Compliance in Small Bites
Your trusted source for digestible insights into healthcare compliance.
With over 40 years of healthcare consulting experience, we bring specialized expertise in regulatory compliance, clinical documentation standards, and telehealth program oversight. This newsletter delivers practical, bite-sized guidance tailored for small to mid-sized healthcare organizations navigating the complexities of Medicaid and Medicare reimbursement.
Each weekly issue (often several are published in a week) features actionable strategies, coding tips, and updates on encounter coding for primary care, behavioral health, substance use disorder outpatient treatment, OTP, and intensive outpatient programs, designed to help you optimize reimbursement and maintain financial viability in today’s evolving healthcare landscape.
Each RAQ (Recently Asked Questions) quarterly issue is tailored to your state’s Medicaid services, if applicable.
Stay informed. Stay compliant. One bite at a time.
--------------------------------------------
Subscribe to "Compliance in Small Bites" to have all weekly issues delivered immediately to your inbox AND, if you are one of our first 100 subscribers, get unlimited e-mail questions answered for 12 months (from the date of your subscription). This is a $5000.00 value for the annual newsletter subscription of $1200. We will invoice you. Write to: Dr.Jones@ComplianceConsortium.org
Small Bites
Our most recent Compliance in Small Bites issues. Download as many as you want.
Interviewing Techniques for Detecting Fraud in Healthcare Organizations
8.13.2025
This Small Bite explores the critical role of interviewing in fraud detection within healthcare organizations. By leveraging structured questioning methods, behavioral analysis, and documentation review, investigators can uncover discrepancies and fraudulent activities.
This text outlines key techniques, ethical considerations, and best practices for conducting effective fraud detection interviews.
Introduction: Healthcare fraud is a pervasive issue that affects both public and private healthcare systems, leading to financial losses, compromised patient care, and legal consequences. Fraudulent activities in healthcare typically involve deliberate deception for financial gain, including billing schemes, falsified medical records, and kickbacks.
Copy the link below into your browser to purchase this Small Bite article.
https://payhip.com/b/2MRcx
Tips for Hurdling Outpatient Coding Obstacles
8.15.2025
In today’s healthcare economy, outpatient coding has become a make-or-break function for your revenue cycle. With value-based care, regulatory shifts, and rapid tech changes, you’re navigating a complex web of requirements while still trying to maintain accuracy and productivity. The outpatient setting adds to the pressure with higher volumes, quicker turnaround times, and a broad mix of services — from ED visits to same-day surgeries.
This Small Bite breaks down eight of the biggest outpatient coding challenges in 2025 and delivers data-backed strategies to help you overcome them.
Copy the link below to purchase this Small Bite article.
https://payhip.com/b/GZ89J
Leveraging Paid and Denied Claims Data and Medicaid Benefit Structures to Optimize Outpatient Behavioral Health Workflows
8.25.2025
Unlock the Power of Data with Our Latest Report!
Are you ready to revolutionize your business strategy? Our comprehensive report, "Leveraging Paid and Denied Claims Data and Medicaid Benefit Structures to Optimize Outpatient Behavioral Health Workflows," is packed with insights and data that can transform your approach to operational claims. With 3225 words of in-depth analysis, this report provides you with the tools you need to make informed decisions and stay ahead of the competition.
Discover how leveraging operational claims data can lead to improved efficiency, reduced costs, and enhanced customer satisfaction. Our expert analysis breaks down complex data into actionable insights, making it easier than ever to implement effective strategies.
Don't miss out on this opportunity to gain a competitive edge. Download your copy today and start transforming your business with the power of data! Follow this link for a free pdf copy of the report:
“The provisions of 45 CFR part 160 and subpart D of 45 CFR part 164 shall apply to part 2 programs ...."
Q. Would you please elaborate on the impact of this new requirement for Part 2 entities?
“The provisions of 45 CFR part 160 and subpart D of 45 CFR part 164 shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a covered entity with respect to breaches of unsecured protected health information.”
A.
Legal Responsibilities
1. Breach Definition and Scope
Part 2 programs must now treat any impermissible acquisition, access, use, or disclosure of patient records—or “breach”—in the same way HIPAA covered entities do. Under 45 CFR § 164.402, a breach is presumed whenever protected health information is improperly handled unless a documented risk assessment shows a low probability of compromise.
2. Notification Obligations
• Notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach.
• Report to HHS:
• For breaches involving 500 or more records, notify HHS and media immediately.
• For breaches involving fewer than 500, submit an annual report to HHS.
• Include prescribed content in notices: description of the breach, steps individuals should take, and mitigation efforts.
3. Enforcement and Penalties
• Subject to HHS Office for Civil Rights (OCR) enforcement.
• Penalties mirror HIPAA tiers for violations due to willful neglect, potentially reaching up to $1.5 million per calendar year, per violation category.
Operational Responsibilities
- Policies and Procedures
• Revise confidentiality manuals and Part 2 policies to incorporate HIPAA breach-notification provisions (45 CFR Part 160; 45 CFR § 164.400–414).
• Establish clear workflows for breach identification, investigation, risk assessment, and notification.
- Risk Assessment and Encryption
• Implement the HIPAA-mandated risk-assessment framework to evaluate each potential breach across four factors:
1. Nature and extent of the information involved.
2. Unauthorized person(s) to whom the disclosure was made.
3. Whether the information was actually acquired or viewed.
4. Extent of mitigation efforts.
• Apply NIST-compliant encryption to render Part 2 records “secure.” Encrypted data are excluded from breach notification requirements.
- Workforce Training
• Train all staff—including counselors and administrative personnel—on:
• New breach definitions and exceptions.
• Incident-reporting timelines and required documentation.
• Proper handling and encryption of electronic records.
- Business Associate Considerations
• Identify and enter into Business Associate Agreements (BAAs) with any third parties that handle Part 2 records (e.g., EHR vendors, billing services).
• Ensure business associates notify the Part 2 program of breaches within 60 days of discovery.
Financial and Resource Impact
• Compliance Costs:
• System upgrades for encryption and logging.
• Development and maintenance of breach-response teams and annual breach-reporting infrastructure.
• Potential Fines: Failure to comply with breach-notification requirements may incur civil monetary penalties up to $1.5 million per violation category per year.
Effects on Patient Trust and Confidentiality
• Transparency: Prompt, clear breach notifications can bolster patient confidence by demonstrating accountability.
• Risk of Re-Identification: Despite encryption and mitigation, unauthorized disclosures of substance use disorder (SUD) records remain highly sensitive; robust breach response is essential to preserve the historical confidentiality protections of Part 2.
Implementation Challenges and Recommendations
1. Harmonizing HIPAA and Part 2 Standards
• Conduct gap analyses to resolve conflicts between Part 2’s stringent redisclosure bans and HIPAA’s permitted uses.
2. Timeline for Roll-Out
• Establish a staged implementation:
1. Policy revision and staff training (0–3 months).
2. Technical upgrades and risk-assessment process development (3–6 months).
3. Dry-run breach exercises and final compliance audit (6–9 months).
3. Ongoing Monitoring
• Quarterly reviews of breach-response drills.
• Annual audit of breach logs against HHS report filings.
Conclusion
By subjecting Part 2 programs to HIPAA’s breach-notification regime, the rule aims to align the privacy safeguards for substance use disorder records with those for other medical records—but it demands significant legal, operational, and cultural shifts.
If you’d like to dive deeper into any specific operational challenges, such as crafting BAAs for EHR vendors, or explore templates for breach-notification letters tailored to Part 2 confidentiality requirements, visit ComplianceConsortium.org and fill out the “Contact Us” form, or write to Dr.Jones@ComplianceConsortium.org.