2023 HIPAA Updates (Advisory Insights Podcast, Episode 21)
On this episode of Advisory Insights, Stuart Oberman of Oberman Law Firm discussed HIPAA updates coming in 2023, avoiding HIPAA violations, and the increased penalties for violators. He explained that patients’ access to their health care records will be more direct and timelier. Practices should know, however, that there is a potential for increased exposure if records are not properly secured.
Advisory Insights is presented by Oberman Law Firm and produced by the North Fulton studio of Business RadioX®. The series can be found on all the major podcast apps. You can find the complete show archive here.
TRANSCRIPT
Intro: [00:00:01] Broadcasting from the studios of Business RadioX, it’s time for Advisory Insights. Brought to you by Oberman Law Firm, serving clients nationwide with tailored service and exceptional results. Now, here’s your host.
Stuart Oberman: [00:00:20] Welcome everyone. Stuart Oberman here, your host for Advisory Insights. All right. We know that 2023 is right around the corner. Folks, I’m going to tell you, for my health care clients – and we have, as a firm, a lot of health care clients – our clients are not prepared for the new HIPAA changes. I want to run through a couple of these. I could spend three days talking about this particular topic, but I just want to hit the highlights and give our clients a view as to what’s expected and potential exposure.
Stuart Oberman: [00:00:57] So, from our area, we see a lot of violations. I want to walk through some what we call reoccurring violations. In plain English, it happens way too much. Where are some exposure? One, lost or stolen cellphones or tablets provide an extensive amount of sensitive data in our health care practices. Our doctors, they get information on their cellphones, they get information on their tablets, they get information that is easily extracted. What are you doing to secure that data on your cellphone or your tablet?
Stuart Oberman: [00:01:43] Number two, our medical providers do not train their staff. I’m going to go out on a limb to say 80 to 90 percent of all of our health care offices across the board do not properly, thoroughly provide training to their employees.
Stuart Oberman: [00:02:06] Number three – a common violation that keeps reoccurring, reoccurring, reoccurring – data breaches. Now, what happens is, on those breaches, a lot of times doctors don’t know what to do as far as the violations go. Who do they report it to? Do they report it to the government, to the FTC? Do they have to do a credit reviewer check? Do they have to set up a 1-800 number? Do they have breach notification rules? No, they don’t.
Stuart Oberman: [00:02:39] So, I just ran through three very quick topics and violations that could literally, literally shut down a practice if an investigation occurs. Now, I want to take a look at some other things. I want to take a look at some key changes in 2023. Key changes, first, more direct and timely patient access to electronic health care records.
Stuart Oberman: [00:03:08] There has been a dramatic increase in the time that patients can obtain their data from providers. Do you even know what that time period is? If you do not know what that time period is and you do not know the violations, then I would urge you to either give us a call, take a look at our website, take a look at some of our articles, because that is a huge, huge issue.
Stuart Oberman: [00:03:39] Folks, I’ll guarantee you, you deny patient access to their medical records within a timely manner, you will be getting a very nice I love you letter from the government, which is about 17 pages, and they will crawl up every nook and cranny in your office.
Stuart Oberman: [00:04:01] Now, one thing we have to look at is what is the increase in penalties. Yes, they increased the penalties. Now, they look at what’s involved in guidance, technical assistance. They’re looking at correction action plans.
Stuart Oberman: [00:04:17] You know, what happens is that a lot of these aren’t intentional. Our doctors just rely on the wrong people year after year who have no idea what they’re doing. Unfortunately, they’re not properly trained, so you really can’t blame them. You know, whether it’s office managers, compliance officers – well, let me back up on that. Every medical office should have a compliance officer.
Stuart Oberman: [00:04:43] So, under the new 2023 HIPAA changes, there’s been an increase in penalties. Are you even aware that there’s now a Tier 1, a Tier 2, a Tier 3, and a Tier 4? So, what’s Tier one? Lack of knowledge, “I just didn’t know.” I’ll be honest, that is hard to sell. Reasonable cause and not willful intent, “Look, I knew that I probably needed to do it, but I didn’t mean not to do it.” Willful neglect, “Basically, I don’t really care. I’ve got 30 days to correct it.”
Stuart Oberman: [00:05:24] Now, you get into willful neglect and you not corrected within 30 days, folks, the fines and fees become astronomical once you get into those particular tiers. Again, do you even know the Tier 1, Tier 2, Tier 3, Tier 4 structure? And have you even told your staff of that?
Stuart Oberman: [00:05:46] So, let’s take a look at do’s and don’ts. How do you avoid HIPAA violations and penalties? Now, HIPAA is also criminal penalties. Yep, criminal penalties. Let’s look at what we need to do. Conduct regular audits, spot check potential violations. If you’re not auditing your files – and I’ve been saying this for years on the speaking circuit – at least 15 or 25 a month, which won’t take you long, you have some potential exposure that you don’t want to have, obviously.
Stuart Oberman: [00:06:32] Let’s look at do. Regular employee training. Folks, you cannot train your employees enough on HIPAA. So, I’m going to have an article coming out that I was quoted in and had the pleasure of being a part of the Academy of General Dentistry. And it’s going to be a topic regarding cybersecurity. And in preparing for that, I did an awful lot of research. And I will tell you, it is shocking as to how many breaches there are and how unprepared the doctor is, the team is, the compliance officer is.
Stuart Oberman: [00:07:17] Next, set clear policies and procedures to all employees. Do they know what that is? Do you have a checklist? Do you have an up to date checklist? Are you still using the one from 1996? It’s a different world. Establish in your office a privacy officer. And you’ve got to be careful with this. If you’re a small office, you’re appointing a compliance officer who’s going to answer on your behalf, and you’re going to expect them to cover you with HIPAA issues.
Stuart Oberman: [00:07:52] My suggestion, if you have a small office, you are the compliance officer. If you get bigger, you have a compliance officer, you got to train them. Now, they could be part of your HR – I don’t necessarily like that. I want separation there. But if you have to do it, you’ve got to be both trained.
Stuart Oberman: [00:08:19] Don’ts. Goodness gracious to don’ts. Do not ever disclose or share login credentials. That is an absolute recipe for disaster. Two, do not – maybe one of the biggest things – do not leave portable devices or documents unattended anywhere in your office, in public. Look, again, our cellphones are now our offices – our tablets, our laptops. If you go on HHS website and you look at how many fines are due to lost tablets, lost hardware, it’s amazing. Never, ever, ever take flash drives out of your office. Do not do that.
Stuart Oberman: [00:09:11] Folks, I could talk about HIPAA for 20 days here, but I just want to go through, again, some things that we just talked about, HIPAA 2023 updates. Listen to this podcast. Understand where you’re weak at. Fill the gaps. If you’re strong in areas, build on it. If you’re weak, fill it out.
Stuart Oberman: [00:09:32] Folks, thank you as always for joining Advisory Insights. Stuart Oberman. If you have any questions, please give us a call at 770-886-2400, or email, stuart, S-T-U-A-R-T, @obermanlaw.com. Have a fantastic day. Thank you everyone.
Outro: [00:09:53] Thank you for joining us on Advisory Insights. This show is brought to you by Oberman Law Firm, a business-centric law firm representing local, regional, and national clients in a wide range of practice areas, including health care, mergers and acquisitions, corporate transactions, and regulatory compliance.
About Advisory Insights Podcast
Presented by Oberman Law Firm, Advisory Insights Podcast covers legal, business, HR, and other topics of vital concern to healthcare practices and other business owners. This show series can be found here as well as on all the major podcast apps.
Stuart Oberman, Oberman Law Firm
Stuart Oberman is the founder and President of Oberman Law Firm. Mr. Oberman graduated from Urbana University and received his law degree from John Marshall Law School. Mr. Oberman has been practicing law for over 25 years, and before going into private practice, Mr. Oberman was in-house counsel for a Fortune 500 Company. Mr. Oberman is widely regarded as the go-to attorney in the area of Dental Law, which includes DSO formation, corporate business structures, mergers and acquisitions, regulatory compliance, advertising regulations, HIPAA, Compliance, and employment law regulations that affect dental practices.
In addition, Mr. Oberman’s expertise in the healthcare industry includes advising clients in the complex regulatory landscape as it relates to telehealth and telemedicine, including compliance of corporate structures, third-party reimbursement, contract negotiations, technology, health care fraud and abuse law (Anti-Kickback Statute and the State Law), professional liability risk management, and federal and state regulations.
As the long-term care industry evolves, Mr. Oberman has the knowledge and experience to guide clients in the long-term care sector with respect to corporate and regulatory matters, assisted living facilities, continuing care retirement communities (CCRCs). In addition, Mr. Oberman’s practice also focuses on health care facility acquisitions and other changes of ownership, as well as related licensure and Medicare/Medicaid certification matters, CCRC registrations, long-term care/skilled nursing facility management, operating agreements, assisted living licensure matters, and health care joint ventures.
In addition to his expertise in the health care industry, Mr. Oberman has a nationwide practice that focuses on all facets of contractual disputes, including corporate governance, fiduciary duty, trade secrets, unfair competition, covenants not to compete, trademark and copyright infringement, fraud, and deceptive trade practices, and other business-related matters. Mr. Oberman also represents clients throughout the United States in a wide range of practice areas, including mergers & acquisitions, partnership agreements, commercial real estate, entity formation, employment law, commercial leasing, intellectual property, and HIPAA/OSHA compliance.
Mr. Oberman is a national lecturer and has published articles in the U.S. and Canada.
Oberman Law Firm
Oberman Law Firm has a long history of civic service, noted national, regional, and local clients, and stands among the Southeast’s eminent and fast-growing full-service law firms. Oberman Law Firm’s areas of practice include Business Planning, Commercial & Technology Transactions, Corporate, Employment & Labor, Estate Planning, Health Care, Intellectual Property, Litigation, Privacy & Data Security, and Real Estate.
By meeting their clients’ goals and becoming a trusted partner and advocate for their clients, their attorneys are recognized as legal go-getters who provide value-added service. Their attorneys understand that in a rapidly changing legal market, clients have new expectations, constantly evolving choices, and operate in an environment of heightened reputational and commercial risk.
Oberman Law Firm’s strength is its ability to solve complex legal problems by collaborating across borders and practice areas.