A conversation about HIPAA compliance.

By: Tod Ferran, CISSP, QSA
I had the pleasure of being interviewed by Kathleen Mills of Life Tree Counseling on her podcast, It’s Just Coffee. We discussed an overview of HIPAA, and what mental health care professionals should know as they prepare their business for HIPAA compliance.

Listen to the podcast here, or check out the transcript below.

How HIPAA Compliance Applies to Mental Health Professionals

Mandatory HIPAA Compliance with Tod Ferran

Phillip Crum: Yes, we’re into It’s Just Coffee, which is Kathleen’s weekly episodic foray into the minds, methods, and other words that begin with “m” of the mental health clinicians out there.

Kathleen Mills: Yes. How are you doing, Phillip?

PC: I’m darn good. It’s not Friday but I can see it from here.

KM: Can you?

PC: I’m ready. Let’s do it.

KM: I can’t. I got a full day today.

PC: I understand that you have lined up Tod HIPAA-dude Ferran, which is what you’ve been calling him for the last two months.

KM: Yes, he’s got a badge on his chest and it says, “Security Analyst.”

PC: So we’re going to talk about HIPAA compliance. Is that what I’m hearing?

KM: Yes.

PC: Well, fire away.

KM: Excellent. Tod, how are you today, sir?

Tod Ferran: I’m great. How are you doing?

KM: I am doing well. Before we get started, I just want to make the intro. So we’re going to be talking about securing your digital technology in your private practice and we’re talking with the one-and-only Tod Ferran.

TF: If you provide health care or you have any health care information in your organization, HIPAA applies to you whether it’s paper or electronic.

KM: Very good, sir. So we can’t escape this is what you’re telling me.

TF: That’s correct. It applies to everybody.

KM: Well, before we start, I want you to tell us a little bit about you personally and exactly what you do at SecurityMetrics. And for those of you who don’t know what SecurityMetrics is, it’s a multi-national merchant data security and compliance company in the great state of Utah. So, Tod, tell us a little bit about you.

TF: Okay. So I am a security analyst here. I fly around the globe and I do assessments and security consulting with organizations both in the HIPAA space and in the PCI space. Of course HIPAA is all within the United States, but PCI is across the globe. For those of you that don’t know, PCI is the Mastercard/VISA security rules that they have around taking credit cards. So if you take credit cards, then PCI applies to you as well.

KM: Does this include – I’m sorry to interrupt – but the Square? A lot of mental health professionals are using Square technology.

TF: Square is kind of unique. The company itself, as long as it’s their actual Square device, the company is taking on your PCI liability for you. So if all you take is credit cards through the Square device, then they have taken that responsibility for you as long as you do what they tell you in the terms and agreement, that you protect it, and you don’t let people break into it or do anything with it. And so they’ve taken that liability for you.

However, most of the knock-off companies – and I don’t know of any others other than Square that have actually stepped forward and said, “Yes, we’re going to take that responsibility for you.” So if you have a Verifone device that you’re swiping cards through or you have a swipe device on the side or you’re using a portal on the web and your staff is entering the card number into a portal, then PCI requirements do apply to you in those situations.

KM: Wow. Okay. Well, keep going, Tod.

TF: Okay. So I do those kinds of things. I fly around the country as well doing presentations on HIPAA. In fact, I will be flying out this afternoon to do a workshop on the 10 myths surrounding HIPAA. And so I’ve done presentations from the west coast to Washington, DC. I’ve met with a lot of government officials – you would think government would be on top of HIPAA but there’s so many different departments and divisions of government that they are behind the ball as well.

I also help train our internal staff. We have offerings such as remote support for HIPAA, guided HIPAA compliance where we’ll help you do a self-risk analysis, go through the compliance items in your risk management plan, and help you get as secure as you can using somebody remotely.

We also have services for when my team might be involved. We would come onsite and actually do a physical risk analysis with you and look at lots of different things including how you’re handling paper, and some of the processes that are surrounding your physical security and your physical interaction with patients. And that gives you a much more complete and thorough risk analysis.

In fact, while I’m talking about risk analysis, let me just separate that we hear risk analysis and risk assessment and oftentimes they are used interchangeably. And they’re actually two different processes.

So a risk analysis is something that we do both before any kind of a breach or on a periodic basis and we’re looking at our entity as a whole, and not just our PHI but our electronic PHI and the processes and things that we’re doing to handle that.

A risk assessment is after we feel we’ve had a breach; then we do a very deep dive on that breach to figure out what happened, what we can do to mitigate it, and make sure that we’ve done all our notifications properly. So a risk assessment is post-breach. A risk analysis is a periodic – once a year at least – review of a whole list of our risks as an entity. So those are the kinds of things that I do on a daily basis.

KM: So I’m in the middle of doing the risk analysis as we are doing this podcast. And if you could list – I know there are several, there’s probably like eight categories or whatever, that someone needs to address – can you walk us through that?

TF: There’s so many. I’ll try to give you just a high-level view.

KM: Yes.

TF: So the risk analysis – and something else to mention about risk analysis: do many of the folks that we’re talking to, are they doing anything with Meaningful Use? Do you know, Kathleen?

KM: Meaningful Use, meaning?

TF: Okay, so Meaningful Use is an incentive program put out by Medicare and Medicaid for eligible professionals – and mental health professionals could fall into that category, especially if they’re submitting to Medicaid or Medicare and they get payments from them. There’s an incentive for them to use an electronic health records system. And it’s either $44,000 or $63,000, depending on which program you do. And Meaningful Use requires a risk analysis. And so a risk analysis for Meaningful Use usually is not comprehensive enough to cover us from the HIPAA standpoint. However, if we do a HIPAA risk analysis, that usually is comprehensive enough to meet our Meaningful Use requirement.

So for a risk analysis, we’re looking at: how does our PHI enter our entity? What do we do with it when it’s in our entity? And how does it leave? And then what kind of vulnerabilities do we have at each of those points? So we’re going to be looking at things like, what is our process for intake? On our network, do we have an actual firewall between us and the internet, or are we just using a Comcast router? If we don’t know the answer to that, we probably don’t have a real firewall and we’re very vulnerable.

KM: I think there are several categories of the mental health professional. Some of them are billing Medicaid and Medicare. In my mind, that would apply mainly to social workers and clinical psychologists because they can do that with Medicare. So that’s a completely different – I mean, it sounds like this is… there are different categories for mental health professionals to be thinking about.

Talk about the protected health information map, if you will, that you walk through. With me, it includes the copiers, phones, smart phones, how am I billing, how am I keeping my client records, what software am I using, the firewalls – can you just kind of give an overview if possible with that?

TF: You bet. So when we’re looking at our PHI flow – and PHI is protected health information – there’s actually 17 identifiers such as name, email address, phone number, social security number, date of birth. And then the very last one is any other thing that could uniquely identify that patient – including just the patient name – which is considered protected health information. So we look at where the flow is.

So if we have a computer system that we’re using, that’s part of it. If we receive faxes or we make copies or we scan and email, that’s where we talk about the copiers and scanners, because a lot of us don’t realize that there are hard drives in those devices. Affinity Health had a bunch of copiers come up at the end of their lease; they just turned them back to the leasing company and leased some new ones. Unfortunately, CBS Evening News happened to pick up one of those and said, “Oh look, we found all this protected health data that the entity didn’t even realize was out there.” And a $1 million fine later, they have to go and retrieve all those devices and securely delete that data.

So those are the things we are looking for when we look at our PHI map, what are all the devices? And sometimes we don’t think about it, but if we have emails that have patient information in them and then we pull those up on our smart phone, now our smart phone is something that we need to be looking at and it’s a vulnerability for us.

KM: Yeah, it can have just a piece of the private health information, not the whole piece, to be considered a vulnerable spot. And I don’t think a lot of us really realize we need to be mindful of that.

PC: Tod, does the responsibility for the information on these devices stop at the counselor’s office walls? Or is the counselor responsible for any outside entity devices? And when’s that coming?

TF: A counselor is required to protect all the data that they have and any data that they let go out of their organization. So, for instance, if they’re sending information to another covered provider, a covered entity, and if it’s only about a single individual, then they don’t need to have a business associate agreement. However, if they’re giving it to somebody else – like somebody’s doing their billing for them, or their coding, or transcriptions; maybe they’re doing dictation into a recording device and having that transcribed by another company – those would be business associates, and they have to have a good business associate agreement in place, but realize they’re still liable if that business associate has a breach.

Stanford is a very good case in point, in that Stanford had a good, solid business associate agreement in place. They passed some data to their BA. The BA then passed that data to a subcontractor unbeknownst to Stanford. The subcontractor then put it up on a university server and said, “Hey, I need help graphing this data – can anybody help me?” It sat there for a year before a patient Googled themself and found it. There’s a class action lawsuit that was just won for $3.3 million. Of that, Stanford still had to pay about a half a million because they’re ultimately responsible for that data, even though they had no knowledge that the BA was sending it off to this subcontractor. And so when we send data to a BA, we need to make sure we understand what their process is and that they understand that they’ve got to protect that data and they’ve got to let us know, and we need to be able to approve anybody else that they send that data to.

We have a lot of responsibility to protect this information, and the reason it’s so important obviously is that oftentimes we don’t realize how badly it impacts our patients’ health and safety when we lose their data.

If they have identity theft, it costs on average $20,000 to recover from identity theft and it takes a year to get stuff cleaned up. That’s a huge impact on our patients.

Not only that, patients have told us that if an entity loses their data, depending on the entity – 35% of them will change hospitals, up to 46% for pharmacies, and then the rest of us fall in between. Mental health and physicians, and everybody else, fall in between those two high and low marks.

So when we think about it, our patient information is so very important and so vital to our patients that we’ve got to protect it. So the thing we need to think about is that we are ultimately the steward of that data, and our patients’ health and safety relies on our properly taking care of that.

PC: And things were going so well today, Tod.

KM: Just to review. Just to go back to the first lesson of the Health Insurance Portability and Accountability Act, which is called HIPAA. The original goal of HIPAA was to reduce cost, simplify process, and improve privacy, and it dealt in the areas of access, fraud and abuse, related health information group and in revenue. It was kind of a, “We just want it protected in a basic way.” And now it’s just seemed to mushroom into the whole technology portion and the tentacles to other entities that we’re not necessarily in control of but we still need to be in control of. Does that make sense?

TF: Yeah, and so when it came out in ’96, it’s the Health Information Portability Act. So you’re right – the goal of it was to make the information flow easily between entities and payers and so forth. And so that was really the goal, and then other things have been added to it. So we had a new one come out in ’01 and another one in ’03. Of course, Omnibus came out in 2013. So with each of these iterations, every time the government has come out with one, they say, “Okay, now we’re really going to pursue it.”

And so to a large degree they’ve kind of conditioned us that, yeah, they tell us they’re going to put teeth in it and then they really don’t, and so nobody has really come after us for it in the past. However, that’s really changed. In 2011 and 2012, Health and Human Services (HHS) did some random audits – 115 of them – and they’re ramping up to do more random audits. They were going to do them in 2014, but they’re actually holding off because they’re bringing in their own staff to do those audits, plus they’re doing a web portal so that people could upload their policies or procedures and other documentation that’s required during an audit. So we’re going to see them launch those in the next couple of months or, at the latest, January/February. And so we know that those audits are coming.

KM: Right. And if there’s a penalty or a fine assessed, is the Department of Justice doing that, or the Civil Rights Department in charge of that?

TF: Okay, so the Office for Civil Rights is the enforcement arm for HHS. And so they could come after us and they can enforce the penalties and we need to realize that with Omnibus, it gave them the ability to fine us up to $1.5 million per violation per calendar year. And so that’s why we’re seeing some of these bigger fines. In my discussions with folks from HHS, they’ve indicated to me that they want to do fines that are strong enough to hurt but not kill entities and to make examples of them. And so that’s why we’re seeing those happen.

So we see different amounts of fines. So OCR could come after us. The State Attorney General can also come after us, and we’re seeing that happen. And so both of those have legal regulations/requirements allowing them to enforce HIPAA. In addition to that, we’re seeing civil lawsuits, including class action lawsuits, being won on the grounds that the entity was not following HIPAA, which is considered best practices, so therefore the entity was negligent or it’s a malpractice issue. So we’re seeing entities getting hit with class action lawsuits, and again settlements that are massive, like I mentioned with Stanford.

We’re also seeing the FTC come after entities. Now the FTC – what in the world do they have to do with HIPAA? Absolutely nothing; however, in the FTC bylaws it states that they are responsible for making sure the industry secures their customer data. And so that is the regulation that they’re using to go after health care entities that have had a breach. And so we’ve seen at least two entities already that have had to deal with the FTC, one of them being LabMD, who’s now out of business because of it. So realize that HHS is not the only one coming after us.

There are lots of others that are looking at it, and the lawyers are starting to see that, you know what, there are some deep pockets here. Whether you have a deep pocket or not, they think that you do. And we all know that in health care there really isn’t the kind of money and margins that the public tends to think there is. Unfortunately we have that perception, and that’s going to fuel a lot of these lawsuits going forward.

PC: Tod, we’ve got about three minutes left. I want to ask you a couple of quick questions with quick answers and then we’ll do the takeaways segment. The average group counselor – you know, they’ve got the business owner and three, four, five counselors there. Has anyone at any level done any study of the cost involved to implement all these new regs?

TF: Yes. So what we’re finding is that they’re spending anywhere from about $4 to $12,000 to get fully compliant, for those small types of practices.

PC: And they can all afford that?

TF: Well, you know, unfortunately it’s a cost of doing business now. Some of them don’t think they can afford it, but the other side of the coin is that if you don’t do these things, it’s just a matter of time until the breach has been made public because I can guarantee that you’ve been breached if you don’t have a good firewall in place. And so once that becomes public, you’re probably going to be out of business.

KM: So it’s not a question of, “if,” it’s, “when”?

TF: Absolutely. Every entity I’ve walked into has been breached.

PC: So business is costing more; the cost of business is going up. But the available cash that people have in their pockets on the other end of the equation – they walk through the front door and the counseling sessions frequently aren’t covered anymore, or aren’t covered very long, not as much. And so the competition drives down the prices for the available dollars – business costs going up, available dollars going down – not good.

TF: No, it’s not. We don’t have to spend that all at once, either. We can spend a little bit here and a little bit there and do a little bit each month. And if we can show where we’re making demonstrable progress, that goes a long way with HHS and showing them that, “Hey, we’re really trying to be compliant.” And so that’s why we’ve got some of those –

PC: Do you know – going back to your Stanford illustration – somebody can make a mistake either purposefully or just not even realize that what they’re doing is stupid. So –

TF: No intentions oftentimes.

PC: Exactly. So we get sued, and the payment that I have to make – this is an insurance question, you may or may not know this – is that covered by my insurance?

TF: It’s going to depend on your insurance. Now, most business insurance policies don’t cover those kinds of things. Now, as Kathleen mentioned, she’s going through our guided HIPAA compliance – we’re helping her remotely do that – and part of that package is $100,000 of breach protection. And so if I get insurance other than… it isn’t really an insurance, it’s just breach protection. You could spend that money however you need to, whether you need to spend it on remediation, on notifying patients, or on fines. But that’s some coverage that we offer as part of one of our services so that there’s not an added expense, so you don’t have to go and convince your insurance carrier to cover that for you.

PC: $100,000, huh? Coverage? You haven’t met Kathleen’s lawyers yet, have you? These guys charge $100,000 for the free consultation.
(Laughing)

KM: They’re the best, though! I’d do it again!

PC: Oh, my goodness.

KM: I probably will have to.

PC: Okay, so the counselors that are listening right now – the depressed counselors that are listening – what are the takeaways to these people? The two or three points that you want to make?

TF: Okay, so the big thing is get started today and do something, and then document the heck out of it. Document everything that you do and why you did it, and then show demonstrable progress. So do something either every week or once per month – put it on your calendar, set aside the time.

We have Guided HIPAA Compliance where we’ll help you on a monthly basis. You can call and talk with one of our support folks who understand HIPAA. They understand how to do that. They can help you work through a self-risk analysis and help you make, show, and document that you’re making that progress – that you’re doing your due diligence to try and protect your patient data. And we prioritize it so that your most vulnerable or high-risk stuff we get out of the way first. It’s a very low cost way to get into the game, get yourself covered, get some breach protection in place, and just secure your patient data. That’s what we want to do.

PC: Any other points?

TF: That’s really the main one. If I could plead and beg everybody to just do that, start doing something, those first steps – that really is my core message.

KM: Tod, where can people get a hold of you?

PC: If somebody wants to call the HIPAA dude, where do they find him?
(Laughing)

TF: I’m in and out of the office. I’m based out of Salt Lake City. The best way really is to email me. My email address is just tod@securitymetrics.com. You could certainly jump onto our website and take a look at our blog. You’ll see that there are lots of blog posts. We have a bunch of little HIPAA Snippets which will help educate you. So start learning – it doesn’t take very long.

Spend 10 or 15 minutes, read one of our blog posts, and just educate yourself so that you know and so you understand what’s going on. And as you educate yourself, you’ll start to see things that you’ll want to change. For instance, if you have a patient sign-in sheet where the last patient of the day can see everybody that signed in today, you don’t want to change that, so you’ll realize as you educate yourself that, “You know what? That’s maybe not the best idea. Let’s find a different way to do that.”

PC: Excellent. This has been good stuff.

KM: Tod, thank you so much.

TF: You’re certainly welcome. Thanks so much for spending some time with me.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.