Transcript

Episode 410: Upcoming HIPAA Security Rule Changes Transcript

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co host Evan Dumas. And

 

Liath Dalton 

I’m Liath Dalton and we are Person Centered Tech. This episode is brought to you by Therapy Notes. Therapy Notes is a robust online Practice Management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system. With all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello, and welcome to Episode 410: Upcoming HIPAA Security Rule Changes.

 

Liath Dalton 

This is a big deal, a really big deal, for multiple reasons. One being that the HIPAA Security Rule has been enacted for basically, multiple decades at this point. And during that time, it’s been a vital tool for covered entities and business associates to manage their safeguarding of client information and patient information in the health care sector. And it’s been lauded for being both flexible and scalable. And during the time that it has been enacted, there have been a lot of changes in terms of technological developments and advancements, and concurrently, a lot of developments in terms of the threat landscape

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

that we’re all operating within.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

So it doesn’t come as any surprise, really, if you think about it, that there are plans by Health and Human Services, by HHS, to make some specific updates to the HIPAA Security Rule.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

And those are, at this point, in terms of the timeframe going to be kind of started, the update is going to be begun this spring,

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

spring of 2024. So we don’t have a final proposed rule update yet. But we do know where the focus of these updates are going to be. And dun dun dun: What area is that? Evan?

 

Evan Dumas 

Yeah, it’s gonna be all on cybersecurity.

 

Liath Dalton 

And would you describe a little bit about why why are are focusing on it, based on kind of like the current news that may be top of mind

 

Evan Dumas 

Yeah,

 

Liath Dalton 

of many folks?

 

Evan Dumas 

bunch of reasons.

 

Evan Dumas 

reasons. So you know, HIPAA came out in ’05, and tech has changed quite a bit. And ransomware attacks have also become the, you know, kind of the, it’s a 278% increase for large breaches amongst those. And large breaches are also happening way more, almost twice as much. And it’s all due to cyber-incidents, as they call it. So this is becoming the the weak point in people’s security sort of landscape, or profile. And so they thought, Oh, time to try to get people to update their cybersecurity.

 

Liath Dalton 

Exactly. And, you know, having greater specificity and clarity about what it is that needs to be done to protect client info and what the required safeguards are, is to everybody’s benefit. But we know that, you know, HIPAA compliance in general, especially discussion of formal compliance can feel like a daunting undertaking

 

Evan Dumas 

Yeah.

 

Liath Dalton 

for a lot of practices. So what we want to talk about is, how to manage your compliance in a practical way.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

And, not to be redundant here, but in a practical way that is really manageable. We want you managing your compliance in a manageable manner. And so what that looks like in terms of being able to be really proactive ahead of these changes going into effect, and also paired with the resumption of the random audit program

 

Evan Dumas 

Oof.

 

Liath Dalton 

is to really manage formal compliance, but in a implemented way. And Evan, can you remind folks what the cornerstones of formal compliance are?

 

Evan Dumas 

Yeah, those would be the risk assessment and the risk mitigation plan that we bundled together, and the policies and procedures – having it all written down. So when it comes time to do what you need to do you know what it is, and everyone else can know too.

 

Liath Dalton 

Exactly. But we aren’t the only folks in this sort of security, risk management and compliance setting, talking about what needs to be done to prepare for these upcoming changes. And the main areas that there are consensus around, from us and a lot of healthcare attorneys as well, are addressing your known security gaps. And of course, your security gaps can only be known and known sufficiently, if you have done that security risk analysis or risk assessment. And then, Evan, the importance around documentation really being heavily emphasized here, as well, right?

 

Evan Dumas 

Oh,

 

Evan Dumas 

definitely. Yeah, it’s it’s, we’ve always been saying documentation or it wasn’t done. But they’re just wanting to really hammer that in, saying document everything you do for security improvements. It’ll also help you, should you be audited, but also just shows you’re doing the work.

 

Liath Dalton 

Exactly. And what we’re going to be talking about in our next episode, are the specifics of these cyber security strategy changes

 

Evan Dumas 

Yeah.

 

Liath Dalton 

 for the healthcare sector,

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

which are going to be what the focus of the Security Rule changes are on.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

To foreshadow

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

the really awesome aspect of things is that all of the basic requirements of of the changes are already included and fully addressed in the PCT Way system for managing compliance.

 

Evan Dumas 

Exactly.

 

Liath Dalton 

So if you’re already doing things the PCT way, then you are covered for for those pieces of things.

 

Liath Dalton 

mhmm

 

Liath Dalton 

If you’re not yet, you have that option. But then some of the optional and encouraged pieces are also addressed in our system. So we’re going to talk about the nitty gritty of what all that is in our next episode.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

But in the meantime, just want to kind of reassure folks that the processes for navigating these changes exist and are are accessible.

 

Evan Dumas 

Oh yeah.

 

Liath Dalton 

And that what’s really going to be most beneficial is to just try and address things in a proactive way. We never wanted to be fear mongering and

 

Evan Dumas 

No.

 

Liath Dalton 

here we ‘ve now done two episodes back to back one saying hey, they’re resuming the

 

Evan Dumas 

Hahaha.

 

Liath Dalton 

random audit program and they’re changing the rules and and paired with that they are also seeking to have stronger penalties and sort of enforcement and consequence powers

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

to leverage. But that’s all because this is such a you know, issue of significant importance and consequence. And so we all just need to do our part to manage the risks effectively. And so that’s what we’re here to be of support with. Yeah, in the next episode to talk about those cybersecurity goals.

 

Evan Dumas 

Yeah, see you next episode.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.

Your Hosts

 

 

PCT’s Director, Liath, and Senior Consultant, Evan. 

evan

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we give group practice owners a heads up about upcoming changes to the HIPAA Security Rule. 

We discuss what the focus of these rule changes will be; why the changes are happening; steps you can take to be proactive about HIPAA changes; and PCT’s practical tools to help you get on top of things in a manageable way.

Resources are available for all Group Practice Tech listeners below:

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

Resources & further information:

PCT Resources

  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
  • PCT’s Group Practice PCT Way HIPAA Compliance Manual & Materials — comprehensive customizable HIPAA Security Policies & Procedure and materials templates specifically for mental health group practices. with a detailed step-by-step project plan and guided instructions for adopting & implementing efficiently **includes policy prohibition on use of BCC and CC; workforce forwarding emails from their practice email account to personal email account; data entry checking/not using autofill suggestions for recipients — the P&P components that address the email gone awry situations we discussed in the podcast episode
  • Policies & Procedures include:
    • Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.
    • Computing Devices and Electronic Media Technical Security Policy
    • Bring Your Own Device (BYOD) Policy
    • Communications Security Policy
    • Information Systems Secure Use Policy
    • Risk Management Policy
    • Contingency Planning Policy
    • Device and Document Transport and Storage Policy
    • Device and Document Disposal Policy
    • Security Training and Awareness Policy
    • Passwords and Other Digital Authentication Policy
    • Software and Hardware Selection Policy
    • Security Incident Response and Breach Notification Policy
    • Security Onboarding and Exit Policy
    • Sanction Policy Policy
    • Release of Information Security Policy
    • Remote Access Policy
    • Data Backup Policy
    • Facility/Office Access and Physical Security Policy
    • Facility Network Security Policy
    • Computing Device Acceptable Use Policy
    • Business Associate Policy
    • Access Log Review Policy
    • Forms & Logs include:
    • Workforce Security Policies Agreement
    • Security Incident Report
    • PHI Access Determination
    • Password Policy Compliance
    • BYOD Registration & Termination
    • Data Backup & Confirmation
    • Access Log Review
    • Key & Access Code Issue and Loss
    • Third-Party Service Vendors
    • Building Security Plan
    • Security Schedule
    • Equipment Security Check
    • Computing System Access Granting & Revocation
    • Training Completion
    • Mini Risk Analysis
    • Security Incident Response
    • Security Reminder
    • Practice Equipment Catalog
    • + Workforce Security Manual & Leadership Security Manual — the role-based practical application oriented distillation of the formal Policies & Procedures
    • + 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer.

Group Practices

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.

Solo Practitioners

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.


v2.1.12-beta

Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss