Put These Plans in Writing

For some government programs, it is not acceptable to have only a compliance strategy; each practice must have a written plan as well. A good written plan can reduce the number of innocent mistakes and will go a long way toward audit avoidance. 

And, if your practice ends up as the target of allegations, having an up-to-date compliance plan - and demonstrating how you followed it - can help your outcome tremendously. Here are some of the written plans you have to have in your office. 

Patient Billing

State law requires physicians to have written billing policies that cover possible patient discounts for charity care and the uninsured, whether late payments will incur interest, and your billing complaint process and procedures. Details (PDF) are available on the TMA website along with a downloadable notice (PDF) you can print and post in your office as required. 

HIPAA Privacy and Security

Required written privacy policies and procedures should provide guidance for practice staff who deal with protected health information (PHI) and have responsibility for privacy compliance. Required written security policies and procedures outline the administrative, physical, and technical safeguards your practice uses to protect electronic PHI. The document must explain how you assessed risks and decided on the specific security measures.

In addition, you must have a written notice of privacy practices for patients, a plain-language description of how you use, disclose, and protect patients' PHI, and patients' rights with respect to the information. TMA members can download a sample notice of privacy practices from the TMA website (log-in required).

Occupational Safety and Health Administration (OSHA)

The OSHA Bloodborne Pathogens standard requires a written exposure control plan (PDF), to be updated annually. This document lists job classifications in your practice in which staff have occupational exposure, the tasks and procedures they perform that result in their exposure, and how you are minimizing the risk and meeting all requirements of the standard.

OSHA also requires a written hazard communication program (PDF). It must indicate how you fulfill the requirements for labels for hazardous chemicals, safety data sheets, and employee information and training, and include a list of the hazardous chemicals in your office.

OSHA has samples of both of these written plans (PDF) that you can customize. Or, you can use the OSHA Program Manual for Medical Facilities, available in the TMA Education Center, to develop your complete safety program.

Federal Health Plans

The Affordable Care Act says physicians must establish an antifraud compliance program, with specific core elements, as a condition of enrollment in Medicare or Medicaid. That means having a formal (written) process that addresses key factors in rules and regulations for billing, such as proper coding, medical necessity, appropriate documentation, and proper referral practices. The federal government has not yet issued an enforcement date for compliance plans for Medicare. State law requiring compliance plans for Medicaid took effect in 2012. TMA advises any practice that accepts payment from a government program to have a formal compliance plan (PDF) as risk protection.

In fact, good, standard practices mitigate risk in many areas. Medical practices have to follow many laws, such as hiring and firing laws, not just those that require a written plan. The Texas Medical Liability Trust's Risk Management Guide for Physician Practices (PDF) says, "Risk management is an overall philosophy for the entire office."

The above written compliance plans don't all have to be separate documents on your shelf. A better approach is to incorporate them into your practice's policies and procedures manual to help your practice be both compliant and efficient in day-to-day operations.

TMA Can Help

  • Browse through the TMA Education Center. You'll find webinars, publications, and books that delve into various aspects of compliance, some with sample written plans.
  • Mark your calendar for May 8. TMA's live seminar, Commit to Compliance: Meeting the Challenge, will cover coding, billing, human resources, and HIPAA. It will be in Austin, 9 am-3 pm (CT). Registration is open.
  • TMA's Policies and Procedures: A Guide for Medical Practices, which you can customize, incorporates HIPAA privacy and security compliance, and compliance with fraud and abuse laws, along with a full complement of office policies and procedures.
  • If you need help, call on TMA Practice Consulting for a Compliance Review or a HIPAA Gap Analysis and Training. TMA consultants can review your existing policies and procedures and provide recommendations for the development of an ongoing monitoring program. Or if you are concerned about your coding and documentation practices, ask for a Coding and Documentation Review. For more information, contact a consultant at (800) 523-8776 or practice.consulting[at]texmed[dot]org.


Published Feb. 6, 2015




Last Updated On

December 20, 2016
