Workforce Compliance Reference

HIPAA & OSHA
Compliance Guide

Policies, procedures, and best practices for every member of the workforce. Know your responsibilities — and stay compliant.

⚠️ Disclaimer

This document is intended as a general reference guide only and does not constitute legal advice, nor does it represent official HIPAA or OSHA compliance certification. Regulatory requirements may vary based on your state, locality, and the specific nature of your practice or organization. This guide should not be relied upon as a complete or authoritative statement of applicable law. Organizations are strongly encouraged to consult a qualified attorney, compliance officer, or regulatory specialist to ensure full compliance with all federal, state, and local requirements applicable to their specific circumstances.

🔒 HIPAA Compliance Program

Protected Health Information (PHI)

What Is PHI?

PHI is any information that identifies a patient and relates to their physical or mental health, healthcare services, or payment for those services.

Examples of PHI

  • Names
  • Addresses & phone numbers
  • Email addresses
  • Dates of birth
  • Medical records
  • Insurance information
  • Photographs

Minimum Necessary Standard

  • Access only what you need to do your job
  • Scheduling staff: appointment info only
  • Billing staff: insurance & payment info only
  • Never view records of family, friends, or coworkers without a job-related need

Workforce Responsibilities

Required

  • Access only information necessary for assigned duties
  • Maintain patient confidentiality at all times
  • Log off unattended workstations
  • Secure paper records
  • Report suspected breaches immediately

Prohibited

  • Sharing passwords with anyone
  • Accessing records without a business purpose
  • Discussing patient info in public areas
  • Leaving records unattended

Patient Rights

Patients Have the Right To:

  • Receive a Notice of Privacy Practices
  • Request access to their records
  • Request amendments to their records
  • Request restrictions on disclosures
  • Receive an accounting of disclosures
  • File privacy complaints without retaliation

Security Rule: Required Safeguards

🏢 Administrative

  • Annual risk assessments
  • Written policies & procedures
  • Annual workforce training
  • Regular access permission reviews
  • Incident response procedures

🏗 Physical

  • Secure workstations
  • Restrict access to records areas
  • Locked storage where appropriate
  • Proper disposal of confidential documents

💻 Technical

  • Unique user credentials
  • Strong passwords (12+ characters)
  • Multifactor authentication
  • Audit logs maintained
  • Encrypted devices & backups
  • Automatic screen locking

Password Policy

  • Minimum 12 characters long
  • Must include letters, numbers, and symbols
  • Must be unique to each system
  • Must never be shared
  • Change immediately if compromise is suspected

Email & Electronic Communication

Required

  • Verify recipients before sending PHI
  • Use secure communication methods
  • Report misdirected communications immediately

Prohibited

  • Sending PHI through unsecured channels

Business Associate Agreements (BAAs)

Requirement

A signed BAA must be on file with every vendor that accesses PHI — including IT providers, cloud services, billing companies, practice management software, and any marketing vendors handling patient information. BAAs are reviewed annually.

Breach Reporting Procedure

Report Immediately

Lost devices · Misdirected emails · Unauthorized access · Improper disclosures · Stolen records

  1. Investigate the incident
  2. Determine breach status
  3. Document all findings
  4. Coordinate required notifications
  5. Implement corrective action

Training Requirements

Training Is Required:

  • During onboarding
  • Annually thereafter
  • Following major policy changes
  • Following significant security incidents

🧤 OSHA Compliance Program

Universal Precautions

Treat all blood and bodily fluids as potentially infectious — without exception. This includes blood, saliva containing blood, human tissue, and other potentially infectious materials (OPIM).

Personal Protective Equipment (PPE)

Approved PPE Includes

  • Gloves
  • Masks
  • Protective eyewear
  • Face shields
  • Protective clothing

PPE Requirements

  • Wear PPE whenever required
  • Replace damaged PPE immediately
  • Dispose of contaminated PPE properly
  • Wash hands after glove removal
  • Follow CDC hand hygiene guidelines

Sharps Safety

Required

  • Use safety-engineered devices when available
  • Dispose of sharps immediately after use
  • Use only approved sharps containers

Prohibited

  • Recapping needles using two hands
  • Overfilling sharps containers

Sharps Container Standards

Containers must be puncture resistant, properly labeled, and replaced before they become overfull.

Exposure Incident Procedure

  1. Immediately wash the affected area
  2. Notify a supervisor
  3. Complete incident documentation
  4. Obtain a medical evaluation
  5. Follow post-exposure protocols

Hepatitis B Vaccination

OSHA Requirement

All eligible employees must be offered the Hepatitis B vaccine at no cost. Documentation of acceptance, declination, or vaccination records must be maintained.

⚗️ Hazard Communication Program

Chemical Inventory

  • Maintain a current chemical inventory at all times
  • Keep Safety Data Sheets (SDS) updated
  • SDS documents must remain readily accessible

Every Employee Must Know

  • Where SDS documents are located
  • Emergency response procedures for chemical exposure
  • Safe handling procedures for chemicals in use

Container Labeling

  • All containers must be properly labeled
  • Labels must not be removed or defaced
  • Replacement labels must be applied immediately if removed

🔥 Fire & Emergency Preparedness

Covered Emergency Scenarios

  • Fire emergencies
  • Severe weather events
  • Medical emergencies
  • Utility failures
  • Security threats

Equipment — Routine Inspection Required

  • Fire extinguishers
  • Emergency exits (clear and accessible)
  • First aid supplies
  • AED equipment (if applicable)

📋 Incident Reporting

Report All of the Following Immediately to Designated Management

Injuries · Exposure incidents · Safety hazards · Security incidents · Privacy incidents

🗂 Record Retention

Record Type                      Category
Risk assessments                 HIPAA
Policies and procedures          HIPAA
Training records                 HIPAA, OSHA
Breach investigations            HIPAA
Business Associate Agreements    HIPAA
Exposure incidents               OSHA
Vaccination records              OSHA
Safety inspections               OSHA
Exposure Control Plans           OSHA

Retention Period

All records must be retained according to applicable federal and state legal requirements.

Annual Compliance Checklist

🔒 HIPAA
🧤 OSHA