Blog, Chirosecure Live Event February 12, 2025

Why HIPAA Matters in a Chiropractic Office


Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors.  We suggest you watch the video while reading the transcript.

Good morning, whatever it may be for you. My name is Dr. Perry Barnhill and I want to thank H. J. Ross for having us here to discuss HIPAA and why it matters in our office and why it’s so important. Go to slides. Fearless chiropractor. Like I said, we want to talk about why HIPAA matters in the chiropractic office.

It’s about protecting you and protecting your patients. A little bit about myself. My name is Dr. Perry Barnhill. Like I said, I’m a chiropractor just like you. I have a doctorate in naturopathic medicine, I’m a certified professional coder, a certified professional medical auditor, a certified professional compliance officer,


and a certified HIPAA privacy and security expert. The reason that I’ve gotten all those credentials is because I know one thing. One, I understand that chiropractors understand other chiropractors. I also understand that coders and auditors and all the HIPAA people, they understand themselves as well.

So creating a HIPAA program that’s for chiropractors, designed by chiropractors, but also with the lens of an auditor who can see things through their perspective is really important. It’s vital that we understand both sides of the coin or both sides of the fence. So let’s go through a few things here.

Let’s talk about HIPAA. I know we just all love HIPAA. It’s something we always want to talk about. Obviously, I’m being a little bit sarcastic here. But what is it that most of us think about HIPAA? A lot of us think it’s just that we don’t talk about patients outside of our office, or that we don’t leave their names in plain sight, or we don’t discuss their conditions or their diagnoses out loud.


Or maybe it’s that we don’t have sign-in sheets with names left on them. Some of us think it’s just having a manual that’s signed, but we’ve never touched it again and we think we’re good to go. And a lot of us think that HIPAA matters, or HIPAA is, that we have staff that’s appointed to it so we never have to worry about it.

But here’s what HIPAA compliance really means. HIPAA compliance is a compliance program that’s a continuous, living, breathing program. It’s something that we can’t just deal with once. We have to act upon it, and we have to act upon it frequently, which we will discuss here in just a little bit.

It’s not cookie cutter and it can be customized to each individual office. But the reality is that most chiropractic offices are very similar. So that’s why we as chiropractors have produced a manual that fits just about any chiropractic office. And again, it has to be routinely referenced. It’s not just this manual.

It doesn’t matter how much money you spent on it. It can’t just sit on the shelf. It can’t just collect the dust. It has to be something that we have ongoing and continuous training with.

I get this question a lot. Is compliance mandatory? And I’m specifically talking about HIPAA compliance here for chiropractors. Because a lot of us, a lot of us chiropractors, we just do cash. A lot of us are not preferred providers for any particular insurance company. Or some of us say I don’t do anything with Medicare.

However, the answer is yes. Even if you’re only cash, even if you do zero insurance, even if you have nothing to do with Medicare at all, you still have to be HIPAA compliant. Now, what I want to do is just talk a few minutes about this mysterious HIPAA audit and how it goes, because so many of us have really no idea about HIPAA.

And we wonder, how’s it going to happen to me? Or when are the HIPAA police coming? Basically, the Office of Civil Rights are the police of HIPAA. And those are the folks we don’t want coming to our doors. So here’s how things can go. They can have random audits. They really can.

And recently, they literally just mentioned, I think within the last month, that, hey, listen, they’re going to really start cranking up these random audits. So this is why we have to stay on our toes. They could potentially come right through our doors with no announcement whatsoever. However, there are other things that could create a HIPAA audit on the end of our offices.

It could be complaints. If a patient complains to the OCR, again, the Office of Civil Rights, which is part of HHS.gov, or essentially the government, they’re going to investigate it, just like our boards do when someone files a complaint against us. They’re going to investigate. Sometimes it can be staff members, especially if you have a disgruntled staff member. They leave and they’re upset about something.

Maybe you weren’t doing things the way you were supposed to, they knew about it, they called. Maybe you were doing things correctly. Who knows? People get upset. People say things, but that could happen too. And the other thing too is other doctors. Sometimes the reality is that other chiropractors will tell on other chiropractors for things that they think they may or may not be doing right, but that could create an audit as well.

Breaches, breaches are huge. And these are the things that we hear about more often than not in the world. And that’s the cyber attacks, the phishing. We’ve got these hackers out there, we have people who will hold computers and our networks for ransom. And you may pay, you may not pay.

And that’s something that you discuss maybe with some others. But we just don’t want to be in this position. We have to protect our networks and our computers. You could have physical theft as well. Someone could walk out with a patient file. So that could be a reason that you have to report to HIPAA, the OCR, because if we have a breach, you have to by law report these things.

Improper disposal. Sometimes people throw away patient records. There have literally been doctors that have gotten in big trouble because they’ve taken their entire files and tossed them in the garbage can. Someone sees it. Someone calls HIPAA, or essentially the OCR, and boom, you have an audit on you.

You do not want to be there. You have to know the rules for proper disposal. We have business associates, our business associates can be breached. What are business associates? Business associates are third parties, not other doctors, but third parties that have access to our PHI or protected health information.

For example, a billing company would be an example of a third party. If they get breached, because you hired them, you have some culpability and some liability. So we have to make sure we have these things called business associate agreements in place to protect ourselves in the case that they don’t do something like they’re supposed to be doing.

So I just want to give a little history, and I’m not big on going on and on scaring people with these things, but it’s important to understand that we are at risk for audits, and these audits began years ago. This is just a little history. In 2011 and 2012, the OCR, again, remember the OCR, the Office of Civil Rights, the HIPAA police, instituted a program to basically make sure we’re all doing what we’re supposed to be doing. We are covered entities, by the way, as doctors and chiropractic offices.

And no big surprise, right? They’re always telling us this. The results were not good. And so they began another phase, and again, the results were not good. And again, recently, just like I just said, recently they have said they’re going to really start ramping up some of these audits because there are so many breaches that are occurring.

Again, a big reason we have to be on our toes. We have to have these manuals in place. We’ve got to make sure that we’re doing ongoing training.

One of the number one reasons, in fact, there are a few here that are a bit lumped together, for fines and penalties are what we refer to as risk assessments and analyses, such as we’re not doing a security risk assessment, or we don’t have physical safeguards, technical safeguards, administrative safeguards, or what they refer to as the ISAR, the Information System Activity Review.

And these are things that, something really simple as an example for a physical safeguard is, like, do we have locks on our door? Obviously we do, but that’s just a real simple physical safeguard. Administrative safeguards could be things like passwords, logging in, logging out. Technical safeguards, things such as making sure computers are protected with basic stuff.

Firewalls, but it’s way more than that. We’ve got encryption, we have decryption, and although these things seem to be complicated a lot of times with HIPAA, what happens is that we’re learning a new language. And it’s something that appears to be really complicated, but when you go through a step-by-step process like we have, it’s something that we can break down. And it doesn’t have to be as bad as it seems, and we can reduce those fears because really they’re not necessary if we’re doing what we’re supposed to be doing.

And again, I’m not going to spend much time on this because I do not like scaring docs, but we do need to be aware of these things because the penalties and the fines are huge. I always talk to doctors about this. A lot of us are worried about other things regarding compliance in our offices, but I tell doctors one of the biggest risks we have these days, and there are risks with other things obviously, is HIPAA compliance, because of this right here in front of you.

They have these different tiers of fines or violations and penalties. I’ll just cruise through these here real quickly. So tier one, you’re unaware that there was a violation, but you exercised reasonable due diligence. You can see where the fines are 141 bucks at minimum, kind of an odd number. And here’s what’s really funny. I think last month, or it’s been really recent, the OCR, because these fines literally just changed, they increased the fines due to all things of inflation.

I was like, holy smokes, you guys. Like, they’re going to get their money if they can. So number one, there was a violation, you weren’t aware of it, but you were doing what you were supposed to be doing, really, for the most part. Tier two means reasonable cause and actions, but you weren’t willfully neglectful.

So it’s like you were doing a lot of the things, again, you weren’t willfully neglectful, but something happened, and you can see these fines do go up as we go down. Tier three, you were willfully neglectful. So you didn’t do what you were supposed to be doing, but you found out somehow and you resolved it within the first 30 days. But still, look at the minimum fines: fourteen thousand dollars up to three hundred and fifty-five thousand dollars in a year. These could be devastating. Tier four, which obviously we want no part of, but you were willfully neglectful, which means you absolutely didn’t do what you should have been doing. And let me say this: should have known what you should have been doing, because the OCR says, hey, listen, you guys are doctors.

You should be aware of these things. You should be doing what it is you’re supposed to do. So we can’t say anymore, oh, we didn’t know. They just don’t buy it, and it’s not a valid excuse. So if you’re number four, willfully neglectful, and then you didn’t attempt to resolve it within the 30 days, this is where the big fines are.

You can see it’s 71k up to two million dollars a year. It’s bad. We don’t want to be there and we don’t have to be there. Here’s some questions I want you to ask yourself and your staff. Number one, who is your compliance officer? When is the last time you updated your privacy and information security policies and procedures?

Because these are things that we need to do. And do you have regular proof of your training? This is so important. They say, the OCR, I’m saying they say, hey, cool, you have a manual. That’s great. It’s all filled out. That’s great too. But are you doing the ongoing training? And according to them, even if you have the manual, even if it’s all filled out, but you can’t prove, essentially write down and document, that you’re doing this ongoing training, then they say, not my words, they say it’s just as bad as not having a manual at all, which is really absurd, but it’s their rule.

So we’ve got to make sure we play by them as close as we can. Have you performed vulnerability tests on your networks? Meaning, a lot of times IT people come to this, making sure that our systems are secure and as bulletproof as they possibly can be. They’re not going to be 100 percent, because even the government gets hacked.

But it’s not so much that they know that these things are not going to happen, because listen, we know computers get hacked, even government computers get hacked. It just happens, right? But here’s the key. Are you doing what you’re supposed to be doing, knowing what you’re supposed to be doing, to protect your networks, to protect your patients’ information, so that there are not breaches?

And again, the last one here, do you have a documented incident and breach notification plan? So you have to have policies in place that tell you essentially what to do if you have these breaches, or breaches of PHI. Here are some other ones, and I discussed this just a little bit earlier. With our third-party vendors, like our billing companies, do you have business associate agreements?

You need to have those business associate agreements in place, because if something happens to the business associate and you do not have a business associate agreement in place, you’re liable and you’re going to get in trouble. So you’ve got to have these things in place, and it’s not complicated. It’s just something you’ve got to do. The last one here, physical safeguards.

I talked a little bit about that. I know this seems simplistic, but locks, you know, something as simple as that. Obviously people have those things. Administrative safeguards, passwords. Technical safeguards, laptop security, all that good stuff.

So here are some thoughts I want you all to leave with. A lot of us get concerned about this, we get scared about this, and we have fears about HIPAA. We know it’s something we’re supposed to be doing, but a lot of us don’t do what we’re supposed to be doing because we just, quite frankly, don’t know what it is we’re actually supposed to do. Don’t be that person. You know, don’t be that ostrich where you put your head in the sand and hope that it’s not going to happen to me or to you, because the reality is these things do happen. It may not happen to you.

Let’s hope that it doesn’t, but if it does, you have to make sure you have these safeguards in place. You have your manuals and they’re filled out. If not, you’re in big trouble. And again, you can delegate this process of training to your staff so that you as the doctor can focus on your patients. I know what it’s like to be in practice.

Did it for many years. So you, the doctor, are better at taking care of your patients in a lot of cases than you are at doing the HIPAA stuff. So the program and the manual that we’ve created is perfect for staff. You appoint one of your staff members to become your appointed person, because we have to legitimately have a piece of paper.

We have this in the manual. Let’s just say, listen, this is my compliance officer. This is my lead person. And a lot of times our staff can do a better job at that, or at least just as good as we can, so you can delegate that stuff so you can focus on the patients and you can take care of them. If you need somebody to help, here are some next steps.

There are a couple of things you can do here. You can go to this website, you can click the QR code, and you can download this checklist here. Now, as you’re going through this checklist, it may be too small to see here, but if you’re not checking all these boxes, yes, we have these things dialed in, you’re not HIPAA compliant.

So you put yourself at great risk of having some of those fines, and obviously fines are the biggest concern for us, but at the same time, we have to think this way. We don’t want our patients’ information being breached anyway. When we go to our providers, our dentists, our doctors, we want to make sure that our social security number, our diagnoses, our addresses and all those things, we want to make sure they’re protected on the patient end of things as well.

And then on the flip side, the doctor side of things, we want to protect our patients and we want to make sure we try to avoid any possible fines and or penalties. Okay, so again, a couple different things you can do. You can schedule a demo and click on here. Schedule a demo. We’ll walk you through things.

You can click on the QR code here. If you want to just get rocking and rolling and just get started with the program, we have the manual in there. It’s very easy. You get login information. You go through an onboarding process. You literally can go all virtual, like Google documents, or if you want to do paper, that’s okay.

Three-ring binder, you can do whatever. We explain it step by step, chapter by chapter. The forms, the policies are all in there. You can find and replace, so it doesn’t take forever putting your chiropractic office name in there. We make it really simple. Or if you choose to, you can contact me right there.

Dr. Perry at betterhipaablueprint.com, and I’m more than happy to help you. Like I said, I’m a chiropractor like you chiropractors. I understand you. I get you. I also understand the other side of the coin, too. I want to make sure, myself and Dr. Julie, my partner here, want to make sure you’re protected in your chiropractic office and you don’t get yourselves in trouble. So in the meantime, I do want to say this.

I want to give a big thanks to the H. J. Ross company for having us on here to speak about the worries we have, the scariness, if you will, of HIPAA. But it doesn’t have to be scary. Thank you, H. J. Ross. Thank you everybody. And in the meantime, I will talk to y’all later. Have an amazing day.
