businesses
  • 15% off if you were “courteous and cooperative”
  • 10% if you have an OSHA program in place.

However, if OSHA notes that this is a repeated violation from a previous inspection or if they determine that it is a “willful” violation the fine starts at $126,749.

You will then have to submit a form (included in your citation letter) back to OSHA to prove that you have fixed the problems listed within the timeframe allotted. This is called Abatement. Abatement should include a short explanation, supporting documents or even pictures if necessary. You can request an extension if necessary. Failure to abate the citations by the stated date can result in a fine of $12,675.

You also have the right to contest the citations. The first step of this process is to request an Informal Conference with the manager/supervisor who sent you the citation letter. This meeting must be asked for within the timeframe listed (usually 15 days of receipt of the citation letter). It can usually be conducted by phone. It is your chance to state your reasons for removing or reducing citations and/or fines. You should ask for this even if you don’t have any explanation but “we’re sorry and we fixed it”. OSHA cannot increase the citations or fines, and you do not get on a black list. You can usually get some reduction in fines just by asking.

After the Informal Conference, OSHA will send a Settlement Letter to you. This will list what changes they are willing to make. You then have a limited time to decide whether to accept the settlement (sign it, return it and pay any remaining fines) or to move to the next and final phase, the Formal Hearing.

If you do not accept the Settlement you have only one last recourse. You can request a Formal Hearing. This meeting will be in person before an administrative judge in Raleigh. This step should only be taken if you believe OSHA has violated regulations or if you have a legal reason that you did not violate a regulation. You are allowed to bring a lawyer and your consultant. OSHA will have their lawyers there. Results are final.

On a final note, your best protection from OSHA citations is a strong and continuing OSHA program. You need to understand what is expected from your business. Your program should include policies, procedures, strong documentation, good records, current SDS, annual review of safety devices for sharps, and thorough training.

Debra Gordick is the Mediator/Government Liaison for Total Medical Compliance. TMC is a private consulting company providing affordable turnkey programs and seminars for health care providers allowing them to achieve and maintain compliance with government safety and privacy regulations such as HIPAA, OSHA and Infection Control. A TMC consultant works in partnership with the safety and privacy officers at your location to ensure all aspects of the regulations are addressed. TMC services include on-site employee training, customized compliance manuals, office inspections, and ongoing client support through bi-monthly newsletters and a fully staffed Call Center. Information on seminar schedules and products can be found on the TMC web site,

For additional information call 888-862-6742 or email