Episode 194 | Scaling with HIPAA with Liath Dalton
WITH Liath Dalton
Hey Group Practice Listeners! Another exciting episode is out today! I’m back once more with Liath, Person Centered Tech’s deputy director and co-owner, to talk about why people find HIPAA compliance intimidating, and how both employers and employees can work effectively with it the PCT way.
In this episode we cover:
- Why inaccurate perceptions of HIPAA can be intimidating.
- How the PCT compliance process is aligned with scaling your business.
- HIPAA compliance in five supportive steps.
- Technical versus behavioral measures in setting up a system.
- Where should a scaling group practice start with HIPAA security risk analysis?
Links Mentioned in this episode:
This episode is sponsored by TherapyNotes. TherapyNotes is an EHR software that helps behavioral health professionals manage their practice with confidence and efficiency. I use TherapyNotes in my own group practice and love its amazing support team, billing features, and scheduling capabilities. It serves us well as a large group practice.
Do you ever wish for a financial therapist who could relieve you from the last few months’ bookkeeping, talk you off the edge when you’re running into issues with Quickbooks, or help you work through a profit plan for growth? GreenOak Accounting does just that! GreenOak Accounting is an accounting firm that specializes in working with group practices. Their value goes WAY beyond bookkeeping; they can help you get on track for financial success. Schedule a free consultation by going to http://greenoakaccounting.com/tgpe
Hey, everyone. Welcome to another episode of the Group Practice Exchange podcast. This week I’m super excited to have someone who’s been on our podcast, I think, I wanna say, at least two times at this point. Yes. And that’s Liath Dalton from Person Centered Tech. Hi, Liath. How are you? I am great. It is a privilege to be here with you as always.
And I love the way we have both of our kind of endeavors intersecting continuously. So I’m excited to chat with you today about all this goodness around scaling and setting up a practice for success. And I feel, you know, I was saying this before we started recording, but I recommend you a lot, ’cause people bring up HIPAA, but really just want those quick answers.
Mm-hmm, checkbox type thing. And I know a lot of other group practice owners who’ve used you also recommend you. You’re usually the go-to immediately. When, um, people ask in my Facebook group about HIPAA related things, nobody even answers the question. They’re just like, Google Person Centered Tech, and that’s who you can go to.
And so I really wanted to chat with you a little bit today on the PCT way and HIPAA compliance and how it’s actually essential to supporting the growth and successful scaling of group practices, because I think it is a scary concept for those that are midsize to larger who maybe didn’t invest their thoughts or their finances or their time in HIPAA.
And kind of did the bare bones while focusing on other parts of the practice. It can feel scary to really start paying attention to HIPAA in more than a basic way that we’ve learned in college. Yes, absolutely. And I think it’s so important to name that ambivalence and hesitation and fear, really, that is perfectly reasonable to have about undertaking
this big process that I think most folks will think of as a have-to-do, not a want-to-do. It’s a have-to-do just because, you know, legal regulatory framework and you don’t want to run afoul of it and have the consequences from it. But it always ends up getting deprioritized because it seems like it’s somehow disconnected from meeting the in-practice and operational needs.
Or a big reason why many folks won’t engage it is because it seems like it’s going to limit functionality. It’s gonna cost more, limit functionality, require more time and processes, and make things less efficient. And those are all counter to being able to have a really robust practice that is profitable and enjoyable to work in.
So if that’s how we think engaging the HIPAA compliance process is going to turn out, no wonder there’s reticence. However, what we’ve discovered through our years of supporting practices in this process, and really refining the way that we approach it ourselves too at PCT, is that it is actually an essential framework and process for making sure that all of your practice’s needs are met.
So functionality-wise, efficiency-wise, cost-wise, and that you are set up to just have this really robust practice, not just on paper, like you’ve done a risk analysis and you have policies and procedures that no one ever bothers looking at or engaging with, but you have this living framework and system that meets all of your needs and also expands capacity
to focus on those essential areas for growth. So if scaling a business is defined as setting the stage to enable and support growth, and having the ability to grow without being hampered, something that requires planning, funding, the right systems, staff, processes, technology, and partners, then that can absolutely be aligned with doing the compliance process the PCT way.
Okay. And our way is unique because what we start with first and foremost is a practice’s tech stack and looking at what tools and systems you are utilizing to meet all of your needs. Let’s make sure that those needs are in fact being met in the most cost-effective, efficient, streamlined way. Let’s make sure that your functionality needs are met, not just security needs, ’cause we’ll often see people kind of end up with this hodgepodge
of systems where they don’t play nicely together, or they’re paying for multiple systems that all do the same thing, and things can just get really cluttered. So we wanna start with making sure the tools a practice is utilizing are really meeting all of their needs as best as possible, and then that those systems are configured in a way
that is supportive of their best usage. And one thing that HIPAA really supports through that is, wherever you can, have technical measures in place rather than relying on behavioral measures. Basically, think of it as guardrails that keep people from doing the wrong thing. And that comes through setting up the systems in a way that’s optimized.
And that entails a lot of different configurations. Can you give an example of a technical versus behavioral? Let’s say a behavioral measure would be: you are not allowed to forward email from the practice’s, say, Google Workspace Gmail accounts to personal email accounts. Instead of having that just be a written policy and telling everyone that that’s the case, you can configure the Google Workspace
so that email forwards to addresses outside of your domain aren’t possible. Same with sharing Google Drive, like Google Workspace folders. ’Cause if you’re keeping, maybe writing client letters and summaries and stuff in Google Workspace, you don’t wanna just be sharing that folder or document with them, but that’s something people have to remember to do.
And in practice that falls apart, especially the bigger that you are. Great example. ’Cause when you said that, I was trying to think of what does that mean in practice? It makes a lot of sense, because we often put policies in place, like what you said, like don’t forward emails that are being sent within your practice to a non-work email for HIPAA security.
But if you’re just telling people to do that, once you’re at a 50-person practice, it’s 50 times more likely that someone is going to forget that and just do it, versus setting up a system that just literally doesn’t allow them to do it. Exactly. And one of my favorite examples of it actually comes in the realm of device security and what we refer to as endpoint management.
So technically speaking in a group practice, most often the largest surface area of risk exposure is going to be related to device usage and personal device usage. It can absolutely be managed and mitigated, but it has to be systematically approached. And so what that means in terms of HIPAA is that every device that is used to handle protected health information or access a system that contains protected health information needs to be configured to have certain technical security measures in place.
That sounds kind of overwhelming and like it might be a really big deal. It’s actually super easy to do in practice, and we have a really refined system for managing that and making it easy to do. But one of the technical measures that goes along with that is that you can set it so that only admin-approved devices can connect to your practice’s Google Workspace,
which means that people are going to have to go through the little device registration process, making sure they’ve done all the security settings on their device before they can connect to the practice’s Google Workspace environment. That doesn’t mean that their personal device usage is impacted in any way. It’s not intrusive, right?
Because when it comes to personal devices, we have to be balancing meeting the security needs and the practice’s needs with also recognizing the fact that these are people’s personal devices. So that’s one great way that we can help reduce the surface area of risk exposure and just have nice guardrails in place that make it easier for the practice management to know that things are being done right.
And they don’t have to micromanage things, which takes a lot of time and can create friction. That’s not optimal. So that’s maybe way more detail than needed, but it’s good to be able to illustrate these kind of simple ways that have huge impact in terms of keeping things moving forward in an efficient and secure and functional way.
So one of the things that I hear from people who have not used you, mm-hmm, Person Centered Tech, but know that they maybe should, is that they are afraid that it’s gonna take a lot of time, a lot of money, and be stressful to implement, especially if you’re a midsize or a larger practice. So can you talk a little bit about how the PCT way, that that system can actually help group practices save time, money, stress, and all of that?
Because I feel people think the opposite, that it’s gonna cause high money and stress. And talk a little bit about how it actually can reduce that. Absolutely. The whole goal of engaging the compliance process is to just have this really optimized practice that meets your in-practice needs, and that the kind of byproduct of it is that you are formally in compliance with HIPAA too.
So you have all your documentation ducks in a row. The ways that we approach it that end up resulting in that saving time and money and stress are that the Person Centered Tech team, our consultants, will actually perform the risk analysis and risk mitigation planning for every practice that we work with.
So we, in about a two-hour consultation, can check off that huge HIPAA to-do, which is one of the foundational requirements of actual compliance, is having a, quote, thorough and accurate risk analysis. That’s something that we can do in a two-hour time period. It’s really [inaudible] for the practice leader that’s tasked with the compliance process.
It is not prohibitively expensive by any means either: $500. And it includes a copy of the risk analysis tool so that when future risk analyses need to be performed, you’ve got that right there. And the risk analysis is a really impactful place to start, even though in our five-step process it’s technically step number four, for any practice that’s operational,
so not just getting ready to launch. That is where I recommend starting, because it checks off one of the formal compliance requirements and it gives this prioritized action plan for addressing all of the in-practice and technical compliance needs based on what is of highest import. And we look at both in-practice risk and technical compliance risk, which is very different than the way other compliance organizations approach it. And the reason we do that is because what we care most about is meeting those in-practice needs. And if something is just a formal compliance risk, so you don’t have an official policy and procedure in place for it, but you’re doing it right in practice, that’s much less of a priority than something that is an in-practice risk.
So that’s our approach for how we start out with the risk analysis, and then having a detailed risk mitigation plan that specifies everything to be implemented from there on, and the exact material resource that provides for that. So a lot of folks will have ambivalence around the risk analysis of, oh gosh, I’m just gonna get this list of all the things that are wrong and missing,
and then I’m gonna have to come up with a plan for how to address those and time in which to implement them. Instead, what we get is something that actually shows what you are doing right, because so many practices really have had intentionality in how they’ve set things up as best as possible, and that gets reflected.
And then we have a chronological action plan that includes the support and resources for every item. And the requirement isn’t that as soon as you’re aware of a risk that you immediately fix it, right? It’s that it is reasonable and appropriate based on capacity and resources, in part, too; that’s one of the factors that gets considered.
So having that clear plan and all of the resources, like material in terms of policy and procedure, training, a device security center, all those mechanisms make it easy to implement, and something that can be implemented not on an arbitrary timeframe, but on a timeframe that works for the practice. And this is really something that comes up as crucial for success
when working with a large group practice, that we have a number of groups that we’ve worked with that have been operational for like seven to 10 years, have 50 or more clinicians, multiple locations. And they’re aware that, oh gosh, this is gonna include change management. And so how do we delicately address needs for this process in a way that doesn’t hamper productivity and efficiency, client needs being met, doesn’t cause undue stress for our team?
And what we found is that it actually reduces stress when people know what is expected and needed, and they have systems and resources in place that support them in that. It is not just making the practice better off in terms of having CYA in place. It is truly making things better for every member of the team within the practice, and that reduction in stress and just having the right tools and systems in place makes it possible to be more efficient, more profitable, and really, in this current context of having so much burnout and overwhelm and just not enough bandwidth to do all the things,
every practice that has said, okay, we’ve reached a point where we just have to do this and can’t put it off any longer, has said, I wish I had done this sooner. And that is another part of it. The longer that you wait to engage it, the more change management is going to be involved. That doesn’t mean that it’s a barrier for doing it.
It’s just a reason why it shouldn’t be put off longer, in my view. But no matter how long it has been that this hasn’t been at the top of a to-do list, it is not too late to do it. And there’s no one-size-fits-all prescription for the timeline that has to be undertaken. It’s all reflective of what is going to work for each practice.
And that’s something that we work with you to identify. So, to wrap all of this together, mm-hmm, where should a scaling group practice start with the PCT way and compliance process? Where should they go first? Where they should go first is doing the risk analysis, the HIPAA security risk analysis and risk mitigation plan,
because from there you will know exactly what is needed from the other kind of steps in our componentized system, and it will be a prioritized list and action plan as well. So there are no more unknowns. We are just saying, here are the identified needs, here are the things that meet those needs, and this is the order that we’re going to tackle things.
Probably a great first step. I talk with group owners about any sort of change, mm-hmm, whether it’s hiring their first employee and feeling overwhelmed: when you just take one step towards the thing, you can always pause after that one. Yes. And then usually once you take that one step, the next step further doesn’t feel as scary.
So the idea of bringing someone like Person Centered Tech on and changing everything, right, or that that’s what it feels like. It’s much less scary to look at doing a risk analysis, which is a time investment of two hours, a financial investment of $500, which is not a lot at all, just to have information. It is very likely that once you get that information, the next step of rectifying any of the things that are found in that assessment feels less scary to step into.
Absolutely. And there are things that can be done concurrent with it. Like, what I’ll say to folks, if they’re saying, where should I start, is start with the risk analysis, if in looking at things you don’t already have a clear identified need from one of the other elements, like managing the device security component, or getting your staff trained, or putting your policies and procedures in.
If you do already have those other identified needs, like everyone’s using personal devices, we don’t have any formal policy or documentation, we gotta tackle that, then we can do the device security process concurrent to doing the risk analysis, too. But I don’t want anyone to feel overwhelmed of, like, I have to figure out where to start.
Yeah, exactly. So if you are an operational group practice, the place to begin is with that risk analysis, and then everything else from there can be done incrementally, and we can help you identify what the kind of timeframe that’s gonna be workable for you is. And there’s no pressure of it has to be done now. In terms of all of the resources and support that we provide, they’re all componentized,
so available on an as-needed and wanted basis. We used to have things structured a little bit differently in terms of all-inclusive packages, mm-hmm, but then what we realized was folks were having ambivalence around that because it was like, well, what if I don’t use the group practice office hours and consulting work group sessions, or don’t use them all and haven’t finished my project,
yeah, and when my access is up. And so we’ve just tried to make everything as accessible and adaptable as possible so that there are not barriers in place. Okay. So if they are wanting to schedule that risk assessment, where do they go, since that’s the first step? Yes. They go to personcenteredtech.com, and then you can either get to it from clicking on the Start Here, Group Practices menu item, or under Process,
if you click Step Four, Risk Analysis and Mitigation. And you get a link for scheduling with our consulting team immediately upon purchase. We usually are actually able to schedule within about a week. Okay. So it’s not like you have to decide now in order to do it in three or four months’ time. Yeah. That may change,
right, especially as more people feel less anxious about that. If anyone has questions for you, because I always feel like I can never answer questions around Person Centered Tech stuff, so I’m always like, just go straight to them. Is there a place where they can reach out to you or someone on your team, just if they have any sort of questions?
Absolutely. Any questions, if you direct those to info at personcenteredtech.com, either one of our team members or I do get into the info at inbox. Like, we triage things, and then the team member that is most appropriate to respond and provide the guidance and support is the one who responds. So info at personcenteredtech.com will get you looped in with the team member that you need to find what’s right for your needs.
Yeah. Well, thank you so much for coming on again and sharing your wealth of knowledge in an area that scares the shit out of people. We do not want anyone scared shitless. And, you know, I’ll say the consultant that is our primary risk analysis performer not only is a counselor, has a master’s in counseling themselves, and an IT and computer science background, but is really passionate about addressing burnout.
And so everyone just always reports how supported they feel following the risk analysis, and like, oh, I thought this was going to elevate my anxiety; instead, it really reduced it. And I don’t feel now like I’m gonna be guilted or shamed into doing these things. I feel like this is a component of self-care.
Yeah. That’s awesome. Well, I really appreciate you taking your time today to talk about this very important topic. Thanks so much for having me and I look forward to connecting with you again soon. Yeah, it’s always a delight, Maureen. Same bye.
Thanks for listening to the Group Practice Exchange podcast. Like what you heard? Give us five stars on whatever platform you’re listening from. Need extra support? Join The Exchange, a membership community just for group practice owners with monthly office hours, live webinars, and a library of trainings ready for you to dive into. Visit www.members.thegrouppracticeexchange.com/exchange. See you next week.
Here are the resources and guides we recommend based on this episode
* I am an affiliate for some of the businesses I recommend. These are companies that I use in my own group practice, and make recommendations based off of my experience with them. When you use some of these companies through my links, I receive compensation, which helps me continue to offer great free information on my podcast, blog, Facebook group, and website.
Meet your host
Maureen Werrbach is a psychotherapist, group practice owner and group practice coach. Learn more about her coaching services here:
The podcast is structured so that you get practice building tips in small doses, where an episode can be listened to (and a group practice building lesson can be learned) in a single car ride.
Episodes are structured into categories: coaching sessions where I coach a group practice owner on a specific topic, tips of the day by yours truly, real talk where you get to be a fly on the wall while an established group practice owner and I talk about the highs and lows of ownership, and trainings done by experts in the field.
Don’t miss an episode! Download The Group Practice Exchange Podcast on iTunes, Stitcher or Google Play and don’t forget to subscribe and rate TGPE
* The content of this post is intended to serve as general advice and information. It is not to be taken as legal advice and may not account for all rules and regulations in every jurisdiction. For legal advice, please contact an attorney.