PYA Covid-19 Information Hub
Published May 26, 2020

COVID-19: Compliance Implications for Physician Practices

Business interruptions, significant changes to care delivery, financial hardships, and a deluge of regulatory guidance are making it more difficult for physician practices to keep up during the pandemic.  Healthcare compliance has always been complex; and now, in light of COVID-19, the pace of change has increased exponentially. PYA has identified six areas in which to focus compliance efforts to best support practice operations and patient care now and into the foreseeable future.

  1. Relief funds and loan proceeds – Providers are receiving much-needed relief in the form of Small Business Administration (SBA) loans and other forms of funding; however, each of these funding sources comes with a unique set of rules and guidelines. Regardless of funding source, practices must implement a robust expense tracking mechanism to ensure they use funds compliantly and avoid double counting expenses. Additionally, practices should consider the following:

Paycheck Protection Program (PPP)

    • Retain thorough documentation justifying the practice’s need to apply for and retain/use PPP funding. Document factors considered, such as existing and anticipated cash on hand, decreases in volume and receivables, anticipated payment delays, monthly expenses, inability to fully utilize and pay staff, etc.
    • Ensure approved payroll costs, as defined in the CARES Act, comprise at least 75% of the borrower’s use of loan funds to avoid deterioration of loan forgiveness.
    • Ensure remaining funds are used appropriately for allowable expenses, such as rent and utilities.
    • Document a clear trail of funds’ use.
    • Maintain documentation to support the impact of any staffing changes, including changes in full-time equivalent (FTE) counts, salary reductions, etc. on PPP use of funds or forgiveness calculations.
    • Determine the process for applying for loan forgiveness; evaluate data requirements and calculations, and review attestation requirements.
    • See PYA’s “Paycheck Protection Loan Program for Small Businesses” for additional guidance.

Economic Injury Disaster Loan (EIDL)

    • Evaluate whether EIDL funds can be refinanced as part of a PPP loan, if a PPP loan is obtained.
    • Ensure loan proceeds, including the $10,000 emergency advance/grant, if obtained, are not used for the same purposes as the allowable uses of the PPP loan.
    • Ensure emergency advance/grant are used for payroll, sick leave, increased supply costs, rent/mortgage payments, and certain other allowed items.
    • Track expenditures and maintain supporting documentation showing how each loan’s funds are used.

CARES Act Provider Relief Fund General Distribution (First and Second Rounds)

    • Review terms and conditions, and attest to compliance with same as well as to receipt of funding—applies to both rounds, whether funds were automatically sent by the Department of Health and Human Services (HHS) for both rounds, or, in the case of second round funding, applied for by the entity.
    • Submit required supporting documentation as part of Round 2 attestation.
    • Ensure funds are not used to reimburse expenses or losses that have been reimbursed from other sources or that other sources are obligated to reimburse. For example, the portion of salary expenses listed under the PPP for purposes of loan forgiveness cannot also be claimed as an expenditure of relief fund payments.
    • See PYA’s “Relief Fund Payments Arriving in Provider Bank Accounts with Strings Attached” and “Latest Updates – $100 Billion COVID-19 Provider Relief Fund.”
  1. Infection control and emergency preparedness – Safety of employees is crucial at all times, but the COVID-19 pandemic has shed light on additional areas where practices should focus to protect providers and staff. The Department of Labor and HHS have released guidance on preparing workplaces for COVID-19.
    • Develop and implement an infectious disease preparedness and response plan, and be sure to include it in your policies and procedures. Train all staff (depending on risk level and likelihood of exposure) on patient care protocols and changes to existing workflows or processes.
    • Create policies and procedures surrounding increased absenteeism that may result from the COVID-19 pandemic, with consideration given to Families First Coronavirus Response Act (FFCRA) requirements, as applicable. Develop contingency plans that outline how care should be delivered with a reduced staffing complement or lack of resources.
    • Implement preventive measures to reduce infection within your practice and among employees. Promote frequent hand washing, provide hand sanitizer in all clinical and patient-facing spaces, and ramp up existing housekeeping practices.
    • Mitigate workplace hazards by providing ample personal protective equipment (PPE) needed by staff to deliver care. Ensure patient rooms have sufficient gloves, masks, and soap/sanitizer. When preparing rooms for the next patient, be sure all hazardous waste is disposed of appropriately, linens or paper liners are removed and replaced, and the room is thoroughly sanitized.
    • Consider providing online or virtual training to all employees regarding OSHA and emergency preparedness. This is a good time to refresh staff on appropriate protocols and provide an opportunity to ask questions or raise concerns, particularly as many practices have not previously dealt with infectious disease matters of this scale.
  1. Billing, coding, and documentation – Compliant billing and coding practices are always important, but with the emergence of temporary guidance and newly covered services and healthcare delivery options, the task may become more challenging. Many practices are working with a reduced staffing complement, making it more difficult to implement internal training and auditing processes. In light of COVID-19, it is vital that practices stay up to date on payer-specific and locality-specific regulations that impact billing, coding, and documentation requirements.
    • Review payer and state-specific guidance for services added during the COVID pandemic to ensure they are provided, documented, and billed in a compliant manner.
    • Telehealth services –
    • Update your billing systems and processes to ensure you do not balance bill any out-of-network patient for COVID-19-related treatment if you received CARES Act Provider Relief Funding.
    • Evaluate the amount of COVID-19 care provided to uninsured individuals and the process for billing the Health Resources & Services Administration (HRSA) for its COVID-19-related care. If it makes sense from a cost (time, resources)/benefit perspective, then follow the outlined process, including provider enrollment and claim filing via the HRSA portal established for that purpose. The funding pool is not unlimited, so providers wishing to submit claims should do so sooner rather than later.
    • Educate billing and collections staff on these regulations, and monitor denials and patient-responsible balances to identify potential risk areas. Modify procedures to ensure the practice does not pursue collections activity for patients or services protected by regulatory constraints or loan terms and conditions.
    • Ensure all criteria are met for claims submission for any out-of-state providers rendering services on behalf of the practice subject to CMS provider credentialing and enrollment requirement waivers. Update CMS enrollment records with any changes, including additional or closed locations.
  1. HIPAA privacy and security – While some flexibility is offered related to the provision of telehealth services, practices are still expected to comply with HIPAA privacy and security rules. Practices must be diligent in monitoring administrative, physical, and technical safeguards in place, particularly as the work environment shifts from the practice to remote and back.
    • Monitor Office of Civil Rights (OCR) guidance for any changes to its temporary suspension of violation enforcement; the OCR issued a Notification of Enforcement Discretion that stated covered healthcare providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the “good faith” provision of telehealth during the COVID-19 public health emergency. As a result, providers are currently able to utilize social media video conferencing platforms (i.e., FaceTime, Facebook Video, Skype, etc.) to provide telehealth services to patients.
    • Ensure the practice is not applying this Notification of Enforcement Discretion to HIPAA responsibilities related to the delivery of other services.
    • Evaluate long-term telehealth plans and the potential for increased adoption of, and coverage related to, telehealth on a go-forward basis. If your practice anticipates higher demand for these services, deploy a HIPAA-compliant telehealth solution now that can also be used in the future, once the Notice of Enforcement Discretion has expired.
    • Ensure devices used by employees to conduct business from home are encrypted, and any remote access to practice systems is secure (i.e., virtual private network [VPN], two-factor authentication, etc.).
    • Update current policies and procedures to include specific guidance for remote workers, including adding language that highlights expectations for secure access and storage to protected health information (PHI) when working from home.
    • Monitor access logs on a more frequent basis, paying close attention to any unauthorized or unnecessary access to patient records or other PHI.
    • Transmit medical records via secure methods only, even when working with a reduced staffing complement or experiencing a high volume of requests. Avoid the temptation to eliminate or reduce the safeguards in place to protect this information. As referenced earlier, the enforcement discretion applies to telehealth services only, and practices are still expected to comply with HIPAA as it relates to medical records maintenance and transmission.
    • Consider providing online or virtual training to all employees regarding HIPAA rules and practice policies and procedures. This is a good time to refresh staff on what is expected of them and provide an opportunity to ask questions or raise concerns, particularly as staff navigate telework.
    • See “COVID-19 Compliance Today and Tomorrow” for more information on HIPAA in the midst of COVID-19.
  1. Financial controls – While workflows and processes in place may be disrupted by the COVID-19 pandemic, practices should continue to enforce financial controls and communicate accordingly with employees to protect cash flows.
    • Continue segregating duties such that those employees taking payment are not the same employees performing final batch reconciliation or deposit preparation, even if you are working with a reduced staffing complement.
    • Establish policies for staff who may temporarily be working remotely and taking and posting patient credit card payments.
    • Maintain all appropriate payment documentation, and enforce batch reconciliation or end-of-day processes.
    • Inform staff of all changes if updating payment plan parameters to accommodate patient financial challenges; require authorization for any case-by-case variations.
    • Ensure your ordering process has the proper checks and balances in place such that orders require approval, and discretionary or non-essential spending is limited.
    • Perform invoice reconciliation, and ensure any checks for accounts payable are signed, or reviewed if paid via online banking, by the appropriate personnel (i.e., physician owners, practice administration, etc.). The reviewer should have access to the corresponding invoice for review prior to payment approval.
    • Revisit any changes your practice made to its financial controls as office operations resume. In the meantime, practices should continue communicating with staff regarding expectations and diligently monitor these processes to the extent possible.

PYA has nearly four decades of experience in supporting medical practices. With extensive proficiency in auditing compliance and developing policies, procedures, and workflows for physician practices, PYA helps clients navigate through the COVID-19 pandemic.

If you would like additional guidance related to COVID-19, visit PYA’s COVID-19 hub. If you have any questions regarding these key compliance areas, or require assistance in developing action plans for implementing them, contact one of our PYA executives below at (800) 270-9629.

Executive Contacts

Interested in Learning More?

Sign Up for Our Insights, Including COVID-19 Bulletins!



    Select Your Subscriptions