Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors. Due to the unique language of acupuncture, there will be errors, so we suggest you watch the video while reading the transcript.
Hi, everybody. Good morning. Good afternoon. My name is Dr. Perry Barnhill, and welcome to the Fearless Acupuncturist. First, I want to thank the AAC Info Network for having us here to discuss with you the importance of HIPAA and how it relates to your office. Slides, please. Why HIPAA matters in the acupuncturist’s office, protecting your practice and protecting your patients.
Again, my name is Perry Barnhill. I have certifications in coding, certified medical auditing, certified professional compliance, and certified HIPAA privacy and security. Meaning, I can see what the HIPAA auditors are looking for. And this is why we’ve designed a HIPAA program for you acupuncturists, because we live in a world where we take care of patients as well.
So in regards to HIPAA, what is it that most of us think? A lot of us think that it’s about not talking about patients outside of the office. It’s not leaving patients’ names or their files or their charts in plain sight. We don’t discuss their diagnoses or their conditions out loud.
What about sign-in sheets? A lot of us think that we don’t have a sign-in sheet that’s visible for everybody to see, so maybe we’re good. Or maybe you have a manual, and it’s on the shelf. It’s getting dust all over it, and we’ve never touched it. Some people think that, hey, if we have a manual, if it’s filled out, we’re good to go.
Or sometimes we think, hey, listen, I already have an appointed compliance officer. They’re doing everything they’re supposed to. Actually, you hope that they’re doing everything they’re supposed to. And so that means I’m good. So what does compliance, HIPAA compliance specifically, mean? What it means is this: a compliance program.
It’s a continuous, living, breathing program. It’s something that has to be implemented upon, meaning we have to act upon it. We can’t just, like I said earlier, have it, fill it out and deal with it once and then just leave it alone. It’s not cookie cutter. It can be customized to each individual office, depending on how you do things.
Again, it must be routinely referenced, and it doesn’t matter, even if you spend a ton of money on it. 3,000, some people spend that kind of money on these things. Even if it was an expensive manual, it still has to be filled out, it has to be acted upon, and we have to make sure we’re doing the things that we’re supposed to be doing.
Is compliance mandatory? This is a question that I get all the time. A lot of providers or acupuncturists are only doing cash. A lot of you don’t participate in any insurance company. A lot of you don’t do any kind of Medicare at all, but it’s still mandatory. HIPAA compliance is mandatory, even if you’re full cash, even if you have nothing to do with insurance, and even if you have nothing to do with Medicare.
A lot of times we wonder about the HIPAA audits: what is a HIPAA audit all about? How does it come about as well? They can be random. And guess what? Recently the OCR, you’ll hear me refer to the Office of Civil Rights by the acronym OCR, those are the police of HIPAA, and they literally just recently announced that they are going to really start ramping up random audits of offices.
So again, this is another reason we’re going to really need to be on our toes and make sure that we’re doing the things that we’re supposed to be doing, because it’s not worth the risk of not doing them, which we will talk about here in just a moment. Another way that we get audited by HIPAA or the OCR is complaints from patients.
Sometimes, if a patient complains, they have to investigate by law, and they will. We can have staff members, usually it’s a former staff member, someone who’s not happy with things, who calls and complains about something, and here comes the OCR. Other providers, other doctors in the community, it can be a variety of healthcare providers that may call and complain on you, for whatever reason that may be.
Usually, though, most HIPAA audits are the result of breaches, and we’ve all heard about cyber attacks. It can be the phishing attacks that we have. You’ve heard about hackers, we’ve heard about ransomware. Ransomware, meaning that these hackers steal all the stuff from your computer, hijack it, and then they ask for large amounts of money for you to regain all that information you had in your computer system, the PHI, the protected health information.
Sometimes providers get themselves in big trouble because of physical theft. Somebody walks away with a file, you lose a file, something happens. That’s a breach too. That’s something we would have to report by law. And then again, if we don’t have our ducks in a row, we don’t have a manual, if it’s not filled out, we’re not doing that ongoing training, we could potentially be in big trouble.
And then we have business associates, these third-party vendors that have access to protected health information. For example, a lot of you may use outside billing people or billing companies. Those folks have to also be HIPAA compliant. And if they’re not, you could potentially be liable too for any mistakes or breaches that they may have.
Years ago, the OCR knew that providers were not doing what they were supposed to be doing. So guess what? They implemented an audit program where they were going to start doing random audits. And again, it began a long time ago, and guess what? Big surprise, right? Covered entities such as yourselves didn’t do so well, as with many other providers out there in the healthcare industry. Most of them, in fact all of them, didn’t do that well. The results were not good. So then of course they did another phase and they got the same and similar results. And ironically, recently, within the last month or so, they’ve implemented more random audits as well.
They basically said, hey, listen, we know people are not doing what they’re supposed to be doing, so we’re going to increase the amount of random audits. Again, another reason you need to make sure you have these things going in the right direction, having your manuals, and it’s not as complicated as it seems, and I’m going to talk to you about that here in just a second.
Here’s the number one reason for fines and penalties, and they’re all the same thing. They’re basically the risk assessments and analysis, the lack of doing them, for lack of a better way to explain it. We’re not doing our security risk assessments. We’re not having these physical safeguards that we’re taking care of and making sure are in place, the technical safeguards, the computer side of things, or the administrative safeguards, the things that we have with our staff, or what they refer to as the ICER, the information system activity review, basically making sure that all these protections are in place to protect the health information that we have with our patients.
I’m not going to take a long time on this, but I do want you to understand how bad these fines can be if we’re not doing what we should be doing. And they go into tiers. Tier one: we were unaware that we had a HIPAA violation, but we exercised reasonable due diligence. Minimum fine 141, but they can get up to 35,000 in a year.
And then we have tier two, where there’s reasonable cause and actions and we’re not willfully neglectful, meaning we were doing most of the things we’re supposed to be doing, but still not doing some of the things we should be. We weren’t totally neglectful, but still, you can see here, a minimum 1,400 plus 142,000 a year.
Now we get into these other tiers. Tier three: willfully neglectful, but you actually attempted to fix things within 30 days. Now, if you fall into that category, again, you can see these fines can be devastating to any kind of practice. Tier four, you definitely don’t want to be in tier four. You were willfully neglectful, meaning you did not do what you should have been doing.
And here’s what I mean by this, and this is what the government says: to use the excuse that we didn’t know what we were supposed to be doing is not an excuse anymore. At the level of your education, they expect you to know these things, and they expect that you do these things properly. So number four, tier four, you don’t want to be there.
Meaning you didn’t do what you should have been doing, and you didn’t attempt to fix it within 30 days. You can see the fines here are quite devastating: 71,000, and up to over two million dollars in a year. So this is why these things are very important. Here are some questions I want you to ask yourself and also to ask your staff. You know, who is your compliance officer?
And you know what? You have to have an appointed compliance officer, and it has to be on paper. Our HIPAA program, it’s all in there. We have the policies, we have the procedures, we have the HIPAA compliance officer appointment form. So these things have to be done. When is the last time you updated your privacy and information security policies and procedures?
These things have to be done routinely. Do you have regular training, and do you have proof that you have this training? Meaning the OCR, the Office of Civil Rights, they think, okay, cool, you have a manual, it’s all filled out, that’s great. But if you can’t prove that you’re doing ongoing training (we provide monthly training, by the way, ongoing training), they say, not me, they say it’s just as bad as not having a manual at all. Ridiculous. Yes, I agree. But this is what they say. So we do not want to fall into that category, because think of all those tiers. That’s where we’ll put ourselves, potentially.
Have you performed vulnerability tests on your networks? Meaning, are you making sure that your computers, your systems, your servers, that they’re all secure? And do we have documented incident plans in case there’s a breach? And we have to notify patients, by the way. So if we have breaches, by law we have to notify patients, and you have to have policies and procedures in place for this. A few other things, like I talked about earlier: do you have business associates?
Well, a lot of us have business associates. For example, like I said earlier, third-party billers. If we have somebody that is billing for the services that we provide, they have to make sure that they are also doing what they should be in regards to protecting patient health information. Therefore, we have to give them what we refer to as a business associate agreement.
And we have this. It’s the form, you fill it out, you send it to them, and that helps add a big layer of protection in case they’re not doing what they’re supposed to be doing. In fact, if you have a business associate, and let’s say they have a breach and something happens, and the OCR finds out that you did not have a business associate agreement on file with them, you’re going to get fined. So we don’t want to be there.
Do you have physical safeguards, locks? I know it seems very simplistic, but physical safeguards, locks. There’s other things, administrative safeguards, like passwords, making sure the passwords are a certain length and have certain kinds of special characters.
There’s all kinds of things there. It’s not complicated. I say this a lot of times, too: this is a new language for most of us. But it doesn’t have to be complicated, because we walk you through a step-by-step process so you can understand it. You can appoint one of your staff to help you out with these things, but once you understand the process and once you start thinking about things, you’ll feel a lot better that you’re doing what you’re supposed to be doing, so you avoid all those tiers.
Here are some thoughts I want you to leave with. A lot of us think, and again, like I said earlier, we don’t understand this, so we ignore it. It’s a language, I just don’t get it, and I hope that it doesn’t happen to me. And you know what? I hope it doesn’t happen to you either. I hope it doesn’t happen to any healthcare provider out there, because our main focus as healthcare providers is to take care of our patients. That’s what we went through all that schooling for, and that’s what we’re best at.
That’s what we’re best at doing. But the reality is this: we have to do these things, and we do not want to be that ostrich that puts its head in the sand and hopes that it won’t happen to us, because you know what? It is going to happen to some of us, and we don’t want to be there. We don’t want to be vulnerable.
It’s usually not if, but when. Here’s the cool thing: you can delegate one of your staff members to do this so that you can focus on your patients. You can take care of the things that you’re really good at. It’s simple enough to have a staff member take care of it. It’s a step-by-step process.
There’s modules. There’s chapters. It’s just very user friendly. You need someone to help? Here are some next steps. You can download the HIPAA compliance checklist here. You can click the QR code, and this compliance checklist is a list that you go through. Now, if you can’t answer yes, if you can’t say that you’re doing all those things, this means you’re not HIPAA compliant, and this means that you’re at risk.
This is a position that you do not want to be in, and you want to make sure you get it corrected and fixed. There are a couple of different ways you can get a hold of me. One, everybody, you can schedule a demo if you’d like to. You can scan the QR code here; it takes you straight to a demo. You can also go to fearlessacupunctures.com. You can check that out, or if you want to, you can contact me at Dr. Perry at Better Hippo Blueprint. I am more than willing to talk to you, to discuss with you, because I don’t want you to be in a position where you’re potentially going to be fined. I also don’t want your patients’ information at risk.
Just like us, when we go to our providers, our dentists, whoever that may be, we don’t want our information leaked, like our social security. You, being in practice, as all of you are, we don’t want you to have those fines. It’s way too much risk. So in the meantime, I do want to thank again the AAC Info Network for having us here and discussing with you the vital importance of HIPAA and HIPAA compliance.
And in the meantime, like I said, if you want to, I’m more than happy to discuss things with you. Click on the QR codes, check things out, and have an amazing day.