On this episode of The Modern Practice Podcast, Nicole Parker, senior compliance advisor at Rectangle Health joins host Gary Tiratsuyan to discuss how providers can simplify and tackle compliance at their office.
During the conversation, Nicole shares:
1. Compliance expectations for providers
2. The biggest challenges faced when it comes to compliance
3. Commonly overlooked areas of risk
4. Where to start your corrective course of action
Gary Tiratsuyan: Hello, everybody, and welcome back to The Modern Practice podcast. Today’s episode is all about simplifying the process of compliance at your practice. I’m really excited to be joined today by Nicole Parker, senior compliance advisor at Rectangle Health, who brings a wealth of knowledge and has been helping healthcare offices identify course correct and maintain compliance and security. Nicole, thank you so much for taking the time to join us today.
Nicole Parker: Absolutely, Gary. Glad to be here.
Gary Tiratsuyan: Awesome. Well, Nicole, before we get started, can you tell us a little bit about yourself how you got into the healthcare space, and specifically, the often confusing and challenging world of compliance?
Nicole Parker: Sure, well, I started off in a customer service background, which I think anytime you’re interacting with clients, practices, grocery stores, you know, any type of interaction, having some customer service goes a long way. So that’s exactly where my career started. And it transitioned into healthcare because it was the more stable environment, meaning there’s always a need. So the specialty that I’m in now, which is helping with the education of HIPAA, and OSHA compliance, it just allows me to help practices get the education needed, things that they don’t teach you in school, as far as, once you start seeing patients at your practice, you’re now bound by health and human services policies and procedures. And as soon as you hire any employees, now you have to follow OSHA laws, policies, and procedures. So being part of that education to help practices be aware on how they can correct any areas that they need to be in place does allow them to be able to protect their liability in their practice. So, I really enjoy my job and being on that side of it to help educate practices so they can protect themselves.
Compliance Expectations for Providers
Gary Tiratsuyan: Awesome. Well, thanks so much, Nicole. Thank you again for taking the time to share your expertise. So, let’s dive right in. And let’s face it, compliance can be overwhelming. But before a practice can get to a good place with it, they need to know what the expectations are for a single office or larger multilocation organization. Can you sort of give us an overview of what the lay of the land is? What are the expectations for compliance and security?
Nicole Parker: When it comes to the complexities of compliance, a lot of practices, they’re doing the basics, such as having a binder or often providing training. But knowing specifics, such as training is required to be conducted annually on the date that it was last administered. When hiring a new employee, for example, you do have expectations to train them within 10 days of their hiring date to comply with the training requirements. When there’s an overview of all the aspects of compliance, are talking about documentation, policies and procedures, business associate agreements, emergency plans, backup plans, email encryptions, and other technical safeguards. So a lot of times, there’s not a full picture being drawn as to what the expectations are. And that’s where you do find a lot of the challenge in understanding what compliance looks like, which is where Rectangle Health comes in. Understanding where those gaps and vulnerabilities are so that we can help you with developing a corrective action plan to address those areas. And just understanding that as things change, and as we’re all aware, COVID brought about quite a few, having real-time resources to get those updates to maintain your compliance and a full complaint order.
Biggest Compliance Risks
Gary Tiratsuyan: There’s a lot there. So I kind of want to start to unpack this a bit and really get into… What are the biggest risks and challenges when it comes to compliance at the practice?
Nicole Parker: One of the biggest risks is the misconception on the size of the practice as to what they need to do to be compliant. It just starts with that first patient record, at that point, whether it’s a paper chart, or an electronic chart, there are safeguards in place to make sure that that patient information is fully protected. Practices need to have a full understanding of what those requirements are, not to what they feel is necessary to be compliant, but really understanding the requirements of Health and Human Services and OSHA. So as a senior compliance advisor, our jobs here are to again educate on what those requirements are. The development of a corrective action plan not only helps you to meet the requirement to complete a risk assessment but also helps draw a course map. The benefit is knowing exactly how to correct these issues. And the solution is what’s most important on how to do that most efficiently. With practices, often a person who is designated as a compliance officer, which is one of the requirements of health and human services, they also share many roles. Often their office managers are hygienists, taking on the responsibility of compliance. So as day-to-day business goes about, sometimes compliance requirements get overlooked. So, understanding the time that it takes to implement towards compliance to keep it in order. That’s where one of the biggest challenges comes in. So here at Rectangle Health, we’re able to offer a solution that helps to focus on the compliance requirements, allowing practices to focus more on patients and practice functionality.
Commonly Overlooked Areas of Compliance
Gary Tiratsuyan: Thank you so much for that, Nicole. And that’s a perfect segue because I wanted to ask, are you seeing a common theme as you help healthcare professionals to get to a good place when it comes to the most commonly overlooked areas?
Nicole Parker: One of the most commonly overlooked areas is the requirement that Health and Human Services has in place that does require every practice that holds patient information to complete an annual HIPAA risk assessment. What the risk assessment does is just allows you to be able to take a look at your compliance, it helps to identify any gaps or vulnerabilities, and it also forces you to be able to be aware of any changes or updates that take place. You can imagine that as Health and Human Services, creates new policies or procedures, or even just recommendations, it would be too much of a daunting task for them to physically contact every practice in America by phone or mail to notify you. They do expect owners of practices to be aware of the requirements and have resources that they can rely on to keep them updated. So, it does in essence, help you to stay in mostly abreast with the changes just by meeting that annual requirement. In my opinion, in the most practices that I speak with, I do feel that that is the most overlooked area. And then it also requires you to maintain them for six consecutive years, which means for six consecutive years, you’re responsible for showing proof that you have developed a culture of compliance within your practice.
Gary Tiratsuyan: Yeah, so the practice can choose to go the DIY, do-it-yourself route, right? So, practices can start that corrective action on their own. But ultimately, there’s risk in that as well. You know, I’m assuming stones can be ultimately left unturned?
Nicole Parker: Absolutely. The risk assessment is designed as a self-assessment, meaning you’re answering the questions with yes or no. Yes, we have this policy. Yes, we’ve completed training. No, we don’t have email encryption. And it’s a host of about 36 questions total. But what it does is that ensures that practices are compliant with HIPAA has administrative, physical, and technical safeguards. So, it’s comprised of questions addressing each of those sections within the risk assessment. That is one of the most important pieces towards reflecting compliance is to keep up with your risk assessment requirement that will help you to understand any areas that you need to address on an annual basis.
Correcting Compliance Issues
Gary Tiratsuyan: So, a practice takes the free HIPAA risk assessment. What happens from there as far as the correction process goes? And sort of Part B to that question is, does the practice have a lot of manual work to do from that point on? Because we know they’re busy. We know they’re understaffed and wearing multiple hats, as you mentioned.
Nicole Parker: Absolutely. It does take a lot of time to address it manually. In the midst of, as you mentioned, other hats and other functionalities within the practice. Not only is it an opportunity for you to have help to understand those areas, but with Rectangle Health, you also get a way on how to correct those areas. It’s already eye-opening, sometimes overwhelming to be able to identify. I’ve had many doctors just say, oh my goodness, I might as well just retire. Which, of course, you know, at that time is a good time of the year for them in order to reach that milestone. However, until you actually do sell your practice or retire, unfortunately, up until that very day, you are required to maintain your compliance. So, the do-it-yourself option is always there; it’s just, do you really have the time? Do you have the proper resources? Do you have the finances when you’re spreading out your compliance with multiple vendors, which typically takes three to seven vendors, involvements to reflect compliance. That’s multiple vendors, additional business associate agreements, additional phone calls that you have to make, especially if something were to go wrong. So, it’s an option. But in order to fully protect yourself, in all honesty, most practices that are compliant is because they leave it up to compliance experts.
Gary Tiratsuyan: Just to recap, from the point of completing that HIPAA risk assessment, a practice can simply rely on you and your team to manage the compliance and mitigate risk.
Nicole Parker: Correct. So, the compliance requirement on the risk assessment, you can purchase that from other vendors. It’s something that has to be done as I’ve mentioned previously, however, Rectangle Health does provide a complimentary risk assessment and the review of that. So, the risk assessment is something that you’re able to complete with one of our team members. We’re there to help answer any additional questions you may have on that while taking it, and then set up the review to be able to go over with the professional consultant, the results of that review.
Gary Tiratsuyan: That’s awesome. Nicole, thank you so much. For our listeners tuning in, you can access the free HIPAA risk assessment by following the link in the description of this episode. As you’re filling out the form, be sure to use code modernpractice to complete it, and a member of the Rectangle Health compliance team will reach out and begin outlining the necessary steps and corrective course to ensure your practice and patients data and information is secure. Nicole, compliance is most definitely a scary topic for me, difficult to understand and overwhelming but the insights you shared, definitely give health care providers a starting point to begin tackling it and getting a good handle on it. Thank you so much for taking the time to join me today.
Nicole Parker: It’s been my pleasure to be here and in the efforts of Rectangle Health, helping practices to simplify the business side of health care.
Gary Tiratsuyan: Thanks again, Nicole. And once again for our listeners you can access that no cost HIPAA risk assessment and tackle compliance head on by following the link in the description below. And be sure to use that code modernpractice when you do. Be on the lookout for more episodes on compliance and cybersecurity coming soon to The Modern Practice podcast.
Thanks for tuning in till next time, everybody.
Editor’s note: This interview has been edited for length and clarity.