BCG Vaccine and TB Skin Testing

The Bacille Calmette-Guérin (BCG) Vaccine is a vaccine for tuberculosis disease, often given in countries where TB is common. It is not commonly given in the US, due to the lower risk of TB infection, and because it has variable effectiveness against adult pulmonary TB.

The vaccine has the potential to cause a false positive TB skin test reaction, and there is no way to distinguish a positive TB skin test reaction caused by BCG vaccination from a reaction caused by a true TB infection. The effect wanes after about five years from vaccination, but repeated skin testing may boost reactivity in vaccinated people. Therefore, if you have a new hire who has received the BCG vaccine in the past five years, it is recommended to use the blood test and not the skin test when conducting baseline TB testing. BCG vaccination does not induce positive results when the blood test is used.

It would be helpful to ask new hires whether they’ve received the BCG vaccine prior to their start dates to avoid false positives and possible duplication of testing.

Risk Management for HIPAA Security

Note: This is an abridged version of the article. For more details regarding risk management, technical assessments, and additional resources, please sign in to Member Services.

In a recent video, the Office for Civil Rights (OCR) announced that it is expanding its Security Risk Analysis (SRA) enforcement initiative to include Risk Management (RM). RM is a requirement of HIPAA’s Security Rule at paragraphs 164.306(a) and 164.308(a)(B), and is intended to ensure that actions are taken to reduce risks and vulnerabilities to a reasonable and appropriate level.

Before risk management (RM) activities begin, entities should:

  • identify risks and vulnerabilities
  • consider risks and vulnerabilities to all EPHI created, received, maintained or transmitted

One of the best ways to identify and consider risks and vulnerabilities is to conduct an SRA on a regular basis (annually and/or whenever significant changes are made to the network or information systems). An SRA can help inform the RM decisions, because the SRA process brings risks and vulnerabilities to light, and allows entities to document what is currently in place and see where improvement is needed.

Understanding Risks

Although the Security Rule is flexible and scalable, and no one technology or solution is required to achieve compliance, some commonly utilized approaches address known risks, and therefore should be implemented. No specific type of approach is required, but safeguards must be in place and evaluated to determine whether they are properly reducing risk.

It’s not enough to just do “something.” The action taken must reduce risk to a reasonable, appropriate level. For example, let’s say an entity implements a requirement for password length, but the requirement is weak. Does a four-character password sufficiently reduce risk? The answer is no.

Many known threats can be reasonably anticipated, such as power outages, natural disasters and cyberattacks. In 2025, 76% of large breaches were caused by hackers/cyberattacks. An important part of RM is to review security measures and modify them as needed to protect against new strains of ransomware and recently discovered vulnerabilities.

If an entity were investigated, OCR would send a data request asking for RM policies and procedures, and evidence that security measures were implemented. Policies and procedures are important but alone are not evidence of implementation. For example, an entity could have policies but not be following them. In addition, remediation and corrective actions are often delayed year after year.

Implementing Risk Management

If implementation is not completed, then the entity is not in compliance with the RM standard. Prioritizing RM within the constraints of budget and operational capability allows entities to consider factors such as size, complexity and capability, technical infrastructure, costs of security measures and probability of potential risks. Cost is not meant to free an entity completely from obligations under the Security Rule. OCR would assess whether risks and vulnerabilities were reduced to a reasonable and appropriate level. Mitigation plans, time frames, approvals and status reports can help an entity to demonstrate that it is taking steps to implement RM.

Technical Assessments

The Security Rule does not require third parties to perform assessments, so an internal IT team or your existing IT vendor could be used to provide assessments, reports, etc. Third parties can help to verify and assess network and system security and can be a useful tool.

Resources

Note that subscribers to the Eagle Associates HIPAA Compliance System (HCS) have access to policies, an implementation guide, staff training, and a Security Risk Analysis tool, along with support for questions.

Video Tips for Compliance Officers

Eagle Associates offers short-form videos featuring tips for compliance officers! Topics span the full range of our compliance programs (HIPAA, OSHA Safety, and OIG) and are based on common questions that we receive.

Recent video tips include:

Video Tips can be found on each individual program page in Member Services, under “Compliance Officer Resources.”

Not yet a subscriber? Get access to these resources and more with Eagle Associates’ comprehensive compliance services. Request more information today!

Federal Department of Labor Posters

Employers are required to display a number of posters concerning federal labor laws in the workplace. Fortunately, every required poster is available free of charge for download from the Department of Labor website: https://www.dol.gov/general/topics/posters

If you know what posters you need, simply use the links provided in the list under the “Compliance Assistance Materials” heading. If you are unsure of what is required for your workplace, click on the first link titled “FirstStep – Poster Advisor.” The Poster Advisor will walk you through a series of questions, and then present you with a list of required posters that you may download and print. Many posters are also available in other languages if needed.

Note that OSHA’s Job Safety & Health – It’s The Law poster must be at least 8.5”x14”. If your printers are not capable of printing legal size, you may order a free copy from the OSHA Publications web page: https://www.osha.gov/publications/publication-products?publication_title=It%27s+the+Law+Poster

Hazard Communication Standard Compliance Dates Extended

In a Federal Register notice dated January 15, 2026, OSHA announced that some of the compliance dates for the Hazard Communication Standard changes that were published on May 20, 2024 will be extended. OSHA has indicated that it has been working to finalize key guidance but was unable to finish the guidance in time for affected entities to benefit from it by the original compliance dates.

Compliance dates are extended as follows in 1910.1200 paragraphs (j)(2) and (3):

(j)(2)

(i) Manufacturers, importers, and distributors evaluating substances shall be in compliance with all modified provisions of this section no later than May 19, 2026.

(ii) For substances, all employers shall, as necessary, update any alternative workplace labeling used under paragraph (f)(6) of this section, update the hazard communication program required by paragraph (h)(1) of this section, and provide any additional employee training in accordance with paragraph (h)(3) of this section for newly identified physical hazards, health hazards, or other hazards covered under this section no later than November 20, 2026.

(j)(3)

(i) Chemical manufacturers, importers, and distributors evaluating mixtures shall be in compliance with all modified provisions of this section no later than November 19, 2027.

(ii) For mixtures, all employers shall, as necessary, update any alternative workplace labeling used under paragraph (f)(6) of this section, update the hazard communication program required by paragraph (h)(1) of this section, and provide any additional employee training in accordance with paragraph (h)(3) of this section for newly identified physical hazards, health hazards, or other hazards covered under this section no later than May 19, 2028.

So, for employers, the extension affects updating alternative workplace labeling (if applicable) for substances and mixtures and training for newly identified hazards. Alternative workplace labeling is only required if you take a product out of its primary, labeled container and put it into a secondary, unlabeled container.

Eagle Associates has provided a system for alternative workplace labeling for subscribers of the Custom Safety Program. This can be found in the “Hazard Communication” section of the “Safety Archive” page in the Member Services area of the website. Navigate there by logging in to Member Services and scrolling to the end of the Custom Safety Program main page. If you need assistance, call or email our office at (800) 777-2337, info@eagleassociates.net. You may need to provide additional employee training for newly identified hazards by November 20, 2026 for substances and by May 19, 2028 for mixtures, as identified in newly updated Safety Data Sheets that will be provided by manufacturers and suppliers on or before their new deadlines.
Please note that subscribers to Eagle Associates Custom Safety Program have already received policy updates, and updated training materials. Subscribers to the American Practice Advisor® and the e-Compliance Training Program have also received updated training materials.

Artificial Intelligence & Cybersecurity

Many health and dental care organizations have already begun implementation of various forms of artificial intelligence (AI) technology into their operations (e.g., AI phone menus, AI transcription, etc.). Although the use of AI has its benefits, cybersecurity must be considered, because under HIPAA’s Security Rule, you are required to ensure the security of all PHI that is received, stored, and transmitted.

The National Institute of Standards and Technology (NIST) is an organization that develops best practices and standards for infrastructure, systems, networks and more. NIST has developed guidelines for cybersecurity in the AI era titled “Cybersecurity Framework Profile for Artificial Intelligence.” You can find the guidelines here. These guidelines focus on ways that organizations can secure their AI systems, defend against cyberattacks, and thwart AI threats.

It can be very helpful to share NIST guidance with your IT vendor, who should also be involved in implementation of AI technologies. Your IT vendor can identify areas of risk and help to mitigate them. Some of the NIST guidance may be difficult to understand for those who are not IT experts. However, the guidance may assist you in identifying risks you hadn’t even considered when adopting AI.

Foundationally, you should have a business associate agreement (BAA) with any vendor that provides AI services, and which will access, transmit, store, or work with EPHI. Be sure to obtain the BAA prior to granting any access to EPHI.

In addition, all AI technologies should be evaluated as part of your Security Risk Analysis (SRA) to identify any vulnerabilities and risks associated with the products. Corrective actions may be identified during the SRA to reduce/mitigate risks that are present. Again, your IT vendor will be an important resource in this area.