Eye Care Leadership Live
I speak with eye care and healthcare clinical leaders and the experts who help their clinics succeed.
Eye Care Leadership Live
Are You HIPAA/OSHA Audit Ready? (with Jennifer Cosey)
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
You can do everything “right” for patients all day long and still get blindsided by a privacy complaint, an OSHA inquiry, or a cyber incident. That’s why we invited Jennifer Cosey, President of Eagle Associates, to talk with us about what healthcare compliance looks like when it’s done as real risk management, not just paperwork, posters, and binders on a shelf.
We dig into the practical why behind HIPAA compliance, OSHA compliance, and fraud waste and abuse training, including how a single needle stick can spiral into urgent care visits, paperwork, and stress that nobody needs. Jennifer explains how prevention and communication reduce incidents, save time, and lower costs. We also talk about how complaints actually happen: patients can go directly to the Office for Civil Rights, and employees can contact OSHA when safety concerns feel ignored. Those triggers make your documentation, training records, and day-to-day habits matter fast.
From there, we get specific about what “good” training looks like: solid new-hire onboarding before exposure to hazards, plus ongoing annual training delivered in smaller segments so people retain it. We clarify when quizzes are required, why they help prove effective training, and what OSHA topics many clinics overlook, from chemical hazards and tuberculosis to waste management and workplace violence.
The biggest takeaway is simple and uncomfortable: training alone is not compliance. Jennifer breaks down why written policies must be implemented and why a HIPAA security risk analysis cannot be fully outsourced to an IT vendor. We also cover enforcement trends like the patient right of access and today’s focus on security risk management, including what “reasonable and appropriate” safeguards look like for password policies and scalable cybersecurity. If you found this useful, subscribe, share it with a practice leader, and leave a review so more clinics can reduce risk and protect patients and staff.
Find Jennifer at: www.eagleassociates.net // 800-777-2337 // info@eagleassociates.net
===
This episode is brought to you by Seasoned Advice HR, where I help eye care clinics to hire, retain, and manage better — helping you get Better Results Through People. Learn more at seasoned-advice.com.
Contact me directly at mike@seasoned-advice.com
Get my free HR and leadership downloads here: https://www.seasoned-advice.com/signup-for-free-downloads
Welcome And Guest Introduction
SPEAKER_00Yeah, my guest today here on iCare Leadership Live is Jennifer Kosi. She's the president of Eagle Associates, which is a business that helps healthcare practices and dental practices to stay compliant with OSHA, HIPAA, fraud, waste, and abuse, all important things. So, Jennifer, thanks for joining me.
SPEAKER_01Mike, thank you so much for having me on today. It's really a pleasure to chat with you and talk to practices about what they can do to be better prepared.
SPEAKER_00Awesome. Well, that is a perfect segue because, you know, that's why I wanted to have you on, is because I want practices to be prepared. I have, you know, I've been in that seat where I was the HIPAA officer. And to be honestly, I don't even know, I did not know what I was doing, you know, fully in that role. And then I've had, you know, in HR, because that's the hat I wear, no pun intended, is I I have to administer OSHA rules and OSHA thing documentation. And then there's onboarding people and training. And so sometimes you wonder, and I'm sure practice administrators out there are wondering, like, why am I doing all this stuff? What are these binders for? Like, what are these forms really doing for me? And so just wanted to have you on to help maybe dispel some myths and emphasize, you know, the importance of all this stuff.
SPEAKER_01Absolutely. I would love to. Our whole goal is to simplify things for people because we understand that compliance is one small piece of a huge puzzle for most administrators, compliance officers who've maybe been tasked with being the officer when they didn't really ask for it. And so our whole mission is to simplify and make things a little easier.
SPEAKER_00Great. Well, I know that the administrators out there appreciate that because yes, their jobs are so complicated. So I guess here's my my first question is because you know, they're doing all these things, right? They're trying to staff their clinics and code things correctly and make sure the doctors are happy and everything. And so they and they may be saying, well, you know, geez, like why do I have to why do I have to do all this training? Like, don't people just know this stuff? So, like, what you know, what would you say to someone that just doesn't understand why all the training and the manuals and everything?
Compliance As Risk Management
SPEAKER_01I always say, look at it like a risk management strategy, right? So you're preparing your practice for the possibility of getting investigated by a government agency, for the possibility that a patient complains to the Office for Civil Rights that you violated their privacy, for the possibility that an employee calls OSHA and says there's unsafe working conditions. So all the things you do from training to policies to implementation and certain assessments are done, you know, of course, because you're required to. It's the law. There are standards that require you to do certain things, but also as a risk management strategy to, you know, prepare yourself for possible investigation. But then also on the practical side for OSHA, most practices want to operate in a safe manner. We don't want injuries happening. And so it's actually working to keep everybody safe and preventing injuries and illnesses for staff.
SPEAKER_00Yeah. No, I love that you added that part in at the end, right? It is not only are we trying to protect ourselves, but we can protect ourselves by hopefully preventing any of these things from happening in the first place, right?
Training That Prevents Needle Sticks
SPEAKER_00By training people on how to, you know, how to keep themselves safe. You know, I like for example, in an ophthalmology or really all healthcare, like we have sharps, we have needles, and the there's always the threat of needle stick. I found that just like communication and training was really helpful to reduce the the amount of incidence of needle stick injuries. Do you feel like communication and the training part does make that kind of an impact that reduces absolutely?
SPEAKER_01It's it's effective in so many ways, you know, from the OSHA side of things to reducing incidents, which leads to more time, follow-up, workers comp, all you know, it's it's more costly in the in the end run anyway, in addition to the just wanting to keep people safe, peace saves you time and money in the long run anyway. The prevention, you know, it's just it sounds cliche, but it's really true that prevention does really save.
SPEAKER_00Yeah, you know, it's time consuming to, you know, let's say someone has staying on the topic of needle sticks. If you have to send someone to urgent care, you've got to do the paperwork, you might have to get the pay ask the patient to get tested to see if they have any, you know, things that would that the that this employee needs to know about. And boy, that's and then the then the employee is worried, right? Oh, did I catch something? That's a you know, you just don't want to have to deal with all that stuff. And and then HIPAA. HIPAA is another big one. You know, I'm I'm curious, you know, we talk about like training, for example, and how it can protect you. Has there ever been a time that to that a that a clinic hasn't had some of their ducks in a row, maybe in training or posters or whatever, and it's hurt them when it's come to like a definitely happens where training is not always as robust as as we would like.
SPEAKER_01And then sometimes incidents happen after that. And so there might be a privacy incident that occurs because of a lack of understanding of the privacy protocols or things like that. So there's definitely times when a practice has had to go back and sort of fix a problem that that could have been prevented with proper training.
SPEAKER_00Sure, sure. And they can even can they can can can fines, you know, result if you're not doing the things you're supposed to do? What does that look like?
How HIPAA And OSHA Complaints Start
SPEAKER_01Absolutely. So both from from all three regulatory areas that we work with, fines are a potential issue. So the Office for Civil Rights is the government agency that investigates for HIPAA. And any patient or their representative can file a complaint with the Office for Civil Rights. They don't have to go through the practice first if they don't want to. Of course, we hope that our patients would come to us first, give us that opportunity to make things right, but technically, they can go straight to OCR and say, hey, this is what happened. They violated my privacy by doing XYZ. And then the OCR can investigate that either by sending, believe it or not, an email that says, hey, this is the alleged situation. You have X number of days to respond with documentation that either supports that you didn't do anything wrong or, you know, shows what happened. So that's the HIPAA side. For OSHA, any employee can complain to OSHA that something is unsafe in the workplace. And again, OSHA can send a remote inquiry where they would ask for documentation or they reserve the right to come on site as well.
SPEAKER_00Yeah, it's it's interesting that this is where HR and compliance kind of intersects a little bit because a lot of HR is about communication. And if you're not communicating well and communicating, you know, verbally and listening, you're going to oftentimes have disgruntled employees. They're going to have questions, concerns. And I don't know if you, I'm curious if you've noticed this, but those are the people that tend to be the ones that raise the issues.
SPEAKER_01Right. Yeah. If they're not feeling heard, if they're not feeling like things are being addressed that have been brought up, then that's perfect prime time for someone to possibly file a complaint.
SPEAKER_00Yeah. And so usually you will have little warnings coming up of people talking about things and talking about concerns. And so you have to heed those, you have to heed those warnings. Right. I'm wondering, you know, like on the topic of, you know, because I think training, maybe I keep click clicking on this topic of training, but I think it's it's maybe one of the more concrete things that a practice thinks about and does because they do it every time someone is hired, and hopefully they're doing it
A Smarter Way To Train Staff
SPEAKER_00annually. But maybe that's that's kind of my question is what is what's the gold standard or and maybe what's the minimum standard on how to do training on in these three areas OSHA, HIPAA, and fraud, waste, and abuse.
SPEAKER_01Right. So, of course, as you mentioned, new higher training is foundational. We want to prepare people before they're in situations so that they know what to do correctly. So that new higher training is the foundational aspect that they should receive, you know, not necessarily day one, but within a reasonable time frame of starting, receiving that training. Technically, OSHA says before they're exposed to the hazards that they're going to be working with, which is why a lot of people do do that onboarding, sort of immediately training. And so, yes, the new higher training is really important. And then annual training or ongoing training is also required. And I've always felt like a lot of practices, it's it's a difficult thing to fit in, right? It's like, how are we gonna get everybody trained every year? And so a common thing is to like shut down the office for a day or the afternoon and let's get all our training in, which is not wrong. But what I've found is that people tend not to retain the information as well if it's a giant cram session. So I kind of am in favor of shorter ongoing segments that take place that are easier to digest and retain over time.
SPEAKER_00Mm-hmm. Yeah, I like that. The just the kind of continual drip of information and and quizzing and testing people to make sure that they understand, which I guess brings me to another question. If is it required to test, you know, because I know some platforms will have a test, some some systems may not. Is that a requirement? Is it a benefit?
SPEAKER_01I would say it's not a requirement for OSHA and HIPAA do not require post-training testing. The OIG, it's a very interesting situation. I will try to make a long story short with them. But what they did was a number of years ago, they were trying to simplify things for practices who were trying who were receiving the same training multiple times through different payers. So they were like, let's simplify this. We're gonna create a training at CMS that everyone has to take. And then the payer just has to accept your attestation that, hey, I've already taken this training from CMS. I don't need you to give me the same training, you know, over and over again. And so they had a quiz with that and required a 70% passing score. That's the only quiz requirement in all of the regulatory areas that we deal with. However, I've always felt like a quiz has multiple benefits. Number one, it gives a quick way for you to document that someone participated because they take the quiz, it shows I took the training. And then secondly, it it's an easy way to gauge their general understanding. You know, if they get a very low score, you can say, okay, well, we need to do some additional training or have them meet with somebody or answer some questions and get things to a better level of understanding because the regulations require that your training is effective. And OSHA reserves the right to interview employees if they come on site. They could meet with employees one-on-one and they would expect them to have certain knowledge.
SPEAKER_00Okay, sure.
OSHA Safety Topics To Cover
SPEAKER_00And what is that, you know, like talking? Because I think most people understand with HIPAA, they understand patient privacy, but with OSHA, there's so many elements to safety. You know, there's there's chemicals, there's needle stick, there's bloodborne pathogens. You know, what are the main elements of you know, training that need to be covered in as it relates to OSHA?
SPEAKER_01Right. For healthcare, there's quite a few topics that are relevant. And so you've already mentioned several of them. You know, bloodborne pathogens is is a main, main hazard in healthcare practices. Chemical hazards are number two. Then there are tuberculosis. Surprisingly, a lot of practices don't have that on their radar, but because it's an airborne pathogen, and even though its rates have been on the decline in the US, it is still a hazard that has to be addressed in healthcare. Infectious diseases like influenza, COVID, RSV, that's another hazard that we want to be aware of. Waste management, whether it's pharmaceutical waste, biohazard waste, if you work with hazardous drugs as a lot of ophthalmology practices do, that's another one. Um, then you have natural disasters, so emergency preparedness type safety information, and then workplace violence and harassment. Those are all sort of foundational safety topics. We also cover a couple that are not as common, like ergonomic safety, we have a module for. And then a series of special safety modules based on what the practice is doing.
SPEAKER_00Okay. Okay. Is there, you know, when you are talking to clinics out there and maybe they're they're calling you in a panic because they got in hot water or they have a problem, or maybe you're just making an initial assessment of their compliance program, is there an area that they tend to not understand that they should be doing? Is there a thing that mo that that you think is maybe the you know the top thing that praxis should be doing that they're probably not doing?
SPEAKER_01I think one of the things, and it's really interesting because I don't want to downplay training at all. It's foundational, it's critical. But I think a lot of our clients are like training is compliance. If I've done training, I'm now compliant. And that's simply not true. You know, you have to have a set of written policies that you've actually implemented. So that implementation step, I think is the step that a lot of places stumble on a little bit. And it's difficult because, like I said, time consuming, you know, we've that's something that you have to then dedicate time to ensuring that implementation has actually happened.
SPEAKER_00And what, you know, when you talk about implement like implementing your plan, what you know, so they're probably implementing the training. What are, you know, are there elements of that plan that you think are, you know, neglected or most neglected?
Training Is Not The Whole Program
SPEAKER_01One of the big ones for HIPAA is the security risk analysis piece that a lot of practices are like, oh, well, my IT vendor handles that for me. And although it's true that your IT vendor is really important, they handle a lot of your security aspects for your network, for your systems. And you don't have to become an IT expert yourself if you're in charge of HIPAA for your practice, but they can't do everything. And there are a bunch of areas within the security risk analysis that are administrative. And so it's got to be a joint effort between you, the person who's the security officer, and then your IT vendor to get that security risk analysis completed and then follow through on corrective actions.
SPEAKER_00Gotcha. Um yeah, I think that, you know, that obviously information security is a huge topic right now. Are you seeing that that, you know, are you seeing like hackers and other people, bad actors trying to, you know, get access to data? Is that exposing like weaknesses in the regulatory in the in the compliance plan and things that they should have been doing? Is it exposing issues like that?
SPEAKER_01Absolutely. Because unfortunately, the bad actors and the hackers out there, they know that practices have protected health information. And so that is already a draw for them to attack that area. And I think a lot of smaller practices make a mistake of thinking, well, I'm I'm the little guy. You know, they're not coming after me. Actually, they're coming after wherever there's an easy target or weakness. And so you absolutely could be a target.
SPEAKER_00Yeah, I love that. That that really turns it on its head because you're thinking, oh, I'm a small fish, but you have tons of patient data. Even if you're a one doctor practice, and yeah, if someone makes a phone call to your office and they say something that they shouldn't say, or they click a link that they shouldn't click, then you you're exposing yourself right there. You know, I'm curious about the enforcement trends. I imagine, you know, as the political environment changes, or or I'm not even sure what other what other things influence regulatory enforcement, but do you see trends, you know, in that regard? Like, do you see in the enforcement agencies harping on certain things more so these days?
SPEAKER_01Absolutely.
Enforcement Trends And Key Takeaways
SPEAKER_01So, in fact, they've even announced what their enforcement objectives are, which is helpful. You know, it can certainly help a practice say, okay, well, I know what they're looking for, therefore I know what to do and focus on, which is nice. So for HIPAA, the Office for Civil Rights had had an ongoing enforcement objective to ensure that everyone complies with the patient right of access to their information. There were well over 50 something different enforcement actions related to that principle alone. And then now the current enforcement emphasis is on conducting a thorough security risk analysis and following through on risk management, which means reducing risks to what's called a quote, reasonable and appropriate level, which sounds a little vague, right? But a really good example is one of the items within a risk analysis is you know, do you have a password complexity policy in your organization? Well, if a practice said, Well, yes, I have a password complexity policy. We require four characters. The OCR is gonna say that's not reasonable and appropriate because a four-character password can be hacked instantaneously by a password spraying program. In fact, so can a 10-character password that doesn't have any complexity to it. So they're looking at implementing things that are reasonable and appropriate. But the one good thing about the security rule is that it's flexible and scalable to your organization. So as you mentioned before, a single doc practice does not have to do everything the exact same way that a hospital does. Your complexity is different, and therefore their security rules technology neutral, meaning they're not going to tell you any one specific program that you have to use. You have options, and your IT vendor can help you with finding a solution that fits the complexities and needs of your organization, which is always helpful.
SPEAKER_00Okay. So do your do your risk analysis out there, people. I think that this topic is really under underappreciated. And just you can ask any clinic that has that has had a compliance issue, that has had to deal with a HIPAA breach, or that has had, you know, an OSHA audit. I'm sure those folks know what they should be doing. And you know, they could tell you that this is not something to mess around with. If someone wants to get in touch with with you and Eagle Associates to learn how y'all can help them with these topics, what's the best way for them to reach out to you?
SPEAKER_01Absolutely. So our website is www.eagalassociates.net. Our phone number is 800-777-2337. And then our general email is info at eagleassociates.net. So any of those ways, you are welcome to reach out. We'd be happy to speak with you. And we still answer our phones. We've got humans manning our phones.
SPEAKER_00So oh my goodness. Well, thank you so much. I think that one takeaway at the very least of doing that risk assessment. I think that I don't think 90% of clinics are doing that. And so I think if you're listening to this, to to do that risk assessment is an important thing. It'll probably be eye-opening. Not only will it, you know, help, you know, re you know, improve your documentation, but it will reduce your risk. I think you're gonna learn things through doing something like that. So thank you for sharing that and all of the knowledge, Jennifer. And that's that concludes the show. I really appreciate you joining me.
SPEAKER_01Well, thank you so much for having me. It's been great. It's grown been great to spend some time chatting together, and I look forward to it.
SPEAKER_00Yeah. Awesome. Well, I'm going to stop recording, but we can stay here on. Let me see, where do I s hit that button? Oh, there.
Podcasts we love
Check out these other fine podcasts recommended by us, not an algorithm.