Tag Archives: Perry Barnhill


HIPAA – Top 3 Cybersecurity Threats in the Health Industry

Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible; however, it may contain spelling or grammatical errors. Due to the unique language of acupuncture, there will be errors, so we suggest you watch the video while reading the transcript.

Click here for the best Acupuncture Malpractice Insurance

Get a Quick Quote and See What You Can Save

HIPAA – Lost or Theft of Equipment & Data

Hi everybody. This is Perry Barnhill with the Fearless Acupuncturist, and we wanna welcome you to another show regarding HIPAA and compliance and how you can protect yourself and your patients in your practice. Slideshow please. First, I’m gonna give a big thanks to the American Acupuncture Council for sponsoring this show.


Okay, so let’s get into this. Let’s talk about loss or theft of equipment and data in our practices. Before I do that, let me just go over a couple things here on why myself and Julie teach HIPAA. We understand what it’s like to have an office. We understand what it’s like to take care of patients, and we also understand what it’s like not to really know what it is we’re supposed to know in regards to HIPAA.


So that’s why we’ve created a compliance program, specifically addressing HIPAA and the needs in your office as it relates to you as acupuncturists. So before we get started, there’s something I’d like to go over regarding where you fall within the whole HIPAA world. What we’ve done is we’ve created a little bit of a quiz here, and I’m gonna hop to the next slide so you can scan this.

So scan this QR code, and this will take you to just a few questions regarding HIPAA and compliance in your office. Now, as you go through these questions, first of all, it’s quick, it’s easy. We’re not gonna share this with a bunch of people, so don’t worry about that. You can grade yourself based on the answers to your questions.

If you’ve gotten an F, just like anything else, you’re not even close to being HIPAA compliant. But let me say this as well: even if you have a B, that’s great, and you should commend yourself for at least having a B, but that means that there are still a few things you need to get in play to be totally HIPAA compliant.

Let me just say this. HIPAA is something we don’t wanna mess around with. In fact, I talk to acupuncturists and providers all the time. The biggest risk, believe it or not, I believe we all have in practice these days is not being HIPAA compliant. And the reason I say that is because the penalties and the fines associated with not being HIPAA compliant are huge, and we just don’t want that to happen to us. So make sure you go there, you check this out and see where you fall within the whole world of HIPAA.

Okay, so seconds count. Here’s a little story about a provider going to a coffee shop. They have their laptop there. They jump on the public wifi, they order a coffee, they sit down, they get called, they go pick up their coffee, they come back and their laptop is gone.

Basically, their laptop got stolen, so as you can imagine, I think all of us would be freaking out because our laptop got stolen, and we should be freaking out if our laptop had any kind of protected health information on it, something you’re hearing me refer to as PHI, or ePHI, which stands for electronic protected health information.

So did you know, and I’ll just go through this really fast, a laptop is stolen every 53 seconds, so these things happen all the time. 70 million smartphones are lost every single year, and a very small percentage, only 7%, are recovered. 4.3 percent of company-issued smartphones are lost or stolen every single year, and 80% of the cost of a lost laptop is from the data breach.

Last one here: 52% of all devices are stolen from the workplace. This is a big deal. Physical loss and data loss, so physical awareness of the device matters. Just as some examples, we misplace our phone, or we leave our laptop in the coffee shop, or we leave our tablet unattended at work or in transit.

We basically lose these things. We can lose data by sharing passwords or not using proper passwords. How do we do that? If someone who is not supposed to can access your systems by using your password, they can access data they shouldn’t have, and that is considered a breach. Sharing passwords, again, don’t share passwords.

Don’t share passwords with anybody. Accessing personal or unauthorized, non-work internet or websites on your work computers: be very strict, not just with yourself, but also with your employees, regarding the places they can and cannot visit on the computers and on the internet. So let’s do this.

Let’s take a quick little quiz here. And what I want you to do is think about the best answer here. Some of these might be answers, but pick the best one here. So here’s a question. Which of the following activities can cause data to be damaged or lost? A. Staying online too long. B. Never fully shutting your computer down.

C. Unauthorized access to a system. D. Always keeping your computer charging. Okay, so the best one here, the very best one, the best answer here is C, unauthorized access to a system. Anytime somebody accesses our system, meaning they gain access to protected health information that they were not authorized to access, that’s a breach, and that’s something we don’t want to happen. Here’s a really cool chart on how long it takes a hacker to break your password, and these are just examples. Again, I’m not gonna go over all of these. You can screenshot this, you can look for it, but it’s just very interesting. So if you go to the left here, look at the number of characters.

If you just have four characters and they’re only numbers, or only lowercase letters, or even look at the next box over, upper and lowercase letters, that whole row: a hacker can access your system or break your password immediately. So the goals are, and there are very specific requirements according to HIPAA.

It’s a law. You have to have certain requirements for your passwords. They have to be so long, meaning so many characters in length, and they have to have special characters. So there are things that have to be done here, but go to the bottom. So check this out. If you had 11 characters and you just slide over to the right-hand side, 11 characters with numbers, upper and lowercase letters and symbols.

It would take a hacker up to 34 years to break your password. This is where we want to be so they don’t break our passwords. So how do you create unique passwords? Make ’em meaningful to you and nobody else, something you could remember. Create passphrases with special characters, and avoid items that can be easily discovered in social media or pictures.

So don’t use your first and last name. Don’t put a one in front of your first and last name. Don’t put a dollar sign behind it. These are way, way too easy to access. Here’s an example: Fly me to the moon. Now, what does this have? It has many characters. It has upper and lowercase. It has a number, and it also has a special character, which is an exclamation point.

So what do you need to know in order to help prevent loss or theft of your equipment? Make sure you know your organization’s policy before removing them from the office. You cannot, or you should not, remove any equipment from the office unless you have very specific policies and procedures in place.

We have these things in our manuals. We know this is part of things that providers do. They take their laptops home. Sometimes they allow their staff to do these things. I would suggest you do not allow your staff to take home any protected health information. All right. But anyways, here are some questions.

Can you travel with your equipment? You could, but you have to have policies and procedures in place. Can you take your equipment offsite to work remotely? Yeah, you can do these things, but certain things have to be followed, and you have to understand how to access that data or your practice safely and securely.

Can you use a USB or other portable storage devices? You can. But you have to make sure, again, those things are protected. Is the information on the computer or storage device encrypted? If the answer’s no, then you cannot take that device anywhere. It has to be encrypted. How can I use a secure VPN (virtual private network) or password-protected wifi to log into a network and work?

So you have to know the answers to these things before you do any of them; it has to be in your HIPAA manuals. These things have to be part of your policies and procedures. We have these things in there. So is it important to be aware of your practice’s policies on traveling with equipment or taking equipment home to work remotely?

I pretty much answered that, so here we go. Absolutely. It’s true. We always have to verify our practice’s policies and procedures associated with the use of equipment outside of our office location. This will help ensure that you’re not exposing your laptop or mobile devices to unknown risk by accessing unsecured networks.

This is a real big deal if these things get breached, if you get accessed by someone that shouldn’t be accessing these things. We have to report these things, and if we don’t have policies and procedures in place, we’re gonna get fines and we’re gonna get penalties.

Really important to have these things in place. Here are some best practices on how you can protect your devices and your data. Obviously, knowing where your mobile devices are at all times; don’t leave ’em hanging around. Never leaving them unattended or unlocked. Don’t leave laptops in a car. Doctors, providers get these things stolen, and when you start asking questions, it’s like, oh yeah, I left it in the front seat, and then their car gets broken into, and you’re in trouble.

If that happens, there are certain policies and procedures that you have to have in place if you decide to do these things. You have to encrypt sensitive data. If it’s not encrypted and it gets stolen or it gets breached, that’s a problem. Being aware of your surroundings, meaning maybe you shouldn’t take your laptop in a car, depending on where you’re going.

I wouldn’t take it anyways. If I was to go into a store and I have my laptop, I would take it with me. Quite literally, I would take it with me. That’s how concerned I am about these things. You have to make sure your passwords are strong, and like I said, don’t ever share your passwords. And here’s the other thing too.

If something happens, you have to report the loss of this equipment immediately. You have to report it to HIPAA, and if you don’t have certain procedures and policies in place, this is where the fines come into play. And this, quite frankly, is what concerns me the most. So, in summary, loss or theft of equipment or data can have significant long-term implications that will far outweigh the cost to replace the device.

You have to follow all system instructions regarding secure passwords and updating your software, updating patches, to make sure that this is as secure as it possibly can be. If something happens, you have to take immediate action. If there’s an event, and when I say event, I mean there’s a breach, or maybe there was a breach, meaning there was a compromise, or maybe you’re not really sure whether there was or wasn’t a breach.

We have questionnaires that assess the breach and determine: yes, there was a breach, or maybe there was, or yes, there definitely was. And then, given the answers to those things, what do we do from here? And again, if these things happen, you have to provide as many details as possible related to the incident.

Who do you provide those things to? You’re gonna have to provide them to the OCR, the Office of Civil Rights, which is basically the HIPAA place, and hopefully we never have to go down that road and be in that position. So here’s some next steps. If you have questions for us or if you wanna schedule a demo or quite frankly, just get started, you can do these things.

You can schedule a demo with us if you go to go dot fearless provider.com/demo, or of course you can scan the QR code here to the right. You wanna get started with our program? You can go to fearless acupuncturist.com. It’s easy. You go there, you sign right up, and you get access to all the manuals, all the information.

All the videos. Or sometimes people want to contact me ’cause they have some specific questions. Please feel free; you can contact me at Dr. perry@betterhipaablueprint.com. In the meantime, everybody, make sure you have all your HIPAA stuff as good as you can, as dialed in as possible, ’cause it’s not worth the risk of not having it.

I want y’all to have an amazing day and I will talk to you next time.

HIPAA – Top 3 Cybersecurity Threats

Hi, everybody. Good morning, good afternoon, whatever it may be for you. This is Perry Barnhill with the Fearless Acupuncturist, and in the background, who you don’t see, is Dr. Julie McLaughlin. We want to give a big thanks to the American Acupuncture Council for bringing you this presentation on the top three cybersecurity threats that you need to be aware of in the context of your practice and HIPAA.


Start slideshow please. I am gonna give big thanks to the AAC for bringing this to you. All right, here we go. Let’s talk about the top three. There are many tops, but we’re gonna start with the top three. Okay. The top three cybersecurity threats, as outlined in the health industry, meaning you, your acupuncture practice and cybersecurity.

Oh, so why do we teach HIPAA? We understand what it’s like to have a practice. We understand what it’s like to take care of patients, and we also understand what it’s like to not really know for sure what it is we should know in regards to compliance and in regards to HIPAA. So we’re here to teach you this, and we’re gonna start going through some of these top three cybersecurity threats.


Again, myself and Julie, we’re both healthcare practitioners, as you can see, and also both have certifications in compliance. Alrighty. So let’s talk about some things, buzzwords, as I would say, that you hear probably quite frequently but don’t really think about in the context of your practice and in HIPAA: social engineering.

So what does social engineering mean? Let’s go through this. Social engineering is a form of psychological manipulation that tricks users into making security mistakes and giving away sensitive information. It relies on human error. So it relies on things like our staff that may make a mistake and click the wrong link.

What we’ll talk about, and also mistakes that we as the providers may make as well. So it uses humans making mistakes; instead of specifically using the software or actually your system to make a mistake, it tricks us by exploiting our human emotions. So let’s get into some of those things.

One, this is something that you really need to sit down, talk about, train with your staff such that they don’t get themselves in trouble with clicking on the wrong link. Now, what are some things you need to pay attention to? This is what they call phishing. If you’ve ever heard the word phishing, it’s not like catching a fish in the water, but these crooks are out there phishing for us to make mistakes and trick our brains into clicking something we shouldn’t click.

So, for example, number one here, if you don’t recognize the sender in an email, do not click it. Okay? If you’re not expecting an attachment or an email, you may not wanna be clicking it, ’cause if you click it, you might get yourselves in a whole lot of hot water. What about this one?

Does the from address match the message? When you get an email, look at these things closely. You’d be surprised. But the little things here, these little tips, could prevent you from having the compromise of protected health information, which in turn could potentially get you some fines and penalties with HIPAA if you’re not doing the things you’re supposed to be doing.

All right, and number four. What about this one? You get emails that sort of create or invoke a sense of urgency. Double check it. Maybe it’s not a legitimate email. What about not recognizing the destination URL or the website? Is it a secure website? These are things where IT professionals help out a ton, but simple little tips like this, training our staff and us being aware of them, can help prevent massive compromises and breaches of PHI.

Number eight: is this email asking for your login credentials? Seriously, be very cautious. Certainly if you’re not aware that something’s coming across, if anybody asks for your login information, it’s probably a better idea just not to do it unless you’re a hundred percent for sure. Number nine, bad grammar or bad spelling.

I know you’ve seen this. Have you seen emails come across where the spelling looks a little weird, a little funky? It’s not correct. The grammar doesn’t sound particularly correct as well. Don’t click on it. Just don’t click on it. What about this one? Number 10: is the greeting or signature generic, or does it lack contact info?

Anything that looks funny with emails that are coming across, just don’t click on ’em, ’cause if you do, and they’re contaminated and they’re corrupted, it’s a lot of energy and it takes a lot of time to make sure that compromises of PHI didn’t happen and you didn’t get hacked. Which kind of brings me to the next one here.

Ransomware. We’ve heard of ransomware. What is ransomware? Ransomware is a threat to us and to our devices. And what makes this form of malware so unique is the word ransom. Basically, it’s ransom; these hackers extort us. They’ll steal our information, our protected health information, like our patients’ information, the patients’ files, and they’ll tell us, hey,

we have this, we’re gonna keep it. You can’t even access it until you pay us X amount of money, and it sometimes is thousands and thousands of dollars. Now I wanna say this: don’t ever pay them until you speak with an IT professional, or you speak with someone who you’re very confident is very aware of all of this ransom, this malware. Don’t do anything until you contact someone, a professional, regarding these things.

Okay? So here are some quick threat tips to be aware of, kinda like we talked about on the phishing side of things. Most ransomware, they’re sent in phishing emails. So you get these funny-looking emails, you click on ’em, and guess what? Now they’ve got your information or your patients’ information, and they can hold it ransom.

So don’t click on those things; stay alert when any email prompts you to enter your credentials. If you notice, a lot of these tips are very similar to the phishing tips. First they gotta get you, and then when they get you, they can hold you for ransom or hold that information for ransom.

So be cautious before you click any links in any emails that you have; make sure those senders are legitimate, and as a proactive measure, check to see whether the computer and network to which you’re connected have proper intrusion protection systems and software in place. I can’t overemphasize this: you really need to make sure your computers are secure.

Now that we’ve talked about ransomware, kinda like we talked about phishing and gave you some tips, let’s talk about some tips regarding ransomware and how you can prevent yourselves from getting hacked and having to pay some of these ransom demands. Okay, most ransomware, guess what?

They’re sent in phishing and email campaigns. So be careful if you open up any attachment that may look weird: funny spelling, grammar, just like we talked about earlier, ’cause once they get that, they can hold your protected health information for ransom. Number two, stay alert when any email prompts you to enter your credentials.

I know we said this earlier, but it’s really important, because these phishers, these scammers, they will check on these things. They will ask for these things, and once they have them, they’re into your system and they have your passwords. Be cautious before clicking any links, looking at the senders and checking the URLs.

Very important: share all of this information with your staff, ’cause your staff, you may think that, okay, this ain’t gonna happen, but it might if you don’t train your staff on the things they shouldn’t be clicking on and what they need to be aware of. As a proactive measure, check your computer and make sure the network to which you’re connected has proper intrusion systems and software in place.

It’s so important that you have IT professionals help and protect your computer systems. And due to the severity and time sensitivity of ransomware attacks, if you think this is happening, or if you think it happened, or if it’s in the process of happening, or something weird is going on with your computer,

make sure you seek out your IT professionals, because if they get it, it’s a big process of trying to get it back. And then guess what? Now we gotta deal with HIPAA. Now we have to deal with the OCR and a potential report. And then guess what? We might even have to send notifications to patients. Something we just don’t wanna have to do if it’s not necessary.

So here are some other things: preventing loss or theft of equipment or data. Things like taking your laptops or your data in your car. So physical loss of equipment, these things can happen. Or even data that you access and work with daily has to be carefully protected. Alright, so let’s talk about some tips here.

Never leave your laptop or your iPad unattended at work or in transit. Yeah, in transit. What do I mean by that? Like I said, in your vehicles. There are providers that have left their laptops wide open, sitting on the front seat, even sitting on the dash, and they get stolen. It’s not something we want to happen.

Password policies and updating the passwords. These are all things that need to be in your manual. They’re all things that we have to do. They have to be part of your procedures and your policies. If you don’t have these things in play, guess what? You’re not HIPAA compliant and may be subject to some fines or some penalties.

We don’t want that. It’s not necessary. Don’t share your password with anyone. I know a lot of us, we don’t do these things, but sometimes we do. Staff shouldn’t be sharing their password with the staff person next to ’em. They need to have unique passwords. Again, this is part of your policies and your procedures. USB drives: be very careful if anybody, like a patient, brings in a USB drive

’cause they want you to look at their files or their imaging. It could be corrupted. So I would avoid even going down that road with them. You have to encrypt sensitive data. Of course, if you lose anything, number seven here, lose any equipment, or if you have any suspicious activity at all on your systems, you have to get on top of this early, seek out the IT people, get ’em to stop it so it doesn’t go any further.

Alerting officials promptly, again, if something seems suspicious, and keeping your emergency contacts close by. This is so important. I can’t even overemphasize how important this is for you to be aware, but also anybody in your office really needs to be on top of these things. So what are some next steps?

A lot of people say, hey, I don’t know if I’m compliant or not. Go through a HIPAA download checklist. You can download this right here for your office. You can scan the QR code here, go through and look at these questions. And sometimes they’re not always as simple as yes or no: do you have policies and procedures to protect patient information? A lot of us do. So you could say, oh, I got that one. But do you have legitimately written-down policies and procedures? What’s the policy? What is it? And the procedure is how do we do it, or how do we implement it?

You have to have all of these in play for everything HIPAA related, even passwords, updating passwords, making sure passwords are strong. All right. A lot of times, if you ever want to, a lot of people like to schedule a demo. They wanna see what our program looks like. So you can do that; you can schedule a demo by going to go dot fearless provider.com/demo.

You can scan the QR code. We are more than happy to go over it with you. You can look at our program from the inside. A lot of times people just wanna get started. So go to www.fearlessacupuncturist.com. Or you can contact myself at Dr. perry@betterhipaablueprint.com. I’m more than happy to answer any questions that you may have.

So in the meantime, everybody have an amazing day, and thank you so much for joining us here. Take care.
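As an added example (not part of the presenter’s program or the AAC show), the phishing checklist above, turned into a small Python triage check that a front desk could run over a suspicious message before anyone clicks. The phrase lists, the trusted-domain set and both sample e-mails are constructed for this demo and are assumptions, not real senders or real products.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrase lists mirror the talk's checklist (urgency, credential requests,
# generic greetings). Constructed for this example; extend them locally.
URGENCY_PHRASES = ("immediately", "urgent", "time is running out",
                   "within 24 hours", "account will be locked", "act now")
CREDENTIAL_PHRASES = ("password", "login credentials", "verify your account",
                      "confirm your identity", "enter your credentials")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear sir")
URL_RE = re.compile(r"https?://\S+")


def _domain(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _body_text(msg):
    """All text/plain parts of a message joined into one lower-cased string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks).lower()


def phishing_indicators(raw_message, trusted_domains):
    """Return the checklist items one raw RFC 5322 message triggers.

    trusted_domains: domains the practice expects mail and links from
    (its EHR vendor, clearinghouse, etc.). Anything else is 'unrecognized'.
    """
    msg = message_from_string(raw_message)
    trusted = {d.lower() for d in trusted_domains}
    hits = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if from_dom not in trusted:                          # 1. unknown sender
        hits.append("unrecognized_sender")
    _, claimed = parseaddr(display)                     # 2. display name shows
    if "@" in claimed and _domain(claimed) != from_dom:  # a different mailbox
        hits.append("from_address_mismatch")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:   # replies go elsewhere
        hits.append("reply_to_mismatch")

    body = _body_text(msg)
    if any(p in body for p in URGENCY_PHRASES):         # 4. manufactured urgency
        hits.append("sense_of_urgency")
    if any(p in body for p in CREDENTIAL_PHRASES):      # 8. asks for credentials
        hits.append("asks_for_credentials")
    if body.lstrip().startswith(GENERIC_GREETINGS):     # 10. generic greeting
        hits.append("generic_greeting")
    for url in URL_RE.findall(body):                    # 5. unknown/insecure URL
        host = urlparse(url).hostname or ""
        if host not in trusted or not url.startswith("https://"):
            hits.append("unrecognized_or_insecure_url")
            break
    if msg.is_multipart() and any(p.get_filename() for p in msg.walk()):
        hits.append("unexpected_attachment")            # 1b. unexpected file
    return hits


def triage(raw_message, trusted_domains):
    """Two or more indicators: hold the mail and ask before clicking."""
    hits = phishing_indicators(raw_message, trusted_domains)
    verdict = "hold and ask before clicking" if len(hits) >= 2 else "looks routine"
    return verdict, hits


# Constructed samples; every domain is a reserved .example name.
TRUSTED = {"ehr-vendor.example"}

SUSPICIOUS = """\
From: "billing@ehr-vendor.example" <alerts@mail-secure-login.example>
Reply-To: recovery@recover-inbox.example
To: frontdesk@clinic.example
Subject: Action required: patient portal access suspended
Content-Type: text/plain; charset="utf-8"

Dear customer,
Your account will be locked within 24 hours. Enter your credentials at
http://ehr-vendor.example.mail-secure-login.example/verify to keep access.
"""

ROUTINE = """\
From: "EHR Support" <support@ehr-vendor.example>
To: frontdesk@clinic.example
Subject: Scheduled maintenance this Sunday
Content-Type: text/plain; charset="utf-8"

Hi Dana,
The portal will be offline Sunday 2-4 am for maintenance. Status page:
https://ehr-vendor.example/status
Thanks, EHR Support, 555-0100
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(name, *triage(raw, TRUSTED))
```

The check is a prompt to pause and ask, not a filter: a message with one hit still deserves a second look if it was unexpected.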

HIPAA – Social Engineering & Psychological Manipulation

Hey everybody. Good morning, good afternoon, whatever it may be for you. This is Perry Barnhill with the Fearless Acupuncturist. Want to first give a big thanks to the American Acupuncture Council for sponsoring this show, and we are going to talk about something you may have heard before, social engineering and how it could affect your practice in regards to HIPAA.

Go to slideshow please. Okay. Again, another big thanks to the American Acupuncture Council for bringing this show to you. Okay. Social engineering, you may have heard of this before. So it’s all about, as we’ve talked about in our previous shows, we wanna plan, we want to prepare, and we want to protect ourselves and our practice from things like this so it doesn’t happen.

Or if it does happen, we can minimize the effects of it. So why do Julie and I teach HIPAA? We understand what it’s like to have practices. We understand what it’s like to be concerned about HIPAA. We also understand that HIPAA is a very complicated subject. We try to break it down to help minimize the stress in your offices, because if you know what it is you need to know for HIPAA, it makes things much, much better.

Okay, so in the meantime, as people are starting to hop on this show, we want you to look at this and maybe consider taking this little quiz. So this quiz, it’s quick, it’s easy. One of the reasons we did this quiz is because so many of the providers are not aware of exactly where they stand with HIPAA. And simply by doing this quiz, you can see what your grade is.

It’s a few questions. It doesn’t take long, and it’ll give you a grade. Obviously, if you’re an F or a D, you need a lot of help. If you’re a B, you may still need some help, so make sure you check it out and see where you’re at. You can scan the QR code here, or you can simply go to the website that we’ve got listed below.

So what is social engineering and how does it work? Social engineering, it’s a form of psychological manipulation that tricks users, users meaning us as providers in our offices and our staff, into making mistakes and giving away sensitive information. What do I mean by sensitive information?

Sensitive information in this context is patient information, anything you have on your patients, be it their name. It could be their address, it could be their email address, not just their conditions or not just a treatment that you provided for ’em. It can literally be any one of those things. So what happens is it relies on human error instead of vulnerabilities in software and in the operating systems, by exploiting human emotions.

And here are some examples. If you got an email that says it’s sent by a quote unquote friend, make sure you double check that before you respond. Messages relaying a troubling story about someone you may know, or a message saying that time is running out, messages that seem too good to be true, or offers that seem too good to be true, and messages or offers of giving you help with things that you had never requested.

The sender, you can’t confirm their identity. So these alone, if you pay close attention to ’em and you avoid clicking on the wrong thing, can save you so much time, so much stress, and a ton of money, and a ton of potential fines when it comes to HIPAA. So the impact on healthcare these days from these hacking incidents, it’s huge.

It’s responsible for up to 75% of all the incidents in 2022; they include phishing, email attachments, and ransom and malware incidents. 80% of all breached patient records in 2022 were caused by hacking. This is why it’s a big deal to avoid this. Here’s the other thing, if you ever wondered why they are doing this.

Guess what? They can sell files, a single medical record, and when I say they, I mean the cyber criminals, the crooks out there that steal this information, for 250 bucks a file. So you can imagine 10 files. It’s a lot of money. A hundred files. It’s a lot of money. And most of us have all this information in our offices, so we have to protect it.

Common clues in social engineering: things that they trick you into, revealing information, again, patient information; they can install malware onto your computers. And like I said earlier, it relies on human error, human errors from us as providers, human errors from our staff as well, not the software, the operating systems.

They trick us. They trick our brains. Here’s a little quiz I want you to think about and take. Hackers like to use social engineering techniques to trick you into making a security mistake, like I’ve just talked about. They do this by adding these words or phrases to a message. Select the answer from the list below: A, sending a message with a sense of urgency;

B, including words that say quick and time is running out; C, mentioning an illness of a family member or a friend; or what about all of the above? I think most of you probably got this. Yeah, the answer’s all of the above. They do all kinds of things. They have this sense of urgency. They trick you into thinking it’s your family or your friends.

They’ll do anything they can to steal that protected health information, ’cause like I said earlier, it’s very valuable when they get it. What are the most common forms of social engineering? If you’ve watched some of our shows before, we talked about phishing, so make sure you see those shows from the past.

But social engineering uses email or malicious websites to solicit personal information by posing as a trustworthy organization. And now they’re doing this thing called spear phishing, and that’s also a form of social engineering, folks. It targets a narrow audience, hence the word spear. These attacks are more coordinated these days.

We’re getting SMS, we’re getting text messages, even staff, and they can trick staff through their phones to give things out that they shouldn’t be giving out. That could potentially get yourself in some hot water. Here’s some examples, if you’ve ever got these before, whether it’s in an email or whether it’s in your text, where they say, Hey, your bank account is locked.

Or it’s a message claiming to be from one of your credit cards, maybe it’s American Express, Chase, or whatever it may be, telling you about some activity. Or that you may have won a prize, and if you click on it, if you click on any of these things, boom, they may be able to get into your systems. It must be a fake, but it’s also a funny attack.

Sometimes things are funny. You click on ’em and they trick you into going to these sites that we shouldn’t be going to. Unusual activity account messages that say you need to click to secure your data. So these five things here are just some of the things that I would encourage you to talk to your staff about, so they pay a little extra closer attention to not clicking on the wrong sites, or maybe asking you before they click on them.

Here’s a few boxes here. This alone can serve as a HIPAA training for you, yourself, and your staff. Make sure you talk to your staff about these, and you be aware of these things: recognizing and reporting phishing. So, four things to check when you suspect that an email might be a phishing attempt.

I’m not gonna read all the bullet points, but I want you to be aware: the sender’s unfamiliar or unexpected; go through those bullet points, read those things. Or the message doesn’t look right, it sounds funny, maybe the grammar isn’t correct. Double check those. Check the from address; know who sent it.

Does it look legitimate? A lot of times you can spot a fake just because it doesn’t look legitimate at all. Don’t click on that. Inspect links and attached files. So again, share this with your staff, because if we can prevent an attack from happening, then we never have to report it. But if it happens, guess what?

We have to report it. We even have to tell the patients; sometimes you have to take ads out in newspapers to tell the public it happened, depending on the size of these things, and that’s not to mention the fines and penalties that could happen as a result of this. Here’s a checklist, and again, this is a really good thing to share with your staff and for you to make mental notes of. Print it out, talk to the staff about these things: not recognizing the sender, not expecting an email or an attachment.

The from address looks funny, it doesn’t match; invoking a sense of urgency; not recognizing the destination URL, is it an accurate website or not; asking for login credentials; bad grammar, bad spelling; the greeting; the signature, is it generic or does it lack contact information?

Again, make sure that you share this with your staff. Now, of course, this isn’t enough to be HIPAA compliant, but again, if we can prevent these things from happening, we’ll be far better off in the end. So what are some next steps that you can do? What about questions? Couple things you can do. You can schedule a demo if you’d like to.

You can get started right away. You can go to fearlessprovider.com/demo and ask for one of the demos. We’re happy to hop on there and show you what we have here with our HIPAA program. You can scan the QR code here, go right to it. You can get started; just go to fearlessacupuncturist.com. Get started with the HIPAA program.

Or you can contact me at Dr. perry@betterhipaablueprint.com. In the meantime, everybody, I hope you learned from the show here. Please pay close attention to those things and please share this information with your staff. In the meantime, I hope you all have an amazing day.
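The phishing checklist from this show, turned into a small triage helper as an added example (this is not code from the transcript or from the Fearless Acupuncturist program): it reports which checklist items a message trips. The message dict shape, the phrase lists, the two sample messages and the address-book set are all assumptions constructed for the example.

```python
"""Triage helper for the webinar's 'recognizing phishing' checklist.
Added example, not from the transcript or any product. Assumed message
shape (constructed): a dict with from_name, from_addr, subject, body,
links [(shown_text, href)], attachments [filename] and signature; the
contact set stands in for the practice's address book."""
import re
from urllib.parse import urlparse

URGENCY_PHRASES = ("urgent", "immediately", "time is running out", "quick",
                   "account is locked", "unusual activity", "secure your data",
                   "won a prize")
CREDENTIAL_PHRASES = ("password", "login", "log in", "sign in",
                      "verify your account")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "hello,", "hi,")
RISKY_ATTACHMENTS = (".exe", ".js", ".scr", ".zip", ".docm", ".xlsm", ".html")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def _host(value: str) -> str:
    """Lower-cased host of an email address, URL, or bare domain."""
    value = value.strip().lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].strip("<>")
    if "://" not in value:
        value = "https://" + value
    return urlparse(value).hostname or ""


def phishing_indicators(msg: dict, known_contacts: set) -> list:
    """Return the checklist items the message trips, in checklist order."""
    flags = []
    from_addr = msg["from_addr"].lower()
    text = f"{msg['subject']} {msg['body']}".lower()
    # Not recognizing the sender / not expecting the email.
    if from_addr not in known_contacts:
        flags.append("sender_unfamiliar")
    # From address looks funny: display name shows one address, the real
    # sending address is on another domain.
    for shown in EMAIL_RE.findall(msg.get("from_name", "")):
        if _host(shown) != _host(from_addr):
            flags.append("from_address_mismatch")
            break
    # Invoking a sense of urgency.
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency")
    # Not recognizing the destination URL: link text names one host, the
    # href goes to another.
    for shown, href in msg.get("links", []):
        if "." in shown and _host(shown) != _host(href):
            flags.append("link_destination_mismatch")
            break
    # Asking for login credentials.
    if any(p in text for p in CREDENTIAL_PHRASES):
        flags.append("asks_for_credentials")
    # Unexpected attachment of an executable, script or macro type.
    if any(a.lower().endswith(RISKY_ATTACHMENTS) for a in msg.get("attachments", [])):
        flags.append("risky_attachment")
    # Generic greeting instead of the recipient's name.
    if msg["body"].lower().lstrip().startswith(GENERIC_GREETINGS):
        flags.append("generic_greeting")
    # Signature generic or lacking contact information (no phone, no email).
    if not re.search(r"\d{3}[-.\s]\d{4}|@", msg.get("signature", "")):
        flags.append("signature_lacks_contact")
    return flags


KNOWN_CONTACTS = {"julie@examplepractice.com"}  # constructed address book
PHISH_SAMPLE = {  # constructed, modelled on the "your account is locked" lure
    "from_name": "alerts@examplebank.com",
    "from_addr": "alerts@secure-login-mail.example",
    "subject": "URGENT: unusual activity on your account",
    "body": ("Dear Customer, your account is locked. Time is running out. "
             "Click below to verify your account and secure your data."),
    "links": [("https://www.examplebank.com/verify",
               "https://secure-login-mail.example/bank")],
    "attachments": ["statement.zip"],
    "signature": "Customer Support Team",
}
BENIGN_SAMPLE = {  # constructed: an expected internal reminder
    "from_name": "Julie McLaughlin",
    "from_addr": "julie@examplepractice.com",
    "subject": "Reminder: staff HIPAA training Thursday",
    "body": "Hi Perry, the monthly training is Thursday at 9. Agenda attached.",
    "links": [], "attachments": ["agenda.pdf"],
    "signature": "Julie McLaughlin, (555) 010-2000, julie@examplepractice.com",
}
```

Two or more flags on one message is a good trigger for the "ask before you click" habit the show recommends; the benign reminder trips none.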


HIPAA – The 6 Types of PHI You Never Even Thought Of

Hi, everybody. Good morning, good afternoon, whatever it may be for you. My name is Perry Barnhill with the Fearless Acupuncturist, and I want to give a big thanks to the American Acupuncture Council for bringing this to you. Today we are gonna talk about the 18 different types of protected health information and how to relate to it in your office and how to protect it, most importantly, so that you don’t get yourselves in trouble.


Slideshow please. Okay. Like I said, my name is Perry Barnhill. We teach HIPAA. We’re certified in HIPAA certifications and compliance. Myself and Julie McLaughlin, we want to protect you, we want to educate you, and we wanna defend you, so that you don’t get yourselves in trouble with HIPAA or with the government.


So we’re gonna talk about some of the things that could potentially get yourselves in hot water and how to prevent those. Like I said earlier, we’re gonna talk about different types of protected health information, and sometimes you may hear me say ePHI, and all that means is electronic protected health information.

This is the information that we have with our patients in our devices, on our computers, on our laptops, and things such as that. So believe it or not, there are 18 different types of protected health information, which we will literally go through, each and every one of them, because there’s many of ’em you would never think are actually considered PHI.

So let’s talk about that, kind of a little quiz here; we like to call it the fearless quiz. What do you think are some of the different types of protected health information that you have with your patients? I’ll give you a little clue to get you started here. We all know, or most of us realize, that the patient’s name would be considered part of the protected health information.

What about some other things? Just for a second, start thinking about that. Okay, so we are gonna go through and we’re gonna identify each of those 18 different types. Here we go, and I’ll actually read these to you. Like I said earlier, the name of the patient or the individual, or the patient’s child if you’re taking care of the child.

So obviously names are gonna be protected health information. An address, anything smaller than the state of residence. Any date, and you know what? It includes dates that identify their onset, admission, discharge date, birth dates. Even be careful with people and patients that are deceased. Okay? Bottom line is this.

As we go through these, the reason I’m bringing this to your attention is that if you are aware of all the different types of PHI, these are things that you need to be very careful about who you disclose this information to. Because if you disclose any of this information to people that shouldn’t see it or hear it, that’s actually considered a breach.

And believe it or not, we have to report the breaches. These are things we don’t want to have to do, because the last thing we want to happen is to have the OCR, the Office for Civil Rights, looking at all of our stuff. So let’s prevent these things in the first place so that they don’t happen. Telephone numbers, fax numbers, email addresses, even.

Social security numbers; I know most of us realize that this is a pretty important one. Their medical record numbers, be careful with that one. Health insurance plan beneficiary numbers, the numbers that are on their insurance cards for identification. Even account numbers, certificate or license numbers, things such as their driver’s license.

And of course, I think most of us realize that driver’s licenses can be considered PHI. The thing is that a lot of us take copies of those things, so be very careful who gets that information. Even a CPR certification number, believe it or not. Passports, I think that makes sense to most of us.

But what about this one: VIN numbers, or even license plate numbers? And the thing I wanna elaborate about the license plate numbers is, many of us will do patient testimonials. Sometimes we’ll do videos of the office, and in the office parking lot there’s cars. But in that same video or in the same photo is the car and your office name.

So guess what? Somebody could go online, check that license number, and I’m not saying they will, but it’s possible, and the government doesn’t care whether it was possible, probable, or very likely. If it’s something that you accidentally disclosed and it was linked to the patient and their information somehow was breached, then you’re the one that gets in trouble.

So be very aware of that. Here’s some more: device identifiers or serial numbers on the medical devices and treatments that you use during procedures. Web URLs; internet protocol or IP addresses; biometric identifiers, facial recognition, fingerprint scans, even tattoos. Be careful. You have to be so careful that, let’s say for example, someone has a tattoo on their arm and you take a picture and maybe put it up on the internet, or somehow it gets out.

And it gets linked back to your office, that could potentially be considered a breach. So be very aware of that. Full face photos: yes, if you do full face photos or you’re doing testimonials, this is where this applies. You have to get your patient’s authorization to do that, and guess what? In our HIPAA program, we have patient authorization video forms, all the things that you need to do that. Or any other uniquely identifying numbers, characteristics, or even codes.

So here’s my big point on this. Know the different types of PHI. If you know what they are, the likelihood that you’re going to disclose those inadvertently or accidentally is gonna become much less. Therefore, the odds are reduced that you’ll have the government in there looking at your manuals and everything like that.

That doesn’t excuse not having one. But of course, we wanna prevent accidents, if you will, from happening before they occur, and then life is much better for all of us. One of the things we talk about all the time is the importance, not just the importance, but the requirement, the legality, that we’re required to do monthly, or let me say this, ongoing required training for HIPAA.

So we do what we call monthly HIPAA training. Each and every month we do a training. And guess what? This can be one of your monthly trainings. You can scan the QR code right there, and then what’ll pop up is this form. This form has those 18 different types of unique identifiers on there for PHI. You sit down with your staff and document.

Remember, if you don’t document it, it didn’t happen. Document your training with your staff, if you have a staff; if it’s just you, it’s easy, but you still need to document that you did the training on different types of PHI. This will help you go a long way. In the case of an audit, it’s not the only thing you need, obviously, but it’s one of the pieces of the puzzle.

Like I said earlier, document your monthly training in your manual. You can download the HIPAA compliance checklist. We have these ’cause a lot of practitioners ask us, I’m not sure if I’m compliant. One of the things I will say: if you’re not sure, the likelihood is that you’re probably not.

That’s why you may be asking that question. This is a great checklist. Go through these things. If you can’t check off every one of these, it’s very unlikely that you’re HIPAA compliant, so make sure you do this. You can scan this QR code here and you’ll get this list to check for yourself in your office.

If you have any questions, don’t ever hesitate to reach out to us. Couple different things you can do here. If you want to schedule a demo and check out the HIPAA program and all the training that we have, just go to go.fearlessprovider.com/demo, or you can simply scan the QR code over there.

The other thing too is, if you just want to get started and make sure you become HIPAA compliant, you can go to www.fearlessacupuncturist.com. And like I said, if you have any questions, more than happy to help you. Myself and Julie, more than happy to help. You can contact me at Dr. Perry at betterhipaablueprint.com.

Don’t hesitate to reach out. In the meantime, everybody, I want to say thank you again, and thanks to the AAC for hosting this short webinar on the 18 different points of protected health information. And everybody, have an amazing day. Have an amazing rest of your week, and I will talk to you later.
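As an added example that is not part of the transcript or the Fearless Acupuncturist program, a scanner that flags the identifiers from the list above that have a recognizable textual pattern and redacts them before a note is shared. The sample note and the regular expressions are constructed here; the scanner only covers patterned identifiers, so names, street addresses, biometrics, photos and device serials still need a separate check.

```python
"""Scan free text for the Safe Harbor identifiers that have a textual
pattern, as an added example (not from the transcript or any product).
It catches SSN, phone/fax, email, full dates, URLs, IP addresses, VINs,
labelled record/account numbers and ZIP codes. Names, street addresses,
biometrics, photos, license plates and device serials need a dictionary,
a human or a DLP engine; an empty result here does not mean the record
is de-identified."""
import re

# Order matters: URLs and emails are replaced first so the digit patterns
# never see their fragments, and the broad ZIP pattern runs last.
PHI_PATTERNS = [
    ("URL", re.compile(r"https?://[^\s<>\"']*[^\s<>\"'.,;:!?]")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}\b")),
    ("VIN", re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b")),  # VINs never use I, O, Q
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    # Month/day/year is an identifier; a bare year (e.g. 2025) is allowed.
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("MRN", re.compile(r"\bMRN\s*#?\s*\d+\b", re.I)),
    ("ACCOUNT", re.compile(
        r"\b(?:account|member id|policy)\s*(?:#|no\.?)?\s*[A-Z0-9-]{4,}\b", re.I)),
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def scan_phi(text: str):
    """Return ({identifier_type: [matches]}, redacted_text).

    Each pattern runs on the text already redacted by the previous ones,
    so one value is never counted under two types."""
    found, redacted = {}, text
    for label, pattern in PHI_PATTERNS:
        hits = pattern.findall(redacted)
        if hits:
            found[label] = hits
            redacted = pattern.sub(f"[{label}]", redacted)
    return found, redacted


def is_disclosable(text: str) -> bool:
    """True only if no patterned identifier was found (names etc. still
    need a separate check before anything leaves the office)."""
    return not scan_phi(text)[0]


SAMPLE_NOTE = (  # constructed sample, not real patient data
    "Patient Jane Doe, DOB 03/14/1985, SSN 123-45-6789, MRN 00012345. "
    "Lives at 12 Main St, Springfield, IL 62704. Phone (555) 010-4321, "
    "email jane.doe@example.com. Member ID ABC123456789 on file. "
    "Portal login from 192.168.1.20 via https://portal.example.com/visit/889. "
    "Parked vehicle VIN 1HGCM82633A004352. Follow-up in 2025."
)
```

Run `scan_phi(SAMPLE_NOTE)` to see nine identifier types found and a redacted note that keeps the bare year but nothing else; the patient name is not caught, which is exactly why a pattern scan alone is not a de-identification check.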


HIPAA – Immediate Nationwide Update Alert – Dr. Perry Barnhill

Hi, everybody. Good morning, good afternoon. This is Perry Barnhill with the Fearless Acupuncturist. Today I want to give a big thanks to the American Acupuncture Council for bringing this to you. Today we are going to talk about HIPAA as it applies to reproductive healthcare. Many of you acupuncturists deal with reproductive healthcare, and even for those of you that don’t, in your files, in your patients’ histories, in the forms that the very patients fill out, there will be things regarding reproductive healthcare.


There will be things like contraception, pregnancy management, fertility, sterilization, and also sexual health. Just as a reminder of what reproductive healthcare means in the context of HIPAA. Slideshow, please. Okay, so how fast things change. Literally at the beginning of the year, we had some new laws regarding reproductive healthcare, and now, just within the last few weeks, on June 18th, it’s changed.


Some of those things have changed for most of the states out there, but not all of them. And this is what we’re gonna talk about. And again, things change very quickly. Sometimes you really need to stay on top of all the HIPAA laws, new, old, and the changing ones, as they’re coming down the pipe.

Strengthening reproductive healthcare privacy under the new HIPAA privacy rule. Now, again, like I talked about a little bit before, there were the new requirements that we talked about in December and also in January, but now there’s some new requirements regarding attestations, or shall I say, some things you may not need to do, and we’re gonna talk about the action steps and specifically how it applies to you and how it applies to compliance in relationship to HIPAA.

Here’s what happened on June 18th, so just a few weeks ago: a US district court judge for the Northern District of Texas, a federal judge, has invalidated the 2024 HIPAA reproductive health modifications to the privacy rule. The decision is immediate and it applies nationwide. This is how we’re saying there can be a law, and then several months later that law no longer exists, or you no longer have to do certain or specific things within that particular law.

The Texas judge, this is what the Texas judge said. He said that HHS had overstepped its bounds, and he cited three main legal issues, which we’ll just talk about briefly. One, the rule unlawfully restricted public health laws. Two, it redefined terms like person and public health in ways that exceeded the federal authority.

And three, it addressed politically charged issues like abortion without clear congressional approval, a violation of the major questions doctrine. And again, let me just remind you what the reproductive healthcare law that I was talking about just a little bit before covers: things like contraception, pregnancy management, fertility, sterilization, sexual health.

So those were what specifically they stated fell under that umbrella of the reproductive healthcare law. However, some of the things we had to do, like I said earlier, like attestation statements, most of us will not need to do any longer. Okay, so let’s just keep going here. HIPAA related entities, covered entities like you and your business associates.

Remember, business associates are folks that you do business with, or basically people that have access to your patients’ information, or basically anything that you have that you share with somebody else in relationship to a business associate for protected health information, have to follow state laws

regarding that particular reproductive health. All right, so now let me say this. It does get a little confusing. It gets confusing for everybody. Federal law: there’s federal law, as we know, and then there’s state law. When it comes to HIPAA, actually state laws will supersede or become in addition to

federal law. So you can have a federal law, but your particular state may have it more strict, it may be more detailed, or you may have to do additional things regarding that particular law. So we always say stay on top of your state laws as well. So in the absence of the HIPAA reproductive health rule, some states, not only some but many states, are increasing

HIPAA privacy protections for their residents. So here’s some of the states that you need to pay attention to, that will likely, or I’m going to suggest to you, keep doing what you’re supposed to be doing in regards to reproductive healthcare and providing attestation statements, which we’ll get into in just a second.

So anyways, New York, California, Washington, Nevada, and Connecticut, and there may be some more to come. We’ll see. How does this impact you? Here’s the thing. Covered entities, at least most of them in those states, or in most states, are no longer required to seek attestations from requesters regarding protected healthcare, or rather protected health information, related to reproductive healthcare.

So what does that mean? Basically, because of this new law, in the states that I didn’t mention, you follow the federal law, okay? You do not have to provide an attestation statement if someone asks for those certain things regarding reproductive healthcare. All right? What that means is, if you did what you were supposed to at the beginning of the year with all the new updates that came down the pipe and you changed your privacy notices, now you would actually take that out,

’cause now it no longer applies to you. But if you’re in those states that are going to continue to follow this, you need to keep it in there. If you don’t know what I’m talking about, make sure you reach out to me so we can tell you the things that you need to know regarding this and many other things that changed at the beginning of the year.

So double check your state. Now, navigating the prohibition on disclosing protected health information for the purpose of investigating or imposing liability for unlawful reproductive healthcare imposed by your state. Let me put that in some different words here for you. If you have patient files, which we have, patient files that do in fact many times contain the very things that I detailed regarding the big umbrella of reproductive healthcare, and if somebody like from law enforcement or a judicial branch, we listed these things before, requested that information, we were supposed to by law actually send them this model attestation form, which basically said, Hey, listen, we’re sending you some information here.

You have to fill this out. Actually, let me reverse here. We’re not gonna send you this information, this protected healthcare information, until you fill this form out and basically promise to us that you’re not going to punish anybody for whatever was in those particular files regarding reproductive healthcare.

So now, because that federal judge said what he said, most states no longer have to do this. All righty? So make sure you pay attention to your state. This is why we always talk about HIPAA. It’s not like you can just do HIPAA and you can just fill out this manual and you’re good to go and you just sit back and you forget about it.

It’s constantly evolving and it’s constantly changing, as you can see, and what happened in Texas is just a real simple reminder that a single court ruling can unravel a lot of the new guidelines that were literally just presented and required six months ago. It’s evolving, from reproductive privacy rules, and think about this: cybersecurity. Look at AI, artificial intelligence, and all the new things that are coming down with computer systems and privacy and cybersecurity threats and phishing.

It gets really scary at times. This is why monthly training isn’t optional. It’s literally your lifeline, such that you have to stay on top of these things. And I’ll be very clear, it’s not like the government says, Hey, by law, you have to absolutely do one monthly HIPAA training a month.

That’s not what they say. What they say is you need to do continuous training throughout the year for yourself and for all of your employees, and even for your business associates, believe it or not. What I’ve also heard other people say that teach the things that we teach is that even the government suggests that you do HIPAA training

about two times a month. Now, is that a law? It’s not a law, but it’s what we’ve heard as suggestions. We step back and say, Hey, you should be doing things at least once a month. All right, so staying informed protects your license, your patients, and your peace of mind. And believe me, if you don’t have these things dialed in like you’re supposed to and someone comes knocking on the door for an audit, it’s something that you don’t want to go through, because I talk to doctors all the time.

I talk to acupuncturists all the time that get scared because they don’t have the things that they should have. So it’s really easy to get the things that you need to have, and I’ll talk to you about that here in just a second. HIPAA compliance, again, you can’t just check a box and be like, okay, cool, I’m HIPAA compliant, or fill out a particular form.

It can get a little bit involved. It’s about staying ready for whatever comes next. Keep learning. Keep updating the things. Stay fearless. We want you to be fearless so you can focus on your patients. That’s why you became an acupuncturist, to focus on your patients. We can help you with the HIPAA side of things, so what are some of the next steps that you can do?

Couple things here. HIPAA checklist: if you’re wondering like, ah, I wonder if I’m HIPAA compliant, or I wonder if I’m even close to being HIPAA compliant, you can scan the QR code and get this checklist, or you can just look at it here and go through these questions. If you can’t answer these questions, or if you’re not doing the things on these questions, you’re not HIPAA compliant.

It’s not worth the risk. So if you want to, you can set up a demo with us, where we can talk to you, we can show you the HIPAA compliance program that we have and how easy it is to navigate through this. Just go to go.fearlessprovider.com/demo. You can scan the QR code here as well.

Sometimes, acupuncturists, you just wanna get started. So you can go to www.fearlessacupuncturist.com to get started. Or, a lot of times people just wanna reach out and ask me questions, and I am more than happy to answer any questions that you may have, and you can contact me there at that email, Dr. perry@betterhipaablueprint.com. If you have any questions, like I said, reach out to us. We are absolutely more than happy to sit down and talk to you and spend some time with you and clear up any questions or confusion that HIPAA presents many of the times. In the meantime, everybody, have an amazing day and we will talk to you soon.
