Episode 135 | COVID HIPAA Considerations with Person Centered Tech

Maureen Werrbach

Hey, everyone, welcome back. I’m excited to have Person Centered Tech, Roy and Liath with me again. I think you guys have been on a couple of times now. Right? Yeah, I feel like you’re in my sphere a lot. It’s such an important topic to talk about, HIPAA. And maybe not always so glamorous, but I think it’s scary for most people. But you know, with COVID, the awareness of­–or not even the awareness of because I feel like most group practice owners are pretty aware of HIPAA, and security. But they’re almost putting it a little bit more front and center where it used to be this thing, I’ll get to it, once all these more fun projects and things get done. And now that we’ve been kind of functioning for almost a year, strictly through technology, people are starting to pay a little bit more attention to the policies and procedures that they have, specifically around HIPAA and security and having their staff at home and the devices that they’re using. So we figured it’d be a great time to have you back on.

Roy Huggins 

Yeah, sounds great. Thank you.

Liath Dalton 

Yeah.

Maureen Werrbach

So tell me what’s been going on in your sphere? These past six months or so what have you seen anything different going on with group owners? Have you noticed conversations shifting with the practice owners that you’re working with?

Roy Huggins 

Yeah, I mean, I feel like Liath can speak to that really well.

Liath Dalton 

Well, you know, it’s interesting, because at the beginning of COVID, everyone was transitioning in this emergent kind of crisis situation to how do we provide care? How do we just get the functionality in place to be able to continue to serve our clients and keep operating? Then we kind of moved into, okay, we got the bare minimum in place. How do we actually optimize this to be able to sustain our practice and thrive while working in this context, long term? Now, we’re in a phase where folks are really looking at the foundation in terms of their security picture and training and how they resource and support their team. Because there’s this sense now of we’re providing all of our client care and all our practice operations through tech. And so what are the vulnerabilities that that brings up? And how do we manage that appropriately in a risk management sense? So that’s been something that’s kind of newly at the top of a lot of group practice owners focus.

Roy Huggins 

Especially because everyone’s at home. Yeah, all staff are at home. They’re like, I tried to set up my office to like, do this stuff well, and now I’m like, I have no choice. What can I do? So a lot of people throw up their hands because it starts with just not even knowing what the boundaries of what sufficient work is when people are at home. So how do you know how to like, set it up correctly?

Maureen Werrbach

I was gonna say, what are you guys noticing are the vulnerabilities that are popping up or the spaces where practice owners are making risk or they don’t realize it?

Roy Huggins 

Yeah, well, I think it’s actually really good to talk about what the actual risks are when it comes to HIPAA? And make sure you differentiate that a little bit from actual risks in terms of like client relationships, or things like that. But they can actually dovetail more than we might realize because like HIPAA is a regulation, right? And so regulations mean that there’s, you know, regulatory bodies, yada, yada. So, you know, one thing I think, makes our job harder sometimes is the, you know, you know, various people out there who will sort of send out these very scary emails that are like, if you don’t listen to me, and what I’d have to tell you, the HIPAA police are gonna come and take your firstborn child or whatever it is they’re trying to claim.

And like, the thing is, like, random audits, almost I they literally only happened twice, or like two periods of like under HIPAA, like they actually big make big announcements when they’re like, we’re going to do some random audits now.

Yeah. And like, you get a, like, you get this email asking you for information before, you know, just to see if you go into the pool to be audited. So like, it’s not, I don’t know where it’s not. And it’s like, it’s also extremely unlikely for smaller practices. Like, if you got to practice like 40-50 people, it’s possible that they like that if you’re randomly selected to be surveyed, and they see that, maybe then they’ll decide to audit you. But even then, you’re still kind of low on the totem pole.

Maureen Werrbach

So there’s two steps to it. Just being asked to be surveyed doesn’t necessarily mean that you’re actually going to be audited.

Roy Huggins 

Exactly. That’s right. And we’re not in one of those periods. So you won’t even have it right now. Like it happened in 2012. It happened in 2016. They have not announced any intended changes or intended upcoming audit periods.

Maureen Werrbach

Seems like it should be happening. Based off years.

Roy Huggins 

Yeah, well, I write. It’s like a four year cycle. No, but I don’t know. That’s why they did it. I think it’s just more like when they have the resources are okay. But the audits happen really in response to things. So there’s two ways that happens. One, the most common by far is that a client files a HIPAA complaint, which is very easy to do. And those complaints are usually over really minor slip ups. Like in our experience, I don’t, I’m going to let Liath speak to this because Liath has a better grasp on all the things we’ve seen because she tends to work directly with groups. So like, Liath, what would you want to say like, because we also don’t want to like talk about who got this or like, you know, that kind of failing? Like, what would you say about, you know, slip ups that have resulted in client complaints.

Liath Dalton 

The most common cause of those has been email going awry. Typically, BCC not actually being used when it was thought to have been used and one client getting emailed with another client’s information. Right. And in some cases, it’s not even been the client who received someone else’s info who had complained. Right. Yeah.

Roy Huggins 

Yeah. And that’s kind of interesting about it’s not the person who’s impacted who complains a lot of the time. But yeah, and that’s, that’s always kind of interesting, because it is very easy to file a HIPAA complaint. And if your complaint is a legitimate HIPAA issue or non-compliance issue, they will follow up, they will always follow up. But the thing is, like, how all of our, our group practice clients who has such a thing occur, like how many of them got audited as a follow up? One, zero? That’s right. Wow. Yeah. What they got is a letter that says, we got the complaint, we see you, we saw what happened. Don’t let it happen again, essentially, it’s like, it’s like, here’s the resources for getting compliant. Right? And says, like, you know, if this happens again, or we get a complaint again, we’re more likely to actually on it. That totally matches what they’ve said, and all their educational settings and everything with us asking, Hey, what’s gonna trigger an audit? And like, well, if it looks like there’s a systemic issue while on it, or you’re really big, well on it, right? So like, like, because there’s like, you know, the potential to harm a lot of people. Right? They’ll do that.

So I don’t want to say this and make everyone go, oh, HIPAA doesn’t matter.

I want to say this, because the thing is getting the letter is still kind of scary. And you don’t want to be there! Because it really is the case that if you got a complaint again, you’re probably going to get audited. And they’re going to see you as a practice with systemic issues, which is when they really get ornery. It’s like, you seem to have systemic issues, we’re going to do something about that. And you don’t want to be there. Right.

The other place you get audited is if you have a security breach. You go to the process of investigating the security breach, and then you have to notify the feds, the HIPAA people, as part of the breach as part of what you supposed to do you notify all the impacted clients, and the feds. And at that point that may trigger a response, some kind of audit, once again, depending on the nature of your breach. It may be just like, the complaint where they just send a letter and say, hey, we saw this, make sure you get compliant happens again, one more like an attitude.

Now, this, the reason to talk about this way is because we really want to make sure people are actually aiming at what’s really important for HIPAA, not just at checklists.

I mean, not that there aren’t checklists, you know, it can be very helpful. But like, but we don’t want people to aim at the idea of avoiding a random audit. I’m like, you’re not gonna have that happen. But the thing that people often most often complain about, is situations where they feel that their privacy or someone else’s privacy is not being well taken care of. Or, and here’s the other big one is where you’re not releasing records as quickly and friendly, as the client wants.

Maureen Werrbach

And that’s actually asked a lot in my facebook group, clinicians are very resistant to handing out notes.

Roy Huggins 

We, and we, there’s new new rules come in in April that we really need to rethink that. And we’ve been needing to rethink that for years. I teach my ethics students to write their notes as if the client is going to read them and not just because like they can get unreleased or something, but because that’s the direction of healthcare documentation in America.

Maureen Werrbach

Wait, can you just sidestep for a second? What is happening in April?

Roy Huggins 

What do you want to know about that, now that I mentioned it? Sorry I mentioned something and then was like ‘well let’s talk about something else now!’ Okay, so you may have heard of it, it’s the open notes rule, that maybe what you’re hearing, that’s the name we give to it, because it ends up creating that situation. The the actual rule name is called information blocking.

And I want to make sure everyone hears this is not a HIPAA rule. This is not a HIPAA rule.

Although it is from Health and Human Services, it’s a different agency. Right? It’s the agency that that covers electronic health records, or electronic health records actually refers something very specific. Like 99% of us do not use electronic health records. We use something called just electronic medical records or practice management systems, they are not certified EHR systems. We use the term EHR for convenience, which is fine, really, you know, I’m pretty pedantic about terms. But in this case, I’m like, whatever, that doesn’t make a difference. But right now, it is making a big difference, because that that determines whether your system has to follow this new rule or not. Right.

So like, for example, you know, TherapyNotes advertises with The Exchange, TherapyNotes is not a certified EHR.

And TherapyNotes does not have the capability to do what we call the open notes rule does, right. So like, because it doesn’t have the capability, if you’re using , TherapyNotes, when that time comes, when the time comes. There’s not really any changes you need to make to your systems. But the thing is, you do need to be aware that there are changes to expectations in a general sense, especially if, TherapyNotes changes how they do client portals. Like one of our people , TherapyNotes about this. And the response was, we don’t currently have that capability. When the capability being that like, as soon as you write your note, it gets pushed to the client portal.

Meaning the whole progress note as well.

Like not just like the fact I saw you and maybe here was my diagnosis like you often see and after visit summaries your doctor. Yeah, like psychotherapy notes don’t have to be pushed this way. But there’s a lot of caveats about the idea of psychotherapy notes. That’s a whole thing.

I want everyone to be real careful if you start latching on to that phrase, because, yes, it’s named in a way it’s very misleading. Right. But that’s kind of a different topic. Sorry. So basically it’s like, you write your note and like the idea is it pushes to the client portal like, and this is the big difference. We’ve been working a lot with Eric Strong, he’s a mental health attorney and a counselor in Washington, a good friend of ours. He keeps insisting he’s like, guys, this is no different from the rights people have always had. We have to adjust to this. This is just more of us needing to adjust to it.

And like he keeps insisting and nothing’s changing. And I’m like, you’re right, that client rights aren’t changing.

But there’s a difference between client having to pull the records from us, and us having to push the record to the client. And the new rule says you have to push the record to the client, if you have the technical capability to do so.

Maureen Werrbach

So meaning if TherapyNotes, Simple Practice or whatever other–now, I don’t want to call it an EHR, but whatever other practice management system allows for pushing out progress note after it’s been done to a client portal, so the client can see it, then we have to allow that.

Roy Huggins 

Yes, you will have to actively use it. Yes. If it’s an option. So like, for example, when our when our customer, our clients, you know, group practice owners, ask TherapyNotes about this, they’re like, no, we don’t have a plan to do that. Because they don’t have to. certified EHR systems have to give you this by April. They have to make it possible. And health care providers must use it.

Maureen Werrbach

Are there any certified EHR? Is that a group practice that might is kind of common that a group practice owner uses? No, Office Ally?

Roy Huggins 

Office Ally is the big one.

Maureen Werrbach

Yeah, just me. Yeah, that one. So if you’re using that, you are

Roy Huggins 

going to have to do this?

Maureen Werrbach

Yes, I know. That.

Roy Huggins 

Yeah. Well, they should consider whether they want to go start studying up on opennotes. Go to opennotes.org. There’s a site for it. There’s a group that’s been pushing opennotes as a norm for like 10 years, lots of great resources, including some trainings from LCSW’s, got some great trainings about opennotes and mental health. You can do that. Or you can switch and to something that doesn’t give you the capability to do this. And that was actually been the big if you excuse my plugging our office hours service. In the group office hours, it’s gonna be a hot topic of discussion. And we bring in Eric, our attorney friend, and we talk about it and like, it’s the big, big thing is this whole issue of like, those who are using a certified EHR, it’s like, do we do we turn the boat around? You know, because it’s a practice, you know, like, 10s of people working for you. We’re like, well, either we go into April, having to immediately push out progress notes about domestic abuse, children, divorce, CPS cases, just having to push it right to the client. Because Eric actually made a strong point that like, you don’t have to push a note if you believe it will harm the client. Right. Right. But even that strong point, he’s like, you think most of the time when we think something will harm a client that doesn’t meet the standard.

Liath Dalton 

Yeah. Right. Because the documentation for it has to be rigorous. The client has a right to see it and has the right to have another qualified provider review it to see and all those supporting materials to see if they agree with the determination by their therapist. So it’s a lot higher bar than I think we like to think of it when we’re trying to hold on to those knobs.

Roy Huggins 

Yeah, we think of that a little too conveniently. Yeah. Right. Not that it’s not there. But like, so that kind of thing happens. A big topic that came up, we just had this session with Eric, and Eric for those who aren’t familiar is an attorney and a counselor and very steeped in HIPAA and telehealth. And like the big discussion was like, he was really trying to say to people, y’all need to adjust opennotes. Like, that’s where we’re going. He’s like, y’all had need to adjust to this. And there’s a lot of that discussion, like we were sort of advocating for the but you know, how are we going to manage pushing progress notes about CPS cases, domestic violence cases, all these kind of things, how we’re gonna manage pushing those by April, in a way that doesn’t cause a bunch of harm all over the place? How are we retraining? How are we figuring that out? And it’s not just that we have to do it by April, it’s that we have to do it in a way. We have to do it without knowing what the regulator’s actually want.

Maureen Werrbach

Yeah. And because no one knows. Yes, yes. All the old stuff is gonna be visible.

Roy Huggins 

Yes. The idea is, is if you do not engage and making the stuff immediately available, then you’re committing information blocking.

Maureen Werrbach

Okay, so does that mean from April on any notes? It’s all of them? Okay.

Roy Huggins 

Yeah, because it’s an issue of how people act because they always had that right to access now. It’s just you have to make the the method of access be immediate and right in front of them without needing to request. If you have the capability. And so that’s why with the I think a big collusion I had last Friday, definitely those practices where there’s a high sensitivity really, if you’re using a certified EHR, you probably want to consider switching to something that’s a practice management systems not certified. So you have time and so we can watch what happens after April. And see how the regulators actually do this and what they actually expect. Because the rule is not the same as execution.

Liath Dalton 

Yeah, right. It should be noted that we give that recommendation with a lot of love and consideration, because typically, you know, switching practice management systems is a hugely onerous and time consuming, undertaking, so not one that we advise to be taken lightly, ever. So the facts that we’re seeing in this situation, we think when you do a cost benefit analysis, that that is going to be prudent for certain practices to invest the time and effort to make that switch.

Maureen Werrbach

Yeah. Okay, thank you for that. Went way more than three minutes. But I feel like it’s such an important topic. Right. So I think Pete, whoever’s listening to this, either a) didn’t even realize that this was a thing or b) realized it similar to me, and then it kind of went on the wayside for a little bit. And I haven’t heard a lot about it, I think, because the idea was most of the practice management systems that most of us are using, don’t, you know, can’t do it. So then it was like, okay, don’t need to think anymore. So thank you for sharing some of the that your thoughts on it. And also, you know, going digging a little deeper than what maybe most of us may be really even knew about it.

So back to what COVID has done, right? Before group practices, and maybe because we’re I know, we don’t have that much time left. But what are some of the things that I know you mentioned some of the vulnerabilities that you are seeing? What are and I know you don’t you, you were talking about checklists, and people love checklists, they want to just take them tick and, but that the checklist method might not be the smartest right now.

Roy Huggins 

Right now, it’s more that if he just to get get a generic checklist, just sort of grab one, you’ll probably do more than need to or get more anxious than you need to. That’s my reason, really. Usually checklists really help reduce anxiety. But I think in this case, it’ll feel it’ll get you overwhelmed. Because like, you need to kind of pick your battles and focus, right. So like, in terms of COVID and telehealth, if we assume everyone, you know, uses our various free and paid resources to get prepared for telehealth. Then, Liath was the one who really brought this up several months ago, that everyone is very concerned about the fact that all their staff are working from home. In fact, we had you on our podcast to talk about how you manage your staff remotely. And it was really helpful. I was like, yeah there’s a lot of great tool recommendations and such.

And now, the other issue is like, so what are the HIPAA compliance and actual security concerns that arise there.

Once again, we’re looking at, one of the biggest things we’re trying to do is avoid client complaints. Avoid HIPAA complaints. And we’re trying to also ensure that we don’t have something we have to report. And I really don’t recommend that you take the strategy of simply not reporting it. Now, that’s, that would actually not be the best way to go. Especially because when that comes up, if you don’t report it to the feds, you have to choose am I gonna tell my client this thing happened? Because honestly, I personally, really, I don’t want it to keep it from the client. Right, and if you tell them, but don’t tell the feds, I mean, now there’s this trail of you not doing, you know, the law.

Maureen Werrbach

Right, like you knew and that you held the information. Exactly.

Roy Huggins 

Yeah. And that’s gonna get you a lot of trouble. It’ll be much easier to deal with the aftermath of reporting trust. Yeah. So like, the the big thing here is, you know, therapists know how privacy works, right? That’s the advantage we have. But it’s not only therapists working from home. Also, therapists may have a different expectation of say, their family members, or roommates, or they just don’t really know what to do with it because it’s not in their training. And there’s so much going on, that they kind of throw their hands up and just do their best and don’t and just sort of let it go. And so it’s really important to give people clear guidance on what is expected of them in the home and they reason for that I really discovered all that, like, my 10ish years of doing this, which is, it’s not just that people need to know, you know what works. It’s like people need to know the boundaries of expectation.

Like when it comes to tech and HIPAA, the problem is people don’t even know that. Right?

Like, even that’s unclear what would be enough. Right? And so telling your staff, this is enough. And this is the expectation gives them like a, like a basically helps them be held really. All right. And so like, Yeah, go ahead.

Liath Dalton 

Yeah, I was just gonna say I’ve seen, you know, a lot of the therapists and clinical staff at practices have had anxiety during this time of feeling more responsibility or awareness of how things could go awry. And that that kind of that responsibility feels like it’s in their court because it’s in their home, right. So getting training and resources, and really specific guidance on expectations. And here, the standards we need to meet from the practice owners feels really supportive and helpful, as opposed to intrusive and unfairly demanding, because it’s, it’s something that they’re understandably worried about. So we’ve seen this.

In particular, when it comes to how they manage network security expectations around, you know, creating a private and confidential space. And then a big one has been BYOD, that even if a practice had a BYOD program, in place, like an official Bring Your Own Device program and policy and support around that prior to COVID. That it’s really needed to be relied on or bolstered in this new environment, because people may exclusively be using their own devices. And that can you know, if we’re talking about surface area of risk vulnerability, that’s the primary one that needs to be managed. In this context.

Maureen Werrbach

Can we end with talking just a little bit about BYOD? And the the added risks that working remotely strictly remotely has has done to that? Because I think that’s just something that obviously all of us are dealing with.

Roy Huggins 

I’ll talk about a couple of risks and life you talk about solutions. Yeah, so like, the, I want everyone to understand that. Often we think about Wi Fi, or devices or things of that, like all those things, often what our first thought is, is confidentiality issues. And a big thing people worry about or figure we’re worrying about is someone spying on our internet connection or spying on our session. That’s actually really unlikely to be an issue. for a lot of reasons I won’t go into here. Our biggest concern when it comes to the safety of your devices, is the device being accessed by the wrong person, which can include a family member. Depending on the family member, I mean, sometimes it’s like it can happen, that sucks. It’s not good. But it’s you know, nothing happened. Nothing bad happened. But that’s not always the outcome. And the other is viruses. And that’s our big thing, infecting your device. Big big big effing deal. Okay, so Liath solutions?

Liath Dalton 

Well, one solution that we’ve been recommending so much, it’s like the big 2020, if you’re gonna get one new tool, get it? Yes, and get a VPN for your team, because that allows them to securely connect to any network, whether or not it’s one that could be designated as trusted or not without the device being potentially compromised. And so even when we’re using a home Wi Fi networks, that we prior to this new kind of scenario, and so many vulnerabilities being exploited, would have said, well, you can go make sure it’s a segment mended network have a password on there, you should, should be okay to consider it trusted. Now, there are additional security measures that need to be put in place on those and that can be kind of onerous. So say VPN is the simple technical solution. That means that you are able to securely connect your device to any network. So that is that is a big deal. Is it expensive to supply VPN services to your entire team? It is not it is super cheap. And the very interesting thing as well is that a VPN is not a service that you need a business associate agreement with a nice, which is a very rare thing.

Roy Huggins 

Yeah, you’ll hear us say that very often.

Liath Dalton 

But in this case, it’s true. So that’s one really a useful tool to help manage this and then just training your team on how to recognize vulnerabilities like phishing has been something that’s been really exploited this this year, because they’re, you know, the bad actors are aware of the new vulnerabilities and opportunities for them that come with that. So we need to stay in step with that. And make sure that our security awareness trainings for our teams are keeping them equipped to be able to recognize and not fall for those things, too. So we’re looking at a combination of technical measures, and then behavioral measures. So training around the how to identify those things and respond in the right way.

Roy Huggins 

Now, of course, we have those trainings available for you to get to your team.

Maureen Werrbach

Thank you. And–not that I can imagine that any one of my listeners doesn’t know your website. But for those who maybe don’t. Where can they find information specific, you know, to group practice owners? I know you have some special stuff for them.

Liath Dalton 

We do indeed. Yeah. If you go to person centered tech.com, slash groups. Or wait, is it group or groups? I don’t think I think it’s just great. No s group, Person Centered tech dot com slash group. And we do have role based staff HIPAA trainings and teletherapy trainings, including one on teletherapy from home or mobile office. Perfect, and the security programs, etc. And you can just talk to me should you want to about what your practices particular needs are.

Maureen Werrbach

Thank you so much for coming on yet again. I’m sure as things shift a little bit here and there. I’ll be asking you to come back.

Roy Huggins 

We’d be happy to.

Liath Dalton 

We’re gonna hit you up to come back to US first.

Maureen Werrbach

There you go! We’ll ping pong.