Texas Counselors Creating Badass Businesses

70 Securing Your Practice: Mastering HIPAA Compliance and Risk Management in Counseling

February 22, 2024 Dr. Kate Walker Ph.D., LPC/LMFT Supervisor Season 3 Episode 70

Ever wondered how small healthcare businesses tackle the colossal task of HIPAA compliance? I'm Dr. Kate Walker, and I promise to guide you through the labyrinth of conducting an annual HIPAA audit, ensuring you're armed with the knowledge to protect your clients' sensitive information. This isn't just about ticking boxes; it's about understanding the vital role you play as a custodian of Protected Health Information (PHI), whether you're a licensed practitioner or not. Our discussion will demystify the complexities of HIPAA, alongside Texas' House Bill 300, to help you establish a robust self-audit system that doesn't just aim for perfection but prioritizes continuous improvement and adherence to crucial regulations.

As your navigator through these murky waters, I'll illuminate the distinctions between systems that manage PHI and the significance of having ironclad policies, breach response plans, and a culture of accountability. Small healthcare business owners, listen up: it's time to embrace comprehensive training for all staff and integrate practice risk training into your routine. Remember, staying informed and prepared isn't just a best practice—it's your ethical and legal shield. So, join me, roll up your sleeves, and let's secure your practice's compliance and integrity together.

Get your step-by-step guide to private practice. Because you are too important to lose to not knowing the rules, going broke, burning out, and giving up. #counselorsdontquit.

Speaker 1:

Wait, that's a different outfit. Am I live? I've got last week's video up. Hold on, there we go, all right. Hey, I'm Dr. Kate Walker, and welcome to this week's training, which is all about your annual HIPAA audit.

Speaker 1:

Now what's that? You say you don't know you're supposed to do an annual HIPAA audit. Well, unless you attend a training like this or from one of my esteemed colleagues, you probably wouldn't know. There's not really a lot of information, unless you dig as a provider, which, if you're a provider and you own a business or you've hired other professionals to do services, you absolutely should be doing this research. So that's what I do, right? I'm not special. I just use the Google machine and a few other search engines that I really like and I try to find this kind of information for you.

Speaker 1:

So, for this training today, I want you to understand how often, who has to and what are some crucial elements, especially for you small business owners. The one thing I'm always aware of when I start investigating HIPAA is oh my gosh, I'm not a hospital, I'm not an agency with 3,000 employees and the people I'm talking to. So I, Kate Walker, I'm talking to you. You're a small business owner as well, so it's important to understand that this stuff is for everybody. So, as I put in the description or at least I hope I did, or if you got the email this morning, it's not like you're going to be perfect, right, like Mary Poppins, practically perfect in every way. It's not probably going to be us. So I'm going to cover that as well. When you know for a fact, you are not perfect in a particular area. So I have verified that I'm live. Eleanor, I'm so glad you're here, but if you want to keep your camera on or off, it's totally up to you, and then I'll take questions at the end. But here I go and I'm not going to screen share today, so I'm just going to be reading to you. So I'll try to make it super entertaining. No, I won't, it's the government, it's law. I love it, but I don't know, it might seem a little dry to you all. So how often? Well, let me back up. Let's talk about House Bill 300. So you may be going whoa, whoa. Wait, why are we talking about House Bill 300 when you just said we were going to talk about HIPAA? Well, because Texas has a law called House Bill 300 that mirrors HIPAA. So when we get to the part of this training where it's you know, okay, who really has to do this stuff, Kate. Well, you could say licensees do, right.

Speaker 1:

So if you dig into your LPC and your LMFT rules, you will see lots and lots of references to HIPAA, especially when it gets to privacy, protecting client, protected health information. So PHI is the term that we use for any sort of information that could identify your client, and I want you to think super broad here. It's not just their name or their last name or their address. I mean, yes, it includes all of that, but that also includes information that if somebody overhears you talking about a situation, they might say, oh my gosh, I heard about that on the news or I know who that is. Yeah, you may have disguised the names or sent an email with you know initials only, but if you put identifying information that can be tied back to a client, then yeah, that's all protected health information.

Speaker 1:

And the bottom line is, you've got to remember, protected health information doesn't belong to us. That's why we use the term custodian or records manager. We're responsible for maintaining this protected health information. But it's like if somebody loaned you their car, right, that car didn't belong to you. It's your job to take care of it though, right, put it in a covered parking spot, make sure the tires are aired up, and that's kind of where the metaphor falls apart. But you understand, this is not your record, it's not your email communication. It is your client's protected health information and you must follow certain rules. So we have the federal law, HIPAA, and we have the Texas state law, which is House Bill 300. And if you live in a state other than Texas or a country other than the United States, you may have a similar law that you need to investigate.

Speaker 1:

Now, where I know it gets to the folks listening to me is when it comes down to OK, just tell me what to do and tell me how often I need to do it. So that's really what this is about, and if I look at who this applies to, then I'm going to actually go to a definition here. So the HIPAA privacy rule covers (I'm talking slowly because I'm looking at my notes and I haven't got them up yet) covers entities, covers covered entities. A covered entity is, number one, a health plan, number two, a health clearinghouse and number three, health care providers who electronically transmit any health information in connection with transactions for which HHS, which is Health and Human Services, has adopted standards. So there's a lot of, not a lot. There are folks who may think they can kind of loophole that. Well, I don't do that, I'm not that. Well, I don't transmit information for that reason. So I'm not covered by HIPAA.

Speaker 1:

So, again, I would redirect you to the laws for your state, the laws for your license, and let's talk to you folks who maybe are unlicensed. Maybe you work the front desk, maybe you work on an emergency hotline and you are getting this information and you know what. These people aren't even clients yet, they're potential clients. Well, you are still the guardians of the protected health information. So when you are doing this, and I'm going to use the term self-audit, I'm not making this up. Doing a self-audit is best practices for HIPAA.

Speaker 1:

So I've heard in my research, I'm reading anywhere from once a year to six times a year. But what you are going to be auditing is your entire practice, from people to security measures, to things like file cabinets and doorknobs. So when I did my research, here's what you're looking at: you want to make sure that you're conducting a risk analysis every year. So a risk analysis is going to be everything from (I know I'm so choppy today) your cybersecurity, so that's your email, that's your text messaging, your physical site, any kind of device that is security related to the security of your practice, your privacy standards, and then your HITECH, which is: the audit requires policies and procedures to be implemented that relate to breach notification and for workforce members to be trained on these policies. So what's kind of interesting is today I have literally had to mention our policy and procedures episode on the Texas Counselors Creating Badass Businesses podcast like three times.

Speaker 1:

So in your policy and procedures manual, having a section on how to manage protected health information is one thing, but then you have to have a section on okay, what do we do if a breach happens? Who do you notify? If the breach affects this many people, how many more people do you need to notify? Who needs to be on that list? Do you know? If there's a breach of a certain amount, a certain amount of information, you have to notify the media, right? So, having, doing an audit of your policy and procedures manual, doing an audit of the electronic systems that you use to transmit protected health information, think text messaging, think email, and so when we hire a company to take care of our clients' protected health information for the purposes of communicating, and that information is going to be held for any period of time. So think about that server that's two miles underground in Montana, right?

Speaker 1:

If you're having this information stored a client record in a file somewhere, then the person or the entity that is holding onto that information for you needs to be on your team. They need to understand that they're gonna share the liability, for what do we do if something goes wrong? Because really, that's what a business associate agreement is. This person, entity, agency, cloud file storage, handling, whatever is not just saying, oh, yeah, yeah, you can trust us. They're saying no, these are the procedures that we'll take if a breach happens on our watch, with our stuff, with your file. So they're a partner with you.

Speaker 1:

I hear a lot of people talk about business associate agreements with, like, cleaning crew or landlords and things like that. You really need to read a business associate agreement when you get one. Like, even if you do Google Workspace, or they have a HIPAA compliant cloud storage option, you can download, you can print that BAA and you can see that they will partner with you. So that's one of the things to put on your audit. I am not happy with what I'm finding right now because I did have a better list. Policies and procedures. Oh, here we go.

Speaker 1:

Okay, another thing to audit is your employee training, and hold me to this. In a few minutes I'm actually going to talk about how often HIPAA and House Bill 300 say you must be trained. So as a business owner, even if you are the only person in your business, you must ask yourself, document, put in your policy and procedures how often you get trained in HIPAA and House Bill 300. So with training, it's funny because HIPAA says periodically, so best practices would be onboarding. House Bill 300 is very specific. It literally says within 60 days of hiring and then every two years. Now, you know, Kate Walker Training offers an online HIPAA training and if you're in the membership, Texas Counselors Creating, I'm sorry, I don't even know my own memberships, the Step It Up membership, you guys already have this training and then every time we update that training it goes into the member's profile so you can train every single year and I make sure that our training covers HIPAA and House Bill 300. In fact, I developed a training for the CACs of Texas, the Children's Advocacy Centers of Texas. So they were aware of the importance of having annual training, not only in HIPAA but in House Bill 300.

Speaker 1:

So if you go back to my comment a few minutes ago, if you're still kind of squishy and wondering am I really a covered entity under HIPAA? You are a covered entity under House Bill 300 if you live in Texas and you handle, they call it resident, resident protected health information. So under House Bill 300, the definition of who is covered, covered entity, is any person who assembles, collects, analyzes, uses, evaluates, stores or transmits PHI. So any healthcare payer, governmental unit, information or computer management entity, school, health researcher, healthcare facility, clinic, healthcare provider or person who maintains an internet site who comes into possession of PHI (now I'm talking to you, staff, unlicensed staff, volunteers, people who work at your site), obtains or stores PHI. Any employee, agent or contractor of any person who meets the above criteria.

Speaker 1:

So those of you who are thinking, yeah, I probably should get a BAA for the custodial crew, I would say how about just offering them a training to get certified or get a training in HIPAA and House Bill 300? How about saying, hey, you know what, in order to work for us, we really need you to sit through this class, and y'all, I'm not the only one. You can go to the website, the Health and Human Services website, for HIPAA. And then I know it for Texas, tons of people offer trainings for House Bill 300. So imagine making it a condition for employment, even for unlicensed staff, that you must do an annual training for HIPAA and House Bill 300. Remember, HIPAA doesn't specify how; House Bill 300 does.

Speaker 1:

So I'm going off on a tangent. I'm going to bring you back to your yearly self-audit. So HIPAA does say do a self-audit, make sure you go through every single one of your systems. So we were talking about, I'm going to start over, so understanding the requirements. So do your own research, go ahead and get your own HIPAA course under your belt, conduct a risk analysis, go through your policies and procedures, go through the physical space in your office, go through all of the software that handles protected health information, that stores it. Now, I'm not an attorney, I don't pretend to be one, but there is a difference between a company that holds the software, holds the information, rather not software, holds your client's PHI, and picking up the phone and just for a split second, your client's voice is on some ether line somewhere. In one instance their protected health information is being stored. In another instance it's passing through. So you would need to dive in a little deeper just to make sure that your systems. Are they pass-through systems where the PHI is passing through? Or is it something where? No, it's literally being stored here and I just click a few buttons and I can get in and access it, which means anybody else can too.

Speaker 1:

Number five, employee training. That goes back to your policy and procedures manual in your self-audit document. When you train your employees on House Bill 300 and HIPAA, you've got the business associate agreements. We talked about that, that's with any entity that will store or handle PHI and who will agree to do one, and physical safeguards, technical safeguards, the breach response plan. So what happens if something goes wrong and when you audit? So when you do your self-audit, you're literally going to document, hey, we did an audit.

Speaker 1:

Now, at the beginning of this training, I said you can't expect yourself to be practically perfect in every way, like Mary Poppins. You're a small business owner. You can afford what you can afford. You may have this many clients, so you're not going to get the $800 a month record management software, so you're going to document known issues. These are issues, and I've given the example before and we had a guest speaker, Vanessa Hillis, and you can still access that on YouTube, I believe, and they talked about known issues where it's like if you had a dog in your backyard and you had this gate with a busted latch and you're like man, I need to really fix that latch and I can't afford the latch, or it needs a special latch and I'd have to ship it in and supply chain or whatever. That's called a known issue, and if your dog gets out, you would say, ah dang, I knew I needed to fix that latch.

Speaker 1:

Well, as a growing business and as an owner of a growing business (because you're amazing and your counseling services are going to be sought out, and whether you want to grow or not, your community needs you and they're going to keep knocking on your door) you must plan for systems that will keep you HIPAA and House Bill 300 compliant, but you may not be able to afford those systems today. So if you are, let's say, you know that you can't afford the big, expensive email software, well, that's a known issue. You don't have email software that will comply and sign a business associate agreement, because email is an example of software that holds PHI. It's not a pass-through. Same thing with texting. Texting holds PHI. You can get into wherever the servers are, somehow some way, and you can hit print. You can get transcripts of the information you've shared with your client. So if you're not able to right now get the fancy schmancy software with the BAA, then you have to take other measures. Hear me. This is your training now. This is your policy and procedures. You could have something as simple as: in our office we do not have HIPAA compliant email. Therefore, no employee can use email to communicate with clients. Right? Consequences for doing so are, and it's important you have a consequence here.

Speaker 1:

I saw a thread on the interwebs today, one of the social media threads. He was talking about issues with owning a practice and my comment was it sounds like you have great standards but you're not following through on your consequences. So, having this policy and procedures in place, with these beautiful standards for protecting information, it goes to hell in a handbasket if you're not going to follow through on consequences. Because, remember, you have to document that as well. So if you catch Joe over here, Joe, LPC, and he has used email to communicate with a client. That is a write-up, that is a documented thing and that must go into your self-audit. Yeah, in March 2023, we had to talk to Joe because he used our non-HIPAA compliant email to communicate with a client. Now, it's not a breach, right? I mean I'm assuming, right, there was no breach, nothing was leaked, no email was sent to the wrong person, so you don't have to inform everybody or inform the government.

Speaker 1:

What you note in your self-audit is, hey, this is a known issue. We put it in our policy and procedures manual, we train our employees annually and we onboard new employees with this information, and knowing that Joe still did this. So these are the steps that we took to make sure Joe knows the rule, knows the consequences, and sign and date it. So you keep a running log and that's part of your self-audit. So, whether it's this time of year, I love January because we can kind of go through our closets, go through our HIPAA log, do you? But it's nice because then you have sort of this annual time where, I mean, do it when the clocks change? Oh wait, the clocks don't change anymore, right? We don't do daylight savings time anymore, right? I don't know, somebody tell me, but have something that reminds you to check that log. Now, if it's just you, maybe it's your policy and procedures manual. You know what, you were able to afford the fancy schmancy, HIPAA compliant software. It's not a known issue anymore, but your training still is.

Speaker 1:

So even if you're a hospital and you have the latest, greatest, amazing stuff, people are always going to be the weak link. How do you mitigate that with your training? So remember 20 minutes ago when I was talking about how HIPAA just says train as needed, but House Bill 300 is no, within 60 days of hiring and every two years. So which one of those is more stringent? I'm a dual licensed person. I always say go with the most stringent requirement.

Speaker 1:

So if people are always going to be your weak link, and I'm talking to you now, supervisors, with your associates who are in private practice or maybe who own their own private practice, are you training them?

Speaker 1:

I know associates don't need CEs anymore, but wouldn't you love to document that you trained your associates? Wouldn't your associates love to do that in their own self-audit for their own practice? Hey, I took a training on House Bill 300. Hey, my supervisor made sure I took a training on HIPAA and they told me I have to do it every year. So the way you handle known issues (known issues because of funding, known issues because it just doesn't work for your practice, known issues because of people and new people) you're going to put in your self-audit, how you mitigate all of those risks, those known issues, along with the steps you are taking with the criteria. Again, I hope everybody runs to the Google machine after this and just looks up HIPAA, looks up what is involved with HIPAA or, better yet, takes a training. All right, thank you so much for listening. I'm going to turn off the recording and take questions, so here I go.

Chapter Markers
Understanding and Conducting HIPAA Audits
HIPAA and House Bill 300 Compliance
Practice Risk Training and Mitigation