Transcript
Episode 410: Upcoming HIPAA Security Rule Changes Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host Evan Dumas. And
Liath Dalton
I’m Liath Dalton and we are Person Centered Tech. This episode is brought to you by Therapy Notes. Therapy Notes is a robust online Practice Management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system, with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello, and welcome to Episode 410: Upcoming HIPAA Security Rule Changes.
Liath Dalton
This is a big deal, a really big deal, for multiple reasons. One being that the HIPAA Security Rule has been enacted for basically, multiple decades at this point. And during that time, it’s been a vital tool for covered entities and business associates to manage their safeguarding of client information and patient information in the health care sector. And it’s been lauded for being both flexible and scalable. And during the time that it has been enacted, there have been a lot of changes in terms of technological developments and advancements, and concurrently, a lot of developments in terms of the threat landscape
Evan Dumas
Mhmm.
Liath Dalton
that we’re all operating within.
Evan Dumas
Mhmm.
Liath Dalton
So it doesn’t come as any surprise, really, if you think about it, that there are plans by Health and Human Services, by HHS, to make some specific updates to the HIPAA Security Rule.
Evan Dumas
Mhmm.
Liath Dalton
And those are, at this point, in terms of the timeframe going to be kind of started, the update is going to be begun this spring,
Evan Dumas
Mhmm.
Liath Dalton
spring of 2024. So we don’t have a final proposed rule update yet. But we do know where the focus of these updates are going to be. And dun dun dun: What area is that? Evan?
Evan Dumas
Yeah, it’s gonna be all on cybersecurity.
Liath Dalton
And would you describe a little bit about why they are focusing on it, based on kind of like the current news that may be top of mind
Evan Dumas
Yeah,
Liath Dalton
of many folks?
Evan Dumas
A bunch of reasons. So you know, HIPAA came out in ’05, and tech has changed quite a bit. And ransomware attacks have also become, you know, kind of the, it’s a 278% increase for large breaches amongst those. And large breaches are also happening way more, almost twice as much. And it’s all due to cyber-incidents, as they call it. So this is becoming the weak point in people’s security sort of landscape, or profile. And so they thought, Oh, time to try to get people to update their cybersecurity.
Liath Dalton
Exactly. And, you know, having greater specificity and clarity about what it is that needs to be done to protect client info and what the required safeguards are, is to everybody’s benefit. But we know that, you know, HIPAA compliance in general, especially discussion of formal compliance can feel like a daunting undertaking
Evan Dumas
Yeah.
Liath Dalton
for a lot of practices. So what we want to talk about is, how to manage your compliance in a practical way.
Evan Dumas
Mhmm.
Liath Dalton
And, not to be redundant here, but in a practical way that is really manageable. We want you managing your compliance in a manageable manner. And so what that looks like in terms of being able to be really proactive ahead of these changes going into effect, and also paired with the resumption of the random audit program
Evan Dumas
Oof.
Liath Dalton
is to really manage formal compliance, but in an implemented way. And Evan, can you remind folks what the cornerstones of formal compliance are?
Evan Dumas
Yeah, those would be the risk assessment and the risk mitigation plan that we bundled together, and the policies and procedures – having it all written down. So when it comes time to do what you need to do you know what it is, and everyone else can know too.
Liath Dalton
Exactly. But we aren’t the only folks in this sort of security, risk management and compliance setting, talking about what needs to be done to prepare for these upcoming changes. And the main areas that there is consensus around, from us and a lot of healthcare attorneys as well, are addressing your known security gaps. And of course, your security gaps can only be known, and known sufficiently, if you have done that security risk analysis or risk assessment. And then, Evan, the importance around documentation really being heavily emphasized here, as well, right?
Evan Dumas
Oh, definitely. Yeah, it’s, we’ve always been saying documentation or it wasn’t done. But they’re just wanting to really hammer that in, saying document everything you do for security improvements. It’ll also help you, should you be audited, but also just shows you’re doing the work.
Liath Dalton
Exactly. And what we’re going to be talking about in our next episode, are the specifics of these cyber security strategy changes
Evan Dumas
Yeah.
Liath Dalton
for the healthcare sector,
Evan Dumas
Mhmm.
Liath Dalton
which are going to be what the focus of the Security Rule changes are on.
Evan Dumas
Mhmm.
Liath Dalton
To foreshadow
Evan Dumas
Mhmm.
Liath Dalton
the really awesome aspect of things is that all of the basic requirements of the changes are already included and fully addressed in the PCT Way system for managing compliance.
Evan Dumas
Exactly.
Liath Dalton
So if you’re already doing things the PCT way, then you are covered for those pieces of things.
Liath Dalton
Mhmm.
Liath Dalton
If you’re not yet, you have that option. But then some of the optional and encouraged pieces are also addressed in our system. So we’re going to talk about the nitty gritty of what all that is in our next episode.
Evan Dumas
Mhmm.
Liath Dalton
But in the meantime, just want to kind of reassure folks that the processes for navigating these changes exist and are accessible.
Evan Dumas
Oh yeah.
Liath Dalton
And that what’s really going to be most beneficial is to just try and address things in a proactive way. We never wanted to be fear-mongering and
Evan Dumas
No.
Liath Dalton
here we’ve now done two episodes back to back, one saying hey, they’re resuming the
Evan Dumas
Hahaha.
Liath Dalton
random audit program and they’re changing the rules, and paired with that they are also seeking to have stronger penalties and sort of enforcement and consequence powers
Evan Dumas
Mhmm.
Liath Dalton
to leverage. But that’s all because this is such a, you know, issue of significant importance and consequence. And so we all just need to do our part to manage the risks effectively. And so that’s what we’re here to be of support with. Yeah, in the next episode we’ll talk about those cybersecurity goals.
Evan Dumas
Yeah, see you next episode.
Liath Dalton
This has been Group Practice Tech. You can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts
PCT’s Director, Liath, and Senior Consultant, Evan.
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we give group practice owners a heads up about upcoming changes to the HIPAA Security Rule.
We discuss what the focus of these rule changes will be; why the changes are happening; steps you can take to be proactive about HIPAA changes; and PCT’s practical tools to help you get on top of things in a manageable way.
Resources are available for all Group Practice Tech listeners below:
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources & further information:
- Vital Signs: Digital Health Law Update | Winter 2024 | JD Supra
- 2024 Update: Regulators Use “Carrots and Sticks” to Incentivize Healthcare Sector Cybersecurity Compliance
- 3 ways to prepare for impending HIPAA Security Rule updates
- HHS Unveils Healthcare Cybersecurity Strategy
PCT Resources
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- PCT’s Group Practice PCT Way HIPAA Compliance Manual & Materials — comprehensive customizable HIPAA Security Policies & Procedure and materials templates specifically for mental health group practices, with a detailed step-by-step project plan and guided instructions for adopting & implementing efficiently. Includes policy prohibition on use of BCC and CC; workforce forwarding emails from their practice email account to personal email account; data entry checking/not using autofill suggestions for recipients — the P&P components that address the email gone awry situations we discussed in the podcast episode.
- Policies & Procedures include:
- Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.
- Computing Devices and Electronic Media Technical Security Policy
- Bring Your Own Device (BYOD) Policy
- Communications Security Policy
- Information Systems Secure Use Policy
- Risk Management Policy
- Contingency Planning Policy
- Device and Document Transport and Storage Policy
- Device and Document Disposal Policy
- Security Training and Awareness Policy
- Passwords and Other Digital Authentication Policy
- Software and Hardware Selection Policy
- Security Incident Response and Breach Notification Policy
- Security Onboarding and Exit Policy
- Sanction Policy
- Release of Information Security Policy
- Remote Access Policy
- Data Backup Policy
- Facility/Office Access and Physical Security Policy
- Facility Network Security Policy
- Computing Device Acceptable Use Policy
- Business Associate Policy
- Access Log Review Policy
- Forms & Logs include:
- Workforce Security Policies Agreement
- Security Incident Report
- PHI Access Determination
- Password Policy Compliance
- BYOD Registration & Termination
- Data Backup & Confirmation
- Access Log Review
- Key & Access Code Issue and Loss
- Third-Party Service Vendors
- Building Security Plan
- Security Schedule
- Equipment Security Check
- Computing System Access Granting & Revocation
- Training Completion
- Mini Risk Analysis
- Security Incident Response
- Security Reminder
- Practice Equipment Catalog
- + Workforce Security Manual & Leadership Security Manual — the role-based practical application oriented distillation of the formal Policies & Procedures
- + 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer).