[Transcript] Episode 501: What We’re Keeping an Eye on and What You Need to Know That Will Be Impactful to Your Practice in 2025
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to this first episode of the new year, Episode 501: What We’re Keeping an Eye on and What You Need to Know That Will Be Impactful to Your Practice in 2025.
Liath Dalton
Indeed, yes. Welcome to the new season, and the new year of Group Practice Tech. Today, we’re going to be talking about the stories and developments and regulatory and sort of practice landscape changes that are noteworthy and impactful and that we’re going to be staying on top of so that we can keep you informed about related action items, so that you can be prepared and proactive and in compliance with any required changes that you should be making, and wanted to sort of foreshadow a bit what’s forthcoming.
Liath Dalton
We’ll be giving you some highlights related to each topic or area that we’re keeping an eye on, and then we’ll be doing deeper dives devoted to each one in forthcoming episodes. So that’s the little spiel about what, what the episode is going to contain, and what the future, some of the future episodes for this season will contain, and how they relate to your practice.
Liath Dalton
So with all that said, let’s dive in, and I want to start by saying thank you for joining us and for continuing to utilize Person Centered Tech as a supportive resource for managing your practice. We know that it’s an intense time to be running a practice and navigating all of these changes, while still centering client care and hopefully also a healthy work life balance for you as practice leader. So we’re grateful to be able to continue to play a supportive role in that.
Liath Dalton
All right, one of the really big stories is actually that there has recently been a proposed change to the HIPAA Security Rule, which has not been changed since the Omnibus Rule in 2016, right? So it has been nine years, essentially, since there have been any changes to the Security Rule. Of course, in practice, how people meet the existing requirements of the Security Rule has really evolved in that timeframe.
Liath Dalton
But because the threat landscape has evolved so rapidly, and we’ve been seeing the really serious consequences of those threats being realized in practice, and those implications, some really specific updates are required. And so the proposed rule changes are available, we’ll be linking to those in the show notes. The good news is that for those of you that are using PCT’s customizable template, HIPAA Security Policies and Procedures and HIPAA Manuals, like 99% of those pieces are already explicitly addressed in those materials.
Liath Dalton
But in general, what previously was introduced in 2024 as recommended cyber security measures are being proposed to be changed from recommended to required to explicitly required, so no longer optional. And there are a couple other noteworthy aspects as well. Evan, do you want to speak directly to some of those?
Evan Dumas
Oh, yeah, some of the aspects are that, you know, we recommended people to do risk analyses every year, and now they’re saying do risk analyses every year, because it’s going to be like a requirement, which is lovely. Some other little bits added in here about having asset inventories, which is great. We already talked about the requirement for multifactor authentication being true everywhere, which is really good. There’s some changes in deadlines to things, like 72 hours, like written procedures of how to restore from outages. And like, know that you can, that type of thing. So, you know, we’ve always advocated for contingency plans, but they finally gave time frames on what they want to see from that which is really, really nice.
Liath Dalton
Exactly. And for, once, the, it is confirmed that the rules as proposed are going into effect, we will be updating the customizable template materials to include those specifications right? And for those of you that are already utilizing our customizable template materials, though, we will share those updates with you along with guidance on how to incorporate them into your existing materials in the most efficient and streamlined fashion, so it’s not too onerous of a process.
Liath Dalton
But it will require really minimal change for those of you who are already on the PCT Way path with your practice, and if you aren’t yet, a good action item, would be to start working your way through that process, as all of these things are going to become explicit requirements, and so there isn’t sort of an optional element to them, and it’s going to be really necessary to be adhering to them.
Liath Dalton
And I want to take a moment to again reiterate something that we often do, which is that these regulatory requirements are not arbitrary, right?
Evan Dumas
No.
Liath Dalton
They may feel that way to an extent, because they are in tech and security and legal-ese lingo, but they really do provide a supportive framework with the best specificity that we can get for managing the in practice risks.
Evan Dumas
Yeah.
Liath Dalton
And again, those in practice risks are things that materially impact the confidentiality and security and integrity of your clients’ information. So something that, aside from the HIPAA requirements that you are ethically required to be safeguarding as well.
Liath Dalton
And safeguarding client info in that way has important clinical implications too, because failure to safeguard it can lead to client harm, and that’s something we’ve been seeing more examples of with the different breaches that occurred in the last year in particular, can impact not just the therapeutic alliance, but actual clinical care outcomes in a pretty substantial way. So protecting your clients and their info is also then protecting your practice, and that’s something I know all of you listeners are really committed to.
Liath Dalton
So that brings us to one of our next stories that is noteworthy, which is that the OCR, the Office of Civil Rights, the HIPAA regulators, have just resumed their HIPAA compliance audit program. And, Evan, when was the last time they were actually doing audits?
Evan Dumas
Gosh, was that okay? It’s either it, was it 2017 or 2013?
Liath Dalton
2017, yep.
Evan Dumas
Oh my gosh, yeah.
Liath Dalton
So they have not been doing those random audits since 2017. Now, before you start worrying that the HIPAA regulators are going to come knocking on your door and your practice is likely to be selected for one of these audits, they are limiting the number of audits to 50. That’s five zero. So considering the number of HIPAA covered entities, and that HIPAA covered entities include both solo practitioners, you know, group practices, hospital organizations, clearinghouses, we feel it is fairly safe to assume that they are going to be focusing on the larger
Evan Dumas
Yeah.
Liath Dalton
HIPAA covered entities whose lack of security and compliance has the ability to be more significantly harmful to clients and patients. I think part of what precipitated this audit program resumption was really related to the Change Healthcare breach in 2024 and the massive fallout that that had across kind of all sectors of healthcare service provision, from pharmacies to hospitals and surgeons to solo practitioners.
Evan Dumas
Oh my gosh, so many.
Liath Dalton
But we do have one really relevant takeaway from what they’re focusing on in those audits, and it is oriented around the risk management and risk analysis standards of the Security Rule, and no doubt, also is going to, they’ve explicitly stated that thus far, but the cyber security provisions are also going to feature heavily, because part of the threats that have been most realized and most significantly harmful are related to hacking and unauthorized access of PHI.
Liath Dalton
So again, part of why they’re highlighting the importance of multifactor authentication and safeguards that are preventative of that sort of thing from being able to occur, as well as data backups that preserve the accessibility and integrity of PHI.
Evan Dumas
Mhm.
Liath Dalton
So what that translates to for you, listener, is just being sure that you’re on top of those standards, right?
Liath Dalton
There are some other stories that aren’t explicitly HIPAA related, Medicare related and telehealth related and AI related, that we’re going to get into in a minute, but I want to sort of finish up the HIPAA related stories and foreshadowing of what’s forthcoming and what’s impactful.
Liath Dalton
So two other big changes happened in 2024, one at the very end of 2024 related to changes to the Privacy Rule and additional provisions therein. And one of those relates to CFR 142, part 2e, which is quite a mouthful, and really what that is related to is substance use disorder treatment PHI, and that is kind of the most restrictive component of HIPAA in terms of what can be released and disclosed and how and what the requirements are around there.
Liath Dalton
Some of those provisions have actually been lessened to an extent in order to help manage kind of continuity of care and provision of care without undue burden, while still keeping the reasonable safeguards in place and the sort of compliance requirements with those provisions. One piece of it entails updating your HIPAA Notice of Privacy Practices to address those changes. Now, thankfully, in part, because the HHS has not released yet an updated model NPP and their model NPP is really the gold standard, and what we recommend practices utilize as the template for their NPP, the requirement for covered entities to provide updated NPPs is not until 2026. So why we’re bringing this up now is so that you have time to get prepared to be in compliance with it when that requirement is in effect.
Liath Dalton
And related to that, you also will need to be updating your NPP to address the safeguards for reproductive rights and for PHI releases related to any reproductive care or discussion of reproductive care. On the topic of reproductive rights, though, and that new legislation that has gone into effect, there is a requirement that anytime a request for PHI is made that may include PHI related to reproductive care or discussion of reproductive care, that an attestation is required to accompany that. So check out the show notes for a link to that model attestation. And that’s present and in effect now, but the NPP component of things is not until 2026.
Liath Dalton
So we’ll again be doing a dedicated episode to this. And we also have a training related to clinical documentation in a post-Roe world. So we’ll include the link to that on demand CE training for you as another optional resource. But do check out for sure the attestation and template to be utilizing.
Evan Dumas
Yeah.
Liath Dalton
Yeah. So those are the big HIPAA stories and changes and kind of action items that are related to them. Another big topic, and one that we’ve been getting a lot of questions about, is related to Medicare, because there were, thanks to COVID, one of the silver linings of the pandemic, all of these exceptions that were made initially on a temporary basis for telehealth provision. Evan, what are some of the best of those exceptions?
Evan Dumas
Yeah, that you didn’t need an in person visit to start like a relationship with a provider. You didn’t need to go to some facility, that you could do it from the comfort of your own home.
Liath Dalton
Exactly, and that they would cover virtual sessions for behavioral health care services when the client or patient was at their home. That the home now qualified as, what’s termed in their language, as an originating site, rather than having to go to a designated facility that had been certified as an originating site. So that change was huge, because it massively opened up access, and thankfully that exception is continuing, as is their coverage for audio only telehealth provision for behavioral health care services.
Liath Dalton
So being able to continue to deliver care to clients in their home from your practice location or your home office continues, as does audio only coverage. What is up in the air currently is the in person assessment. Where there is an exception for if it is too risky or places an undue burden, in the assessment, of both client, patient and provider. But the specifics of that feel kind of fuzzy, and folks are understandably wary of relying on that.
Liath Dalton
So initially, the waiver of the in person assessment requirement was set to expire at the end of 2024. That has now been extended until March 31, 2025. So, we have through Q1 for the three different pieces of proposed legislation that would make that permanent, to hopefully go through.
Evan Dumas
Hopefully.
Liath Dalton
And there’s a lot of speculation as well that it may be that if one of those three pieces of legislation don’t go through, and it isn’t extended on a permanent basis, that another kind of last minute extension may go through. But if your practice is a Medicare provider and works with Medicare covered clients, the fact that that provision, and exception may expire, needs to be on your radar, so that if that does happen, you are prepared to be able to manage that and do so in a way that doesn’t disrupt the provision of client care as well.
Liath Dalton
On the subject of telehealth, also want to share that I know those of you who are counselors or have licensed counselors as clinical providers in a group practice and provide telehealth have really been wondering about when the Counseling Compact is going to go into effect and when they will start actually granting practice privileges. Previously, that was estimated to occur by the end of 2024, now that is shifted to by the end of 2025. But the sort of good news is that, since we last gave a little update on this, the Counseling Project, who is responsible for implementing the infrastructure for it, did an actual demo of their minimum viable product for the system that’s going to manage all of this. So it is moving forward measurably and the, you know, application to obtain practice privileges should open within this year, but it is not yet in effect. The other development as well is that there are now 37 member states to the Counseling Compact, so it’s going to be pretty awesome when it does go into effect. And I imagine that even more states will join between now and the time that it does, in fact, go into effect.
Evan Dumas
Yeah, I hope so.
Liath Dalton
Yes.
Evan Dumas
Poor Marriage and Family therapy workers.
Liath Dalton
I know, it’s really brutal. The Social Work Compact, Licensure Compact is also progressing forward, though they have less specificity around ETA for when the applications and practice privilege granting will occur than the Counseling Compact, but we’re keeping an eye on that. And we will be updating our teletherapy practice rules by state tool to reflect the compact status for both the Counseling Compact, Social Work Compact and keeping the PSYPACT designations updated and current as well as all those are kind of continually shifting pieces.
Liath Dalton
And then we would be remiss if we didn’t talk about another area that we are keeping an eye on and that really has implications for all healthcare providers and practices. What might that be?
Evan Dumas
Oh, that’s still buzzword, AI.
Liath Dalton
Yes. So there are a lot of moves by different regulatory bodies, including even the FDA, to specify regulation around AI utilization in healthcare provision. There are many stakeholders, and this is a, you know, not only is AI utilization and availability proliferating everywhere, but the move to try to catch up to that proliferation on a regulatory basis, to provide the necessary legal and ethical provisions and safeguards, is occurring and emerging.
Liath Dalton
So as there is proposed specific regulation, and as that has specificity around what you can and cannot do, or should or should not do, as a healthcare practitioner, we’ll be informing you of those changes, and that news. In the meantime, following the legal, ethical recommendations that we and Eric Strom, the teletherapy and HIPAA attorney and American Mental Health Counseling Association Ethics Committee Member provided in our training on AI utilization is going to be kind of the basis. Because, to date, only one of the professional ethics codes, that the AMHCA updated their ethics codes explicitly, but we can draw on each of the ethics codes’ other standards to guide how AI can and cannot be utilized and how to do it in an ethical and appropriate way.
Evan Dumas
Yeah, we should.
Liath Dalton
So, we’re not, we’re not, we’re not alone like we aren’t without resources and guidance to draw on. It’s just that there will be more forthcoming, and what’s forthcoming will be even more explicit, but we need to be very intentional and diligent right now, and every moment going forward, in how it’s utilized.
Liath Dalton
So be aware of that, and also to that end, one of the projects that we are working on at PCT and will soon be releasing is a policy insert to go with our customizable Policy and Procedure materials and manuals that explicitly addresses AI utilization, adoption and correct usage. So, stay tuned for that as well.
Liath Dalton
So those are the main stories. There are definitely other stories and topics that we will be addressing throughout the season, but that’s the kind of initial lay of the land for the things that are going to be kind of most significantly impactful. Anything that you would add, Evan? Probably telling folks to take a break, a breath and not be overwhelmed.
Evan Dumas
Well, I mean, that’s all we know right now. Like these are the things that have been coming down the pike, and we’ve made aware of but that’s also to say that, you know, a lot of regulatory changes might be happening, and we’re going to keep you abreast of those too.
Evan Dumas
So just stay tuned and let us do the analysis and keep up with the news. So you know, if you see worrying articles on pop culture news sites, things like that, know, there’s always more to it, and we’re getting it right from the good sources. So come to us, and we’ll help either assuage fears or validate them.
Liath Dalton
And if we validate them, our goal is always to then provide the specific steps and resources to help you in taking those steps that will cover your bases and needs with whatever the scary thing is or significant thing is that requires taking some sort of action.
Evan Dumas
Yeah.
Liath Dalton
So with that, thank you for joining us. We hope that this year and season is a strong one for your practice, and look forward to being a part of that.
Evan Dumas
Yeah, always looking forward to help.
Liath Dalton
We’ll chat to you good folks next time.
Evan Dumas
Yeah, talk to everybody later.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we give an overview of the big stories, developments, and regulatory changes that will impact group practices in 2025.
We discuss:
- A proposed change to the HIPAA Security Rule, and how it will impact group practices
- OCR resuming their HIPAA Compliance Audit program
- Updates on telehealth provisions and exceptions for Medicare and important dates to know
- Updates on the Counseling Compact and the Social Work Licensure Compact
- Upcoming regulatory changes for AI use and our current recommendations
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources & further information
Resources:
- Proposed New Rule From HHS: HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information
- Resumption of OCR’s (the HIPAA Regulators) HIPAA Audit Program
- New Rule: HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet
- New Rule: Fact Sheet 42 CFR Part 2 Final Rule
- Telehealth Update: DEA/HHS Temporary Rule, Medicare Coverage of Telehealth Services, and What to Watch For in 2025
- Medicare Telehealth Flexibilities Get a Three-Month Lifeline
- JPM2025: Regulation of artificial intelligence: Navigating a new frontier in health care | JD Supra
PCT Resources:
- Relevant on-demand, legal-ethical CE training: Law & Ethics of Clinical Documentation for a post Roe world
  - Addresses the practical applications of the US Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, with particular focus on the impacts this decision has on client confidentiality and documentation of clinical services
- Relevant on-demand, legal-ethical CE training: The Evolving Legal-Ethical Standard of Care for the Clinical Use of Artificial Intelligence in Mental Health
  - Gain insights into the benefits and challenges of incorporating AI technologies into their practice, understand the clinical implications, and learn how to navigate legal and ethical guidelines while maintaining compliance with HIPAA regulations.
- PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  - For Group Practices
  - For Solo Practitioners
- PCT’s HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
- Group Practice Care Premium
  - weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  - + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  - + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more