Tag Archives: hipaa


HIPAA – The 6 Types of PHI You Never Even Thought Of


Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors.  Due to the unique language of acupuncture, there will be errors, so we suggest you watch the video while reading the transcript.

Hi, everybody. Good morning, good afternoon, whatever it may be for you. My name is Perry Barnhill with the Fearless Acupuncturist, and I want to give a big thanks to the American Acupuncture Council for bringing this to you. Today we are gonna talk about the 18 different types of protected health information, how to relate to it in your office, and, most importantly, how to protect it so that you don’t get yourselves in trouble.


Slideshow, please. Okay. Like I said, my name is Perry Barnhill. We teach HIPAA. We’re certified in HIPAA certifications and compliance. Myself and Julie McLaughlin, we want to protect you. We want to educate you and we wanna defend you, so that you don’t get yourselves in trouble with HIPAA or with the government.


So we’re gonna talk about some of the things that could potentially get yourselves in hot water and how to prevent those. Like I said earlier, we’re gonna talk about different types of protected health information, and sometimes you may hear me say EPHI, and all that means is electronic protected health information.

This is the information that we have about our patients in our devices, on our computers, on our laptops, and things such as that. So believe it or not, there are 18 different types of protected health information, which we will literally go through, each and every one of them, because there’s many of ’em you would never think are actually considered PHI.

So let’s talk about that with kind of a little quiz here, which we like to call the fearless quiz. What do you think are some of the different types of protected health information that you have with your patients? I’ll give you a little clue to get you started here. We all know, or most of us realize, that the patient’s name would be considered part of the protected health information.

What about some other things? Just for a second, start thinking about that. Okay, so we are gonna go through and we’re gonna identify each of those 18 different types. Here we go, and I’ll actually read these to you. Like I said earlier, the name of the patient or the individual, or the patient’s child if you’re taking care of the child.

So obviously names are gonna be protected health information. An address, anything smaller than the state of residence. Any date, and you know what? It includes dates that identify their onset, admission, discharge date, birth dates. Even be careful with people and patients that are deceased. Okay? Bottom line is this.

As we go through these, the reason I’m bringing this to your attention is that if you are aware of all the different types of PHI, these are things that you need to be very careful about, regarding who you disclose this information to. Because if you disclose any of this information to people that shouldn’t see it or hear it, that’s actually considered a breach.

And believe it or not, we have to report the breaches. These are things we don’t want to have to do, because the last thing we want to happen is to have the OCR, the Office of Civil Rights, looking at all of our stuff. So let’s prevent these things in the first place so that they don’t happen. Telephone numbers, fax numbers, email addresses, even social security numbers. I know most of us realize that this is a pretty important one. There are medical record numbers. Be careful with that one. Health insurance plan beneficiary numbers, the numbers that are on their insurance cards for identification, even account numbers, certificate or license numbers, things such as their driver’s license.

And of course, I think most of us realize that driver’s licenses can be considered PHI. The thing is that a lot of us take copies of those things, so be very careful who gets that information. Even a CPR certification number, believe it or not. Passports, I think that makes sense to most of us.

But what about this one: VIN numbers or even license plate numbers? And the thing I wanna elaborate about the license plate numbers is, many of us will do patient testimonials. Sometimes we’ll do videos of the office, and in the office parking lot there are cars. But in that same video or in the same photo is the car and your office name.

So guess what? Somebody could go online and check that license number, and I’m not saying they will, but it’s possible, and the government doesn’t care whether it was possible, probable, or very likely. If it’s something that you accidentally disclosed and it was linked to the patient and their information somehow was breached, then you’re the one that gets in trouble.

So be very aware of that. Here’s some more: device identifiers or serial numbers on the medical devices and treatments that you use during procedures. Web URLs, internet protocol or IP addresses, biometric identifiers, facial recognition, fingerprint scans, even tattoos. Be careful. You have to be so careful. Let’s say, for example, someone has a tattoo on their arm and you take a picture and maybe put it up on the internet, or somehow it gets out,

and it gets linked back to your office. That could potentially be considered a breach. So be very aware of that. Full face photos, yes. If you do full face photos or you’re doing testimonials, this is where this applies. You have to get your patient’s authorization to do that, and guess what? In our HIPAA program, we have patient authorization video forms, all the things that you need to do that. Or any other uniquely identifying numbers, characteristics, or even codes.

So here’s my big point on this. Know the different types of PHI. If you know what they are, the likelihood that you’re going to disclose those inadvertently or accidentally is gonna become much less. Therefore, the odds are reduced that you’ll have the government in there looking at your manuals and everything like that.

That doesn’t excuse not having one. But of course, we wanna prevent accidents, if you will, from happening before they occur, and then life is much better for all of us. One of the things we talk about all the time is the importance, not just the importance, but the requirement, the legality, that we’re required to do monthly, or let me say this, ongoing required training for HIPAA.

So we do what we call monthly HIPAA training. Each and every month we do a training. And guess what? This can be one of your monthly trainings. You can scan the QR code right there, and then what’ll pop up is this form. This form has those 18 different types of unique identifiers on there for PHI. You sit down with your staff, document.

Remember, if you don’t document it, it didn’t happen. Document your training with your staff, if you have a staff. If it’s just you, it’s easy, but you still need to document that you did the training on different types of PHI. This will help you go a long way. In the case of an audit, it’s not the only thing you need, obviously, but it’s one of the pieces of the puzzle.

Like I said earlier, document your monthly training in your manual. You can download the HIPAA compliance checklist. We have these ’cause a lot of practitioners ask us, I’m not sure if I’m compliant. One of the things I will say, if you’re not sure, the likelihood is that you’re probably not.

That’s why you may be asking that question. This is a great checklist. Go through these things. If you can’t check off every one of these, it’s very unlikely that you’re HIPAA compliant, so make sure you do this. You can scan this QR code here and you’ll get this list to check for yourself in your office.

If you have any questions, don’t ever hesitate to reach out to us. Couple different things you can do here. If you want to schedule a demo and check out the HIPAA program and all the training that we have, just go to go.fearlessprovider.com/demo, or you can simply scan the QR code over there.

The other thing too is, if you just want to get started and make sure you become HIPAA compliant, you can go to www.fearlessacupuncturist.com. And like I said, if you have any questions, I’m more than happy to help you. Myself and Julie, more than happy to help. You can contact me at drperry@betterhipaablueprint.com. Don’t hesitate to reach out. In the meantime, everybody, I want to say thank you again, and thanks to the AAC for hosting this short webinar on the 18 different points of protected health information. And everybody, have an amazing day. Have an amazing rest of your week, and I will talk to you later.


HIPAA – Immediate Nationwide Update Alert – Dr. Perry Barnhill


Hi, everybody. Good morning, good afternoon. This is Perry Barnhill with the Fearless Acupuncturist. Today I want to give a big thanks to the American Acupuncture Council for bringing this to you. Today we are going to talk about HIPAA as it applies to reproductive healthcare. Many of you acupuncturists deal with reproductive healthcare, and even for those of you that don’t, in your files, in your patients’ histories, in the forms that the very patients fill out, there will be things regarding reproductive healthcare, like contraception, pregnancy management, fertility, sterilization, and also sexual health. Just as a reminder, that is what reproductive healthcare means in the context of HIPAA.

Slideshow, please. Okay, so how fast things change. Literally at the beginning of the year we had some new laws regarding reproductive healthcare, and now, just within the last few weeks, on June 18th, it’s changed.


Some of those things have changed for most of the states out there, but not all of them, and this is what we’re gonna talk about. And again, things change very quickly. Sometimes you really need to stay on top of all the HIPAA laws, new, old, and the changing ones as they’re coming down the pipe.

Strengthening reproductive healthcare privacy under the new HIPAA privacy rule. Now, again, like I talked about a little bit before, there were the new requirements that we talked about in December and also in January, but now there are some new requirements regarding attestations, or shall I say, some things you may not need to do, and we’re gonna talk about the action steps and specifically how it applies to you and how it applies to compliance in relationship to HIPAA.

Here’s what happened on June 18th, just a few weeks ago: a US district court judge for the Northern District of Texas, a federal judge, invalidated the 2024 HIPAA reproductive health modifications to the privacy rule. The decision is immediate and it applies nationwide. This is how we’re saying there can be a law, and then several months later that law no longer exists, or you no longer have to do certain or specific things within that particular law.

The Texas judge, this is what the Texas judge said. He said that HHS had overstepped its bounds, and he cited three main legal issues, which we’ll just talk about briefly. One, the rule unlawfully restricted public health laws. Two, it redefined terms like person and public health in ways that exceeded federal authority.

And three, it addressed politically charged issues like abortion without clear congressional approval, a violation of the major questions doctrine. And again, let me just remind you what the reproductive healthcare law that I was talking about just a little bit before covers: things like contraception, pregnancy management, fertility, sterilization, sexual health.

So those were what they specifically stated fell under that umbrella of reproductive healthcare law. However, some of the things we had to do, like I said earlier, like attestation statements, most of us will not need to do any longer. Okay, so let’s just keep going here. HIPAA-related entities, covered entities like you, and your business associates.

Remember, business associates are folks that you do business with, or basically people that have access to your patients’ information, or basically anybody you share anything with in relationship to a business associate for protected health information. They have to follow state laws regarding that particular reproductive health.

All right, so now let me say this. It does get a little confusing. It gets confusing for everybody. Federal law. There’s federal law, as we know, and then there’s state law. When it comes to HIPAA, state laws will actually supersede or become in addition to federal law. So you can have a federal law, but your particular state may have it more strict, it may be more detailed, or you may have to do additional things regarding that particular law. So we always say stay on top of your state laws as well. So in the absence of the HIPAA reproductive health rule, some states, not only some but many states, are increasing HIPAA privacy protections for their residents.

So here are some of the states that you need to pay attention to, that will likely, or I would suggest to you, keep doing what you’re supposed to be doing in regards to reproductive healthcare and providing attestation statements, which we’ll get into in just a second.

So anyways: New York, California, Washington, Nevada, and Connecticut, and there may be some more to come. We’ll see. How does this impact you? Here’s the thing. Covered entities, at least most of them, in those states or in most states, are no longer required to seek attestations from requesters regarding protected healthcare, or rather protected health information, related to reproductive healthcare.

So what does that mean? Basically, because of this new law, in the states that I didn’t mention, you follow the federal law, okay? You do not have to provide an attestation statement if someone asks for those certain things regarding reproductive healthcare. All right? What that means is, if you did what you were supposed to at the beginning of the year with all the new updates that came down the pipe and you changed your privacy notices, now you would actually take that out,

’cause now it no longer applies to you. But if you’re in those states that are going to continue to follow this, you need to keep it in there. If you don’t know what I’m talking about, make sure you reach out to me so we can tell you the things that you need to know regarding this and many other things that changed at the beginning of the year.

So double check your state. Now, navigate the prohibition on disclosing protected health information for the purpose of investigating or imposing liability for unlawful reproductive healthcare imposed by your state. Let me put that in some different words here for you. If you have patient files, which we have, patient files that do in fact many times contain the very things that I detailed regarding the big umbrella of reproductive healthcare, and if somebody like from law enforcement or a judicial branch, we listed these things before, requested that information, we were supposed to by law actually send them this model attestation form, which basically said, Hey, listen, we’re sending you some information here.

You have to fill this out. Actually, let me reverse here. We’re not gonna send you this information, this protected healthcare information, until you fill this form out and basically promise to us that you’re not going to punish anybody for whatever was in those particular files regarding reproductive healthcare.

So now, because that federal judge said what he said, most states no longer have to do this. All righty? So make sure you pay attention to your state. This is why we always talk about HIPAA. It’s not like you can just do HIPAA, fill out this manual, and you’re good to go and you just sit back and you forget about it.

It’s constantly evolving and it’s constantly changing, as you can see, and what happened in Texas is just a real simple reminder that a single court ruling can unravel a lot of the new guidelines that were literally just presented and required six months ago. It’s evolving, from reproductive privacy rules to, think about this, cybersecurity. Look at AI, artificial intelligence, and all the new things that are coming down with computer systems and privacy and cybersecurity threats and phishing.

It gets really scary at times. This is why monthly training isn’t optional. It’s literally your lifeline, such that you have to stay on top of these things. And I’ll be very clear, it’s not like the government says, Hey, by law, you have to absolutely do one HIPAA training a month.

That’s not what they say. What they say is you need to do continuous training throughout the year for yourself and for all of your employees, and even for your business associates, believe it or not. What I’ve also heard other people say, that teach the things that we teach, is that even the government suggests that you do HIPAA training about two times a month.

Now, is that a law? It’s not a law, but it’s what we’ve heard as suggestions. We step back and say, Hey, you should be doing things at least once a month. All right, so staying informed protects your license, your patients, and your peace of mind. And believe me, if you don’t have these things dialed in like you’re supposed to and someone comes knocking on the door for an audit, it’s something that you don’t want to go through, because I talk to doctors all the time.

I talk to acupuncturists all the time that get scared because they don’t have the things that they should have. So it’s really easy to get the things that you need to have, and I’ll talk to you about that here in just a second. HIPAA compliance, again, you can’t just check a box and be like, okay, cool, I’m HIPAA compliant, or fill out a particular form.

It can get a little bit involved. It’s about staying ready for whatever comes next. Keep learning. Keep updating the things. Stay fearless. We want you to be fearless so you can focus on your patients. That’s why you became an acupuncturist, to focus on your patients. We can help you with the HIPAA side of things, so what are some of the next steps that you can do?

Couple things here. HIPAA checklist: if you’re wondering, ah, I wonder if I’m HIPAA compliant, or I wonder if I’m even close to being HIPAA compliant, you can scan the QR code and get this checklist, or you can just look at it here and go through these questions. If you can’t answer these questions, or if you’re not doing these things on these questions, you’re not HIPAA compliant.

It’s not worth the risk. So if you want to, you can set up a demo with us, where we can talk to you, we can show you the HIPAA compliance program that we have and how easy it is to navigate through this. Just go to go.fearlessprovider.com/demo. You can scan the QR code here as well.

Sometimes, acupuncturists, you just wanna get started. So you can go to www.fearlessacupuncturist.com to get started. Or, a lot of times people just wanna reach out and ask me questions, and I am more than happy to answer any questions that you may have, and you can contact me there at that email, drperry@betterhipaablueprint.com. If you have any questions, like I said, reach out to us. We are absolutely more than happy to sit down and talk to you and spend some time with you and clear up any questions or confusion that HIPAA presents many of the times. In the meantime, everybody, have an amazing day and we will talk to you soon.


HIPAA Warning – Verifying Employee Eligibility – Perry Barnhill


Hi everybody. This is Perry Barnhill with the Fearless Acupuncturist. Today we are gonna talk about the OIG and the exclusion list, and what it means to you and why you need to be aware of it. Wanna give a big thanks to the American Acupuncture Council. Go to slideshow, please.


Okay, here we go. Understanding and using the OIG exclusion list. This is about performing certain exclusion checks on your staff regarding the Office of Inspector General. Let’s talk about that. This is something that we want to check every single month. Now, let me put it in perspective here for you.

We’ve got Health and Human Services at the top, HHS, you’ve heard of that. And then we have the OIG, the Office of Inspector General. Now, they’re very closely related to the OCR, which is the Office of Civil Rights, and this is where all the HIPAA stuff comes in. These two are basically sisters to each other, and they’re so important that you need to be aware of them.


That’s why we’re talking about this right now. What is the OIG exclusion list and why do we need to check it? Okay, so here’s what it is. The exclusion list is a list of individuals that the government collects that basically shouldn’t be employed in your office if you’re accepting any federally funded programs such as Medicare, for example, or even if you’re in some acupuncture networks for PPO, HMO, or insurance networks.

Now, if they’re on this list, it is something we need to be aware of, because we may not keep them employed. This is something we want to do to ensure compliance with Medicare, Medicaid, and, like I said, certain contract requirements, by regularly verifying employees. Who do we need to check? Okay, now everybody that we need to check is pretty much anybody in our office that’s involved in any kind of patient care or has any kind of access to protected health information.

So you’ve got your staff that’s involved with your patient care, any employees handling any kind of billing procedures or protocols, personnel, anybody who has access to protected health information. I’m not talking about a janitorial service or a cleaning service. Those folks, though, if you don’t know already, need to, or you need to have them, fill out certain forms such as non-disclosure statements and agreements,

because even janitors that come into our office may accidentally see protected health information. And that’s something, just on a side note, that you need to be aware of and you should have protected and you should be speaking to them about. The Medicare exclusion list: this is a list on an OIG website that I want you all to go to.

Here it is: exclusions.oig.hhs.gov. You need to go here, and this is where you need to start doing some checking. Go in there and enter your employee’s last name and first name, and if you need to, because some people have similar names or the same name, use additional details such as their date of birth to narrow the results. If you have other providers in the office, you need to check on them as well.

So how do we interpret these results if their name actually pops up? The good news is, if it doesn’t pop up, they’re good to go. You don’t need to worry about it. But if one of your employees’ or your personnel’s name pops up, make sure you click to verify and review additional details again to make sure it’s not the same person that you have in your office.

So you can enter date of birth, or NPI numbers if they’re providers, for confirmation. And believe it or not, there’s another exclusion list that I want you to check. Even though I’m talking about this and it seems like it’s overwhelming, at least a little bit, it’s easy. It’s very fast. You literally go to those websites, you check in their names,

it pops up very fast, and their name’s either on there or it’s not on there. The other one is the SAM exclusion list. This is the next website you want to go to and just double check and make sure nobody in your office is on this list: sam.gov. Just go there. Check. How to search is very similar.

You use the entity verification search function and again, you enter the employee’s name, or any personnel that you have in your office, to make sure they’re not on that list. Some verification tips: provide as much identifying information as possible. Again, to make sure, maybe you’ve got two people with the same name, confirm the details and make sure that they match.

The last thing I want y’all to check is your state-based exclusion checklist. So we’ve got the government, we’ve got the SAM list, and then also double check any kind of state exclusion list. And again, just to reiterate this, if you’re accepting any federally funded programs, you have to make sure that none of your employees or anybody in your office, or even other providers, is on this list.

’cause if they’re on this list and you hire them and they’re employed and they find out, you can get in some big trouble and the fines are pretty steep. So again, where to check for state-specific lists? Use your state-specific portal. Alrighty, and make sure that they’re not on that list as well. How to search?

Very similar. Locate the sections for OAG provider sanctions, and you enter your employee’s name and other identifying details if needed and if possible. Reviewing the information: check details again to ensure that it matches the individual, again making sure it’s not the person in your office. Maybe they’ve got the same name, and I know I’ve said that a thousand times, but just double check.

Note any active sanctions or exclusions relative to state Medicaid programs. Here are some best practices for verification. Always verify with multiple data points, for the reasons we’ve just talked about. Cross-reference your results. Check the OIG, the SAM, and state-based lists to confirm accuracy, and just as important, make sure you document everything, as if it’s not documented, they will say you never ever did it. So make sure you do that and make sure you do it monthly.

The importance of regular exclusion list compliance: it meets Medicare, Medicaid, and also many insurance contracts. You have to make sure they’re on this list. Risk management: it helps prevent potential fraud and abuse, ’cause if those folks are on this list, it’s likely they’ve been convicted of some kind of criminal action, and there’s something going on that you definitely may not want them in your office. All right? Quality assurance ensures that other qualified personnel have access to sensitive patient care and information.

So you gotta be safe there. You gotta protect that information. So here are some next steps. Just to recap, use the OIG website and Medicare exclusion list checks to make sure they’re not on the list, the SAM exclusion list, and also check your state. Record this in your manual. Make sure you record it in your manual.

’cause again, like I said, if it’s not checked, it’s not done, and you need to do it monthly. It doesn’t take long. So just make sure you get in there and you get that done. Additional resources: I’ve gone over these, but here’s a screen just to check again, different spots you can check. If you don’t know if you’re HIPAA compliant, the likelihood is that you’re probably not.

Many providers may have a form or two in the office, and they think that means that they’re HIPAA compliant. So this is why we came up with the checklist here. Go over this checklist. Look at the boxes here. If you’re not checking every box, the likelihood is very high, the likelihood is that you’re not HIPAA compliant.

Make sure you do so, because the fines associated with any HIPAA noncompliance are very scary. You can scan the QR code as well. If you want to schedule a demo, you can go to fearlessprovider.com, right here as you see, and we can go over a demo with you, show you how the program looks, what exactly it looks like on the inside, how to navigate it, and how to have your staff navigate it if you choose not to.

If you wanna just get started, you can go to fearlessacupuncturist.com. You can get started that way as well. If you want to contact me, if you wanna reach out to me ’cause you have questions or concerns or anything like that, please feel free to do so. I’m more than happy to jump on the phone and jump on the site, go over a demo with you, and answer any questions that you may have.

You can contact me at drperry@betterhipaablueprint.com. Also, you can scan the QR code here as well. If you’ve got questions, reach out to me, please. I am more than happy to help any and all of you. In the meantime, everybody, have an amazing day and we will talk to you soon.


Why Google Reviews Matter to HIPAA – Perry Barnhill


Good morning. Good afternoon, everybody. Welcome to Fearless Acupuncturists. This is Dr. Perry Barnhill, and today we’re gonna talk about Google reviews and how to respond to them properly. Go to slides.


Again, this is Dr. Perry Barnhill, and I wanna welcome you to the webinar on how to respond to Google reviews in a HIPAA-compliant way, such that you keep yourselves outta trouble. That’s the goal. We wanna respond to reviews properly and legally in a positive way, and at the same time keep ourselves out of trouble with any kind of HIPAA violations.

All right, here we go. So why do Google reviews matter? We know these reviews impact our online reputation. They’re very important. We know it builds positive engagement with potential patients, even existing patients. We know patients check reviews out all the time. As a matter of fact, we check reviews out, and Google reviews primarily, on people we go to see, doctors we go to see.


So it’s really important. It builds. Engagement with the SEOs and compliance with HIPAA is very crucial, as we all know in all patient communications, especially public facing communications such as Google reviews. So understanding HIPAA in online interactions, and let me just go over a little bit of HIPAA overview.

As we know, HIPAA protects. Patient health information, just the acronym PHI Protected Health Information and PHI includes all kinds of things that can identify the patients. Things such as their name. We know that’s pretty basic. Their IP address, their face. There’s so many things that it can be related back to the patient.

It is protected health information, and violations, I know you hear about this a lot, but this is true, violations can result in big fines, and it can damage your reputation. Okay, so here’s what we want to do. We want the dos and the don’ts in responding to reviews. Now the dos: we want to keep our responses generic and professional.

We wanna focus on customer service, not their acupuncture care. Now, the don’ts: we never want to confirm or imply that the reviewer is a patient in our office. We don’t wanna mention any details about their care, including anything regarding their family members. Just be very safe about it and don’t do anything like that.

Alright, so creating a safe response to positive reviews. Here’s an example: “Dr. Joe and his team are fantastic. They always make me feel comfortable.” Here would be a sample response: “Thank you so much for your kind words. We strive to provide a comfortable and welcoming experience for everyone who visits our office.”

Now, how do we handle negative reviews? Let me give you an example here: “I had a disappointing experience with the wait time at Dr. Sally’s office.” And here’s a good response: “We always appreciate any feedback. We take concerns like this seriously and would like to learn more. Please contact our office directly so we can address this issue.”

So one thing to notice is we’re not referring back to you or in any way that can imply that this patient even came to our office. These are very generic responses, but these are the responses that we need to have in order to stay compliant.

Navigating complex reviews. Here’s an example of a review: “The whole family loves seeing Dr. Steve.” Here’s an example response: “We love taking care of families.” Here’s the key: I didn’t directly say we take care of your family. “We love taking care of families” is just a generic response, as compared to “We love taking care of your family.” So that’s the distinction there. And again, this response is safe ’cause it doesn’t reveal or directly imply that we’re taking care of their family. We just love taking care of families.

So here’s some common mistakes to avoid. Just going over these again: acknowledging the patient or their family members in any way confirms their status in our office; providing any additional information about their care, even if they mention it first.

Don’t. Just don’t respond to it in that way, at least. And here’s another thing, and I see this often: don’t engage in back-and-forth discussions that might inadvertently disclose more details. And where I see a lot of providers getting themselves in, or potentially in, hot water is they have this back-and-forth, almost an argument, about the care or the wait time or whatever it was in the office.

So don’t even go there. Alright, HIPAA compliance and best practices. Always thank the reviewer without confirming any details. Keep your responses focused on general customer service. Encourage offline communications for specific concerns, where we said, “Hey, please contact our office.” Don’t go there online and in front of everybody.

Train your team. Also, this is so important. Train your team on how to handle reviews in a compliant manner. I would suggest that if you have team members responding, make sure before they respond, they get back with you and you approve that response before it goes out. Handling potential HIPAA violations.

This is what we don’t want to have to deal with, but if we accidentally disclose PHI, take that review offline immediately, get rid of the trail. Consult with your compliance officer for guidance. Ask to see what you should do from there. Report the incident to the necessary authorities if required; however, ask first.

Don’t just start reporting things to HIPAA. If you don’t know for sure if it was a violation, ask someone like myself. Ask someone like Dr. Julie. Find out first before you go reporting things. So here’s some final tips for success. You wanna respond promptly and thoughtfully, and you want to regularly review your HIPAA policies related to online interactions, and this is where I say you need to train the staff.

It’s part of the training; it’s part of the requirements we have for HIPAA. We have to train the staff on how to respond to situations like this, for example, and encourage our satisfied patients to leave positive reviews and then bury the bad reviews with good reviews. Remember, protecting patient privacy is not just a legal requirement; it’s a commitment to the trust your patients place in you.

So some next steps here. You can all go and download this HIPAA compliance checklist. You can go to the website here, or you can scan the QR code, and check out this list. If you go through this list and you can’t safely mark all those boxes, you’re not in compliance with HIPAA, and we don’t wanna be there.

You don’t have to be there. It doesn’t have to be complicated, it doesn’t have to be confusing, but it’s a process. So make sure you are, because if you’re not, the consequences are what we don’t wanna talk about. You don’t have to be in that boat. If you want, you can schedule a demo with us. You can go to fearlessacupuncture.com.

There’s a demo there. You can scan the QR code. You can go to our website at www.fearlessacupunctures.com, or always feel free to contact me at Dr. perry@betterhipaablueprint.com. And again, thank you so much to the American Council, Acupuncture Council, it’s a mouthful, A CN, how’s that, for allowing us to provide you with this webinar.

And in the meantime, everybody have an amazing day.

HIPAA – Regarding Reproductive HealthCare

Hi everybody. This is Dr. Perry Barnhill with the Fearless Acupuncturist, and today we are gonna talk about something that is so important. There’s some new HIPAA changes that are coming down the pipe regarding reproductive healthcare. A lot of you are very much involved with fertility and reproduction and pregnancy and things like that, so make sure you stay tuned for this.

Also, big thanks to the American Acupuncture Council for having us here. We are pleased to give you the information that you need to have now. Slideshow, please. Okay, here we go. This is all about strengthening reproductive healthcare privacy under the new HIPAA privacy rule. So there’s new requirements.

Just like I said, there are forms, and when I talk about attestation, I am specifically referring to a form that we’re gonna need to have and send out before we send out any information. We’ll get into some details on that and some action steps so you know exactly what it is you need to do. Let’s talk about some of these new changes.

Now, if you’ll remember, maybe you don’t know, but you need to know, there are seven new laws for HIPAA in 2025. We’re not gonna get into any of these, but they’ve actually added to that, believe it or not. So they have talked about some modifications to the privacy rule, specifically to better protect reproductive healthcare privacy.

We’re gonna define what this reproductive healthcare privacy is, and a lot of you are involved with this. What it does is this: it prohibits use or disclosure of PHI, protected health information. Remember, these are the records we have on our patients, including our intake forms. All righty? So even if some of you may not be involved with this, which I know a lot of you are,

still, a lot of this information is actually on the intake forms that the patients fill out when they come to the office. So what it does is this: it prohibits use or disclosure of PHI solely to investigate or penalize lawful reproductive healthcare. It requires this form I’m talking about, so it requires obtaining written attestations before we disclose this reproductive healthcare information or records in certain circumstances, or certain scenarios that we will go over, and covered entities, which is all of us, have to update our notice of patient privacy practices accordingly.

What is reproductive healthcare? This reproductive healthcare is a very broad definition, and the Federal Registry, this is some of the stuff that comes from the Federal Registry, helps better define what reproductive healthcare is, and it’s an exclusive list. What I’m going to do is, I’m just gonna go through the main things here. You can read all the details behind it, but it’s contraception, it’s management of pre-pregnancy, which a lot of you are doing.

It’s fertility and infertility, again, and family planning. It’s still sterilization issues, and sexual health, to include many things there. So make sure you understand what this is. Who is affected? Guess what? All of us as healthcare providers are affected. All of the healthcare clearinghouses are affected, and health plans are affected.

So all insurance companies, and business associates, you know, the people that have access to your records, they’re affected. So you need to make sure they’re aware of these things, also through your business associate agreements. Here are the situations that require attestation. So I’ll just summarize a little bit.

Reproductive healthcare: if these scenarios occur, meaning these folks ask for records from your patients, or from you, that you have on your patients, and your records have any of that reproductive healthcare definitions on it, or in it, including intake forms, you’re gonna have to send out the form, the attestation form.

So here are the scenarios, or here are some examples: if these people ask for records that contain that reproductive healthcare, you’ll have to send out one of those attestations. Health oversight activities: again, you’re gonna validate that the disclosures are not used for punishing lawful care.

That’s how you do it, through the attestation statement. Judicial and administrative proceedings: confirm that the request is not investigative or punitive in nature. The way you do this is through that form, which we’ll talk about here in a second, and also law enforcement requests. So, law enforcement, you have to also use this attestation form before you release any of this information, or at least information that has reproductive healthcare in it.

Coroners, medical examiners: here, again, you’ll have to use this form as well before you release the information. We have a form, I should say we, I’m referring to the government, I’m obviously not the government, but we’re talking about a form they call the model attestation form. So why not use the form that they actually say we can use? And this is the requirement, it’s the required step we have to do before we disclose reproductive healthcare information or records, and it ensures that whoever’s asking for it,

so those scenarios I just showed you, like the law enforcement, coroners, medical examiners, we send this form to them, they gotta fill it out and send it back to us, basically saying they’re not gonna do anything or punish them by law for doing the things in the reproductive definitions that I showed you.

Here’s the form, and basically what this form is, is this, and I know you probably can’t see this on the slides, but on the next slide I’ll have a link for you so you can download this form for yourself, for your offices, and for your staff. But basically, this is the form that we would send out. So let’s say law enforcement. Here’s a scenario.

Law enforcement, like I said, in those scenarios, they ask for protected health information that you have in the record of one of your patients, and those records happen to include some of those reproductive definitions in there. So before we send them any information, we have to send this form out and they have to fill it out.

And basically it says that they’re not gonna use any of the information that they acquire from your patient records to punish the patient. Alrighty. Here is the link so you can get this form. I’ll bring the link up again here a little bit later, but you can just scan it and then it’ll get you right to the link.

Lots of things you gotta do here. So let’s go over some of the main ones. You have to document everything, as always, as you always know, with everything we do in our offices. HIPAA, reproductive healthcare obviously is a big one. In fact, it’s mandatory. We have to keep records of our policy updates, so make sure you keep a record of this.

In fact, keep a record of this for your training log. This could be something you can show your staff. The attestation, that form that we have to have, you gotta keep that on file. Disclosures: and what I mean by disclosures is, believe it or not, every single time that we release information on a patient, we have to record that, because patients have a right to come back and say, “Hey, I want to see everybody that you ever sent my information to.”

So we gotta have that readily accessible. We have to train, we have to educate the staff, and here’s what this looks like: identifying protected health information requests, or PHI requests, that will trigger the use of that form, kinda like we talked about with the reproductive healthcare. Talk to your staff.

Distinguish lawful reproductive healthcare from investigative requests. So when those people are asking, and I say those people, the people that I was talking about in those scenarios, ask for reproductive healthcare PHI on your patients, an attestation form goes out. So you have to know how to locate and use the form and document the disclosures, and of course, you have to retain the attestation forms, to keep copies of everything.

Make sure you train your staff on this. In fact, a lot of offices are deciding and telling the staff, “If you have any requests for protected health information from any of those people, let me know,” so you all can check it over and make sure that attestation form is sent out and then sent back to you before you release any of that information.

You have to update your notice of patient privacy practices. That form, the big old packet that we’re supposed to have in our office for all the patients’ rights. Those things have to be readily available for patients. And again, it must reflect, so there’s gonna be changes in there. If you had those forms, which you all need to have, prior to 2025,

guess what? Those forms are no longer good. So you have to get new notice of patient privacy policies to provide patients with clear and updated information about their rights and how their information is protected, all to align with the updates of the final rule guidelines.

Basically, all to align with everything that’s come down the pipe with these new laws. Here’s some next steps for you. Here’s another opportunity to download that QR code if you’d like to, so you can go right to it and get that model attestation form, which you have to have. You need to have this in your manuals.

One of the things that we’ve done is we’ve put together a HIPAA compliance checklist. So you can go through, look at this checklist, ’cause a lot of people, they think, “Oh, I think I’m compliant,” or, “Maybe I have this form, I have that form,” but maybe you’re not really sure. Maybe you didn’t know you need to do a bunch of assessments and analyses throughout the year.

So we’ve created this form here, just this checklist. You can go through it, check it out, and if you can’t answer these questions, or if you’re not doing the things on this form, then guess what? You’re not compliant, and you do not wanna be in that position. Believe me, don’t be in that position. Get it dialed in.

Protect yourself. If you’d like to, you can schedule a demo, or you can just get started. You can go to this website here. You can schedule a demo at go.fearlessprovider.com/demo. Of course, you can scan the QR code there to your right. If you just wanna get started with the HIPAA program, we have everything you need for HIPAA, all the forms, all the trainings.

We have ’em in videos, we have downloads, we have closed captions, we have transcripts. We have everything in there to make it as easy to learn as possible for you and your staff. Or I’m more than happy to talk to you. You can contact me at Dr. perry@betterhipaablueprint.com. Again, thank you all so much for being here.

We hope the best for all of you, in spite of all these changes. Just make sure you go out there, get the process going, and make sure you have this in play. In the meantime, have an amazing day, everybody.

Why HIPAA Matters in an Acupuncture Office

Hi, everybody. Good morning. Good afternoon. My name is Dr. Perry Barnhill, and welcome to the Fearless Acupuncturist. First, I want to thank the AAC Info Network for having us here to discuss with you the importance of HIPAA and how it relates to your office. Slides, please. Why HIPAA matters in the acupuncturist’s office: protecting your practice and protecting your patients.

Again, my name is Perry Barnhill. I have certifications in coding, certified medical auditing, certified professional compliance, and certified HIPAA privacy and security, meaning I can see what the HIPAA auditors are looking for. And this is why we’ve designed a HIPAA program for you acupuncturists, because we live in a world where we take care of patients as well.

So in regards to HIPAA, what is it that most of us think? A lot of us think that it’s not talking about patients outside of the office. It’s not leaving patients’ names or their files or their charts in plain sight. We don’t discuss their diagnoses or their conditions out loud.

What about sign-in sheets? A lot of us think that we don’t have a sign-in sheet that’s visible for everybody to see, so maybe we’re good. Or maybe you have a manual, and it’s on the shelf, it’s getting dust all over it, and we’ve never touched it. Some people think that, hey, if we have a manual, if it’s filled out, we’re good to go.

Or sometimes we think, hey, listen, I already have an appointed compliance officer. They’re doing everything they’re supposed to. Actually, you hope that they’re doing everything they’re supposed to. And so that means I’m good. So what does compliance, HIPAA compliance specifically, mean? What it means is this: a compliance program is a continuous, living, breathing program. It’s something that has to be implemented, meaning we have to act upon it. We can’t just, like I said earlier, have it, fill it out and deal with it once, and then just leave it alone. It’s not cookie cutter. It can be customized to each individual office, depending on how you do things.

Again, it must be routinely referenced, and it doesn’t matter, even if you spend a ton of money on it. $3,000, some people spend money on these things. Even if it was an expensive manual, it still has to be filled out, it has to be acted upon, and we have to make sure we’re doing the things that we’re supposed to be doing.

Is compliance mandatory? This is a question that I get all the time. A lot of providers or acupuncturists are only doing cash. A lot of you don’t participate with any insurance company. A lot of you don’t do any kind of Medicare at all, but it’s still mandatory. HIPAA compliance is mandatory, even if you’re full cash, even if you have nothing to do with insurance, and even if you have nothing to do with Medicare.

A lot of times we wonder about the HIPAA audits: what is a HIPAA audit all about? How does it come about as well? They can be random. And guess what? Recently the OCR, you’ll hear me refer to the Office of Civil Rights, the acronym OCR, those are the police of HIPAA, and they literally just recently announced that they are going to really start ramping up random audits in offices.

So again, this is another reason we’re going to really need to be on our toes and make sure that we’re doing the things that we’re supposed to be doing, because it’s not worth the risk of not doing them, which we will talk about here in just a moment. Another way that we get audited by HIPAA, or the OCR, is complaints from patients.

Sometimes, if a patient complains, they have to investigate by law, and they will. We can have staff members, usually it’s a former staff member, someone who’s not happy with things, call and complain about something, and here comes the OCR. Other providers, other doctors in the community, it can be a variety of healthcare providers that may call and complain on you, for whatever reason that may be.

Usually, though, most HIPAA audits are the result of breaches, and we’ve all heard about cyber attacks. It can be the phishing attacks that we have. You’ve heard about hackers, we’ve heard about ransomware. Ransomware meaning that they steal, these hackers steal all the stuff from your computer, hijack it, and then they ask for large amounts of money for you to regain all that information you had in your computer system: the PHI, the protected health information.

Sometimes providers get themselves in big trouble because of physical theft. Somebody walks away with a file, you lose a file, something happens. That’s a breach too. That’s something where we would have to, by law, report. And then again, if we don’t have our ducks in a row, we don’t have a manual, if it’s not filled out, we’re not doing that ongoing training, we could potentially be in big trouble.

And then we have business associates, these third-party vendors that a lot of us use that have access to protected health information, like a lot of you may use outside billing people or billing companies. Those folks have to also be HIPAA compliant. And if they’re not, you could potentially be liable too for any mistakes or breaches that they may have.

Years ago, the OCR knew that providers were not doing what they were supposed to be doing. So guess what? They implemented an audit program where they were going to start doing random audits. And again, it began a long time ago, and guess what? Big surprise, right? Covered entities such as yourselves didn’t do so well, as with many other providers out there in the healthcare industry. Most of them, in fact, all of them, didn’t do that good. The results were not good. So then of course they did another phase, and they got the same and similar results. And ironically, recently, within the last month or so, they’ve implemented more random audits as well.

They basically said, “Hey, listen, we know people are not doing what they’re supposed to be doing. So we’re going to increase the amount of random audits.” Again, another reason you need to make sure you have these things going in the right place, in the right direction, having your manuals, and it’s not as complicated as it has to be, and I’m going to talk to you about that here in just a second.

Here’s the number one reason for fines and penalties, and they’re all the same thing. They’re basically the risk assessments and analysis, the lack of doing them, for lack of a better way to explain it. We’re not doing our security risk assessments. We’re not having these physical safeguards that we’re taking care of and making sure are in place, technical safeguards, the computer side of things, or the administrative safeguards, the things that we have with our staff, or what they refer to as the ICER, the information system activity review, basically making sure that all these protections are in place to protect the health information that we have with our patients.

I’m not going to take a long time on this, but I do want you to understand how bad these fines can be if we’re not doing what we should be doing. And they go into tiers. Tier one: we were unaware that we had a HIPAA violation, but we exercised reasonable due diligence. Minimum fine, $141, but they can get up to $35,000 in a year.

And then we have tier two, where there’s reasonable cause and actions and we’re not willfully neglectful, meaning we were doing most of the things we’re supposed to be doing, but still not doing some of the things we should be, but we weren’t totally neglectful. But still, you can see here, a minimum of $1,400, plus $142,000 a year.

Now we get into these other tiers. Tier three: willfully neglectful, but you actually attempted to fix things within 30 days. Now, if you fall into that category, again, you can see this, these fines can be devastating to any kind of practice. Tier four: definitely don’t want to be in tier four. You were willfully neglectful, meaning you did not do what you should have been doing.

And here’s what I mean by this. And this is what the government says: to use the excuse that we didn’t know what we were supposed to be doing is not an excuse anymore. At the level of your education, they expect you to know these things, and they expect that you do these things properly. So number four, tier four, you don’t want to be there.

Meaning you didn’t do what you should have been doing, and you didn’t attempt to fix it within 30 days. You can see the fines here are quite devastating: $71,000 and up to over two million dollars in a year. So this is why these things are very important. Here’s some questions I want you to ask yourself and also to ask your staff. You know, who is your compliance officer?

And you know what? You have to have an appointed compliance officer, and it has to be on paper. Our HIPAA program, it’s all in there. We have the policies, we have the procedures, we have the HIPAA appointed compliance officer form. So these things have to be done. When is the last time you updated your privacy and information security policies and procedures?

These things have to be done routinely. Do you have regular training, and do you have proof that you have this training? Meaning the OCR, the Office of Civil Rights, they think, “Okay, cool. You have a manual, it’s all filled out. That’s great.” But if you can’t prove that you’re doing ongoing training, we provide monthly training, by the way, ongoing training, they say, not me, they say it’s just as bad as not having a manual at all. Ridiculous? Yes, I agree. But this is what they say. So we do not want to fall into that category, because think of all those tiers. That’s where we’ll put ourselves, potentially.

Have you performed vulnerability tests on your networks? Meaning, are you making sure that your computers, your systems, your servers, that they’re all secure? And do we have documented incident plans in case there’s a breach? And we have to notify patients, by the way. So if we have breaches, by law we have to notify patients, and you have to have policies and procedures in place for this. A few other things, like I talked about earlier: do you have business associates?

Well, a lot of us have business associates. For example, like I said earlier, third-party billers. If we have somebody that is billing for the services that we provide, they have to make sure that they are also doing what they should be in regards to protecting patient health information. Therefore, we have to give them what we refer to as a business associate agreement.

And we have this. It’s the form, you fill it out, you send it to them, and that helps add a big layer of protection in case they’re not doing what they’re supposed to be doing. In fact, if you have a business associate, and let’s say they have a breach and something happens, and the OCR finds out that you did not have a business associate agreement on file with them, you’re going to get fined. So we don’t want to be there.

Do you have physical safeguards, locks? I know it seems very simplistic, but physical safeguards, locks. There’s other things, administrative safeguards, like passwords, making sure the passwords are a certain length and in characters and certain kind of special characters.

There’s all kinds of things there. It’s not complicated. I say this a lot of times too: this is a new language for most of us. But it doesn’t have to be complicated, because we walk you through a step-by-step process so you can understand it. You can appoint one of your staff to help you out with these things, but once you understand the process and once you start thinking about things, you’ll feel a lot better that you’re doing what you’re supposed to be doing so you avoid all those tiers.

Here’s some thoughts I want you to leave with. A lot of us think that, and again, like I said earlier, we don’t understand this, so we ignore it. It’s a language; I just don’t get it, and I hope that it doesn’t happen to me. And you know what, I hope it doesn’t happen to you either. I hope it doesn’t happen to any healthcare provider out there, because our main focus as healthcare providers is to take care of our patients. That’s what we went to all the schooling we went to for, and that’s what we’re best at.

That’s what we’re best at doing, but the reality is this: we have to do these things. And we do not want to be that ostrich, where we put our head in the sand and hope that it doesn’t happen to us, because you know what? It is gonna happen to some of us. And we don’t want to be there. We don’t want to be vulnerable.

It’s usually not if, but when. Here’s the cool thing: you can delegate one of your staff members to do this so that you can focus on your patients. You can take care of the things that you’re really good at. It’s simple enough to have a staff member take care of it. It’s a step-by-step process.

There’s modules. There’s chapters. It’s just very user-friendly. You need someone to help? Here’s some next steps. You can download the HIPAA compliance checklist here. You can click the QR code, and this compliance checklist is a list that you go through. Now, if you can’t answer yes, if you can’t say that you’re doing all those things, this means you’re not HIPAA compliant, and this means that you’re at risk.

This means this is a position that you do not want to be in, and you want to make sure you get it corrected and fixed. Couple different ways you can get a hold of me. One, everybody, you can schedule a demo if you’d like to. You can scan the QR code here. It’ll take you straight to a demo. You can also go to fearlessacupunctures.com. You can check that out, or if you want to, you can contact me at Dr. Perry at Better HIPAA Blueprint. I am more than willing to talk to you, to discuss with you, because I don’t want you to be in a position where you’re potentially going to be fined. I also don’t want your patients’ information at risk.

Just like us, when we go to our providers, our dentists, whoever that may be, we don’t want our information leaked, like our social security. And you, being in practice, as all of you are, we don’t want you to have those fines. It’s way too much risk. So in the meantime, I do want to thank again the AAC Info Network for having us here and discussing with you the vital importance of HIPAA and HIPAA compliance.

And in the meantime, like I said, if you want to, I’m more than happy to discuss things with you, and click on the QR codes, check things out, and have an amazing day.
