HIPAA and Your Practice: Steps to Compliance


Join Jason Karn of Total HIPAA Compliance as he discusses how MACRA and HIPAA work together and the steps to take to achieve and maintain HIPAA compliance.


About our Presenter

Jason Karn is the Chief Compliance Officer at Total HIPAA and has been active in HIPAA training since the inception of the 2013 HIPAA Rules. He is the co-author of all Total HIPAA 2.0 training for Agents and Brokers, Employers, BA/Subcontractors, Medical Providers and Dental Providers and is a regular speaker, blogger and a significant Twitter influencer on all things HIPAA.







Jennifer Henderson: Thanks for joining us today. My name is Jen Henderson and I'm the Senior Marketing Coordinator here at NueMD. Joining us today is Chief Compliance Officer at Total HIPAA, Jason Karn. Jason is a technology expert and has been active in HIPAA training since the inception of the 2013 HIPAA rules. He is the co-author of all Total HIPAA 2.0 training for Agents and Brokers, Employers, BA/Subcontractors, Medical Providers and Dental Providers, and is a regular speaker, blogger, and a significant Twitter influencer on all things HIPAA. We're glad to have you Jason so if you're ready, let's go ahead and get started.

Jason Karn: Welcome everybody to this webinar on HIPAA. We're going to start off with a little bit of housekeeping. This program is educational, it does not constitute and may not be construed as legal advice, or creating any attorney-client relationship with any person or entity. Things change here pretty frequently, so I always recommend that you review the source material.


Reviewing MACRA

So now we have that out of the way, we are going to review a little bit of what we talked about last week and sort of how we've gotten where we are in the world of MACRA and HIPAA. For those of you who are new this week and didn't see last week's MACRA webinar, it's available now on the NueMD website. It's hosted by Ginny Mahaney from Smartlink Mobile, Autumn Bell from NueMD, and myself talking about this new MACRA regulation. MACRA which stands for the Medicare Access and CHIP Reauthorization Act of 2015.

This repeals the Sustainable Growth Rate (SGR) formula, streamlines quality programs, links fee-for-service payments to value and quality and two different payment tracks, and provides bonus payments for participation in advanced alternative payment models. Who does this apply to? This applies to any clinicians who submit Medicare Part B, have more than $30,000 that they submit to CMS for payment, and provide care for more than 100 Medicare patients. It's important that both those standards must apply in order to qualify for MACRA.

These people by and large are going to fall into what we call MIPS, which is the Merit-based Incentive Payment System. Lots of acronyms here today so I'm going to do my best to translate everything as we get into it.

So as you can see here there are going to be four quality controls that are going to happen with MIPS. We are looking at improvement activity, that is going to be 15% of your score, we have quality, which is going to be about 60% of your score.

What I'm going to talk most about today is the Advancing Care Information and how that applies to HIPAA. That is a full 25% of your score, and cost is, at this point, 0%. These are the formulas for 2017 going into 2018. The percentages will change going forward as far as weight for each of the categories. So if you have any questions about that, again, in the webinar last week we spoke about how that's going to change going forward, because cost becomes a larger portion of this, but just know that Advancing Care Information, as we get into that, takes up that whole 25%.

What is Advancing Care Information?

Now what is Advancing Care Information? Well, HIPAA compliance is required to qualify for a score in this MIPS category. ACI is very interesting because they have these five items that you have to have. You are required to have these items in order to receive that 25% score. This is a one or zero or yes or no.  There is no if, ands, or buts. If you do not have these five items, you do not qualify so you lose 25% off the top.

The things that we're looking for are your Security Risk Analysis. That's pretty much different wording but the same thing as what we see; we call it a Risk Assessment when it comes to HIPAA. Electronic prescribing, providing patient access is another item, and then sending a summary of care records, and requesting or accepting a summary of care records. All four items are things that you probably do with your EHR. So something like what you would do through NueMD if you are using their EHR system. That summary of care would be if you are going to send, say, a patient on to a specialist, that you're then sending on that summary with the patient, and that becomes part of their record going to the other provider, and then it's the same as requesting and accepting that summary of care.

What we're really going to focus on today, I just wanted to give a lay of the land and let you guys know, how we ended up here, and what we're going to really dig in to now is what it takes for ACI to be part of MACRA. We're also going to talk about HIPAA so if you don't qualify for MACRA at this point you can just hang in with me because all this information I'm going to tell you is going to apply to all medical practices going forward here.

HIPAA Risk Assessment: Administrative

The number one thing we're looking for when it comes to HIPAA compliance when it comes to this ACI reporting for MACRA, is conducting a Risk Assessment. Now there are three parts to a Risk Assessment. There is the administrative, the physical, and the technical or security as we saw that they called it a security risk analysis for MACRA or what we call a HIPAA Risk Assessment. Those are assessment, analysis, those are essentially the same terms just used interchangeably.

There are as you see these three items that are required to be part of this Risk Assessment. If you only do security it's not sufficient, you have to look at your physical, and you have to look at administratively what you're doing to protect your clients through your patients' information.

What kinds of things are we looking for under administrative? We are looking for you to assign a Privacy and/or Security Officer. Now I know a lot of you guys are small and we work with a lot of small providers here at Total HIPAA. We've got practices that are 1 person up to 10 people. We work with some larger practices too.

For the smaller practices, this can be the same person. You don't have to have two different people, it can be your practice manager you can just assign the task to, basically what we need is somebody where the buck stops. We need to know who's in charge, if there is an issue be it from a breach, an electronic breach, or a physical breach of records, or something lost, a patient has a complaint, those sorts of things, we know who we're supposed to go to. That needs to be designated, that needs to be written down, the entire staff needs to know about this. This is not something that you want one of your nurses, or PAs, or a receptionist dealing with if there is an issue. You want to make sure this is a manager level person that is taking care of this.

It's important to also note that this person doesn't have to be an expert on HIPAA. It's good to give them support, give them other people they can work with like hiring a company like Total HIPAA to work with your practice, and also if you use external IT, I know a lot of smaller guys, you use external IT, making sure they are part of that process too. Even if they're not in a lead position with you, they need to be there for support for this person.  There are a lot of steps that go into HIPAA compliance so you want to make sure this person has all the tools necessary to move forward.

Now the next two things are important also, actually everything we talk about here today is very important, is that we are looking at four Privacy and Security Policies and Procedures. This is how you actually tell people what you're doing. Just doing the Risk Assessment alone isn't enough. The Risk Assessment I would say is the blueprint, it's like showing me receipts for tax returns. We're in tax season so I think it's a really great analogy.

The Privacy Policies and Procedures and the Security Policies and Procedures, those are like your actual tax forms. If you don't have those and don't submit those to the IRS, or say you're audited and you don't have those to give to HHS, that audit is not going to go well, I'll tell you right now. So you need to make sure that you have those documents. Those are very detailed documents. They actually lay out exactly how you're protecting that information, be it either physically or electronically, it also helps inform your staff as to what programs they're allowed to use, how they can share information, how they can communicate with your patients, these are very important things. It's one thing to tell somebody how it's done but it's another thing to actually have it written down and have it documented.

And as I said earlier, if you get audited, they are going to be looking for this and we're seeing now that there's a lot more coming in with desk audits. This is the second round of audits that we've heard about and that we saw a lot of this past year. The desk audits were they wanted submissions of this information both of your Risk Assessment, Privacy and Security Policies and Procedures, and they wanted Business Associate Agreements. They wanted all that information sent to them in a paper format or an electronic format so they can see what was going on, and that was then informing whether HHS was going to take the next step and actually do an onsite audit, and we're still waiting to see some of the shake out on this, to see if there were some fines that were levied through that. I'm sure at this point there are some legal proceedings and some legal wrangling going on I expect in the next couple of weeks that we're going to see more and more of this and see what actually came from these audits.

The last thing that we are looking for in administrative is training your staff. You know your staff should know what the law is and they need to know your policies and procedures. These are two key items when you are looking at training a staff. This is fine if you want to do it internally, if you want to do it yourself. The problem that you can run into with that, I will tell you right now, is that you are already asking a lot of your Privacy and/or Security Officer, and then you are throwing on them that they need to develop training that actually says, "Hey this is what we're doing."

That's why going to an outside resource might be really nice. We have a really nice online training program. I know there are other ones out there, I don't want to just say you can only use mine but then the next step is making sure that you tell your staff, items like how often they need to change passwords, again, what programs are acceptable for use, what programs do you use for communication, how that communication is encrypted, if you're going to allow texting, how texting is going to happen. So these are a lot of pieces that you need to put in place administratively so that people understand exactly what you're trying to do and how to protect your patients.

HIPAA Risk Assessment: Physical

The next step we're looking at is physical. This is how you actually physically secure your facility. Door locks, we're looking for maybe you've got an alarm system, maybe you've got video monitoring, it could be that you're in a building that has a front desk, those sorts of things. You really need to determine what we're looking for in this Risk Assessment. Okay, let's see how we're actually doing this, let's make sure that all of our entrances are secure. It sounds like a basic thing but you'd be surprised to find out that sometimes when we go in and look at places that they think they secured all the entrances and exits, but they haven't.

How do you secure physical files? I know we're moving away from electronic files, we don't see them as much, but there are still a lot of providers that are using physical files. That's fine but we want to make sure that we're not only securing those records, securing where they are stored, but also documenting who's taking records, who has access to them, these are the kinds of things we need to look at.

A disaster recovery plan. This kind of straddles physical and security but you're really looking for what are you going to do if there's say a fire, you know, you've got a flood, any sort of tornado, anything that damages your property yet you have to continue to serve your patients. You have to be available and you guys a lot of times are first line defense, so making sure that you have access to records and accurate records, and how are you going to get back up and running as quickly as possible.

And then we are going to look for device and media controls. And on this we are actually looking for physical controls, so if you have laptops are you locking them down? If not, are you tracking them using something like a program called Prey, or using Apple Find My Mac, or Find My iPhone? Those sorts of programs. How are you actually making sure that these devices are secure and that nobody is getting access or maybe trying to take these devices?


HIPAA Risk Assessment: Technical 

And then technical. I'm not going to spend too much time on this today. We are going to do another webinar on March 30, where we are really going to delve into this. Rob McDonald with Virtru is going to be with me and we are going to have a really interesting discussion about this, about things that apply to your practice, and things that you can do. We are going to look for low-hanging fruit, but we're also going to talk about some higher level items.

So when you are looking at technically what's happening, we want to make sure you've got firewalls set up, we want to make sure you have virus protection on all your devices, this includes, we are starting to see some malware for Android phones, so we want to be really careful about where we're getting software from, what kind of programs are allowed to be loaded on these, especially with your staff bringing their own devices, we want to do as much as we can to make sure that your network is secure, and that anything that touches your patients' PHI is a secure device.

A big one is encrypted email. You guys have to communicate with your patients. We want to make sure that communication is as easy as possible, but we also want to make sure it's as secure as possible. So, that's a big thing because that's usually the best way; most providers don't have time to pick up the phone and answer every phone call coming in.

Text is not necessarily a great way of communicating unless you're using a texting program. There are some really nice texting programs that do encrypt texts but just using say like the iChat or Android Chat, or one of those programs, is not a good way of going about and actually could open you up to a breach. So these are things we are going to talk more about next week.

File encryption, how you are storing these files, this could be within your EHR, this could be something like using Dropbox, Box, Google Drive, those sorts of things, and then web browsers, making sure that your web browsers are up to date, and that kind of stuff. And that's just sort of an overview as I said. We will dig more into this next week, so I think that will be really interesting, so make sure you sign up and join us next week to talk more about this.


Business Associates 

So as you get into working with, and you go through this Risk Assessment. You really need to start thinking about those Business Associates you work with. Now for the small to medium size, and even for large practices, I don't want to discriminate in any way on that, your Business Associates are really how you do business. This is your IT, external IT, this could be lawyers, accountants, billing companies, anyone that you need who's actually touching PHI on your behalf and communicating, either through you for clients, and they're doing basically some of the heavy lifting so you don't have to have a staff of 40 or 50 people just to manage all these different things.

Business Associates are an important part of our everyday life. So this is a very important part of your Risk Assessment, and you need to make sure that your Business Associates are actually doing what they're saying they're doing for you. You know we've seen some bad practices by Business Associates, and last year we actually saw, excuse me the year before in 2015, we saw that there were about 40% of the breaches that happened were actually the fault of Business Associates. This could be a paper shredder that didn't shred onsite, that actually took files away and all of a sudden a big gust of wind came and the files came out and the people were finding files.

We've seen people who posted things on websites where they weren't supposed to post it, trying to find help to do data entry and those sorts of things. There actually was a big fine that came from that with Stanford Hospitals, it was a $1.5, $1.8 million fine where Stanford ended up picking up $750,000 of that fine, even though they were not the ones responsible for the loss of that information. The Business Associates, there were two of them that were responsible, they ended up picking up the rest of that.

So that's really important and the reason that's so important, and I mention this, is you are responsible for ensuring your Business Associates are compliant. This is called the Common Agency Provision. This is part of the Omnibus Ruling of 2013 and clearly states that you need to make sure that your Business Associates are in compliance. Now what does that mean? Does that mean you need to follow around your Business Associates like you would with a toddler? No, that's not what we're saying. What we're saying is that you need to do due diligence before you sign up with a Business Associate, and you need to make sure that they are actually, as we said, doing what they say they're doing.

So if you hire a shredding company, you want to make sure that they have policies and procedures for protecting that information. Maybe they shred things onsite, so they would never take anything offsite, and you can actually walk out and watch them shred the information that needs to be shredded, right there.

When it comes to say, file storage, that you know that, hey, they store these keys with a third party, that nobody else has these encryption keys.

There are a lot of things that you need to think about and make sure that you have signed a Business Associate agreement with these groups, but not signing a Business Associate agreement blindly is what we're trying to say.

You want to make sure that you know and have vetted these companies to know that they're doing what they said they're going to do for you.

So Business Associates what you really need to do is look and say, "What vendors do I have that have access to my PHI?" They will give you this information and if they don't, then you need to rethink whether you are going to use this Business Associate or not. You know a lot of people are starting to use this as a marketing advantage so if they got that information, by all means ask them for that information.

So review those compliance plans or summaries; summaries are fine. You want to know that they are actually storing the information properly, that that information is encrypted, who has access to it, that they're training their staff, and you also want to ask, "What subcontractors are you using?"

You know this whole line of, you guys are the covered entity, you hire a Business Associate who may outsource to a subcontractor, but if that subcontractor has an issue, it opens up that whole line to an audit. So let's say you hired a file storage company, they stored it with Joe's file storage company down the line, Joe's file storage company didn't have proper documentation, didn't have SSL on their website, and they were hacked, and HHS comes in, they will not only look at Joe's file storage company, they will look at the vendor that you hired, and then they can conceivably look at you. That's essentially what happened at Stanford. They were opened up to an audit up the chain, and that's one of the things that we really want to caution you about when signing up those Business Associates.

It's one thing to actually say, "Hey, I'm just going to sign up with somebody because they say they're compliant" versus actually looking at it and saying, "This is important, I reviewed this information, I know what they're doing with my information and I know what the next steps are here."

And then that last step is collecting and signing those Business Associate agreements. Those should be countersigned by both parties, stored onsite for use, so you can access them, this will be one of the key items that are asked for if you are audited. They will not only look for that Risk Assessment, they will look that you tried to mitigate items, they will look for your policies and procedures, and they will look for Business Associates and agreements.

So your Business Associates have the same responsibility, they have the same obligation to protect personal health information that you do. They are open to the same fines, they are open to the same penalties, so again you want to make sure that they know what they're doing, and another thing to think about is, make sure you review those Business Associate agreements very carefully. When it comes to some of the larger vendors it really is take it or leave it. Google is not going to negotiate with you over a provision that you may or may not like in their Business Associate agreement.

Breach Notification Requirements

One of the key things that we tell people to look for is what are the notification requirements within the Business Associate agreement? Is it 15 days, is it 20 days? How much time do you have? The reason we ask that question is from the day that there was a breach, they say basically you knew or reasonably should have known, you have 60 days then to notify the patient of what's happened, and if it's a breach of over 500, we call it the Rule of 500, if it's a breach of over 500 patients' information, you have 60 days to notify HHS, and if you're in the State of California, you have 60 days to notify the State Attorney General; for other states you need to double check that. I think, if I remember correctly, Massachusetts is another state where you have to notify the Attorney General of a breach. You also need to notify major outlets, media outlets, newspapers, television stations, to basically get the word out. If you are having trouble contacting patients, you need to post that information on your website.

So these are things you want to make sure that your Business Associate is giving you enough time to then respond to a breach, and so we say that this should happen within 15 days if not immediately, that there is a breach, that you need to be notified immediately so that you can start a plan. You can start moving forward and notifying your patients, especially if you think there is an imminent threat, say that there was somebody who was stealing information.

In fact, I just saw that today, there had been, I think it was a hospital that's got a class action suit against it now because a worker was stealing information, was taking information, and using it to file false tax returns. So you want to make sure that you have plenty of time to notify your patient if there is something that's fishy or something that's not right with that health record.

So we have covered a lot of information; we talked a lot of MACRA today. I just want to reiterate that if you need to comply with MACRA, if you're looking for MACRA compliance, you really need to think about this ACI, and these Advancing Care Information protocols that you need to be in line with, and HIPAA is a big part of that.

You may be asking, and I want to make sure I've covered this too, why do MACRA and HIPAA both ask for this Risk Assessment? Is this redundant in asking for this? Really what's come out is that HHS has looked at this and said, "You know, we are not sure that these Risk Assessments are actually being done." This is part of the EHR Incentive Program: they went through that and found out that a lot of physicians were not following through with those Risk Assessments, and so that's really important, they wanted to reinforce the importance of this.

Now they didn't put a lot more when it came to the security and physical requirements in MACRA, but the reason behind that also is that they felt that HIPAA was very thorough about this, and they didn't want to be redundant but they did want to make sure they drove the point home that doing these Risk Assessments is vital to the health of your ..., not only for your practice, but also as part of making sure that you guys are getting paid properly and reporting information properly when it comes to MACRA.



Q: What is the estimated cost of completing a HIPAA Compliance plan?

A: This really depends on the size of your practice. For a small practice, say one to five people, it starts at $75 a month, that's $900 for a year. We find that most physician practices -- groups of 6 to 20 -- run around $125 a month or $1,500 a year, and it goes up from there. You will find that most providers, depending on how much hands on they're doing, fall into about that price range. I would estimate you're going to spend about $1,500 to $5,000 depending on who you go with.


Q: Does sending an email using Outlook with proper security settings satisfy the encryption requirement?

A: So proper settings means using what they call Transport Layer Security, or TLS, which you've probably heard of. This is a protocol that does encrypt from point to point, but there are some concerns about when it goes from one server to another. So say you're sending it through Google Apps, or if you're doing Outlook you're probably sending it through 365, so Office 365. They do encrypt it up to a point, but once it jumps servers and goes to say a Hotmail or a Yahoo account, the hope is that it will continue with the TLS at that point. That part is negotiable about whether it encrypted the entire chain, but what is concerning to me and the thing that we run into most is the authentication.

We really are looking to make sure that the patient that you're trying to email is the person who's actually opening that email. Authentication means that either through, it could be through their email provider, but that they've actually logged into something so you know it's not just going to a desktop or know that they've actually authorized this to come to them, and that way you know that it's actually encrypted the entire way and that they've actually had to do that.

Now there are different ways of going about that and I did say we'll spend a little more time on this with Rob McDonald since he is an email encryption expert over at Virtru, and we'll talk more about this, but I will tell you that we like using an encryption overlay, so be it ZixMail, Virtru, LuckSide, are a bunch out there that are quite affordable and the reason we like those is the authentication of who the user is. So you make sure that you're actually, if you're going to send it to John Smith, that John Smith is the person who's actually receiving that email, and there's authentication because if you send an email and it's encrypted but you send it to the wrong person, it doesn't matter, you have a breach on your hands because there was no authentication in that chain.
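The uncertainty described in this answer, whether every server-to-server hop stayed on TLS, can be checked after the fact from the message's own Received: headers. The following script is an added example, not part of the webinar or Total HIPAA's material; it assumes the receiving mail servers record the protocol in the "with" clause (ESMTPS/ESMTPSA for STARTTLS, ESMTP/SMTP for cleartext, as Postfix and similar MTAs do) and uses a constructed sample message.

```python
"""Trace the SMTP hops of a delivered message and flag any hop that did
not advertise TLS.  Hypothetical example, not part of the webinar.
Assumption: the receiving MTA records the protocol in the 'with' clause of
the Received: header it adds (ESMTPS / ESMTPSA = STARTTLS in use, ESMTP /
SMTP = cleartext), and some MTAs also note '(version=TLS1_2 ...)'."""
import email
import re

# 'with' tokens that imply the hop was protected by TLS (RFC 3848 naming).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9-]+)", re.IGNORECASE)
TLS_VERSION_RE = re.compile(r"version=(TLS[0-9_.]+)", re.IGNORECASE)
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Constructed sample: the clinic's server handed the mail to a relay over
# TLS, but the relay delivered it to the patient's mailbox host in cleartext.
# Received: headers are prepended on delivery, so the newest hop comes first.
SAMPLE_MESSAGE = b"""Received: from relay.example-relay.net (relay.example-relay.net [203.0.113.7])
\tby mail.patient-mailbox.example (Postfix) with ESMTP id 7D2A1C4;
\tWed, 15 Mar 2017 10:04:55 -0400 (EDT)
Received: from mail.clinic.example (mail.clinic.example [198.51.100.12])
\tby relay.example-relay.net with ESMTPSA id 12BC9
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tWed, 15 Mar 2017 10:04:53 -0400 (EDT)
From: frontdesk@clinic.example
To: patient@patient-mailbox.example
Subject: Appointment reminder

See you Thursday.
"""


def _first(regex, text, default="?"):
    """Return the first capture group of regex in text, or default."""
    match = regex.search(text)
    return match.group(1) if match else default


def parse_hop(header_value):
    """Turn one (possibly folded) Received: header into a hop record."""
    text = " ".join(header_value.split())  # unfold continuation lines
    protocol = _first(WITH_RE, text, "UNKNOWN").upper()
    tls_version = _first(TLS_VERSION_RE, text, None)
    return {
        "from": _first(FROM_RE, text),
        "by": _first(BY_RE, text),
        "protocol": protocol,
        "tls_version": tls_version,
        # Either a TLS protocol token or an explicit version note counts.
        "tls": protocol in TLS_PROTOCOLS or tls_version is not None,
    }


def trace_hops(raw_message):
    """Return hops in transmission order (sender side first)."""
    msg = email.message_from_bytes(raw_message)
    received = msg.get_all("Received") or []
    return [parse_hop(h) for h in reversed(received)]


def cleartext_hops(raw_message):
    """Hops whose Received: header gives no evidence of TLS."""
    return [hop for hop in trace_hops(raw_message) if not hop["tls"]]


def all_hops_encrypted(raw_message):
    """True only if every recorded hop shows TLS (and there is at least one)."""
    hops = trace_hops(raw_message)
    return bool(hops) and all(hop["tls"] for hop in hops)


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_MESSAGE):
        if hop["tls"]:
            status = f"TLS ({hop['tls_version'] or 'version not recorded'})"
        else:
            status = "CLEARTEXT"
        print(f"{hop['from']} -> {hop['by']}: {hop['protocol']} {status}")
    print("whole chain encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

A hop without a TLS token is only evidence, not proof, of cleartext, since not every MTA records the protocol; and this check says nothing about the second concern in the answer, whether the right person opened the message, which needs recipient authentication rather than transport encryption.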


Q: Do clinics need a Business Associate Agreement with outside labs like Quest or Oxford Diagnostics?

A: Laboratories do not require because they are covered [inaudible 00:31:26] in their own rights.


Q: How long does it take to complete a Risk Assessment if you do it yourself?

A: We estimate it takes anywhere from 50 to 60 hours to do a Risk Assessment yourself. There are tools that you can get online. There is a tool through HHS. If you Google that you can find an online tool, it works on a PC, it works on an iPad, it's very thorough, but one of the reasons I would caution on doing that yourself is:

    1. The number of hours that it takes; and,

    2. The amount of detail that you have to go into and understand yourself.

In many respects it's nice to have a third party consultant to help you with that and help drive that along. You know what we find on average when people work with us is that it cuts their number of hours down to about 10 hours dedicated to doing the Risk Assessment and doing the documentation.


Q: How soon after hiring should new staff be trained on HIPAA Policies and Procedures? What about re-training?

A: New staff should be trained within 30 days or ideally before they come in contact with any patients or any PHI and all staff should be retrained on an annual basis. 


Q: Is having established HIPAA Privacy Policies enough to meet MACRA standards?

A: Following the Omnibus ruling and the updates to the American Reinvestment and Recovery Act of 2009, privacy is no longer enough to meet these requirements. Security is also a crucial part of this, which is why both MACRA and HIPAA call for it. You need to make sure you've looked at your practice and know that you have protected your patients' data and have documentation detailing how that information is being protected.


Q: What do I get for meeting MACRA and HIPAA's standards?

A: For MACRA, you are eligible for a bonus payment if you meet these standards -- but there is also a penalty for not complying. So you could lose 4-5% of your Part B payment if you do not satisfy MACRA. For HIPAA, you're looking at major fines that cap out at $1.5 million per violation. That's why HIPAA compliance is so important. It protects your entire practice as well as your employees and your patients.


Q: If my clinic is on a college campus and University employees are cleaning our offices, do they need to sign a Business Associate agreement?

A: According to HHS, cleaning crews are exempt from having to sign a Business Associate agreement. That's across the board, because their job does not require them to handle PHI. However, it is a good idea to make sure the crew knows they are not supposed to go through that information and if they do come in contact with PHI that was left out they should immediately notify the practice manager.