This is where you may upload reports you receive from your IT vendors, OIG (Office of Inspector General) exclusion lists, security incidents, non-employee agreements, and miscellaneous documents you want to store for future HIPAA requirements.
Once you click on the Upload tab from your Profile page, select what type of documentation you are uploading. Select the file from your computer to upload.
NOTE: When naming your files BEFORE you upload load them, we suggest starting each file with a date.
For example:
220201 IT summary report or 2023 0201 IT summary report
220622 OIG Smith Mary New hire or 220601 OIG Annual report
220115 Security Incident - malware found
210315 Non-Employee - Cleaning company agreement
IT Vendors:
Request monthly reports from your IT company. Depending on the system they use, these reports will vary. Such as:
Access logs (if they provide this service)
Asset management summary
Device health report
Network audit report
Software list
Again, labeling these reports in chronological order is helpful to be able to locate them should you need them.
Example: 220601 or 2023 0601 "REPORT NAME"
OIG Exclusions list:
It is very important to make sure you do not hire anyone that has committed Medicare or Medicaid fraud or been convicted of elder abuse. Be sure to check this list before you hire new employees. This link is located in the Employee (Workforce) Clearance Checklist.
https://exclusions.oig.hhs.gov/
- The database only includes the name known to OIG at the time the individual was excluded, any former names used by the individual (e.g., maiden name, previous married name, etc.) should be searched in addition to the individual's current name.
- An individual with a hyphenated name should be checked under each of the last names in the hyphenated name (e.g., Jane Smith-Jones should be checked under Jane Smith and Jane Jones, in addition to Jane Smith-Jones).
- If checking only a few names, use the Online Searchable Database to search up to five names at once.
- If checking many names, consider downloading the Downloadable Database into a spreadsheet or database program. This will enable the user to use that program's search functions to crosscheck the names against the thousands of names on the LEIE. Verify the correct spelling of any names before starting a search.
- For a potential match, verify the results by entering the SSN for an individual or EIN for an entity on the Online Searchable Database. (Note: The Privacy Act prohibits the distribution of SSNs so they cannot be included in the Downloadable Database).
The OIG would like to you check this list monthly, but that is very difficult to keep up with if you have a larger organization. We recommend selecting a few employees each month to check. Then, checking all employees annually. NOTE: If you have an employee that is acting strange, or is having financial difficulties, it is suggested to check their name more often.
After your search, use the “PRINT SCREEN” key on the top of your keyboard to copy the screen. Use “CTRL” “V”, to paste in a word document.
If you receive a name that is on the Exclusion list, you will need to verify the person with the social security number you have on file. If it is NOT the same person, just make a note of this on your word document.
If they ARE on the list, they must be terminated immediately. It is best to check this list BEFORE hiring any new employees. If you are audited by CMS, they can and will deduct all Medicare and Medicaid payments made for all patients that this person was in contact with. This can be devastating if this person worked in billing.
When saving the file, we recommend using a consistent format, such as starting with the year, month, day.
For example: “2023 0512 OIG Smith Mary” or for annual “2023 0115 OIG Annual”.
To upload your file to the 7-Step HIPAA Keeper™ system, go to your Profile page and on the right side click on UPLOADS.
Add new, Click *Type and choose OIG Checklists from the dropdown.
*Files – click on the Drop Files here to upload and choose the file from your computer.
Then, Click Create Upload.
Security Incidents:
If you were to experience a security incident, these should be documented utilizing the Security Incident Form under Step 2. Examples of incidents are a lost or stolen device, malware, unusual activity in your network, suspected data breach or confirmed breach. Again, using the date format mentioned above, this will keep your documentation in chronological order.
Example: 220115 or 2023 0115 Security Incident - malware found
Non-employee agreements:
When you hire a cleaning company or an intern, you should consider requiring them to sign a confidentiality agreement for a non-employee so they understand their requirements.
Miscellaneous documents:
Any other supporting documentation that could assist in on-going compliance efforts may be uploaded here. Be sure to name the files accordingly.
