Resources

Podcast

Understanding Risks and Managing HIPAA, OSHA, and PCI Compliance

a blue background with a logo for the modern practice podcast with a microphone

On this episode of The Modern Practice Podcast, host Gary Tiratsuyan is joined by compliance guru, Madison Evers, Practice Solutions Consultant at Rectangle Health.

During the conversation, Madison covers:

  • Action items practices can take to avoid HIPAA violations
  • Resources practitioners can utilize to avoid costly penalties
  • Commonly overlooked areas of compliance risk
  • OSHA and PCI best practices

Tune in to hear how your practice can simplify compliance.

Connect with Madison on LinkedIn to discuss compliance at your practice.

Learn more about Rectangle Health’s HIPAA and OSHA compliance solutions.

Transcript

Gary Tiratsuyan 00:22

Hi, everybody. Welcome back to the Modern Practice Podcast. Hope you’re all doing well. And as always, before we get started, I just want to take a moment to thank you all for your feedback and reviews. Without all of you this show could not have reached the heights it has in such a short period of time, and we appreciate your endless support.

We’ve got another great episode in store for you today, as we’ll be discussing compliance, specifically around everyday tasks and processes many practices utilize and have in place—pre-care, at the point of care, and post-care. Joining us on the show today to provide insight is health care compliance guru, Madison Evers. Madison, thanks so much for taking the time happy to have you on the show.

Madison Evers 01:05

Hey, not sure when I got the compliance guru title, but I’ll take it. I appreciate you asking me to join today. And I look forward to the discussion.

Gary Tiratsuyan 01:15

Oh, you’ve got some raving fans. So I’ll be sure to direct them your way. And the pleasure is all mine. And where I want to start is by asking, every day you speak to these practices, specifically around compliance, how’s that being managed at a practice?

Madison Evers 01:34

Good question. One of the main things that I notice within medical and dental practices when it comes to compliance is confusion, a lack of labor, and like an appetite for simplification, if you will. There’s oftentimes a lack of clear direction, and a lot of practices are using patchwork. Practices are just trying to cover their gaps without any clear plan or strategy for how to actually manage their compliance. And personally, I don’t think that that’s the practice’s fault. Compliance is one of those things that doesn’t necessarily generate revenue for the office. So, it’s sometimes something that easily gets overlooked because of this. Especially because when the doctors decide to start a practice, all they’re ever typically told is to purchase a binder. Nobody ever sits down with them and tells them everything else that is required to actually manage their compliance, and help protect the liability of their business.

So oftentimes, compliance falls on to the office managers. They are the ones that are wearing a million hats over there, doing a little bit of this, and managing the business. And most of the time, the office managers themselves don’t actually have any tools or resources to help them effectively manage compliance for the business owner.

One of the biggest struggles, I would say, within practices when it comes to managing compliance, is communication within the practice to staff or patients. Because this can cause risks to the overall compliance of the office. Most practices are moving at a quick pace, and they’re focused on doing their best to keep the practice full, because empty slots are obviously lost revenue. And unfortunately, with practices’ employees, everybody’s moving at a rapid pace. There’s risk associated with this, because employees may say something that they shouldn’t have said in front of a patient. And a lot of times with the proper training, we can avoid many of these risks by just telling staff the right ways to communicate within the practice, and with which forums they can communicate.

Gary Tiratsuyan 03:52

Really interesting. Getting into the specifics here, you already mentioned that compliance is not necessarily revenue generating. But there are tactics and things that a practice does every day to help generate revenue, but they need to be mindful of the compliance side. So, beginning with that patient engagement and communication, everything from texting to scheduling and confirming appointments, asking for post-care survey feedback, asking for public reviews—these are all very strong, very modern methods of enhancing the patient experience being a modern practice and growing as a practice. But there is risk there, right?

Madison Evers 04:35

Yeah, unfortunately, that is true. A lot of employees may just not know what information is or is not acceptable to send via email or text. If they’re not provided, as I mentioned, with the proper training when there’s they start with the practice… every practice is going to vary. Some people have no healthcare experience. So, when they start, you know, obviously they need some thorough training, but compliance is constantly changing. And so this is why it’s important for employees to continue receiving the monitored and updated training. It’s super common for practices to use emails as their main form of communication within the practice. But ensuring that the staff are again trained on how to safely maneuver emails is so important because email is actually the second most common way that breaches occur.

And so, I think, most importantly, it’s kind of critical to ensure that every single patient is provided with a consent form that outlines the way that they wish to be communicated with. And again, the staff need to be properly trained on how to give those consent forms, how to ensure that they are communicating with employees based on their perfect communication methods. It’s really the practice and the business owners obligation to ensure that they’re doing that.

Gary Tiratsuyan 05:57

That’s a perfect segue; you touched on some of it already, but what are some of the steps a practice can take to avoid any potential HIPAA violations when sending these messages?

Madison Evers 06:10

Yeah, as I just mentioned, offices should ensure that of course, they have those consent forms filled out. The staff need to be trained on following the preferred communication methods. I think a great thing that I recommend to clients all the time is going to be pre-approved messaging templates. These should be completed or created by the compliance officer or the practice owner. This way, there’s transparency across the organization for how your staff are communicating with your patients. You’re going to know exactly what’s being said.

Another thing that I recommend is going to be email encryption. So, email encryption, and text communication services also help. If you have a text communication service, you can create these templates in there. If you have email encryption, it’s an extra barrier protection when you’re sending emails. But practices still need to ensure that you’re limiting the type of patient information that they’re transmitting via email or text.

Last, I’ll add that text messages are by far the best form of communication with patients believe it’s about 90% of patients open text messages within three to five minutes. And one of the cool things about using a HIPAA-compliant text communication platform, is that practices are able to track the open rates responses, you can collect payments quicker and confirm appointments. So, there’s all sorts of things that you can do through these compliant platforms.

Gary Tiratsuyan 07:45

You think it’s a best practice, while an office onboards this kind of technology that is HIPAA compliant, that is templated, that they can build it out and have that peace of mind, but in the meantime, for the practice to limit who and the number of how many people can send these outbound messages just to protect themselves?

Madison Evers 08:11

My professional opinion, for what it’s worth… I think that as long as staff has been properly trained on what to do, and what is acceptable to be sent, and that they’re pulling from those pre-approved message templates that the office has provided them, we don’t necessarily need to limit who can send messages.

Gary Tiratsuyan 08:32

That’s great input there. And great advice. Texting is definitely a powerful communication method. And I just want to caveat, the intent of this episode is not to scare anyone or prevent them from doing what they’re doing. We just want to make sure that it’s done properly to avoid any issues that can potentially be costly to the practice. So, is there a good resource you can recommend for practices looking to make sure they’re meeting all sort of all the compliance requirements?

Madison Evers 09:02

Yeah, I have a couple resources that I would definitely recommend. But I think the best place to start for practices of any size, who may be wondering, ‘What am I doing? Is it sufficient?’ You know, maybe you think you have some good things in place, but you’re not entirely certain. The HIPAA Risk Assessment, this is actually an annual requirement from the Department of Health and Human Services. But it truly just serves as an educational tool to help practices evaluate where exactly they stand with compliance. I’m more than happy, if anybody wants to reach out to me directly, I can walk you through a risk assessment. No problem there.

Another option that I have is consult with a with an actual compliance expert. Myself, I may be one there may be someone you know in your organization that you know as well. But having somebody that you can consult with on compliance, the way that you would do a consultation for any other area of your business is going to be powerful. Take a look at what you currently have in place it’s better to know than to be surprised when something goes wrong.

Here at Rectangle Health, we actually have a whole team of dedicated compliance advisors who help practices every single day, learn what the requirements are, where their gaps may lie and how to manage compliance effectively and more efficiently. That’s what we’re really concerned with is helping you be as most the most efficient that you can be. As I mentioned, if you want to complete an annual HIPAA Risk Assessment, you can DM me here on LinkedIn, I’m more than happy to set up some time to talk with anybody to get that completed and, you know, provide you with a consultation.

Gary Tiratsuyan 10:37

Thanks for that Madison, I’ll definitely have a link to your profile in the episode description for sure. And I think now’s a good time we’re we’ve spoken about the communication with patients and how important it is to build that into your everyday workflows, but to be mindful of the compliance element of all that. So, what other areas of the day to day do practices need to be mindful of to ensure they’re compliant, and that may not be so obvious or are commonly overlooked?

Madison Evers 11:12

I’ve spoken about training a couple times today; I would say one of the major pieces of compliance that is overlooked is new-hire training. A lot of practices have the mentality that their new hires should have been trained at their old job. So, they don’t provide any sort of training. And this isn’t necessarily the case. Even if an employee was trained by their old employer, that does not mean that that new hire knows how your practice operates, what your policies and procedures are, or what best practices for communicating with your patients are. So ,it’s critical that every single new hire is being trained for how to operate within your practice. That’s what we’re concerned about, at the end of the day—keeping your practice safe.

Another thing that I would say is most practices have an IT provider that they work with for things such as firewalls, antivirus, maybe their email encryption and data backups. But oftentimes, what’s missing from these services is cyber liability insurance. Just because you have somebody that handles your cybersecurity doesn’t mean that person or company is going to protect you financially in the event of a breach. And that’s where we all need protection at the end of the day, because that can hurt a little bit.

Gary Tiratsuyan 12:23

And I want to dive into that a little bit. What’s the potential risk in overlooking that key area?

Madison Evers 12:39

Ninety percent of cyber breaches occur by employee error. And one of the most common vulnerabilities targeted by cybercriminals is weak credentials. So, if a hacker has your employees’ or the providers’ or the business owners’ credentials, then they have an open door to your entire system. Additionally, malware and insider threats due to the misuse of systems can lead to your system, your entire practice, being breached and all of your PHI or protected health information being stolen. And when a breach occurs, the next thing that happens is HIPAA comes into an audit. And audits are expensive. And oftentimes they can be detrimental for those who are acting negligent of compliance.

Gary Tiratsuyan 13:30

That makes sense, and I want to get into the enforcement trends for HIPAA violations. Can you talk to me in our audience about the biggest changes or updates you’ve seen in recent months and years, potentially?

Madison Evers 13:42

Yeah; I’ll talk post COVID. So, post COVID, there’s been a number of changes due to the increase in cyberbreaches that are occurring. So, HIPAA has actually put a foot forward in increasing the amount of technical safeguards that they expect practices to have in place. There’s actually four new policy updates that came out, post COVID, all around technical safeguards that the practice should be implementing. Practices are expected to implement these changes in the practice, and follow these and train your team on all of these changes so that you can better protect your patients’ information.

Second, I personally think it’s more critical than ever to ensure that any practice has multiple sets of data backups. This is your life’s work we’re talking about. If something happens to one set of data backups, you want to ensure that you have another that you can pull from. And then finally, I know I shared some details about cyber insurance, but it hasn’t been until recent years that cyber insurance in medical and dental practices has become so popular. Though, it’s not necessarily a requirement, it is actually used two times as frequently as malpractice insurance, and so that’s why I recommend it. It’s just for peace of mind. Hopefully we never have to use it but it’s there when we need it.

Gary Tiratsuyan 15:01

Absolutely. Is there anywhere you would recommend our listeners can reference or always have the latest news and information on these types of changes and how to remain compliant with new enforcement trends and things like that?

Madison Evers 15:19

Yeah. Obviously, Rectangle Health; we have the podcast here, we have all sorts of resources for our listeners and our viewers to use. I think hiring a professional is always the way to go. I outsource everything in my life that I don’t know how to do; I don’t know how to do my taxes, so, I have a tax person, right. Rectangle Health also hosts monthly webinars; you can find these on our website, where, as I mentioned before, you can take the HIPAA risk assessment with me complimentary, so that you can evaluate your needs. And I can provide you with some insight as to how you’re doing, what’s changed, and solutions for bridging the gaps in your compliance system.

Gary Tiratsuyan 15:59

Thanks so much for that, I’ll have links to all those resources in the episode description as well. And I want to shift gears here just a bit and talk OSHA compliance. In your conversations with providers, where are you seeing the most risk?

Madison Evers 16:17

I would say the toughest part of OSHA compliance is probably just the documentation of the policies and procedures, especially across like multiple location organizations. OSHA is very site specific for things from the, data sheets, the labels, the actual layout of the practice. A lot of practices have a physical binder, a lot of the times they don’t necessarily know what they have documented in the binder or when it was last updated, or who the point of contact would be. If OSHA were to walk through the door, that’s probably where the most risks with OSHA come about.

I would say that, due to COVID. Unfortunately, there has been an increase in OSHA audits. So, ensuring that practices are doing an annual walkthrough, checking to make sure that your practice has everything properly labeled. You’re noticing fliers, your fire extinguishers and expired, things like that can be very, very beneficial to practices in the long run. Ensuring that you have a safe workplace for your staff to operate in, and for your patients.

Gary Tiratsuyan 17:37

And if we’re talking about staff retention, the high turnover rates playing into that, and just how busy a practice is. Do you think it’s harder now than ever for a practice to keep up with these compliance requirements?

Madison Evers 17:49

Yes, absolutely. I speak with practices every day. And every day, I have practices expressing to me how bad turnover has been; that it’s, you know, expensive, time consuming, it’s too much work to train the new hires, and to keep their original staff up to date. You know, why do practices want to put money into training somebody if they don’t know how long they’re going to be there? The list goes on and on. And, you know, it’s all very understandable because it is overwhelming. But what these practices unfortunately don’t realize is that neglect to train their staff is actually opening the practice and the business up to areas of vulnerability that can be much more costly and time-consuming than training their staff members. And training staff doesn’t have to be boring. Online training is an amazing resource for practices of all sizes. We actually have a compliance solution here that provides practices with not only HIPAA and OSHA training, but we provide 1,400 hours of both live and on demand, continuing education, with no additional cost to the practices, that’s readily available for all staff to receive. This gives practices the flexibility to train their staff how they want and when they want, which is great if you operate with a small staff or if you have five locations, and it’s impossible to get everyone together. Just having that flexibility really helps them ease the pain of having to train your staff.

Gary Tiratsuyan 19:21

I think there’s just so much to maintain and ensure you’re doing right and protecting the practice data, the staff and the patients. And we haven’t even touched on PCI compliance yet. Can you educate me a little bit on that?

Madison Evers 19:37

Yeah, so super exciting stuff, right? PCI compliance actually falls under HIPAA because it’s protected financial information, or PFI in the compliance world. To maintain your PCI compliance, there’s a couple of requirements. The first is going to be called a self-assessment questionnaire. It’s a couple hundred questions long; it goes through, what are you doing with your credit card payments, essentially. Vulnerability testing is going to be the second requirement. This is essentially scans of your IP address to ensure where you’re sending your patients PFI through is secure.

And then the most important part is actually going to be maintaining a copy of your PCI certificate that should be kept in the HIPAA binder. Failure to do so can result in regulatory noncompliance fees, non-validation fees, higher rates on every single transaction, which lead to a loss of revenue to practices because you’re not compliant. So now, noncompliance is penalizing you. One of the many reasons that Rectangle Health’s payment integration software practice management bridge is actually so popular is because we handle your PCI compliance for you. And the people who are familiar with their PCI compliance know how daunting it is. And so, this is, this is a winner for a lot of people.

Gary Tiratsuyan 20:50

Thanks again for that so much, Madison. And last question, before we wrap up, is there an easy way to manage all this?

Madison Evers 21:04

Of course; the simple answer is just let us do it for you. Practices are busy though; everybody wears multiple caps within the practice. This is why practices outsource and consolidate their solutions. Finding one vendor who can manage all of your compliance needs for you will not only protect your life’s work, but also be more cost effective than outsourcing to multiple vendors.

With this in mind, I know I’ve mentioned a solution that we have here a couple of times, but Rectangle Health, we have a compliance solution. It’s our award-winning cyber liability and compliance software. It’s actually one of the only compliance softwares in the nation that does everything for HIPAA, OSHA and PCI compliance all in one spot. And so, it’s a great way to outsource and consolidate everything. Having it will not only get you compliant, but keep you compliant and protect you in the event of a breach or an audit under our quarter million dollar cyber liability insurance policy that requires no underwriting and no downtime to guarantee your coverage.

Gary Tiratsuyan 22:09

Awesome, Stuff. Madison, thank you so much. I really appreciate you taking some time today. I know I’ve learned a lot and I know this is critical info from our listeners. And I know they appreciate it and need to stay on top of it. Thanks so much for joining me.

Madison Evers 22:21

Of course; it was such a pleasure having the opportunity to talk with you today. I know compliance isn’t necessarily the exciting stuff about running a practice, but it is equal equally as important as everything else. You know your patients appreciate you being compliant. Your employees may not like the training, but they appreciate not getting in trouble for doing things the wrong way. If you have any questions, if anybody has questions for me, you can either leave them in the comments or send me a message directly here on LinkedIn. If anybody is interested in hearing more about our compliance product, you’re also more than welcome to shoot me a message or just schedule some time to talk with me.

Gary Tiratsuyan 23:00

Awesome. And thanks again Madison. I’m looking forward to having you on again real soon. And for our listeners tuning in, be sure to visit the links in today’s episode description to access all of the valuable resources Madison mentioned today. And to get in touch with her and be on the lookout for upcoming live CE credit training courses to stay on top of the latest compliance requirements training and resources available to you. We appreciate you tuning in. And as always, welcome your feedback. If you enjoyed today’s episode, like subscribe and leave a review on Spotify, or your favorite streaming channel. We’ll be back again next week with another great episode on the Modern Practice Podcast. Thanks for tuning in till next time, everybody.

Editor’s note: This interview has been edited for length and clarity.

Get started today!

Thousands of providers like you supercharge their front office with Practice Management Bridge. Schedule a call to see how we can help reduce admin work, so you can focus on your patients.

Book a Demo