Tag Archives: hipaa

HIPAA – Ransomware – Not if…WHEN

Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors.  Due to the unique language of acupuncture, there will be errors, so we suggest you watch the video while reading the transcript.

Hi everybody. This is Perry Barnhill with the Fearless Acupuncturist. Good morning to you, or good afternoon, whatever it may be. Today we want to give a big thanks to the American Acupuncture Council for sponsoring this video that we’re about to show you in regards to ransomware. Next slide, please.


Again, a big thank you to the American Acupuncture Council for sponsoring this. All right, here we go, everybody. Ransomware, you’ve heard about this. You’ve probably heard TV shows talking about it in regards to the computer things that happen, and it’s not if it’s going to happen to you. It’s when. So what I wanna talk about today is: how do you plan for it?


How do you prepare, and how do you protect yourselves if these things happen, or maybe when these things happen? Myself again, Perry Barnhill. Julie McLaughlin in the background as always, much help. We are here as healthcare providers just like you, with certifications in compliance and HIPAA. Okay, so ransomware, let me just take a moment.

I want to share a story with you. This is an actual event of what happened. Now, it’s a hospital situation, but these things happen in private practices. All right? So keep that in mind. They happen often, unfortunately, so I’ll just go over this little story with you. It was approaching midnight on Sunday, and the head IT person at a Florida hospital had a problem. The emergency room of this 100-bed facility called to report that it couldn’t connect to the charting system that the doctors and providers were using to look up the patients’ medical histories. So the Florida hospital IT director soon realized that the charting software, which was maintained by an outside vendor, was infected with ransomware and that he didn’t have much time to keep the computer virus from spreading.

So guess what? The hospital shut down its computer system on his advice, and here’s what he said. He said, if we hadn’t stopped, it would’ve probably spread throughout the entire hospital. And what had to happen was the hospital had to revert back to their paper records, which I know a lot of offices have: paper records.

But this is all applicable even if you just have paper records. You generally, and almost always, have at least something regarding the patient in your computer. So even if you’re just using paper charts, you still have patients’ financial information in the computers, and a lot of times you have their histories in the computer. There is something in the computer all the time. Something’s there. So if the computer gets infected by ransomware, they can access that and they can hold it for ransom. So what is ransomware, or at least what do most of us think ransomware is? It’s extortion software: it locks your computer and then they ask money for it, or they ask a ransom for it.

So in simple terms, what happens is the malware gains access to your device, the computers, and depending on the type of ransomware, either your entire system, your entire operating system, or individual files are encrypted. And then what they do, these cyber crooks, they demand a ransom from you, or sometimes even from the victims, from patients.

So just some simple facts with ransomware. I think a lot of us are aware of these things. Basically, they can massively impact your practice. One little ransomware effect can cause chaos in our practices. In some cases, these cyber criminals can demand in excess of a thousand, or rather, I wish it were only a thousand, but a million dollars so that you can get this information back.

Now, that doesn’t mean you pay, okay, I’m not saying that, but let me do this first. Let’s go over a quiz and just go through this. So is this true or false? According to an IBM report in 2022, do you think the frequency of ransomware breaches has increased from previous years? True or false?

I bet you know the answer. It’s definitely true. Most of us realize that these hackers, these cyber criminals, are creating more problems for us as time goes on. Yeah, 7.8 percent of breaches in 2021, and then 11% in 2022, and it continues to increase each year. How about this one, the impacts?

The impacts of a ransomware attack can be crippling, to include monetary impacts and permanent closures, especially of smaller organizations like our offices. They delete files; even patient procedures and testing can be canceled. So what can you, as an individual office or provider, do to help with these things or prevent these things from happening?

A. Participate in and complete any required training. B. Ensure your network security is in place. C. Have your IT administrator’s or your computer person’s contact information easily accessible. Or is it all of the above? Yeah, it’s definitely all of the above. Each of those things we have to do; they play a critical role in patient care and patient safety.

Remember, cybersecurity is patient safety, and together we can protect our practices and the patient data we are entrusted to secure. So how can ransomware impact us as providers? This is a big one. This is massive. Monetary impacts: the amount of money we’ll have to pay, one, to resolve these things.

Two, maybe the fines and penalties that could come as a result of it if we don’t have our HIPAA policies and procedures in place. Impact to our organization: sometimes, depending on the type of breaches that happen or the amount of the breach that’s affected, we have to report these things publicly, to disclose to the public that we had a breach in our office. So it really can affect our reputation. It can close our organization or close our offices, especially smaller ones. Deleted files, or you have completely lost them. Delayed or canceled patient care. When systems shut down, it can potentially cripple your networks, forcing manual transactions where possible, and it really can cause havoc in our offices.

So these are reasons why you wanna make sure you protect your patients’ health information. So what’s the best defense? Usually the best defense is a good offense. Most ransomware attacks are sent in phishing campaign emails. We just did a class on this, we did a video on this, one of the last times that we did this, regarding phishing and phishing campaign emails, so make sure you watch that if you haven’t. Stay alert when any email asks you to enter your credentials. You have to be extremely careful when emails are sent, making sure you know exactly where they’re sent from, or at least you know it’s a trusted source.

The next one here: installing updates whenever you’re prompted to. You have to do these things, ’cause if you don’t and you have a breach, guess what? You’re in trouble and you’re liable. Does your practice have an incident response plan? According to HIPAA, and according to all the rules, we have to have an incident response plan, meaning if something happens, this is exactly what we do. Do you have training you should be aware of to understand your practice’s security policy? Is there training that you have? Because you have to have training. This is all part of the HIPAA policies and procedures. You have to have training, and you have to be able to document that training as well.

And also, if these things happen, do you have an emergency contact list in order to help resolve these things, in order to help get the files back if needed? Some of the resources: a lot of people like to see where the resources come from. They come from the Office of Civil Rights, and if you didn’t know, the Office of Civil Rights, or the OCR, they’re basically the police of HIPAA.

These are the folks we don’t want knocking on our doors if something happens. So what are some next steps? What are some things that you can do? One of the things that we talked about is you can download this HIPAA compliance checklist. Click the QR code. You’ll get it that way. Go through these questions, go through these statements and these bullet points.

If you can’t answer, if you can’t say that you’re doing each and every single one of them, not just nine outta 10, for example, you have to do each and every one of them to become HIPAA compliant. So make sure you go through this. If not, we certainly can help you with that. If you have any questions, we are more than happy to answer your questions. If you’d like to schedule a demo or just get started with it, just a couple things you can do here. You can scan that QR code or you can schedule a demo. Just go, like it says right here, to go.fearlessprovider.com/demo. If you wanna just get started, go to www.fearlessacupuncturist.com.

Or you can contact myself at Dr. perry@betterhipaablueprint.com. You can also contact Dr. Julie as well at Dr. julie@betterhipaablueprint.com. I want to thank everybody for attending this program and want to give a big thanks to the American Acupuncture Council for sponsoring. Again, this is Perry Barnhill with the Fearless Acupuncturist, and everybody have an amazing day.


HIPAA – The 6 Types of PHI You Never Even Thought Of

Hi, everybody. Good morning, good afternoon, whatever it may be for you. My name is Perry Barnhill with the Fearless Acupuncturist, and I want to give a big thanks to the American Acupuncture Council for bringing this to you. Today we are gonna talk about the 18 different types of protected health information, how to relate to it in your office, and, most importantly, how to protect it so that you don’t get yourselves in trouble.


Slideshow, please. Okay. Like I said, my name is Perry Barnhill. We teach HIPAA. We’re certified in HIPAA certifications and compliance. Myself and Julie McLaughlin, we want to protect you. We want to educate you and we wanna defend you, so that you don’t get yourselves in trouble with HIPAA or with the government.


So we’re gonna talk about some of the things that could potentially get yourselves in hot water and how to prevent those. Like I said earlier, we’re gonna talk about different types of protected health information, and sometimes you may hear me say EPHI, and all that means is electronic protected health information.

This is the information that we have with our patients in our devices, on our computers, on our laptops, and things such as that. So believe it or not, there are 18 different types of protected health information, and we will literally go through each and every one of them, because there’s many of ’em you would never think are actually considered PHI.

So let’s talk about that with kind of a little quiz here, which we like to call the Fearless Quiz. What do you think are some of the different types of protected health information that you have with your patients? I’ll give you a little clue to get you started here. We all know, or most of us realize, that the patient’s name would be considered part of the protected health information.

What about some other things? Just for a second, start thinking about that. Okay, so we are gonna go through and we’re gonna identify each of those 18 different types. Here we go, and I’ll actually read these to you. Like I said earlier, the name of the patient or the individual, or the patient’s child if you’re taking care of the child.

So obviously names are gonna be protected health information. An address, anything smaller than the state of residence. Any date, and you know what? It includes dates that identify their onset, admission, discharge date, birth dates. Even be careful with people and patients that are deceased. Okay? Bottom line is this.

As we go through these, the reason I’m bringing this to your attention is that if you are aware of all the different types of PHI, these are things that you need to be very careful about who you disclose this information to. Because if you disclose any of this information to people that shouldn’t see it or hear it, that’s actually considered a breach.

And believe it or not, we have to report the breaches. These are things we don’t want to have to do, because the last thing we want to happen is to have the OCR, the Office of Civil Rights, looking at all of our stuff. So let’s prevent these things in the first place so that they don’t happen. Telephone numbers, fax numbers, even email addresses.

Social security numbers. I know most of us realize that this is a pretty important one. Their medical record numbers. Be careful with that one. Health insurance plan beneficiary numbers, the numbers that are on their insurance cards for identification. Even account numbers, certificate or license numbers, things such as their driver’s license.

And of course, I think most of us realize that driver’s licenses can be considered PHI. The thing is that a lot of us take copies of those things, so be very careful who gets that information. Even a CPR certification number, believe it or not. Passports, I think that makes sense to most of us.

But what about this one: VIN numbers, or even license plate numbers? And the thing I wanna elaborate on about the license plate numbers is, many of us will do patient testimonials. Sometimes we’ll do videos of the office, and in the office parking lot there’s cars. But in that same video, or in the same photo, is the car and your office name.

So guess what? Somebody could go online and check that license number, and I’m not saying they will, but it’s possible, and the government doesn’t care whether it was possible, probable, or very likely. If it’s something that you accidentally disclosed and it was linked to the patient and their information somehow was breached, then you’re the one that gets in trouble.

So be very aware of that. Here’s some more: device identifiers or serial numbers on the medical devices and treatments that you use during procedures. Web universal resource locators, URLs. Internet protocol or IP addresses. Biometric identifiers, facial recognition, fingerprint scans, even tattoos. Be careful. You have to be so careful that, let’s say for example, someone has a tattoo on their arm and you take a picture and maybe put it up on the internet, or somehow it gets out and it gets linked back to your office; that could potentially be considered a breach. So be very aware of that. Full face photos, yes. If you do full face photos or you’re doing testimonials, this is where this applies. You have to get your patient’s authorization to do that, and guess what? In our HIPAA program, we have patient authorization video forms, all the things that you need to do that. Or any other uniquely identifying numbers, characteristics, or even codes.

So here’s my big point on this. Know the different types of PHI. If you know what they are, the likelihood that you’re going to disclose those inadvertently or accidentally is gonna become much less. Therefore, the odds are reduced that you’ll have the government in there looking at your manuals and everything like that.

That doesn’t excuse the fact to not have one. But of course, we wanna prevent accidents, if you will, from happening before they occur, and then life is much better for all of us. One of the things we talk about all the time is the importance, not just the importance, but the requirement, the legality, that we’re required to do monthly, or let me say this, ongoing required training for HIPAA.

So we do what we call monthly HIPAA training. Each and every month we do a training. And guess what? This can be one of your monthly trainings. You can scan the QR code right there, and then what’ll pop up is this form. This form has those 18 different types of unique identifiers for PHI on there. You sit down with your staff and document.

Remember, if you don’t document it, it didn’t happen. Document your training with your staff, if you have a staff. If it’s just you, it’s easy, but you still need to document that you did the training on different types of PHI. This will help you go a long way. In the case of an audit, it’s not the only thing you need, obviously, but it’s one of the pieces of the puzzle.

Like I said earlier, document your monthly training in your manual. You can download the HIPAA compliance checklist. We have these ’cause a lot of practitioners ask us, “I’m not sure if I’m compliant.” One of the things I will say: if you’re not sure, the likelihood is that you’re probably not.

That’s why you may be asking that question. This is a great checklist. Go through these things. If you can’t check off every one of these, it’s very unlikely that you’re HIPAA compliant, so make sure you do this. You can scan this QR code here and you’ll get this list to check for yourself in your office.

If you have any questions, don’t ever hesitate to reach out to us. A couple different things you can do here. If you want to schedule a demo and check out the HIPAA program and all the training that we have, just go to go.fearlessprovider.com/demo, or you can simply scan the QR code over there.

The other thing too is, if you just want to get started and make sure you become HIPAA compliant, you can go to www.fearlessacupuncturist.com. And like I said, if you have any questions, more than happy to help you. Myself and Julie, more than happy to help. You can contact me at Dr. perry@betterhipaablueprint.com. Don’t hesitate to reach out. In the meantime, everybody, I want to say thank you again, and thanks to the AAC for hosting this short webinar on the 18 different points of protected health information. And everybody, have an amazing day. Have an amazing rest of your week, and I will talk to you later.


HIPAA – Immediate Nationwide Update Alert – Dr. Perry Barnhill

Hi, everybody. Good morning. Good afternoon. This is Perry Barnhill with the Fearless Acupuncturist. Today I want to give a big thanks to the American Acupuncture Council for bringing this to you. Today we are going to talk about HIPAA as it applies to reproductive healthcare. Many of you acupuncturists deal with reproductive healthcare, and even for those of you that don’t, in your files, in your patients’ histories, in the forms that the very patients fill out, there will be things regarding reproductive healthcare, like contraception, pregnancy management, fertility, sterilization, and also sexual health. That is just a reminder of what reproductive healthcare means in the context of HIPAA. Slideshow, please. Okay, so how fast things change. Literally at the beginning of the year, we had some new laws regarding reproductive healthcare, and now, just within the last few weeks, on June 18th, it’s changed.


Some of those things have changed for most of the states out there, but not all of them. And this is what we’re gonna talk about. And again, things change very quickly sometimes. You really need to stay on top of all the HIPAA laws, new, old, and the changing ones as they’re coming down the pipe.

Strengthening reproductive healthcare privacy under the new HIPAA privacy rule. Now, again, like I talked about a little bit before, there were the new requirements that we talked about in December and also in January, but now there are some new requirements regarding attestations, or shall I say, some things you may not need to do, and we’re gonna talk about the action steps and specifically how it applies to you and how it applies to compliance in relationship to HIPAA.

Here’s what happened on June 18th, so just a few weeks ago: a US district court judge for the Northern District of Texas, a federal judge, has invalidated the 2024 HIPAA reproductive health modifications to the privacy rule. The decision is immediate and it applies nationwide. This is how we’re saying there can be a law, and then several months later that law no longer exists, or you no longer have to do certain or specific things within that particular law.

The Texas judge, this is what the Texas judge said. He said that HHS had overstepped its bounds, and he cited three main legal issues, which we’ll just talk about briefly. One, the rule unlawfully restricted public health laws. Two, it redefined terms like “person” and “public health” in ways that exceeded the federal authority.

And three, it addressed politically charged issues like abortion without clear congressional approval, a violation of the major questions doctrine. And again, let me just remind you what the reproductive healthcare law that I was talking about just a little bit before covers: things like contraception, pregnancy management, fertility, sterilization, sexual health.

So those were what specifically they stated fell under that umbrella of reproductive healthcare law. However, some of the things we had to do, like I said earlier, like attestation statements, most of us will not need to do any longer. Okay, so let’s just keep going here. HIPAA-related entities: covered entities like you, and your business associates.

Remember, business associates are folks that you do business with, or basically people that have access to your patients’ information, or basically anything that you have that you share with somebody else in relationship to a business associate for protected health information. They have to follow state laws regarding that particular reproductive health. All right, so now let me say this. It does get a little confusing. It gets confusing for everybody. Federal law: there’s federal law, as we know, and then there’s state law. When it comes to HIPAA, actually state laws will supersede, or become in addition to, federal law. So you can have a federal law, but your particular state may have it more strict, it may be more detailed, or you may have to do additional things regarding that particular law. So we always say stay on top of your state laws as well. So in the absence of the HIPAA reproductive health rule, some states, not only many states, are increasing HIPAA privacy protections for their residents. So here are some of the states that you need to pay attention to, that will likely, or I would go so far as to suggest to you, keep doing what you’re supposed to be doing in regards to reproductive healthcare and providing attestation statements, which we’ll get into in just a second.

So anyways, New York, California, Washington, Nevada, and Connecticut, and there may be some more to come. We’ll see. How does this impact you? Here’s the thing. Covered entities, at least most of them in those states, or in most states, are no longer required to seek attestations from requesters regarding protected healthcare, or rather protected health information, related to reproductive healthcare.

So what does that mean? Basically, because of this new law, the states that I didn’t mention, you follow the federal law, okay? You do not have to provide an attestation statement if someone asks for those certain things regarding reproductive healthcare. All right? What that means is, if you did what you were supposed to at the beginning of the year with all the new updates that came down the pipe and you changed your privacy notices, now you would actually take that out, ’cause now it no longer applies to you. But if you’re in those states that are going to continue to follow this, you need to keep it in there. If you don’t know what I’m talking about, make sure you reach out to me so we can tell you the things that you need to know regarding this and many other things that changed at the beginning of the year.

So double check your state now. Navigate the prohibition on disclosing protected health information for the purpose of investigating or imposing liability for unlawful reproductive healthcare imposed by your state. Let me put that in some different words here for you. If you have patient files, which we have, patient files that do in fact many times contain the very things that I detailed regarding the big umbrella of reproductive healthcare, and if somebody, like from law enforcement or a judicial branch, we listed these things before, requested that information, we were supposed to by law actually send them this model attestation form, which basically said, Hey, listen, we’re sending you some information here. You have to fill this out. Actually, let me reverse here: we’re not gonna send you this information, this protected health information, until you fill this form out and basically promise to us that you’re not going to punish anybody for whatever was in those particular files regarding reproductive healthcare.

So now, because that federal judge said what he said, most states no longer have to do this. All righty? So make sure you pay attention to your state. This is why we always talk about HIPAA. It’s not like you can just do HIPAA, fill out this manual, and you’re good to go, and you just sit back and you forget about it.

It’s constantly evolving and it’s constantly changing, as you can see, and what happened in Texas is just a real simple reminder that a single court ruling can unravel a lot of the new guidelines that were literally just presented and required six months ago. It’s evolving, from reproductive privacy rules, and think about this: cybersecurity. Look at AI, artificial intelligence, and all the new things that are coming down with computer systems and privacy and cybersecurity threats and phishing.

It gets really scary at times. This is why monthly training isn’t optional. It’s literally your lifeline, such that you have to stay on top of these things. And I’ll be very clear, it’s not like the government says, Hey, by law, you have to absolutely do one monthly HIPAA training a month.

That’s not what they say. What they say is you need to do continuous training throughout the year for yourself and for all of your employees, and even for your business associates, believe it or not. What I’ve also heard other people say, that teach the things that we teach, is that even the government suggests that you do HIPAA training about two times a month. Now, is that a law? It’s not a law, but it’s what we’ve heard as suggestions. We step back and say, Hey, you should be doing things at least once a month. All right, so staying informed protects your license, your patients, and your peace of mind. And believe me, if you don’t have these things dialed in like you’re supposed to and someone comes knocking on the door for an audit, it’s something that you don’t want to go through, because I talk to doctors all the time.

I talk to acupuncturists all the time that get scared because they don’t have the things that they should have. So it’s really easy to get the things that you need to have, and I’ll talk to you about that here in just a second. HIPAA compliance, again, you can’t just check a box and be like, okay, cool, I’m HIPAA compliant, or fill out a particular form.

It can get a little bit involved. It’s about staying ready for whatever comes next. Keep learning. Keep updating the things. Stay fearless. We want you to be fearless so you can focus on your patients. That’s why you became an acupuncturist, is to focus on your patients. We can help you with the HIPAA side of things, so what are some of the next steps that you can do?

A couple things here. HIPAA checklist: if you’re wondering, like, ah, I wonder if I’m HIPAA compliant, or I wonder if I’m even close to being HIPAA compliant, you can scan the QR code and get this checklist, or you can just look at it here and go through these questions. If you can’t answer these questions, or if you’re not doing these things on these questions, you’re not HIPAA compliant.

It’s not worth the risk. So if you want to, you can set up a demo with us, where we can talk to you, we can show you the HIPAA compliance program that we have and how easy it is to navigate through this. Just go to go.fearlessprovider.com/demo. You can scan the QR code here as well.

Sometimes, acupuncturists, you just wanna get started. So you can go to www.fearlessacupuncturist.com to get started. Or, a lot of times people just wanna reach out and ask me questions, and I am more than happy to answer any questions that you may have, and you can contact me there at that email, Dr. perry@betterhipaablueprint.com. If you have any questions, like I said, reach out to us. We are absolutely more than happy to sit down and talk to you and spend some time with you and clear up any questions or confusion that HIPAA presents many of the times. In the meantime, everybody have an amazing day and we will talk to you soon.


HIPAA Warning – Verifying Employee Eligibility – Perry Barnhill

Hi everybody. This is Perry Barnhill with the Fearless Acupuncturist. Today we are gonna talk about the OIG and its exclusion list, what it means to you, and why you need to be aware of it. Wanna give a big thanks to the American Acupuncture Council. Go to the slideshow, please.


Okay, here we go. Understanding and using the OIG exclusion list. This is about performing certain exclusion checks on your staff regarding the Office of Inspector General. Let’s talk about that. This is something that we want to check every single month. Now let me put it in perspective here for you.

We’ve got Health and Human Services at the top, HHS; you’ve heard of that. And then we have the OIG, the Office of Inspector General. Now they’re very closely related to the OCR, which is the Office of Civil Rights, and this is where all the HIPAA stuff comes in. These two are basically sisters to each other, and they’re so important that you need to be aware of them.


That’s why we’re talking about this right now. What is the OIG exclusion list, and why do we need to check it? Okay, so here’s what it is. The exclusion list is a list of individuals that the government collects that basically shouldn’t be employed in your office if you’re accepting any federally funded programs such as Medicare, for example, or even if you’re in some acupuncture networks, PPO, HMO, or insurance networks.

Now, if they’re on this list. Is something we need to be aware because we may not keep them employed. This is something we want to ensure compliance with Medicare, Medicaid, like I said, certain contract requirements by regularly verifying employees. Who do we need to check? Okay, now everybody that we need to check is pretty much anybody in our office that’s involved in any kind of patient care or has any kind of access to protected health information.

So you got your staff that’s involved with your patient care. Any employees handling any kind of billing procedures or protocols, personnel. Anybody who has access to protected health information. I’m not talking about a janitorial service or a cleaning service. Those folks though, if you don’t know already, they need, or you need to have them fill out, certain forms such as non-disclosure statements and agreements.

Because even janitors that come into our office may accidentally see protected health information. And that’s something, just on a side note, that you need to be aware of and you should have protected and you should be speaking to them about. The Medicare exclusion list. This is a list on an OIG website that I want you all to go to.

Here it is: exclusion dotig.hhs.gov. You need to go here, and this is where you need to start doing some checking. Go in there and enter your employee’s last name and first name, and if you need to, because some people have similar names or the same names, use additional details such as their date of birth. If you have other providers in the office, you need to check on them as well to narrow the results.

So how do we interpret these results if their name actually pops up? The good news is if it doesn’t pop up, they’re good to go. You don’t need to worry about it, but if one of your employees’ or your personnel’s name pops up, make sure you click to verify and review additional details again to make sure it’s not the same person that you have in your office.

So you can enter date of birth, NPI numbers if they’re providers, for confirmation. And believe it or not, there’s another exclusion list that I want you to check. Even though I’m talking about this and it seems like it’s overwhelming, at least a little bit, it’s easy. It’s very fast. You literally go to those websites, you check in their names.

It pops up very fast, and their name’s either on there or it’s not on there. The other one is the SAM exclusion list. This is the next website you want to go to and just double check and make sure nobody in your office is on this list. sam.gov. Just go there. Check it; how to search is very similar.

You use the entity verification search function and again, you enter the information of the employee’s name or any personnel that you have in your office to make sure they’re not on that list. Some verification tips. Provide as much identifying information as possible. Again, to make sure maybe you got two people with the same name, confirm the details and make sure that they match.

The last thing I want y’all to check is your state-based exclusion checklist. So we got the government, we got the SAM list, and then also double check any kind of exclusion list. And again, just to reiterate this, if you’re accepting any federally funded programs, you have to make sure that none of your employees or anybody in your office is on this list, or even other providers.

’cause if they’re on this list and you hire them and they’re employed and they find out, you can get in some big trouble and the fines are pretty steep. So again, where to check for state-specific lists? Use your state-specific portal. Alrighty, and make sure that they’re not on that list as well. How to search?

Very similar. Locate the sections for OAG provider sanctions and you enter your employee’s name and other identifying details if needed and if possible, reviewing the information. Check details again to ensure that it matches the individual. Again, making sure it’s not the person in your office. Maybe they got the same name, and I know I said that a thousand times, but just double check.

Note any active sanctions or exclusions relative to state Medicaid programs. Here’s some best practices for verification. Always verify with multiple data points for the reasons we’ve just talked about. Cross-reference your results. Check the OIG, the SAM and state-based to confirm accuracy and, just as important, make sure you document everything, as if it’s not documented, they will say you never ever did it. So make sure you do that and make sure you do it monthly. The importance of regular exclusion lists: compliance meets Medicare, Medicaid, and also many insurance contracts. You have to make sure they’re on this list. Risk management helps prevent potential fraud and abuse.

’cause if those folks are on this list, it’s likely they have some kind, they’ve been convicted of some kind of criminal action, and there’s something going on that you definitely may not want them in your office. All right? Quality assurance ensures that other qualified personnel have access to sensitive patient care and information.

So you gotta be safe there. You gotta protect that information. So here’s some next steps. Just to recap, use OIG website and Medicare exclusion list checks to make sure they’re not on the list. The SAM exclusion list. And also check your state. Record this in your manual. Make sure you record it in your manual.

’cause again, like I said, if it’s not checked, it’s not done, and you need to do it monthly. It doesn’t take long. So just make sure you get in there and you get that done. Additional resources, I’ve gone over these, but here’s a screen just to check again, different spots you can check. If you don’t know if you’re HIPAA compliant, the likelihood is that you’re probably not.

Many providers may have a form or two in the office, and they think that means that they’re HIPAA compliant. So this is why we came up with the checklist here. Go over this checklist. Look at the boxes here. If you’re not checking every box, the likelihood is very high. Likelihood is that you’re not HIPAA compliant.

Make sure you do so because the fines associated with any HIPAA noncompliance are very scary. You can scan the QR code as well. If you want to schedule a demo, you can go to fearless provider.com right here as you see, and we can go over a demo with you, show you how the program looks, what exactly it looks like on the inside, how to navigate it, how to have your staff navigate if you choose not to.

If you wanna just get started, you can go to fearless acupuncturist.com. You can get started that way as well. If you want to contact me, if you wanna reach out to me ’cause you have questions or concerns or anything like that, please feel free to do so. I’m more than happy to jump on the phone and jump on the site, go over a demo with you and answer any questions that you may have.

You can contact me at Dr. perry@betterhipaablueprint.com. Also, you can scan the QR code here as well. If you got questions, reach out to me please. I am more than happy to help any and all of you. In the meantime, everybody, have an amazing day and we will talk to you soon.


Why Google Reviews Matter to HIPAA – Perry Barnhill


Good morning. Good afternoon, everybody. Welcome to Fearless Acupuncturists. This is Dr. Perry Barnhill, and today we’re gonna talk about Google reviews and how to respond to them properly. Go to slides.


Again, this is Dr. Perry Barnhill and I wanna welcome you to the webinar on how to respond to Google reviews in a HIPAA compliant way, such that you keep yourselves outta trouble. That’s the goal. We wanna respond to reviews properly and legally in a positive way, and at the same time keep ourselves out of trouble with any kind of HIPAA violations.

All right, here we go. So why do Google Reviews matter? We know these reviews impact our online reputation. They’re very important. We know it builds positive engagement with potential patients, even existing patients. We know patients check reviews out all the time. As a matter of fact, we check reviews out, and Google reviews on primary, people we go to see, doctors we go to see.


So it’s really important. It builds engagement with the SEOs, and compliance with HIPAA is very crucial, as we all know, in all patient communications, especially public facing communications such as Google reviews. So understanding HIPAA in online interactions, and let me just go over a little bit of HIPAA overview.

As we know, HIPAA protects patient health information, just the acronym PHI, Protected Health Information, and PHI includes all kinds of things that can identify the patients. Things such as their name. We know that’s pretty basic. Their IP address, their face. There’s so many things that it can be related back to the patient.

It is protected health information, and violations, I know you hear about this a lot, but this is true, violations can result in big fines and it can damage your reputation. Okay, so here’s what we want to do. We want the dos and the don’ts in responding to reviews. Now the dos, we want to keep our responses generic and professional.

We wanna focus on customer service, not their acupuncture care. Now, the don’ts, we never want to confirm or imply that the reviewer is a patient in our office. We don’t wanna mention any details about their care, including anything regarding their family members. Like just be very safe about it and just don’t do anything like that.

Alright, so creating a safe response to positive reviews. And here’s an example. Dr. Joe and his team are fantastic. They always make me feel comfortable. Here would be a sample response. Thank you so much for your kind words. We strive to provide a comfortable and welcoming experience for everyone who visits our office.

Now, how do we handle negative reviews? Let me give you an example here. I had a disappointing experience with the wait time at Dr. Sally’s office, and here’s a good response. We always appreciate any feedback. We take concerns like this seriously and would like to learn more. Please contact our office directly so we can address this issue.

So one thing to notice is we’re not referring back to you or any way that can imply that this patient even came to our office. These are very generic responses, but these are the responses that we need to have in order to stay compliant, navigating complex reviews. Here’s an example of a review. The whole family love seeing Dr. Steve.

Here’s an example response. We love taking care of families. Here’s the key. I didn’t directly say we take care of your family. We love taking care of families is just a generic response as compared to “We love taking care of your family.” So that’s the distinction there. And again, this response is safe.

’cause it doesn’t reveal or directly imply that we’re taking care of their family. We just love taking care of families. So here’s some common mistakes to avoid. Just re-going over the skin, acknowledging that the patient or their family members in any way confirms their status in our office, providing any additional information about their care, even if they mention it first.

Don’t, just don’t respond to it in that way, at least. And here’s another thing, and I see this often, don’t engage in back and forth discussions that might inadvertently disclose more details. And where I see a lot of providers getting themselves in, or potentially in, hot water, they have this back and forth, almost argument, about the care or the wait time or whatever it was in the office.

So don’t even go there. Alright, HIPAA compliance and best practices. Always thank the reviewer without confirming any details. Keep your responses focused on general customer service. Encourage offline communications for specific concerns. Where we said, Hey, please contact our office. Don’t go there online and in front of everybody.

Train your team. Also, this is so important. Train your team on how to handle reviews in a compliant manner. I would suggest that if you have team members responding, make sure before they respond, they get back with you and you approve that response before it goes out. Handling potential HIPAA violations.

This is what we don’t want to have to deal with, but if we accidentally disclose PHI, take that review offline immediately, get rid of the trail. Consult with your compliance officer for guidance. Ask to see what you should do from there. Report the incident to necessary authorities if required; however, ask first.

Don’t just start reporting things to HIPAA. If you don’t know for sure if it was a violation, ask someone like myself. Ask someone like Dr. Julie. Find out first before you go reporting things. So here’s some final tips for success. You wanna respond promptly, thoughtfully, and you want to regularly review your HIPAA policies related to online interactions, and this is where I say you need to train the staff.

It’s part of the training, it’s part of the requirements we have for HIPAA. We have to train the staff on how to respond to situations like this, for example, and encourage our satisfied patients to leave positive reviews and then bury the bad reviews with good reviews. Remember, protecting patient privacy.

It’s not just a legal requirement, it’s commitment to the trust your patients place in you. So some next steps here, you can all go to and download this HIPAA compliance checklist. You can go to this, the website here, or you can scan the QR code, check out this list. If you go through this list and you can’t safely mark all those boxes, you’re not in compliance with HIPAA, and we don’t wanna be there.

You don’t have to be there. It doesn’t have to be complicated, it doesn’t have to be confusing, but it’s a process. So make sure you are, because if you’re not, the consequences are what we don’t wanna talk about. You don’t have to be in that boat. If you want, you can schedule a demo with us. You can go to fearless acupuncture.com.

There’s a demo there. You can scan the QR code. You can go to our website@ww.fearlessacupunctures.com or always feel free to contact me at Dr. perry@betterhipaablueprint.com. And again, thank you so much, the American Council acupuncture Council. It’s a mouthful. A CN. How’s that for allowing us to provide you with this webinar?

And in the meantime, everybody have an amazing day.


HIPAA – Regarding Reproductive HealthCare


Hi everybody. This is Dr. Perry Barnhill with a Fearless Acupuncturist, and today we are gonna talk about something that is so important. There’s some new HIPAA changes that are coming down the pipe regarding reproductive healthcare. A lot of you are very much involved with fertility and reproduction and pregnancy and things like that, so make sure you stay tuned for this.

Also big thanks to the American Acupuncture Council for having us here. We are pleased to give you the information that you need to have now. Slideshow, please. Okay, here we go. This is all about strengthening reproductive healthcare under the privacy and the new HIPAA privacy rule. So there’s new requirements.

Just like I said, there are forms, and when I talk about attestation, I am specifically referring to a form that we’re gonna need to have and send out before we send out any information. We’ll get in some details on that and some action steps so you know exactly what it is you need to do. Let’s talk about some of these new changes.

Now, if you’ll remember, maybe you don’t know, but you need to know, there are seven new laws for HIPAA in 2025. We’re not gonna get any of these, but they’ve actually added to that, believe it or not. So they have talked about some modifications to the privacy rule, specifically to better protect reproductive healthcare privacy.

We’re gonna define what this reproductive healthcare privacy is, and a lot of you are involved with this. What it does is this: it prohibits use or disclosure of PHI, protected health information. Remember, these are the records we have on our patients, including our intake forms. All righty? So even if some of you may not be involved with this, which I know a lot of you are.

Still, a lot of this information is actually on the intake forms that the patients fill out when they come to the office. So what it does is this: it prohibits use or disclosure of PHI solely to investigate or penalize lawful reproductive healthcare. It requires this form I’m talking about, so it requires obtaining written attestations before we disclose this reproductive healthcare information or records in certain circumstances, or I’ll talk about certain scenarios that you, we will go over, and covered entities, which is all of us, have to update our notice of patient privacy practices accordingly.

What is reproductive healthcare? This reproductive healthcare is a very broad definition, and federal registry. This is some of the stuff that comes from the Federal Registry to help better define what reproductive healthcare is, and it’s an exclusive list. What I’m going to do is, I’m just gonna go through the main things here. You can read all the details behind it, but it’s contraception, it’s management of pre-pregnancy, which a lot of you are doing.

It’s fertility and infertility again and family planning. It’s still sterilization issues. And sexual health, to include many things there. So make sure you understand what this is. Who is affected? Guess what? All of us as healthcare providers are affected. All healthcare clearinghouses are affected, affected health plans.

So all insurance companies are business associates. You know the people that have access to your records, they’re affected. So you need to make sure they’re aware of these things. Also, through your business associate agreements. Here are the situations that require attestation. So I’ll just summarize a little bit.

Reproductive healthcare, if these scenarios occur, meaning these folks ask for records from your patients or from you that you have on your patients, and your records have any of that reproductive healthcare definitions on it, or in it, including intake forms, you’re gonna have to send out the form, the attestation form.

So here are the scenarios, or here are some examples of if these people ask for records that contain that reproductive healthcare, you’ll have to send out one of those attestations. Health oversight activities. Again, you’re gonna validate that the disclosures are not used for punishing lawful care.

That’s how you do it, through the attestation statement. Judicial administrative proceedings confirm that the request is not investigative or punitive in nature. The way you do this is through that form, which we’ll talk about here in a second, and also law enforcement requests. So law enforcement, you have to also use this attestation form before you release any of this information, or at least information that has reproductive healthcare in it.

Coroners, medical examiners, here again, you’ll have to use this form as well before you release the information. We have a form, I should say we, I’m referring to the government. I’m obviously not the government, but we’re talking about a form, they call it the model attestation form. So why not use the form that they actually say we can use, and this is the requirement, it’s the required step we have to do before we disclose reproductive healthcare information or records, and it ensures that whoever’s asking for it.

So those scenarios I just showed you, like the law enforcement, coroners, medical examiners. We send this form to them, they gotta fill it out and send it back to us, and basically saying they’re not gonna do anything or punish them by law for doing the things in the reproductive definitions that I showed you.

Here’s the form, and basically what this form is this, and I know you probably can’t see this on the slides, but the next slide, I’ll have a link for you so you can download this form for yourself, for your offices, and for your staff. But basically, this is the form that we would send out. So let’s say law enforcement, here’s a scenario.

Law enforcement, like I said, in those scenarios, they ask for protected health information from what you have on record of one of your patients. And those records happen to include some of those reproductive definitions in there. So before we send them any information, we have to send this form out and they have to fill it out.

And basically it says that they’re not gonna use any of the information that they acquire from your patient records to punish the patient. Alrighty. Here is the link so you can get this form. I’ll bring the link up again here a little bit later, but you can just scan it and then I’ll get you right to the link.

Lots of things you gotta do here. So let’s go over some of the main ones. You have to document everything, as always, as you always know, with everything we do in our offices. HIPAA, reproductive healthcare obviously is a big one. In fact, it’s mandatory. We have to keep records of our policy updates, so make sure you keep a record of this.

In fact, keep a record of this for your training log. This could be something you can show your staff, the attestation, that form that we have to have. You gotta keep that on file. Disclosures. And what I mean by disclosures is, believe it or not, every single time that we release information on a patient, we have to record that, because patients have a right to come back and say, Hey, I want to see everybody that you ever sent my information to.

So we gotta have that readily accessible. We have to train, we have to educate the staff, and here’s what this looks like. Identifying protected health information requests or PHI requests that will trigger the use of that form. Kinda like we talked about the reproductive healthcare. Talk to your staff.

Distinguish lawful reproductive healthcare from investigating requests. So when those people are asking, and I say those people, the people that I was talking about in those scenarios, ask for reproductive healthcare PHI on your patients, an attestation form goes out, so you have to know how to locate and use the form and document the disclosures, and of course, you have to retain the attestation forms, to keep copies of everything.

Make sure you train your staff on this. In fact, a lot of offices are deciding and telling the staff, if you have any requests for protected health information from any of those people, let me know so you all can check it over and make sure that attestation form is sent out and then sent back to you before you release any of that information.

You have to update your notice of patient privacy practices. That form, the big old packet that we’re supposed to have in our office for all the patient’s rights. Those things have to be readily available for patients. And again, it must reflect. So there’s gonna be changes in there if you had those forms, which you all need to have, those prior to 2025.

Guess what? Those forms are no longer good. So you have to get a new, you have to get new notice of patient privacy policies to provide patients with clear and updated information about their rights and how their information is protected. All to align with the updates of the final rule guidelines.

Basically all to align with everything that’s come down the pipe with these new laws. Here’s some next steps for you. Here’s another opportunity to download that QR code if you’d like to, so you can go right to it and get that model attestation form, which you have to have. You need to have this in your manuals.

One of the things that we’ve done is we’ve put together a HIPAA compliance checklist. So you can go through, look at this checklist. ’cause a lot of people, they think, oh, I think I’m compliant, or I, maybe I have this form, I have that form, but maybe you’re not really sure. Maybe you didn’t know. You need to do a bunch of assessments and analyses throughout the year.

So we’ve created this form here, just this checklist. You can go through it, check it out, and if you can’t answer these questions or if you’re not doing the things on this form, then guess what? You’re not compliant and you do not wanna be in that position. Believe me, don’t be in that position. Get it dialed in.

Protect yourself. If you’d like to, you can schedule a demo or you can just get started. You can go to this website here. You can schedule a demo, go dot fearless provider.com/demo. Of course, you can scan the QR code there to your right. If you just wanna get started with the HIPAA program, we have everything you need for HIPAA, all the forms, all the trainings.

We have ’em in videos, we have downloads, we have closed caption, we have transcripts. We have everything in there to make it as easy as possible to learn for you and your staff, or I’m more than happy to talk to you. You can contact me at Dr. perry@betterhipaablueprint.com. Again, thank you all so much for being here.

We hope the best for all of you, in spite of all these changes. Just make sure you go out there, get the process going, and make sure you have this in play. In the meantime, have an amazing day, everybody.
