04. 21. 23
On this episode of The Modern Practice Podcast, host Gary Tiratsuyan welcomes Rectangle Health’s Director of Compliance Solutions, Terry McDonald to the show.
During the discussion, Terry outlines how healthcare practices can simplify compliance to avoid violations and costly penalties by:
Get started with your free HIPAA risk assessment here >>.
Connect with Terry McDonald on LinkedIn.
From Rectangle Health, this is the Modern Practice Podcast, a show that provides you with fresh perspectives and practical advice from industry experts in the ever-changing world of healthcare technology. Every episode, we tackle a timely topic to help you stay current and simplify the business side of healthcare. Without further ado…
Gary Tiratsuyan 00:21
Hello everybody, and welcome back to the Modern Practice Podcast. Today’s conversation is all about practice compliance, and how you can simplify the process, meet HIPAA requirements and avoid costly penalties. If you missed part one of this compliance miniseries, I encourage you all to tune in by following the link in the episode description below. Expert Nicole Parker shared incredibly valuable insights into the steps your practice can take to tackle HIPAA, OSHA and PCI requirements head on. And without further ado, I’m excited to introduce compliance guru Terry McDonald, Director of Compliance Solutions here at Rectangle Health to you all, Terry, thanks so much for taking the time to join me today. Appreciate you being here.
Terry McDonald 01:03
Thank you for the opportunity, Gary and Rectangle Health. It’s my pleasure.
Gary Tiratsuyan 01:08
The pleasure’s all mine, Terry. Let’s get into it. I want to start with the lowest hanging fruit. For a practice, what are the simplest steps they can take to check a few boxes off the list and ensure compliance?
Terry McDonald 01:21
That’s a great question, Gary. You know, I always try to tell everyone, the first thing you want to do is have a culture of compliance, meaning, it’s something that’s important to you and your practice. So, if anyone is wondering where to start, it sounds like you’ve already got your culture together. My first step… I think every compliance is a little bit different. Specifically, let’s start with HIPAA. I think with HIPAA, one of the first couple things you could do is actually your annual HIPAA risk assessment. The government actually requires you to do this every year; it’s for your own benefit.
But a HIPAA risk assessment… let me define what it is. First of all, HIPAA risk assessment is some sort of analysis. We’ve created our own version here at Rectangle Health; it’s about 45 questions. So, we ask you 45 multiple choice questions about your HIPAA program. The idea of this assessment is to help you highlight and uncover any gaps or deficiencies you have in your compliance program that you’re practicing there at your office. So that’s the first step. You have to do it every year. The government wants you to do it, so you can get ahead of any gaps that you have before they come back to get you. So that’s always my first step is: get your HIPAA risk assessment completed, which is actually two parts, one part is getting it completed. But the most important part is the second part where you actually analyze the results and take actionable steps to close those gaps. That’s the first step you should do is really just become aware of what your needs are first, so you can begin to address them.
Gary Tiratsuyan 02:52
And I’ll drop a link to the Rectangle Health HIPAA risk assessment in this episode description. So, if we get into the weeds a little bit here, Terry, what would you say are the most commonly overlooked areas or tasks that practices must complete to avoid violations and potential penalties?
Terry McDonald 03:10
I think that’s a great question. I’m going to give you a two-part answer. For those practitioners out there, those business owners, those doctors—often you delegate it to your office manager. Like I just said, that risk assessment is your first step right? If you’re running the business, and you want to limit your risk and limit your financial responsibilities, or I should say liability, you want to get ahead of your risk assessment, and get your culture of compliance in place and start doing the things that you’re supposed to do.
The second part of it is everyone else at the practice the rest of the team members. I would really say it’s the training. But not just any training; it needs to be effective, it needs to be modern. And everyone at your practice needs to sign a document saying that they completely understand the training—they’ve completed it—but also the policies and procedures that are in place in your binder. And I say that, Gary, because the majority of breaches that happen around America, are caused due to human error, meaning someone on the staff made a mistake. Often, they could have been more careful had they had compliance training a little bit more baked into their thought process with that culture of compliance. So, I would say for leaders and the business owners, get the HIPAA risk assessment done. For everyone else, get your training done.
Gary Tiratsuyan 04:35
Got it. And obviously Terry HIPAA law is complex. On the first episode of this series, Nicole mentioned it extends into hundreds of pages in length and tasking staff to understand each section each line of that as a huge ask. So, for simple day-to-day workflows at the practice, something like responding to an online review or sending text reminders for payment or appointment confirmations, not to scare anyone, but you have to be cognizant. So, in a circumstance where you as a practice owner, or manager, hiring new team members, how do you train them to be careful? How do you train them to be vigilant?
Terry McDonald 05:16
I think it’s important to remember that our society has changed since the pandemic, right? We were so used to people coming into our offices to sell us or train us that that was the way of things. Now, we’ve really shifted to this virtual society, where Zoom meetings are commonplace. In fact, they’re now preferred over anything. And I think that extends to the way that you conduct your HIPAA training for your team.
The days of having a HIPAA trainer, for example, come into your practice once a year to train your team—those days are dead. Because again, it’s inefficient to do it that way, to have everyone stop working. That means you’re not generating revenue, and everyone’s going in the room. But also because people need to be trained on their first day of work. HIPAA is all about protecting PHI, protected health information, and stopping it from falling into the wrong hands. New employees are getting exposed to that PHI on day one. Therefore, a good practice who has a real culture of compliance has HIPAA training being completed in the first few days of being employed at that practice. And the best way to get that done these days in order to do that is you need a usually a digital, on-demand resource where they can sit down and do training right away.
For example, in our solution OfficeSafe, we have a training portal. Every new employee, as part of their onboarding would just simply sit down and have training assigned to them through our OfficeSafe compliance portal. But what we don’t want to do is wait. If we have a person coming in in October and I have them start in April, well, they’re going months without being trained. And that’s just unacceptable and is just really opening yourself up to future issues, if you ask me.
Gary Tiratsuyan 07:07
There’s huge risk associated with that. So, you host a lot of webinars covering HIPAA and cybersecurity best practices. And one of the things that stood out to me as I’ve attended these training sessions from my own knowledge and awareness is the trends in enforcement and those shifts that happen in that area. Can you dive into that a little?
Terry McDonald 07:32
Yeah, absolutely. Well, I think the trend is… there was a time, let’s just call it six, seven, eight years ago, where HIPAA had enough staff. They were hiring more people, and they were doing random audits around the country. And you’d have to be worried about being compliant. So, you’d want to stay compliant all the time, because you didn’t know when you could be randomly audited.
But that’s changed. HIPAA doesn’t have staff like that anymore. They’re not doing random audits. So, what they’re doing is they’re making examples of people. So, when something goes wrong, they’re going to find them, they’re going to post it all over the internet, and make examples of practices to scare them into doing the right thing.
And that’s important because enforcement these days, again, most of the breaches and most of the HIPAA issues we’re dealing with—90% are cybersecurity, cyber breaches. And every year over a year, the likelihood and the quantity of the cyber breaches happening is going up. So it’s more and more likely you’re going to have a breach, now we look at it as not a matter of if, it’s a matter of when, you need to be prepared. And when you are being prepared, the question is, if I had a breach or some sort of cybersecurity issue, how long would I be down? And how quickly can I restore my system get my practice up and going in and generating revenue? A, the first thing is, how do I keep my practice generating revenue? B is when I report it the way I’m supposed to, and HIPAA comes in and audits me—because the only way HIPAA is going to come audit you is if you have a problem. When it rains, it pours. They’re going to come in there and audit you. Are they going to find things to fine you over? Or are they going to go through your HIPAA binder and your program and see that you did everything you were supposed to and the issue was unavoidable, therefore, you’re not going to be fined. So. we want to limit our downtime, and limit our compliance exposure and financial risk as well.
Gary Tiratsuyan 09:27
Just really quickly, if you have an example, Terry, not specific to any practice, but in your experience and in your time working on this, what’s the longest duration that you’ve seen? Let’s say any healthcare practice, not generating revenue, not treating patients due to this exposure?
Terry McDonald 09:46
That’s a great question. Well, in my position, lucky enough for me, I’m here at Rectangle Health. So, the majority of the issues I see could have been way worse if they weren’t a client of ours. The worst nightmares and the worst case scenarios I see are what I’ve read about and see as well. But also, those people who call me up after they’ve had a breach, and say, ‘Can you help me? I think I’m having a breach.’ And I had to break it to them, ‘If you’re calling me in the middle of a breach, it’s already too late.’ Right?
So, I’ll share a couple links for you that you’ll be able to drop in the links as well, North Memorial HIPAA violation, you could Google that one. But practices can be down for days. But really, it boils down to the revenue that’s lost, how much money are we losing, both on the business side, and then once HIPAA police come in and audit and fine us. So, I don’t want to count the revenue as in days, because it could be a small dental practice, versus a huge practice that could have 20 practitioners. One day down for them is 20 times as costly as a small practitioner. So, the key is, how fast can I get restored and are we compliant? That’s the safest way to operate, day in, day out.
Gary Tiratsuyan 11:02
Yeah, and it speaks a lot to what happens to the patients right? If they have scheduled appointments, if they need the necessary care, that can’t happen. So, it’s detrimental on all sides. You definitely want to avoid that. And very quickly, what’s the difference between the Rectangle Health HIPAA risk assessment versus something else that’s out there in the market that can be accessed by practice?
Terry McDonald 11:29
Great question. There’s not a ton of tools out there in the market. The government offers a risk analysis tool on the HHS website. And this is designed to help practices do this annual risk analysis on their own. But I can tell you, the majority of people I’ve bumped into, if they’ve tried it, they’ve quit. It is a very cumbersome, confusing process. You have to download 100-megabyte program directly on your computer and enter tons and tons of questions about your people, your processes your equipment, all before you get into the actual questions about compliance. And then it’s going to give you a report. And the problem with the government’s solution is it’s cumbersome and confusing.
So that is why we’ve been so successful with our version of the HIPAA risk assessment. We’ve simplified it down to 45 multiple choice questions that give a great idea and snapshot of where your practice is. But also, what makes us different, is we’re going to assign you for free, a compliance advisor that’s going to walk you through that report. Every practice is different on how you apply HIPAA and what your individual issues are. Our compliance advisors will meet with you one on one, walk you through the report, and make sure you have a copy of the report. And then of course, we’re we are there to simplify it and make it easy for you to understand. But once you’re clear on what’s wrong and what you need, we can then of course, provide you with a couple of simple solutions to help you get back on track and get compliant.
Gary Tiratsuyan 13:04
Thank you, Terry, for that. And again, for our listeners all I’ll have that link to the free HIPAA risk assessment in the episode description below. Take advantage of it, take advantage of our compliance advisors calling, and really running through your action items. And, Terry, before I let you go, I invite all of our listeners today to connect with Terry on LinkedIn, I will also have a link to his profile in the description. Thank you so much for taking the time to join us and share your expertise with us.
Terry McDonald 13:35
It’s my pleasure, Gary. And let me just add on that last thing I said here real fast. We’re pretty much the only company out there that will dedicate this much time with you upfront. We’ll help you with the risk assessment, we’ll help you with the review. Our organization is the only one that’s putting in multiple hours of work with no guarantee you’re going to do business with us. We truly believe that an educated practice will make the right decisions for their practice. So we focus on educating you and help you make the best decisions for yourself. And I believe if you take the time to get educated, you’ll value what we do and how we provide it. So, I look forward to connecting with everyone. Feel free to shoot me some connection requests on LinkedIn. I’m always here to help with any random one-off questions. I love to be challenged; shoot them on over to me, or if you just want to connect in general, I’m here to help.
Gary Tiratsuyan 14:24
Thanks so much, Terry, and hopefully I can have you on again real soon.
Terry McDonald 14:29
I would love that anytime for you, Gary.
Gary Tiratsuyan 14:33
Appreciate it. Lastly, for our audience, we’ve got great guests joining the show in the upcoming days and weeks, so be sure to subscribe and leave your comments on this episode, and what you’d like to hear covered in the future. Thanks for tuning in. Until next time, everybody.
Thank you for listening to the Modern Practice Podcast. If you enjoyed today’s conversation, subscribe on Apple Podcasts, Google Play, Spotify or SoundCloud for new episodes and follow Rectangle Health on social media for more helpful information news and event details. Thanks for tuning in.
Editor’s note: This interview has been edited for length and clarity.