Regulatory Compliance Applies to More Than Medicare

By Mary R. Daulong, PT, CHC, CHP*

When we talk about compliance the first thing that comes to mind is Medicare.

But Medicare is just the tip of the iceberg. There are so many regulations that health care providers must be aware of and comply with, so let’s just start with fundamental law: the regulation of our profession at the state level.

Most individuals working in a physical therapy entity should have a working knowledge of their state’s Physical Therapy Practice Act or, at a minimum, the rules that affect the practice of physical therapy. Why, you ask? Because there are so many ways to go awry, and the consequences can be severe and business changing. One of the reasons so many state licensing boards have oversight of continuing competency requirements is that they know “out of sight, out of mind.” Think about it: would you take the time to review your practice act and rules if you didn’t have to take a test to renew your license?

Some of the rules that physical therapists and physical therapist assistants should know off the top of their head are:

  • Scope of practice and role delineation of the physical therapist; for example: Can a physical therapist perform dry needling or diagnostic studies like ultrasonography, dispense over-the-counter vitamins/supplements, utilize telehealth/telecommunication, etc.? Can a physical therapist assistant own or be the director of a physical therapy clinic, modify a plan of care, perform tests and measures or functional outcome standardized tests, etc.?
  • Referral requirements or direct access rights and the parameters of each
  • Type and amount of supervision by the physical therapist regarding physical therapist assistants, technicians, student therapists, and other licensees (massage therapists, athletic trainers) to meet the general and direct supervision requirements, etc.
  • Documentation requirements: Daily notes, evaluations, interim reports like progress reports, reevaluations, and plans of care; frequency of reports; co-signing obligations and requisites for documenting conferences with physical therapist assistants or other licensees and documentation restrictions of these individuals
  • License renewal terms and frequency (e.g., exams, amount of continuing competency units, updated profile, etc.)
  • License posting and/or name badge requirements
  • Patient abandonment criteria

This list is certainly not all-inclusive, so a personal review of the state law and rules is critically important for licensees. Here’s a tip: An easy way to stay current is by signing up for the licensing board’s e-newsletters or the like.

So, on to the next regulation, the Health Insurance Portability and Accountability Act (HIPAA). HIPAA mandates workforce education upon employment followed by regular updating and training, including evaluation annually separate from or as part of an annual performance review. HIPAA mandates the drafting of entity-specific policies and procedures; appointment of a HIPAA officer; compliance monitoring, investigation, and corrective action (disciplinary measures and breach reporting); and the rendering of business associate contracts to those who are not part of the workforce but use/access protected health information on the entity’s behalf.

So how do we ensure that our employees start out and remain knowledgeable? One approach is to hold an annual general orientation or review for all your staff members that covers HIPAA’s Privacy and Security Rules. Provide position-specific educational modules for those who have a need to understand the law in greater detail.

The Privacy Rule’s general orientation should include:

  • Privacy notice
  • Protected health information (PHI) and identifiers
  • PHI retention and destruction
  • Access to PHI (i.e., uses and disclosures)
  • Patient rights
  • Minimal necessary determination
  • Patient authorization for access to PHI
  • Business associates
  • PHI breaches
  • Workstation privacy and password utilization

The Security Rule’s general orientation should include:

  • Security Incident Disclosure
  • Remote use of/access to E-PHI
  • Employees’ role in contingency and disaster recovery plans
  • Electronic signatures
  • E-PHI breaches
  • Electronic device utilization
  • Security measures including but not limited to:
    • Passwords
    • Anti-malware
    • Firewalls
    • Encryption at rest and in transit

Position-specific education might include the development and implementation of procedures and processes related to the preceding bullet items.

Now on to the third category of regulations that we often forget to employ: OSHA (Occupational Safety and Health Administration)! Yes, OSHA regulations apply to outpatient settings, and audits typically occur because of complaints from employees and patients. All of the standards in the following list have mandatory orientation requirements, but the Bloodborne Pathogens Standard also requires annual updates and training.

A few items to have on your checklist are:

  • Development of an Exposure Control Plan that is based on the Bloodborne Pathogens Standard:
    • Employee health (e.g., infection control, TB awareness, necessary vaccinations such as for Hepatitis B)
    • Exposure determination
    • Standard precautions
    • Housekeeping checklist and procedures
    • Exposure control reporting and recording
    • Licensed Healthcare Provider consultation
    • Exposure barriers (e.g., Personal Protective Equipment/Supplies; engineering and work practice controls)
  • Development of a Hazard Communication Plan
    • Hazard identification and inventory
    • Hazard Assessment of workforce
    • Safety Data Sheets
    • Container and substance signs and labeling
    • Exposure barriers and engineering and work practice controls (see under Development of Exposure Control Plan)
    • Emergency intervention (clean-up/spill management)
    • Hazard Communication reporting and recording
  • Safety, Injury Prevention, and Management (Internal and External Disaster)
    • First aid
    • Cardiopulmonary arrest management
    • Facility evacuation
    • Fire prevention and control
    • Disaster management and recovery
    • Facility and equipment safety procedure implementation
    • Safety Incident reporting and recording
  • General Duty Clause
    • Safe working environment that is free from hazards and any type of harassment. Examples and discussion of harassment, as well as company policy on the subject, should be included in compliance orientation and reviews.

Just a word about the Americans with Disabilities Act (ADA). We are required to have accessible facilities, which includes the physical plant as well as access to services. So, while checking off the ADA physical plant access items, don’t forget to include access to services as described in an enhancement of the civil rights law¹ that protects individuals from discrimination. The short list requires that:

  • We must post the federal poster on Patient Rights in our facilities, on our websites, and within certain marketing pieces.
  • We must provide effective communication with and accessibility for individuals with limited English proficiency.
  • We must ensure that individuals are not discriminated against because of sexual preferences or dispositions within our facilities.
  • We must provide effective communication with and accessibility to services for individuals with hearing, sight, or speech disabilities.

This law is being heavily enforced and certainly deserves your attention if you have any deficiencies related to its requirements.

I have not addressed employment regulations in this article for three reasons, the first of which is the extensiveness of the material, the second is state-to-state variations, and the final reason is that it has been well covered in previous issues of Impact. If this is a weak point for you and your practice, just let the Impact editor know of your interest and they may consider additional articles on this subject.

In summary, I hope your takeaway is that health care regulatory compliance comprises much more than Medicare and most, if not all, regulations require documented policies and procedures, evidence of education, and implementation of the required provisions. Additionally, federal and state officials expect to see that you actively monitor compliance with the statute and investigate concerns and complaints, taking corrective action as needed.

¹Federation of State Boards of Physical Therapy. Accessed August 2019.

United States Department of Health & Human Services: HIPAA for Professionals. Accessed August 2019.

United States Department of Labor, Occupational Safety & Health Administration: Bloodborne Pathogens Standard. Accessed August 2019.

United States Department of Labor, Occupational Safety & Health Administration: Hazard Communication Standard. Accessed August 2019.

United States Department of Health & Human Services: Office for Civil Rights. Accessed August 2019.

Healthcare Compliance Pros: Types of OSHA Citations and Fines. January 17, 2012.

United States Department of Labor, Occupational Safety & Health Administration: Most Common OSHA Violations in Healthcare. 2017.

HCCA Clinical Practice Compliance Conference: Security Risk Assessment for Small Practices: Tools & Case Studies. Joette Derricks, September 7, 2015.

TrueVault: What is the Penalty for a HIPAA Violation? Morgan Brown, January 9, 2014.

Mary R. Daulong

Mary R. Daulong, PT, CHC, CHP, is the president and chief executive officer of Business & Clinical Management Services, Inc. She can be reached at

*This author has a professional affiliation with this subject.

Copyright © 2018, Private Practice Section of the American Physical Therapy Association. All Rights Reserved.
