Healthcare is the only industry in California that operates under two independent federal compliance frameworks simultaneously — OSHA and HHS/OCR — on top of the state Cal/OSHA requirements that apply to every employer. You are regulated by agencies that do not talk to each other, do not coordinate their inspections, and do not care what the other agency requires.
A Cal/OSHA inspector does not give you credit for your HIPAA compliance. An OCR auditor does not care about your IIPP. And both of them will penalize you independently for failures in their respective domains. The fines stack. The corrective actions stack. The operational disruption of responding to two separate regulatory investigations at the same time can paralyze a practice.
This playbook covers the full compliance architecture for California healthcare employers: the eight baseline programs, the healthcare-specific Cal/OSHA programs, the HIPAA compliance requirements, and the operational integration that keeps all of it running without consuming every hour of your administrative staff's existence.
The 8 Baseline Programs (Healthcare Context)
Every baseline program takes on specific characteristics in a healthcare environment. Generic versions of these programs — the kind a consultant copies from a template library — will fail healthcare-specific inspection criteria.
**1. IIPP.** Your healthcare IIPP must address clinical hazards: needlestick injuries, chemical exposure from cleaning and sterilization products, patient handling injuries (the number one source of musculoskeletal injuries in healthcare), slip hazards from fluid spills, and the ergonomic demands of clinical work. An IIPP that does not reference these hazards is an IIPP written for a different industry.
**2. WVPP.** Healthcare workers face a higher rate of workplace violence than any other industry — four times the rate of the private sector overall. Your WVPP must address all four types of workplace violence, with particular emphasis on Type 2 (patient/visitor) and Type 4 (personal relationship). De-escalation training for clinical staff is not optional — it is the front line of your violence prevention program.
**3. Heat Illness Prevention.** Primarily relevant for facilities with outdoor workers (grounds maintenance, loading dock operations) and indoor environments without adequate climate control (some older facilities, laundry operations). Do not assume this does not apply to you — evaluate every work area.
**4. HazCom.** Healthcare facilities use a staggering number of chemicals: cleaning agents, sterilization chemicals, laboratory reagents, pharmaceutical compounds, anesthetic gases. Your SDS collection will dwarf most other industries. The organizational challenge is keeping it current as products are added, removed, and reformulated.
**5. Emergency Action Plan.** Healthcare emergency plans are uniquely complex because you cannot evacuate patients the way you evacuate a factory floor. Your plan must address patient evacuation or shelter-in-place by acuity level, continuity of care during emergencies, medication and equipment access during evacuation, and coordination with emergency services.
**6. Incident Investigation.** Healthcare incident investigation must navigate the intersection of worker safety events and patient safety events. A needlestick injury is both an employee safety incident (OSHA) and potentially a patient safety event (if it affects clinical decision-making or involves patient blood). Your investigation process must satisfy both frameworks without creating documentation that inadvertently waives peer review or quality improvement protections.
**7. OSHA 300 Log.** Healthcare recordkeeping requires particular attention to needlestick and sharps injury recording (the Needlestick Safety and Prevention Act added specific requirements), patient handling injury classification, and workplace violence injury recording.
**8. Training Records.** Healthcare training requirements are voluminous: OSHA-required safety training, HIPAA training, BBP training, ATD training, patient handling training, equipment-specific training, emergency procedure training. Tracking it all — who was trained, on what, when, by whom, and when it needs renewal — is an administrative undertaking that most practices underestimate.
Healthcare-Specific Cal/OSHA Programs
Bloodborne Pathogens (BBP) Exposure Control Plan
Section 5193. If your employees have occupational exposure to blood or other potentially infectious materials — and in healthcare, they almost certainly do — you must maintain a written Exposure Control Plan.
This is not a general awareness program. It is a specific, detailed plan that includes:
**Exposure determination.** Job classifications where all employees have exposure, and job classifications where some employees have exposure, with a list of the specific tasks and procedures that create exposure. "Clinical staff" is not specific enough. "Medical assistants performing venipuncture, wound care, and specimen handling" is specific enough.
**Methods of compliance.** Universal precautions (treating all blood and body fluids as infectious), engineering controls (needleless systems, sharps containers, self-sheathing needles), work practice controls (hand hygiene, no eating/drinking in clinical areas, specimen handling procedures), and PPE (gloves, gowns, face shields, masks).
**Sharps injury log.** A separate log from the OSHA 300 log, recording the type and brand of device involved, the department or work area, and a description of how the incident occurred. This log is used to evaluate engineering controls — if a particular device is generating injuries, it needs to be replaced with a safer alternative.
**Annual review.** The Exposure Control Plan must be reviewed and updated annually, and whenever new tasks or procedures affect occupational exposure. The annual review must specifically consider new engineering controls and evaluate whether current controls remain effective.
**Post-exposure evaluation.** When an exposure incident occurs, the employer must provide a confidential medical evaluation, including hepatitis B vaccination status review, source individual testing (with consent), exposed employee testing, post-exposure prophylaxis counseling, and follow-up testing.
Aerosol Transmissible Diseases (ATD)
California's ATD standard (Section 5199) is the most comprehensive airborne disease protection standard in the country. It applies to healthcare facilities, laboratories, public health services, and other settings where employees may be exposed to aerosol transmissible diseases including tuberculosis, measles, varicella, COVID-19, and novel respiratory pathogens.
Your ATD program must include:
**Written procedures.** Specific to your facility, describing how you identify, isolate, and manage patients with suspected or confirmed aerosol transmissible diseases. Not generic — specific to your physical layout, your patient flow, your ventilation capabilities.
**Source control measures.** How you identify potentially infectious patients at intake (screening questions, signage, triage protocols), how you implement respiratory hygiene and cough etiquette, and how you isolate patients who screen positive.
**Engineering controls.** Airborne infection isolation rooms (AIIRs) with negative pressure and appropriate air changes per hour. If your facility does not have AIIRs, your program must describe how you manage suspected ATD cases — including transfer protocols to facilities with appropriate isolation capacity.
**Respiratory protection.** N95 or higher respirators for employees with ATD exposure risk. This means a complete respiratory protection program: medical evaluation, fit testing, training, and program administration. Annual fit testing for every employee who may need to wear a respirator.
**Medical surveillance.** TB screening for employees with exposure risk, at minimum. Vaccination status tracking for vaccine-preventable aerosol transmissible diseases.
**Surge procedures.** What happens when the number of suspected or confirmed ATD cases exceeds your isolation capacity? COVID-19 taught every healthcare facility this lesson the hard way. Your program must have documented surge procedures.
Patient Handling / Safe Patient Mobility
California's Hospital Patient and Health Care Worker Injury Protection Act (SB 1300) requires healthcare facilities to implement safe patient handling programs. Musculoskeletal injuries from patient handling — lifting, transferring, repositioning — are the number one injury in healthcare by frequency and by cost.
Your safe patient handling program must include:
**Patient handling assessment.** Evaluate every patient handling task in your facility: transfers, repositioning, ambulation assistance, bathing, toileting, transport. Identify which tasks create ergonomic risk and which patient populations present the highest handling demands.
**Mechanical lift equipment.** Ceiling-mounted lifts, floor-based lifts, sit-to-stand devices, lateral transfer aids. The standard requires that equipment be available — not just purchased, but accessible where and when it is needed.
**Training.** All patient handling staff must be trained on proper body mechanics, equipment use, patient assessment for mobility needs, and the facility's safe patient handling policy. Training must be hands-on — a PowerPoint about lift equipment does not teach anyone how to use lift equipment.
**No-lift policy.** Many facilities have adopted policies that prohibit manual lifting of patients except in emergency situations. Whether you adopt a formal no-lift policy or not, your program must demonstrate that you are moving away from manual lifting and toward mechanical assistance.
HIPAA Compliance Framework
HIPAA compliance operates on a parallel track to your occupational safety programs. Same facility, same employees, completely different regulatory framework, completely different enforcement agency.
Security Risk Assessment (SRA)
The HIPAA Security Rule requires a comprehensive risk assessment of your electronic protected health information (ePHI). This is the most important HIPAA compliance activity, and it is the one most healthcare organizations either skip or perform inadequately.
The SRA must evaluate:
**All systems that create, receive, maintain, or transmit ePHI.** This is not just your EHR. It includes email, text messages, fax transmissions, billing systems, scheduling systems, patient portals, mobile devices, removable media, cloud storage, and every other system that touches patient data.
**Threats and vulnerabilities.** What could go wrong? Unauthorized access, malware, ransomware, lost devices, employee snooping, business associate breaches, physical theft, natural disasters, system failures.
**Current security measures.** What controls are in place? Access controls, encryption, audit logs, backup systems, physical security, workforce training, incident response.
**Risk level determination.** For each identified threat/vulnerability combination, assess the likelihood and impact. This is not a checklist exercise — it is an analytical process that evaluates your specific environment, your specific threats, and your specific controls.
**Risk management plan.** For each identified risk above your acceptable threshold, document the planned remediation: what you will do, when you will do it, who is responsible, and how you will verify effectiveness.
The SRA must be performed at least annually and whenever significant changes occur in your environment (new EHR system, new locations, significant staffing changes, security incidents).
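An added illustration, not from the original page or from Protekon: a minimal risk register that scores each threat/vulnerability combination and flags any above-threshold risk whose remediation plan is missing one of the four elements named above (what, when, who, how verified). The 1..5 scale, the threshold of 10, and every sample entry are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Scoring scale is an assumption for this example (the page prescribes none): likelihood and
# impact are each 1..5, risk = likelihood * impact, and any risk at or above the threshold
# must carry a remediation plan recording what, when, who, and how effectiveness is verified.
ACCEPTABLE_THRESHOLD = 10

@dataclass
class Remediation:
    action: str           # what you will do
    due: Optional[date]   # when you will do it
    owner: str            # who is responsible
    verification: str     # how you will verify effectiveness
    def missing_fields(self) -> list[str]:
        return [label for label, value in (("what", self.action), ("when", self.due),
                ("who", self.owner), ("verify", self.verification)) if not value]

@dataclass
class RiskEntry:
    system: str           # ePHI system: EHR, portal, fax, laptops, ...
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    remediation: Optional[Remediation] = None
    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"likelihood/impact must be 1..5: {self.system}/{self.threat}")
    def score(self) -> int:
        return self.likelihood * self.impact

def review_register(register: list[RiskEntry]) -> list[str]:
    """Findings: above-threshold risks whose remediation plan is absent or incomplete."""
    findings = []
    for entry in register:
        if entry.score() < ACCEPTABLE_THRESHOLD:
            continue  # accepted risk; no plan required
        label = f"{entry.system}/{entry.threat} (risk {entry.score()})"
        if entry.remediation is None:
            findings.append(f"{label}: no remediation plan")
        elif gaps := entry.remediation.missing_fields():
            findings.append(f"{label}: plan incomplete, missing {', '.join(gaps)}")
    return findings

# Constructed sample register; values are illustrative, not from any real assessment.
SAMPLE_REGISTER = [
    RiskEntry("EHR", "ransomware", "backups reachable from production", 4, 5,
              Remediation("Offline backup copy", date(2025, 3, 31), "IT director", "Quarterly restore test")),
    RiskEntry("Staff laptops", "device loss", "disk not encrypted", 3, 4),
    RiskEntry("Fax line", "misdirected fax", "no recipient confirmation", 2, 3),
    RiskEntry("Patient portal", "credential stuffing", "no MFA", 4, 3,
              Remediation("Enable MFA", None, "", "Review login audit logs")),
]
```

Running `review_register(SAMPLE_REGISTER)` reports the unencrypted laptops (no plan at all) and the portal (plan with no due date or owner), while the fully planned EHR risk and the below-threshold fax risk produce no finding.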
**The enforcement reality:** HHS/OCR investigated over 800 healthcare breaches in the last three years. In nearly every investigation, the first document requested is the Security Risk Assessment. If you do not have one, or if your SRA is a purchased template with your name on it, the investigation escalates immediately. OCR has levied penalties ranging from $100,000 to $16 million specifically for SRA deficiencies.
Business Associate Agreement (BAA) Tracking
Every third party that accesses, creates, receives, maintains, or transmits PHI on your behalf is a business associate. Every business associate must have a current, executed BAA before they touch any PHI.
The BAA tracking challenge in healthcare:
- EHR vendors
- Billing companies
- Clearinghouses
- IT service providers (including cloud hosting, managed services, backup providers)
- Shredding companies
- Collection agencies
- Transcription services
- Legal counsel (when accessing PHI for legal matters)
- Accountants (when accessing PHI for auditing)
- Answering services
- Email service providers (if they can access email containing PHI)
- Communication platforms (telehealth, secure messaging)
Most healthcare organizations undercount their business associates by 30-50%. Every uncovered business associate is an unmanaged risk vector and a HIPAA violation.
**Tracking requirements:** Maintain a master BA inventory with: entity name, services provided, BAA execution date, BAA renewal/expiration date, key contact, and breach notification provisions. Review quarterly for completeness. Update immediately when vendor relationships begin or end.
Breach Notification
When a breach of unsecured PHI occurs — or when you suspect one has occurred — the HIPAA Breach Notification Rule imposes specific timelines and requirements:
- **Individual notification:** To each affected individual, within 60 days of discovery
- **HHS notification:** Within 60 days for breaches affecting 500+ individuals; annual report for breaches affecting fewer than 500
- **Media notification:** Within 60 days for breaches affecting 500+ individuals in a single state or jurisdiction
- **Documentation:** All breach analyses, notifications, and corrective actions documented and retained for six years
"Discovery" is a legal term — it means when you knew or should have known about the breach. Ignorance is not a defense if a reasonable organization would have detected the breach through normal security monitoring.
Clinical Violence Prevention
Healthcare workplace violence deserves special attention beyond your general WVPP because the risk profile is fundamentally different from other industries.
**Patient-generated violence** accounts for the majority of healthcare workplace violence incidents. Patients in pain, under the influence of substances, experiencing psychiatric crises, or suffering from cognitive impairment can become violent with little or no warning. Your clinical violence prevention program must:
- Screen patients for violence risk at intake and at transitions of care
- Flag charts of patients with violence history
- Provide de-escalation training specific to clinical settings (restraint is a last resort, not a first response)
- Establish safe room protocols for clinical areas
- Ensure panic buttons or duress alarms are installed and functioning in treatment areas, waiting rooms, and parking structures
- Staff treatment areas to avoid lone worker situations, particularly during evening and night shifts
- Develop protocols for managing visitors who become threatening
**Post-incident support** in healthcare must be clinically appropriate — your employees are clinicians who may minimize their own psychological injuries because they are trained to prioritize patient needs. Mandatory check-ins after violent incidents, EAP referrals, and peer support programs are operational necessities, not optional benefits.
Dual-Framework Integration
The operational challenge for healthcare employers is not understanding each individual requirement — it is running all of them simultaneously without duplication, contradiction, or gaps.
**Training integration.** Your employees need Cal/OSHA safety training, HIPAA privacy and security training, BBP training, ATD training, workplace violence prevention training, patient handling training, and clinical competency training. If you schedule each as a separate training event, your staff will spend more time in training rooms than in clinical areas. Integrate where possible: BBP and infection control can share a session. WVPP and clinical violence prevention are natural companions. HIPAA security and cybersecurity awareness overlap significantly.
**Documentation integration.** Your incident investigation process should capture both OSHA-reportable and HIPAA-reportable elements in a single workflow, then route the appropriate information to the appropriate program files. You do not need two separate investigation processes — you need one process with two output streams.
**Audit integration.** Schedule your annual IIPP review, your annual WVPP review, your annual HIPAA SRA, your annual BBP plan review, and your annual ATD program review in the same quarter. Not the same day — but the same quarter, so that annual compliance is a concentrated effort rather than a perpetual trickle that never quite gets completed.
Protekon Manages the Dual Framework
Healthcare compliance is not twice as complex as other industries — it is exponentially more complex because two independent regulatory frameworks create interaction effects that neither framework addresses on its own.
Protekon manages both tracks as an integrated compliance system: Cal/OSHA programs and HIPAA programs running on coordinated schedules, with unified documentation, integrated training tracking, and a single view of your compliance status across both frameworks.
When the Cal/OSHA inspector arrives, your safety programs are current. When the OCR auditor arrives, your HIPAA programs are current. When both arrive in the same month — and they will, eventually — you are not scrambling to rebuild documentation from memory. The system is running. The records exist. The programs are real.
That is what healthcare compliance looks like when it is managed as a system instead of endured as a burden.