Alliance Physical Therapy Partners and Agile Virtual Physical Therapy proudly present Agile and Me, a Physical Therapy Leadership podcast devised to help emerging and experienced therapy leaders learn more about various topics relevant to outpatient therapy services.
Richard Leaver: Welcome back to the Agile and Me Physical Therapy Leadership podcast series. I am excited to welcome back Tiffany Warden, who is all things compliance. Welcome, Tiffany.
Tiffany Warden: Thank you.
Richard Leaver: I think it’s actually been a few years since you were last on a podcast for me, for Agile and Me. Is that right?
Tiffany Warden: It was. Last time we talked about medical records.
Richard Leaver: Such excitement. You know, I do all the best podcasts, don’t I? Medical records, payer relations, and now we get to talk about all things HIPAA. You know, what more could one ask for as a listener? But anyway, regardless, let’s get on with it. But for those that perhaps haven’t listened to the all things medical records episode, can you just give perhaps a very brief overview to the listeners of who you are and your experience and background?
Tiffany Warden: Sure. My name is Tiffany Warden and I’ve been in the physical therapy world since 2005, so a little over a couple of decades now, and my certifications are in coding and compliance and in healthcare law.
Richard Leaver: I’m sure it’s very valuable.
Tiffany Warden: It is very valuable. But I’ve been working with HIPAA policies and HIPAA procedures for about 15 years now.
Richard Leaver: Okay, so let’s dive in. Everyone talks about HIPAA. Let’s start at the beginning. So the abbreviation, HIPAA, what are we talking about? When was it originally enacted, and perhaps the primary reasons for its creation? Because I get the feeling that what the primary reasons were has kind of morphed over time with regards to how it’s impacted healthcare, and perhaps the biggest impact wasn’t necessarily the original intention, but we can get into that a little bit more. So what’s HIPAA? When was it passed into law, and what were the primary reasons originally?
Tiffany Warden: So HIPAA officially came in back in 1996; that was when we first started hearing about HIPAA in force. What it stands for is the Health Insurance Portability and Accountability Act.
Basically the purpose is to protect patient information, PHI, not only from a privacy perspective, which by the way was largely the concern back in 1996, but now it’s morphed into something that really addresses the security side of things. So we’re looking at IT practices, you know, how we report, how we monitor, how we audit on the IT side of things to protect the ePHI, the electronic protected health information.
Richard Leaver: If I remember correctly, the original intent was to ensure the continuity of coverage between jobs, to guarantee coverage for employees with preexisting conditions, and to prevent what’s called job lock, which is a scenario in which plan members stay in a job to avoid losing benefits, which I find very noble and admirable and important.
But whenever we think about HIPAA, the first thing we think about is patient data, rather than these grandiose measures that have really very little to do with security of patient data.
Tiffany Warden: Right, right. Well, a couple of things. Back in 1996, we weren’t all that into EMRs the way that we are today. We exchange almost all of our information electronically today, and in fact are required to do so in certain circumstances.
And that wasn’t a concern back in 1996. That started becoming a concern in the early two thousands. And if you look at the 2013 HITECH update of that law, that’s where you really start to see proposals relating to ePHI and getting more into the privacy and security things. It has always been about protecting the information, protecting the access on behalf of the patient. It’s just that as we have gone through the years and as technology has advanced, the way that we look at it and address it has had to change.
Richard Leaver: Yes, the privacy and security part, which I’m sure we’ll focus on more in a little bit, was actually added at a later point, wasn’t it?
You know, even though it was in 1996, it took years and years before it was really implemented, and it morphed somewhat. But in the beginning, I also understand that the implementation or the requirements associated with HIPAA actually increased the cost significantly for the payers, and as a result of that, Congress then enacted the measures to combat fraud, waste, and abuse.
Which is really quite interesting. And perhaps we’re geeking out a little bit here, but the fraud, waste and abuse legislation was a result of the increased cost associated with the HIPAA legislation.
Tiffany Warden: I think all laws coming out of Washington are attached somehow to each other. They’ll find a way.
Richard Leaver: Oh dear. Yes. Let’s not perhaps go down the path with regards to politics.
Tiffany Warden: The first 10-hour podcast, that’s right, that you do for Agile and Me. We want to get into all of it.
Richard Leaver: And then, as you say, with the push towards electronic medical records, which was again supported and encouraged by the Secretary for Health and Human Services, and there was definitely a lot of money provided by the federal government to move towards that, it really became a bill or law that was to safeguard patient privacy and security of data, which was the privacy rule that was actually published in 1999. So it was a few layers later, wasn’t it, than the original act? It was. It was.
So tell me perhaps a little bit about what the privacy and security rules were trying to do and what those rules really encapsulated.
Tiffany Warden: So there are two sections of HIPAA. One is the privacy side and one is the security side. So on the privacy side, what you’ve seen is that the goal with HIPAA is to protect the privacy of the patient in physical matters. So you’re looking at access to clinics, access to physical records, because remember paper records, and access to other equipment, physical equipment that could contain PHI.
And so you have some physical and administrative measures on the privacy side of things that are things that you actually do on a day-to-day basis to ensure the protection of that data. And we’ve seen that morph. We’ve seen it morph over the years, and through all of the iterations of HIPAA that have come down, there always is a new consideration for things that are advanced.
I mean, we used to see a big emphasis on faxes and on phones and paper. We don’t really have a lot of, you know, paper. I have a cell phone, but I don’t have a landline. And then, you know, faxes are kind of going the way of the dinosaurs as well. So what we’re seeing is just an iteration of this law that continues to adapt to our changing technology.
That’s on the privacy side of things, and it’s the same thing on the security side. Back then in 1996, not really a big concern, right? Not even really addressed, but as the years went by, in ’99 and especially in 2013, that’s where we start to see them acknowledge the advances on the IT side of healthcare. They wanted some measures put in place that would restrict who has access to that patient health information and how it’s exchanged.
Richard Leaver: It strikes me basically as a law or set of rules that are continually morphing, because how we communicate and how we obtain, store and use data is constantly changing. Right. You know, to me, even when you look at the dates of the legislation and the rules, the privacy rule was published in ’99, but it wasn’t until August 20th, 2002 that they were actually able to come up with the final rule, because they had to keep moving it, changing it.
And then, you know, it took even more time to look at the security rule. Yes. And, you know, we’ll talk about this perhaps at the end. My thought is, as we move towards a society that embraces more AI and automation, I’m sure the rules are going to have to change even further. Yes. So it’s like a moving target.
It’s like this blob that is just growing in size. And not only has it grown, but it’s changing what it is over time as well. Yes.
Tiffany Warden: Yes. And just to illustrate that, you know, as you said, we’ve seen ’96, we’ve seen ’99, we’ve seen 2013. And then a couple of years ago, the OCR, HHS, actually started soliciting comments and opinions on updates that need to occur with HIPAA.
And these were done mostly on the security side of things, right? Because as we continue to evolve technologically, I, along with most other patients, want access to the information at my fingertips. I no longer want to get in my car and drive and go get a record somewhere, or ask for them to fax it or email it to me.
I want that information, hopefully via an app or some type of infrastructure that the provider has. And so you see HIPAA morphing to accommodate this new kind of technology. And over the past couple of years, they could hardly keep up with it, because they’ve had a comment period open now for about 24 months and they haven’t even published what they’ve come to agree on.
So if you look at what we’re doing now, we’re taking a lot of those from back in 2013. On the tech side of things, you saw a lot of things as either required or addressable. Addressable meant if you had the resources, you had the size, you had all of these things going for you, you had to do it. If it was within your means and your ability, you had to do it.
But if not, then that’s fine. It was an addressable component of that legislation. But what we’re seeing now is, because of the advancements that we’ve seen in IT, we are having those addressable issues become requirements. A lot of those are surrounding the security framework of the provider itself.
You know, you’ve got the encryption issue. Encryption was something that was addressable way back when, but now the proposed rule is that PHI must be encrypted both at rest and in transit. You look at multifactor authentication. That’s going to become a requirement.
You look at, you know, risk analysis, that analysis that you should do on a regular basis, as our company does. And you have to lay out a roadmap. You have to identify your deficits, you have to lay out a roadmap to correct the deficits. So it is ever evolving, it’s ever changing, and I mean, it really is so much more than what it started out to be.
Most orthotic manufacturers take a one-shape-fits-all approach to solving lower body pain symptoms. They focus on arch support for temporary pain relief, which can lead to inefficiencies and injuries. BioCorrect does things differently. With 25 years of experience, BioCorrect knows that everyone has unique needs.
BioCorrect is a fully customizable foot orthotic system engineered to address and treat the biomechanical imbalances of your entire body. BioCorrect: more than just an insert. To learn more, visit us at biocorrect.com.
Richard Leaver: You’ve got to see the funny side, haven’t you? You know, the burden placed upon healthcare entities to comply with the rules is increasing, and I would say increasing to the point where the financial cost is creating issues. Yes. Particularly with lowering reimbursement rates, and we won’t need to go there; multiple episodes have talked about that. So you’ve got, on the one side, these people dealing within the healthcare environment, having to comply with these more arduous rules and the cost associated with it.
Then on the other side, you’ve got social media and people using social media in a way that, really, everybody’s, well, the majority of people’s information is out there. It’s available. And, you know, individuals, I would say a significant minority of individuals, are happy with that.
Yes. I’m not advocating that healthcare information should be disseminated or anything like that, but you’ve got to see the funny side of this.
Tiffany Warden: Yeah. We’re more interested in sharing our personal information than ever before. But in this one area, and probably banking, I’m sure, so finance and healthcare, we are really reliant upon the providers to make sure that our information is secure and not accessible by anyone other than who we designate.
It’s a funny juxtaposition.
Richard Leaver: Don’t get me wrong, you know, I wholeheartedly understand and agree with regards to the safekeeping and safeguards associated with HIPAA, but it is interesting when people go onto Facebook and talk about their medical conditions. But obviously that’s their choice.
So when we talk about the security rule, this includes three sets of safeguards, doesn’t it, that really must be complied with by covered entities and business associates, and those are administrative, physical, and technical. So those are the three safeguards. Yeah. Can we perhaps talk about what those three are, when we talk about administrative, physical, and technical?
Tiffany Warden: So we’ll start with technical, because obviously that’s everything that’s technical. Anything that’s going to store on a device, anything that would assist the provider in electronically exchanging PHI, either internally or externally, is going to be covered under the technical side of things. And so what you have to do is marry that with the physical and the administrative measures.
And so when you’re talking about physical safeguards, it’s exactly what it sounds like. Lock your door, lock the filing cabinet, you know, make sure you’re using ID for people that are coming in, or at least that they’re known to you: your workforce, your staff, your patients.
Make sure that you’ve identified even all of your physical equipment, right? We went through this not but a few years ago, where we assigned, you know, a tracking number and a barcode to all of our equipment so that we would know, when we audit for that, whether or not we’re missing items. And that’s an important part of it, just to know physically what you have and that what you have is physically safe, reasonably physically safe from intrusion.
On the administrative side, you’re talking more about your policies and your procedures, right? Do you have a really well thought out HIPAA policy section that addresses all of those components? Do you have security roles assigned in your organization? You know, that’s part of it; that one can actually span a couple of different departments. But do you have those security roles, your workforce security, your trainings?
You know, are you adequately training your new hires and doing the annual required trainings? So, you know, none of them stand alone. Every single measure and every single column of those three columns actually works together with ones in the other columns.
So it’s hard. There’s a lot. Yeah, it’s difficult. It’s difficult to actually wrap your mind around until you just kind of dive into it and realize the extent to which HIPAA operates just under the radar with healthcare providers, and I really like seeing the changes in staff. When I first started in healthcare about 20 years ago, I noticed that HIPAA wasn’t really understood, number one, and it wasn’t really followed all that well.
You know, people still do what people do. They talk to each other, you know, they talk to other people, and they’re not really all that careful. But as we have come through the last 20-plus years, I’ve noticed that this has been taken a lot more seriously. And probably because there are more penalties and things like that associated with violating HIPAA.
But generally speaking, people have come around to the fact that this information really probably should remain private unless, like you say, we want to post it on social media platforms. But that’s the choice that HIPAA gives to people, whether or not to make it public or whether or not to keep it completely private and then control access to it.
It’s kind of fascinating to watch it morph over the past few years.
Richard Leaver: We’ll talk a little bit about it. It’s moved from kind of the carrot approach to the stick approach, and we’ll talk about the legislation that really moved that. But so, the three sets of safeguards, if I just kind of summarize for our listeners: really the technical covers topics such as perhaps password management, automatic log-off, data encryption, or, you know, transmission security, isn’t it?
So it’s very techy, essentially.
Tiffany Warden: Yes.
Richard Leaver: And then the physical is really access to devices maintaining ePHI, device security, data backups, and disposal of data and devices. Correct? Yes. And then administrative, the way I see that, is essentially risk analysis processes, policies, training, and planning.
Yes. Correct. Is that right? Correct. Yes.
Richard Leaver: Now, what I found interesting was, you know, there were obviously the privacy and security components that came in a little after the year 2000, and then it was continually updated, wasn’t it? There were administrative simplification rules that evolved into Title II of HIPAA, and that came in, I think, 2003.
And it was only until really the late, well, almost 2010 if I’m correct, or perhaps a little bit earlier than that, where they started enforcement rules. In the beginning it was guidance, wasn’t it, essentially, right? What you should do, how you should do it, and defining the certain rules and expectations.
But then it turned, didn’t it? Once that had occurred, then it turned towards enforcement. Yes.
Tiffany Warden: Yes. When those standards, those administrative simplification standards, came out first, what they were looking to do was standardize a lot of how providers and payers communicate with each other. I won’t get into all of the alphabet soup of all those documents and requirements, but simplistically, they have to tell you with one set of transactional codes what has happened to your claim: what is the status of your claim, whether your claim’s received, et cetera, et cetera. And so they have a standard set of codes that they publish that say it was paid because of this, it was denied because of this reason, and they want that process to be standardized across everything.
It also includes standardization of the codes that providers use as well, and how we transmit claims and things like that over to the clearinghouse, and then on to the payers, and how we receive our money, how we receive payment for our services. So there were a lot of things that they were trying to do in the background that made the administrative side of medicine within the IT realm a little bit more efficient than what it had been in the past, because you could have gotten any denial code and you would just have to figure out what it means. But now we have a standardized set of those, and so it allows the whole of healthcare to kind of run a little bit more efficiently. And it also allows better communication between payers themselves, because when a primary and a secondary, and maybe a tertiary payer are working together, what has to happen is they’ve got to know what the last one did.
Having that set of standardized transactional codes is something that has, you know, pushed that to fruition. Yes.
Richard Leaver: So when we talk about enforcement, essentially we are saying that if you do not follow the administrative, technical, or physical safeguards and information is, or becomes, available to non-covered entities, so basically escapes from your ecosystem, then there can be penalties. So for those that perhaps don’t geek out about HIPAA as much as ourselves, what are those pieces of information? What is considered to be private information that is covered under the HIPAA rules?
Tiffany Warden: Well, there is a standard set of items.
And though most people believe that it’s, you know, name, address, date of birth, social security number, it actually goes beyond that. It goes to any piece of information that could narrow down and potentially identify the identity of that person.
So most of them are, you know, like date of birth, name, address, social security number, but you’re also looking at license plate, you’re looking at IP addresses, you’re looking at other pieces of information, healthcare numbers, right? What’s your healthcare ID with your insurance payer? These are things that can be used to actually narrow down and get closer to identifying the person about whom that PHI is referencing.
So there are, I think, medical record number, health plan beneficiary number; I mean, there are 18 of them that are there. I’m not going to go through all of them. I don’t know if you want to include this, but the funny part is, as you get older, you are subject to actually identifying them based on zip code.
So if you’re over a hundred years old, you can’t even use a zip code, because there are only so many people in that zip code that are that age or above, and the sample could be so small that you’ve got to get rid of that as well. Isn’t that weird?
Richard Leaver: I remember a situation where there were sign-in sheets where there was the name of a PT provider at the top of the sign-in sheet, and then there was, I think, a first name, and just that information was sufficient to be considered a breach. Am I correct in saying that?
Tiffany Warden: Actually, that’s the one exception that we have. So I’m glad you asked that, because I talk about sign-in sheets all the time, believe it or not. So a sign-in sheet is something that is allowed. But as always, you are required to use the minimum necessary standard.
So as you say, is it necessary? If that sheet of paper were ever to be floating around in the public and you’ve got the name of your company and then the patient’s first name on there, that gives them a little bit more information to go on. But if you just have a blank sign-in sheet that has the patient’s first name and perhaps last initial, and they have to sign in when they come in, whether that’s on paper or whether it’s done electronically, that’s okay. It is allowable.
Richard Leaver: Okay, so you heard it here. You are allowed a sign-in sheet, but keep it as minimal as possible, essentially a blank piece of paper if you can, and then obviously shred it at the end of the day.
Tiffany Warden: Right, right. Because I’ve seen sign-in sheets with first and last names and, you know, here’s your diagnosis code and all of these other pieces of information, but it’s not necessary. And under minimum necessary with HIPAA, you have to use the minimum amount of information necessary to achieve whatever goal you’re trying to achieve.
And with a sign-in sheet, essentially what you’re doing is just acknowledging that they showed up for the appointment. And so HIPAA considers that an incidental disclosure. You still have to abide by minimum necessary, but it is allowed. Now take your sheet again with your patient name at the top, sorry, the practice name at the top and the patient name and any other identifier, and you may be right, because now you’re using more than the minimum necessary standard. You know, you’re using more information than what you need. And so that’s something that, you know, minimum necessary always has to be paid attention to, because that is the standard under which we operate.
Every transaction under HIPAA is subject to that.
Richard Leaver: How effective do you believe HIPAA has been in protecting patient data? I think you touched on it earlier. I think, by the sounds of it, it actually has over time become more and more effective, I think primarily as people become more and more aware of the rules. And, you know, perhaps we should have a party this year, because it’s essentially 20 years since the legislation and rules really came into place, or shall I say morphed, matured to the point where they were really clear and being implemented and enforced. So happy birthday, HIPAA, as they say. But as I say, how effective do you think it has been?
Tiffany Warden: I look at that from two different perspectives. The first one being that we’re looking at a very large government agency that is trying to implement a very large piece of legislation, and they’re just trying to keep up.
That’s all there is to it on that side. So I think that has been a big struggle. But as we adopt technology more and more into our daily lives as individuals, I think that the government maybe has a little bit of an easier time. These regulating agencies have an easier time keeping up, making those slight changes incrementally, still.
But they’re more adept at maneuvering through all of the new, you know, the creation of the new tech, the adoption of the new tech by the public at large. The other side I look at is the individual side. We have a population that is becoming just so comfortable with always having tech around.
And that is, they want information instantly. They want to send messages instantly. They want to call when they want to call, they want to video call when they want to call. This was not all that conceivable in 1996. I mean, we were just getting there, and so now we’ve got a bigger adoption of this technology in the population.
I think we’re having an easier time of it and people are a little bit more accepting of the fact that maybe, while there are some things that are good for public posting, there are certain things that people need to keep private in order to be able to maneuver through the system in the way that they are supposed to.
Then also, you know, if you look at how society is generally, private medical issues have always been private, but they’ve been a little bit more out there for other people to take a look at in past years. And now what we see is just an acknowledgement of the fact that some of the issues with access, or willingness to engage with the medical community to treat whatever ailment is happening, that has to happen in a private environment. It can’t be out there for everybody to discuss, for everybody to look at, for everybody to know, because that’s a barrier, and people have generally, as we move throughout the last couple of decades, become a little bit more comfortable with the fact that maybe some of those barriers need to be taken down.
In order to do that, we’ve got to keep things private.
Richard Leaver: Yes. Yeah. I think there is a good general awareness that there are privacy and security rules. Now, it’s taken 20 years, but what is also the case is it’s amazing the number of providers, not only patients, but I would say even more providers, that say, I can’t do that because of HIPAA, and they’re just completely wrong.
Tiffany Warden: Funny story. During Covid, I walked into an auto parts store. I won’t name the brand, but a national auto parts chain, and essentially it was when the mask requirements were kind of coming down after, you know, after we had Covid in hand. And what it said was, we cannot ask you your Covid status. It is a HIPAA violation. In an auto parts store. And the first thing that I want to say is, well, I don’t think you’re a covered entity, so I don’t think this applies to you, number one.
And number two, wearing a mask is not protected health information. You’re out there in the public either wearing it or you’re not. So, you know, there’s a wide misunderstanding of who is subject to HIPAA, because not everybody is, you know; you’ve got to meet certain categories there.
Richard Leaver: Yeah. We move to enforcement and fines. So when I read through the fines, they can really read as really scary language. So for instance, you know, we have different tiers. The first tier minimum fine is a hundred dollars per violation, up to 50,000, all the way up to tier four, which is a minimum of $50,000 per violation, up to one and a half million dollars. And that’s per violation.
Tiffany Warden: They’ve updated that.
Richard Leaver: Oh. I’ve got outdated information. I apologize. So has it gone up or down?
Tiffany Warden: Up.
Richard Leaver: Of course, it’s inflation. But regardless, you know, these sums are obscene.
They really are when you’re talking about per violation. Now, having said that, though, let’s put things in perspective with regards to, I think, the last one.
When I did an online search, the last time a physical therapy company got fined, I think it was 26, $6,000, I think almost 20 years ago now as well. So it doesn’t happen that often, but there is definitely the risk, isn’t there? And that risk is financial as well as custodial, I think. Is that correct?
Tiffany Warden: That is correct. That is correct. Because remember, HIPAA’s not just about security and privacy, it’s also about access, right? If you think back to 1996, like we were discussing a few minutes ago, this is an issue about patients being able to have access to their medical information, and that’s not a small issue.
It’s big. And so HIPAA also addresses the access component. Patients have access to this. Here’s how they get it. Here’s what you have to do to verify identity. Here’s what you have to do to provide it in this format, whatever the patient requests. There are all kinds of things that are addressed on the access side of HIPAA.
And so that is a lot of the fines that you see recently. There’s a big push in enforcement on patient access to their medical records, and those fines are generally around $10,000 per incident. So that’s something that, you know, you really have to watch out for and have a strong understanding of, not only the security and privacy aspect of it, but also the access component.
Richard Leaver: I think, from my reading of the literature, the entities that are policing and governing this want to educate and want to work with entities to resolve, rather than necessarily going straight to fines, financial penalties. Yes.
Tiffany Warden: Right.
Richard Leaver: So it would have to be pretty bad. Not only would you have to violate it, but you’d have to perhaps knowingly violate it and then do nothing to actually resolve the issue before the HIPPA police would come along and hit you over the head.
Tiffany Warden: Yes. Right, and there, there is a difference because you can incur civil penalties and criminal penalties in HIPPA, and all of those underlying facts matter. Your knowledge, your ability to address something, you know, your knowledge of whether or not something was happening, your access controls, your audit frequency, all of those things matter and help you establish if you’re doing them correctly and when you’re supposed to help you establish a pretty good defense.
In the event that something, you know, were to happen down the road from a security perspective or a privacy perspective, there were a breach, then those things that you have done to mitigate risk are going to count in your favor. So yeah, there is the potential that paying attention to all of the rules could lead to reduced risk of the financial penalty down the road.
Richard Leaver: I just looked it up. It was Complete P.T., Pool & Land Physical Therapy. It was a $25,000 fine, and they basically posted photographs and names of patients, patient testimonials, on their website without obtaining consent. So this is quite interesting, isn’t it? Oh, the...
Tiffany Warden: ...marketing. Yes, exactly. The marketing side of HIPAA.
Richard Leaver: Don’t think about that. And there are a lot of clinics out there that don’t get written consent necessarily, or don’t think about it, particularly smaller entities, but that is definitely an area, isn’t it?
Tiffany Warden: Yes, it is. You know, there are special considerations for marketing purposes. Every business in the whole world except healthcare is allowed to market using pretty much free use of patient testimonials and things like that.
But in healthcare, we have to paper that up. There has to be consent, it has to be in writing, and there has to be an acknowledgement that the patient understands what we are about to do, and in what format, and in what media format. That’s the big one too.
Richard Leaver: And then another thing, which I think is perhaps a little unfair, but you know, the reality is, let’s say we have an individual who is not employed by the entity, within a clinic or within a healthcare setting, who is, for instance, on video, and they are videoing the facility and they just happen to include patients.
Then the liability is on the entity that those individuals are within. Correct?
Tiffany Warden: That is correct. It certainly can be, and that’s part of the administrative side of things: having proper policies and protocols in place to ensure that patient privacy is the utmost concern every time a patient comes into our clinic.
So having a policy such as no video, no videos can be taken in the clinic. Phones have to be put away. Essentially those things have to be in place to protect the entity from outside interference in those areas. It’s a lot to think about.
Richard Leaver: It is. No wonder people say, oh, well, that’s breaching HIPAA, whatever it is. But anyway, I could go down the road and say, well, is a therapy dog bound by the same rules as HIPAA? But perhaps we don’t need to necessarily go down that road. We’d better hope they never develop the ability to tell us what they hear.
Or if there’s a parrot. A parrot that’s embedded within a clinic and then it starts saying patients’ names. I would assume we would be liable, but I don’t think that’s necessarily happened. So I think we’re safe.
Tiffany Warden: No, I don’t think so. But I would like to see a parrot cue a patient.
Richard Leaver: That would be great. Yeah. Great.
Save on tech hours. So I’m going to really test you now, Tiffany. There have been some major changes under the new HIPAA security rules for 2025. Yeah, just can’t wait. Any idea what they are and how they might impact?
Tiffany Warden: Yeah, so a large part of them has to do with the security side, right? And that’s taking those addressable standards and making them required.
Because, again, as tech develops down the line, we become more and more able to do so, and it’s not so cost prohibitive. And you know as well as I do, the minute something comes out on the market, most of us can’t afford it. But now that we are five, 10 years down the line from some major advances in how we communicate and exchange information, it is becoming within reach of most providers.
And so that’s part of how the government is pivoting and requesting this input from providers and from stakeholders to say, okay, given what we’ve known so far, given the development so far, what can we say now has to be done? And that’s kind of what they’ve done with these new proposed rules.
And so they’re looking at mandatory encryption. Again, MFA is a big one. Enhanced risk analysis, vulnerability scanning and penetration testing. If you want to geek out, this has been a dream of mine, that we would be able to do scanning and penetration testing on our system.
And now that it’s a little bit more available, we are going to be able to do that. And it’s just taking those types of things and putting them in as a requirement. It’s easier to obtain and easier to participate in and complete those tasks. But it’s still just one more thing that your policies and procedures have to account for.
I mean, every time you do something, you’ve got to have that policy and procedure in place that lets people know the how, the what, the why, and the when. And so they also want to strengthen penalties. Again, I told you these have been a little bit, and that first number I think you said was a hundred dollars to 150.
Well, now it’s $120 to about $160,000 as a starting point. But they’re looking at increasing the penalties, not for the run-of-the-mill accidents that happen, but for people that have repeated breaches, for people that are negligent in how they implement, or whether or not they even implement, a HIPAA program with their provider.
So they also want to look a little bit more at how we’re responding to security incidents. We have a policy called a SIRT policy, security incident response team, right? And this is: when stuff goes south, this is what we’re going to do and this is who’s going to do it. We don’t name people, we name job roles.
And that’s important because it gives the organization a roadmap on how to respond. If something does happen to the system or somebody does infiltrate their system, it gives the entire company a roadmap as to how to respond and how to mitigate whatever just happened.
So a lot of it has to do with the IT side of things, but there are also things on the access side. Again, we’ve noticed an uptick in the enforcement on patient access to their medical records, and this is also going to be something that’s going to be talked about in the updates, I believe, but it’s about reducing the amount of time.
You talk about increasing administrative burden. They’re looking at reducing the amount of time we have to respond to patient requests from 30 days to 15 days. And so what does that take? Resources. What do resources take? Capital. So it is an increased burden, but it’s funny that we’re seeing the IT side of it come down, and perhaps the physical side of it go up and the access side of it go up, because we’re going to have to put policies and measures in place in order to comply with all of these new timelines.
Richard Leaver: Never gets easier, does it? To be honest with you, I’m extremely impressed that you know what the major changes were for the HIPAA security rule of 2025, because I was absolutely clueless. So it’s a good job that I’m not the clinical compliance officer. So that’s all I can say. To finish off, really, perhaps this podcast has been a little bit up in the sky.
I won’t say theoretical, but let’s bring it to a very practical level for our listeners, clinic owners. What do they need to do? What do they need to be aware of? Where do they go for information and help, at a very high level?
Tiffany Warden: Well, you can always go to hhs.gov. They have a really well-built-out HIPAA reference section there, and there are a lot of FAQs, so if you go through that site,
you can type pretty much anything in the search bar, and they’ve got a frequently asked questions document about that, so I am on there quite a bit. You also need to pay attention to your listservs, right? You want to be on those listservs from HHS or OCR, and OIG, right?
We’re going to go back into our alphabet soup phase here and just say, put yourself on those listservs, because they will give you information about current and upcoming enforcement actions and areas of concentration, and it’s all based on previous audits. So what they’re doing is what everybody in healthcare does anyway, or should be doing anyway.
They’re looking at their operating deficits and they’re addressing the deficits through policies and procedures. And HIPAA is no different. HIPAA is no different at all. So I would say the first thing is, you need to have the information. So go to that hhs.gov website. Put yourself on those CMS, HHS, OCR, OIG listservs.
And make sure that information is being fed to you in a way that you’re aware of it when it happens. The other part is, go over your policies and procedures. You need to make sure that you’re reviewing them on a regular basis to match what is currently in effect.
I’ve seen HIPAA policies that haven’t been updated since 2015. That’s not a good thing. Your HIPAA policies need to be reviewed annually, and you can match those policies up with requirements on these listservs and on these websites that you can go to. There are multiple checklists out there that HHS provides for you to be able to have a HIPAA program that at least checks all of the larger boxes.
You’ll have to decide for yourself what you can do within those different categories. But there are some checklists out there that are free for entities that need them. And you can use that checklist to make sure that you have what it takes to have an appropriate policy for that time period.
And then the last part is train. You have to train your workforce and you have to monitor your workforce. One of the things I think that providers struggle with is identifying what somebody actually does. And you use that information, you use job descriptions, to establish access to systems.
A CEO will need this level of access, operational leaders will need this level, clinicians will need another level, and you need to have that in writing, and you need to associate those policies and accesses with their job roles, because again, you don’t want to give somebody wide-open access, but you don’t want to give them too little access either.
There are a lot of things that you can do to actually get on a really good track, if you’re not already on one, that are pretty simple, free, and just take some time.
Richard Leaver: Thank you, Tiffany. I really appreciate your time today. We’ve covered a lot of ground and it’s been enlightening, so I appreciate you.
Tiffany Warden: You’re welcome. I enjoyed it. Thank you for having me.
This podcast was brought to you by Alliance Physical Therapy Partners. Want more expertise and information? Visit our website at allianceptp.com and follow us on social media. You can find links below in the description. As always, thank you for listening.