[Transcript] Episode 422: FAQs on When and If Your Practice Needs Hands-on or Managed IT Services

 

Evan Dumas

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello, and welcome to Episode 422: Frequently Asked Questions on When and If Your Practice Needs Hands on or Managed IT services.

 

Liath Dalton 

Yes! This is a question that comes up so often, or a set of questions, rather, that come up quite often, particularly in a group practice context. And there’s a whole continuum. And typically what we have found is that for the kind of standard configuration group practice, that is cloud service reliant and not running any of their own servers, that managed IT services are not necessary.

 

Evan Dumas 

No.

 

Liath Dalton 

You may need and want depending on the size and scale of your practice to have some very limited IT support, related to network firewall setup and that sort of thing. But typically, a cloud reliant practice that is managing device security, the PCT way both for practice owned and personally owned devices, there is not need for hands on or managed IP services.

 

Liath Dalton 

Can you describe a little bit more Evan, as a IT professional yourself, what hands on IT services and managed IT services can look like and when they might be a good fit for a practice?

 

Evan Dumas 

Yeah, so it comes in lots of flavors. So depending on the size and scale of your operation, it may involve having someone on site whose whole job is just an IT role. And they take care of everything tech related and everything from your like systems to helping people with their devices to services, updates, things like that.

 

Evan Dumas 

Now, this would make sense if one, you have the size where that’s taken care of. So you already have a security officer, privacy officer, why not have an IT officer where people can go to? Also might make sense if you are required to have local hardware. So say from whatever sort of certifications or work you do, or population you work with, you do need either local backup systems, local servers, local hardware in some way like that, then you would need someone dedicated and smart enough to manage and run it and pretty much do all the things cloud services do for you, which they say in their BAA, which is nice, they take care of it. But you need someone to do that.

 

Evan Dumas 

Another flavor of this is you don’t have someone on site, but you have an IT company that you partner with. And so maybe they manage this stuff remotely. Maybe they come in once in a while to fix things. And when I say remote, I mean hopefully within your same state or zip code so that they can come in if things are needed.

 

Evan Dumas 

We definitely advocate for more local IT services, which is why it’s so hard to give recommendations because it all depends on where you are and what your needs are. But in this way, having someone who does, you know, hands on but you know, sometimes remote hands on, that type of IT support would make sense.

 

Liath Dalton 

Exactly. And that’s definitely going to be something that is more likely if you have a larger team. And if  the sort of complexity of the systems that you have in place. And that paired with not having a team member who is tech comfortable, tech proficient, and can be that kind of internal troubleshooting team member that your folks can go to if they need a little assistance.

 

Liath Dalton 

So as Evan already alluded, we don’t have a specific recommendation for like a national IT firm that can or should work with any mental health practice that is needing some degree or wanting some degree of managed IT services or hands on IT support. And because we work with practices all across the country, we also don’t have a particular like database at this point, of good, HIPAA supportive and understanding IT services. In part because really out of all of the practices that we work with, only a small handful have actual need for this.

 

Liath Dalton 

But this is a question that still still comes up is how do I find an IT service that is going to understand the HIPAA needs, and what are those HIPAA needs?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So, first and foremost, it is important and required to have a HIPAA Business Associate Agreement with an IT service provider that is accessing any of the devices or systems that, or the network that is handling Protected Health Information for the practice. And basically, it’s impossible to have any sort of IT service provider that is going to be working in a practice context who would not have that sort of access, at some point, through the course of performing whatever functions they are for your practice, right.

 

Liath Dalton 

So getting a HIPAA Business Associate Agreement in place is necessary, and particularly imperative if they are going to be remote accessing anything. And if they are going to be taking any of your devices to their physical location, because then they are not just accessing Protected Health Information, potentially, but they are storing it for you. And anytime a provider is storing it, even if they didn’t have the encryption key that that opens the device, which would make it hard for them to work on it, they still would need to have a BAA in place in that instance.

 

Liath Dalton 

So you want a BAA, but you want a company that actually understands

 

Evan Dumas 

Not performative.

 

Liath Dalton 

what that entails. And so Evan, what’s usually a good indicator of that when

 

Evan Dumas 

Yeah.

 

Liath Dalton 

in this sort of context?

 

Evan Dumas 

Yeah, well, a good indicator is that you’ve heard of them from word of mouth from another group practice. So that they have on their roster or history that they have worked with other people in your same field. You know, ideally, this is other mental health group practices, etc. But it could be that they’ve worked in the medical field, that they know, HIPAA from their like their niche and people they’ve worked with. Getting a sense that they know the language, that you’ve got recommendations that you can see, this isn’t their first rodeo.

 

Liath Dalton 

Exactly. And ideally, that they also have a Business Associate Agreement themselves that they will provide to you as a customer, rather than you’re having to provide a template BAA to them. Because, you know, they’re taking on big responsibilities and liabilities by executing a BAA, so typically, that’s something that they are going to want to have have their own, you know, legal representation review and know internally that they are materially prepared and able to be following the the contents of it, right? Because otherwise that’s pretty high risk exposure.

 

Liath Dalton 

If you’re working, if you have really kind of small scale needs and are just working with an individual, rather than an entire company and firm, the presence of that may be less likely, but it doesn’t, and it’s not necessarily a deal breaker if they don’t have a template one, but you really want to be having a conversation and going through that due diligence process to ensure that they do, in fact, understand and are able to abide by the requirements and contents of the responsibilities that they’re taking on through the BAA and through having that access.

 

Liath Dalton 

So BAA, imperative. And then in terms of being able to identify a good source, instead of just cold calling, or Googling, as Evan already said, is to connect with fellow group practice owners and leaders in your area, in your geographical area.

 

Liath Dalton 

I know more and more, kind of states and metropolitan centers as well are creating group practice owners associations, and groups. Some like very formal with even membership dues, and putting on job fairs together, and that sort of thing. But there also seem to be, you know, quite a few that are a little less less formalized than that, but connect with your, your colleagues, and try and source it that way.

 

Liath Dalton 

Another option, if the first path that doesn’t yield good results, or a good fit, would be to connect with the local chapter of your professional association. Their Professional Affairs Division will often have kind of curated resources for relevant support services, to to mental health practice and for your profession type. So that is also a good option. And third, would be to check with your HIPAA attorney.

 

Evan Dumas 

Ha, yeah.

 

Liath Dalton 

Because it’s actually not uncommon, that a HIPAA attorney or health care attorney will be aware of the IT service providers that are working for their clients. So that can be another good avenue to explore, as well. So those are the three main ways to identify a IT provider that is more likely to be HIPAA friendly and able to support you in those needs and check those boxes.

 

Liath Dalton 

So that’s really, what it what it comes down to, is, in a nutshell, most practices don’t have need for managed IT services. And this is something that, you know, if when you are exploring if this is something that you think, Oh, I have a potential need for for that, or it could just be a stress reliever. And so I want to do a cost benefit analysis. What we have seen in a lot of the contracts, like the proposed service level agreement and contracts from IT services to some of the group practices we work with who do have need for them, is that they tend to really pad a lot of services and components that aren’t actually applicable,

 

Evan Dumas 

No.

 

Liath Dalton 

or necessary, and therefore that can make the cost far more than than what it needs to be. So I do recommend really scrutinizing, is this needed or not? One example where costs can can creep is if they’re saying, sure we’ll do device management, you know, we’ll make sure we’ll provide a antivirus, antimalware software set, we’ll make sure it’s updated on everyone’s devices and administer that and charge

 

Evan Dumas 

A ton!

 

Liath Dalton 

a lot of money for that component of things and that it does not need to be handled by a managed IT service. In part because in order to have a antivirus and antimalware that meets the technical security measure requirements to be meeting the HIPAA standards, those are freely available.

 

Liath Dalton 

By freely available, I mean,

 

Evan Dumas 

Free.

 

Liath Dalton 

free. And, and so it isn’t necessary to actually even be paying for those, so to be paying for antivirus and antimalware, on top of paying someone to administer it for you is something that there are very few instances I can think of where I would see that as potentially merited.

 

Liath Dalton 

Yeah. So that’s just something that last little PSA that I wanted to include as well is, you know, sometimes the firm will see, oh, they’re looking for HIPAA compliance, and the standards are all really significant, and but the majority of them are not applicable, particularly if you’re not running your own server. So don’t want to be paying for things that are actually only relevant and necessary if you’re running your own servers.

 

Liath Dalton 

Hopefully, that’s helpful. And as always, in terms of the device security components of things, PCT has you covered through through our system there for both practice owned and personally owned devices in a way that is accessible and economical. So before going the full managed IT service route, because you have device security on your to do list, connect with us around how we can provide resources and support for that piece of things.

 

Evan Dumas 

We’re a lot cheaper.

 

Liath Dalton 

This is true. Yes. All right, any any last parting it pearls of wisdom, Evan?

 

Evan Dumas 

Yeah, I think we hit the good points of you may or may not need it. And also, if you get some sticker shock, consult. Talk around, see if things are needed, get second opinions. Because they may just be trying to say, look how fancy we are with our high costs. That may not be what you need, and don’t let them use technical language to make you feel inferior. That’s, that’s bad. That is unprofessional.

 

Evan Dumas 

And you want you know, tech people like us to be a bridge between what they’re doing and what you’re doing. So that’s always sort of a red flag to me, when you get sold something that they aren’t going to describe why you need it or what it is. So that always just raises my hackles a bit.

 

Liath Dalton 

Mm hmm. Very, very good point. And that also is is something that we have done has been to be the sort of intermediary between an IT service and the practice in terms of helping to translate some of the HIPAA terminology and like the outcome needs. Like what needs to be solved for, convey that to that the IT service. And then translate some of the more technical jargon back down into the and you practice owner, this is how this is actually supportive of meeting your practice needs. Its real world benefit, not just the all the technical jargon.

 

Liath Dalton 

All right, good, folks. We will talk to you next time. In the meantime, take good care and thanks for joining us.

 

Evan Dumas 

Yeah, talk to you next week, everybody.

 

Liath Dalton 

This has been Group Practice Tech, you can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.