COVID-19 and Compliance: Resources Hiding in Plain Sight

By Nancy J. Beckley, MS, MBA*

Compliance challenges as a result of the COVID-19 pandemic have likely sent therapy practices scrambling for information, only to find information — and misinformation — often a moving and changing target.

Practices have addressed, and are likely still addressing, clinical, operational, and financial challenges. Compliance obligations under HIPAA, Medicare Conditions of Participation, and Section 1557 of the Affordable Care Act have come into play as the Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), and Office for Civil Rights have responded to the Public Health Emergency (PHE) and exercised authority under Section 1135 Waivers. Responding to COVID-19 is also about compliance obligations from related laws and regulations.

As therapists have staged a movement back to the clinic, that effort should also serve to strengthen “response preparation” for other seasonal disasters (e.g., tornadoes, hurricanes, winter storms), unplanned emergencies (e.g., fires, earthquakes, chemical spills), and things we hope to never plan for, including active shooters or another pandemic from an emerging infectious disease (EID).

Practices that have organized as rehab agencies and comprehensive outpatient rehabilitation facilities (CORFs) must comply with Medicare’s conditions of participation, which include the infection control condition of participation and the emergency preparedness condition of participation – both scaled appropriately for outpatient providers. There are no comparable conditions of participation for the physical therapist in private practice.

Rehab agencies and CORFs must also attest to compliance with civil rights laws and Section 1557 of the Affordable Care Act (ACA) related to nondiscrimination. Physical therapists in private practice that participate with Medicaid and/or TRICARE are required to comply with ACA Section 1557.

Providers that are covered entities under HIPAA are required to have policies and procedures in place that address the privacy, security, and breach notification rules.

It’s time for an “inventory” check of policies, procedures, and processes in your practice. The “Inventory Checklist Table” provides a sampling of policies, procedures, and processes for consideration. This is not likely all that a practice will need, and it may be more than is needed for a focus on COVID-19 impacting policies. The table is organized to include:

  1. Emergency preparedness
  2. Infection and environmental control
  3. HIPAA privacy
  4. HIPAA security (administrative, physical, and technical safeguards)
  5. ACA Section 1557 civil rights and nondiscrimination


Start with the consideration of an emergency preparedness plan that begins with an all-hazards vulnerability risk assessment to identify hazards likely in your geographic area. Continue with care-related emergencies, equipment and power failures, interruption in communications (including cyber-attacks), the loss of all or a portion of the facility, and the loss of all or a portion of supplies. The Kaiser All Hazards Risk Assessment Model is set up to identify probability, preparedness, and impact. That will help drive your training plan and the testing process in your clinic. Add policies related to communication, training, testing, the role of staff, safe evacuation, and sheltering in place.


Evaluate and update current infection control policies and procedures. Clinics often have an understanding of infection and environmental policies and procedures, but they may not be in written or updated format, particularly with respect to guidance issued by the Centers for Disease Control and Prevention (CDC) specifically to address COVID-19. There are many online resources to help in assembling policies.


Take an inventory of HIPAA policies and procedures. A HIPAA waiver issued during the public health emergency applied to the expansion of telehealth and involved enforcement discretion for the use of a non-compliant platform. Don’t be under the misunderstanding that there was a “loosening or waiver of HIPAA.” Ensure your practice has a full set of HIPAA policies, including policies and procedures that support the Notice of Privacy Practices (NPP) that patients are required to acknowledge. Your NPP must be posted visibly in your clinic, as well as on your website.

A security risk assessment is an annual requirement, and it will support your efforts to ensure secure telehealth/technology-based communications with your patients. Do you have a model business associate agreement (BAA) that you offer to persons and entities that will have access to personal health information? You have likely signed a BAA that was supplied by your EMR vendor, billing company, and telehealth platform. Are you aware of your obligations under these BAAs?


Adapt nondiscriminatory policies and procedures. Start with your statement on discrimination (with respect to patient care) and follow with policies and procedures to ensure compliance with civil rights laws that meet the standard for nondiscrimination on the grounds of race, color, national origin, sex, age, or disability. The laws include: Title VI of the Civil Rights Act of 1964; Section 504 of the Rehabilitation Act of 1973; Title IX of the Education Amendments of 1972; the Age Discrimination Act of 1975; and, as applicable, the Church Amendments, the Coats-Snowe Amendment, the Weldon Amendment, Section 1553 of the Patient Protection and Affordable Care Act, Section 1303(b)(4) of the Patient Protection and Affordable Care Act, and other federal conscience and anti-discrimination laws. As the public health emergency waiver rolled out, the Office for Civil Rights clearly indicated that discrimination would not be tolerated with respect to access to services for those protected by the various laws. This is not only about clinic-based services, but also telehealth and electronic-based patient services.

Section 1557 also mandates requirements for the translation of brochures and important documents to top languages, a website nondiscrimination notice, as well as website nondiscrimination “taglines” in the top 15 languages in your state. If your practice has an obligation under this law, be sure to understand and implement all that is required.

It has likely been a long and winding road getting back to practice, welcoming patients, and preparing for the new future. Don’t overlook compliance resources that may have been hiding in plain sight. Best of luck.

compliance table

Nancy J. Beckley, MS, MBA is a compliance consultant located in Milwaukee, Wisconsin. She can be reached at and @nancybeckley.

*The author has a professional affiliation with this subject.

Copyright © 2018, Private Practice Section of the American Physical Therapy Association. All Rights Reserved.
