Are You Prepared for Your Day of HIPAA Reckoning? with Danielle Mckinley – Episode 283


Are You Prepared for Your Day of HIPAA Reckoning?

How Do I Get a Podcast?

A Podcast is a like a radio/TV show but can be accessed via the internet any time you want. There are two ways to can get the Dentist Money Show.

  1. Watch/listen to it on our website via a web browser (Safari or Chrome) on your mobile device by visiting our podcast page.
  2. Download it automatically to your phone or tablet each week using one of the following apps.
    • For iPhones or iPads, use the Apple Podcasts app. You can get this app via the App Store (it comes pre-installed on newer devices). Once installed just search for "Dentist Money" and then click the "subscribe" button.
    • For Android phones and tablets, we suggest using the Stitcher app. You can get this app by visiting the Google Play Store. Once installed, search for "Dentist Money" and then click the plus icon (+) to add it to your favorites list.

If you need any help, feel free to contact us for support.


On this episode of the Dentist Money™ Show, Ryan interviews Danielle Mckinley of PCI HIPAA. Known on social media as “The HIPAA Chick”, Danielle consults with practices to help them meet yearly HIPAA requirements. If protecting patient information seems easy, you may not be considering cyber threats, the potential for human error, or the complexity of having vendors who see your patient information.

Show Notes:

www.pcihipaa.com/danielle

CODE: Dentist Advisors
@thehipaachick

 


 

Podcast Transcript

Ryan Isaac:
Hey, Dentist Money Show listeners. Welcome back to another episode of the fabulous Dentist Money Show brought to you completely wholly in part by Dentist Advisors, a no-commission, fiduciary, comprehensive dentist-only financial advisor. Check us out at dentistadvisors.com.

Ryan Isaac:
Today on the show, have a new friend, Danielle McKinley. She calls herself the HIPAA Chick. HIPAA and compliance might not be the most exciting thing you’ve ever heard about. But man, I’m kind of blown away by how steep and scary the penalties can be if you are not compliant. And it is totally possible to implement systems and get the right kind of help in place in your practice. So you don’t have to go through those headaches yourself and all by yourself, all alone. So my thanks to Danielle for joining us today. Some really important stuff to make sure your practice is running the most efficiently as possible. And so you can get back to just doing dentistry and producing and making more money and enjoying your life.

Ryan Isaac:
Thanks for joining us on the Dentist Money Show. If you have any questions for us, go to dentistadvisors.com. Click the book free consultation button. And thanks for being here, everybody. Enjoy the show.

Announcer:
Consultant advisor, conduct your own due diligence when making financial decisions. General principles discussed during this program do not constitute personal advice. This program is furnished by Dentist Advisors, a registered investment advisor.This is Dentist Money. Now here’s your host, Ryan Isaac.

Ryan Isaac:
Welcome to the Dentist Money Show where we help dentists make smart financial decisions and avoid the bad ones along the way. I am your host, Ryan Isaac. And today, we have a special guest. A new friend of the show, but not a stranger to the dental industry by any stretch at all. Danielle, hold on. I’m going to say that again because it’s not Daniel. It’s Danielle, isn’t it?

Danielle Mckinley:
Yes.

Ryan Isaac:
Danielle McKinley. You are known as the HIPAA chick. Did I say that right?

Danielle Mckinley:
That’s my nickname. That’s what people call me.

Ryan Isaac:
The HIPAA chick, I’m curious really fast. I’m going to have you introduce yourself. I have your bio, but I always think it’s so weird to read someone else’s bio to them. It just feels so strange. I would like you to introduce yourself. But I’m curious really fast, your name or the brand. Is it a hippy reference? I mean, do you have flower child kind of hippie vibes that you’re going for? Because that’s what I thought.

Danielle Mckinley:
Yeah, no, no. It’s actually a traditional nickname that was given to me. So HIPAA is boring, right? Compliance is boring. So let’s say I like to have fun. I’m very positive. And one of my partners nicknamed me the HIPAA Chick a while back and it just kind of stuck. And then more people started calling me that and I just ran with it because it’s fun.

Ryan Isaac:
That’s fine. Well, to be fair when we started this podcast five years ago, our other podcast hosts nicknamed me, Sir Ryan Isaac, which is the lamest nickname ever. And he was just making fun of me. And then, it stuck and I couldn’t re-nickname myself, which you’re not supposed to do anyway. You can’t self-nickname.

Danielle Mckinley:
Well, a nickname is given to you. It’s not-

Ryan Isaac:
It’s given.

Danielle Mckinley:
… something that you create.

Ryan Isaac:
It’s not chosen. It’s not chosen.

Danielle Mckinley:
Okay, so in all fairness, I tagged you in a post on Instagram today. And I laughed. I was like, “Sir Ryan Isaac, that’s actually pretty good.” I liked it.

Ryan Isaac:
You liked it. Okay. The people are okay with it, but I would have chosen something different. It reminds me of the episode, if you’re a Seinfeld fan, of George Costanza trying to nickname himself T-Bone.

Danielle Mckinley:
I am a Seinfeld fan, so maybe that’s why I liked it.

Ryan Isaac:
Maybe we’ll go there. Okay, so how about tell us what is the HIPAA Chick, who are you, what do you do, what do you help dentists accomplish? Give us a little bit of intro and background.

Danielle Mckinley:
Yeah, sure. So the HIPAA Chick is like the handyman, but for compliance. So everybody has their go-to person where you’re like, “Hey, I want to remodel this part of my house.” And someone’s like, “Oh, I got a guy for that,” right? I’m your gal for HIPAA compliance. So I was just nicknamed the HIPAA Chick. I helped practices simplify this and take it off their desks so that they can focus on what they like, patients and enjoying their personal life.

Ryan Isaac:
Okay. So, I mean, I’m familiar with HIPAA. I’m familiar with compliance just having worked at Dentist for a long time, but I couldn’t describe to somebody what the process is of compliance and HIPAA. And I’m sure most of our audience knows because they have to deal with it. But I’m also assuming that because you exist to teach people about it, that a lot of people either don’t actually know how it should be done or they’re not doing it correctly or there’s a lot of pros and cons. So how about we just begin with what’s the two-minute overview of what is HIPAA compliance? What does that even mean for an office to be compliant?

Danielle Mckinley:
Yeah, sure. So loaded question, like you said, because there’s so …

Ryan Isaac:
Two minutes, okay? You’re like, “I can talk for 10 hours on this,” But two minutes, sure. Take three.

Danielle Mckinley:
Yeah, two minutes. Ryan says, “Two minutes, tell everybody how to be HIPAA compliant. Ready? Go.”

Ryan Isaac:
Yeah, go. Not how to be. But yeah, what does it even mean, yeah?

Danielle Mckinley:
So what it means is to protect data. That’s the simplest way to put it is to protect information. So the HIPAA laws are not in place to make your life a nightmare or to cause you all of this struggle or extra work or stressful situations. They are in place to protect patient data. And then they are enforced by issuing penalties. So when a practice isn’t managing all of the compliance requirements, it subjects them to huge financial consequences when there’s a mistake in audit or some sort of breach.

Danielle Mckinley:
So the easiest way to put it would be to protect patient information. And instead of trying to outline all of the items you have to do in two minutes, I would direct listeners to taking a risk assessment. That will help them really understand where they’re at, what the laws are asking of them today and what needs to be done to protect their patient data and protect themselves from the penalties.

Ryan Isaac:
Okay, well, that’s a good overview for me. I mean, that might’ve been sub-two minutes actually, so good job. You did it. No, that’s really helpful. To protect data is the main overview. So then I question that seems like a simple task. But clearly, it’s not. And if there’s a giant penalty system, probably really robust, I’m just imagining the tax system and it’s this robust penalty system, then obviously people aren’t doing it.

Ryan Isaac:
We can kind of begin however you want to, but I’d be really curious to explore this path of what are the common mistakes that you’re seeing people make. I’d like to hear … Actually, maybe starting off with some of these financial penalties. Because that’s what our job is, to try to make sure that more money’s coming home, that they can save and invest and pay down debt and all those things. So let’s begin there. What are some of these penalties? How egregious do they get?

Danielle Mckinley:
Yeah, so they’re all over the map. So the range on average is 10,000 to 1.5 million.

Ryan Isaac:
Oh, you aren’t kidding.

Danielle Mckinley:
No.

Ryan Isaac:
I was thinking $500 here, a little $250 over there. 10,000 to $1.5 million?

Danielle Mckinley:
Yeah. 10,000 to 1.5 million is what we typically see. Well, it runs the gamut. It goes all over the place. It can be something as small as like … There was a practice, for instance, that didn’t have a business associate agreement and they were fined $120,000. And then there’s ones that grow into the millions right now where Health And Human Services Is focusing. So health and human services monitors the requirements. Office for Civil Rights is who issues those penalties and issues the enforcement. And right now, it’s all around access rights. And there’s an access rights policy incentive going on because of COVID. There was tons of changes to employee access, patient access. And you have to have these written policies and procedures in your HIPAA manual. You can Google it. I think it’s up to 18 that have been penalized for just not having those policies and procedures.

Ryan Isaac:
How is it enforced? Who polices this?

Danielle Mckinley:
Yeah, so Health and Human Services, Office For Civil Rights. How you really get on their radar to where your practices then issued a penalty is three main ways. The first one is an audit, so taxes. Audits happen at random. Investigation is the second one where an audit in a tax scenario could be someone red-flagged to you. There was a whistleblower. And on the compliance side, same thing. A patient complains about something. A team member says, “Hey, they’re not doing what they’re supposed to,” to protect the practice. Or there’s a data breach. A ransomware attack is the number one thing-

Ryan Isaac:
Oh, it is?

Danielle Mckinley:
[Crosstalk 00:08:49] you today.

Ryan Isaac:
That’s happening a lot. I hear about that, but I wouldn’t know how common it was. Okay, so these are happening frequently through those different methods. People are being investigated, audited. They’re being checked out. They’re being fined.

Ryan Isaac:
So let’s get into a little bit of maybe let’s start with what’s new in the field. Since COVID, you mentioned that, are there new changes and updates that people just don’t know about or are behind on or just not being compliant with certain things that have been implemented recently?

Danielle Mckinley:
Yeah. So the easiest way to think about it is … I’ll use taxes, being a financial guy. So you and I, we weren’t taught how to file our taxes in school, right? We figured it out, we enlisted help or we have a family friend or we work with Ryan Isaac or work with an accounting firm. And we do that because we don’t want to suffer the consequences, right?

Danielle Mckinley:
So from a compliance standpoint, doctors were not taught how to manage HIPAA or OSHA compliance in dental school as part of that business side that comes with it. So just like tax law changes and evolves every year, so do the compliance requirements.

Ryan Isaac:
That frequently?

Danielle Mckinley:
That frequently. And just like the IRS doesn’t call or issue a press release or an announcement and say, “Hey Ryan and Danielle, you got to be aware of this.”

Ryan Isaac:
They just let you know later when you are fined.

Danielle Mckinley:
Exactly.

Ryan Isaac:
You’re like, “Wait, that was a rule?”

Danielle Mckinley:
That’s correct. And so that’s exactly how the HIPAA laws work. So it’s not designed to be practical, especially for the private sector of the industry. They’re there to treat patients, but they also have this business side to run. So the challenge becomes how do you become aware of the updates? How do you know? And so I always direct back to the risk assessment because a risk assessment is required. So, A, it checks a box for something you have to do. But it’s also a really good way to stay abreast of changes and things you need to be aware of.

Ryan Isaac:
Okay. So let’s pause it on that then and we can put this in the show notes and link to this when we post this on social media, but where do they find this risk assessment? And is this an annual audit someone should do internally in their office, this assessment?

Danielle Mckinley:
Yeah. So the purpose of it is to help you be aware of the changes, like what we were talking about. So yes, it is required to be done every year. I would be happy to give your listeners one for free. That comes with a 23-page report. It’ll save them $750.

Ryan Isaac:
Oh, solid! Geez! Okay.

Danielle Mckinley:
So I can give you a link to it with some other resources that are just going to be complementary tools. Yeah, so anyone that wants to take a risk assessment and get those learnings, they can go to PCIhipaa.com/Danielle and they’ll type in Ryan Isaac or Dentist Advisors in the code and they’ll get it for free.

Ryan Isaac:
Okay, So we’ll make everyone aware of that. And see, I like this because we’re interviewing on the show, but I don’t know anything about this stuff, so I’m asking questions. If I heard a dentist, I’d be like, “Teach me about this. I got my crayon here. I’m very, very basic elementary school status here.”

Ryan Isaac:
So you said this assessment is required?

Danielle Mckinley:
Yes.

Ryan Isaac:
I was thinking this is an audit you could just choose to do if you didn’t have any other resources, but you have to complete this assessment every year. Okay.

Danielle Mckinley:
You do. Yep. A risk assessment is required every year. And then, think of the risk assessment as the only tool or resource that Health and Human Services is giving your practice to get those learnings. Otherwise, you’re researching and that’s not practical.

Ryan Isaac:
Do people not do the assessment? Is that common or no?

Danielle Mckinley:
It’s less common. So I’ve been doing this for 13 years. I’ve been helping practices with this stuff. And even I would say six years ago, it was still about 50/50. But at this point, most practices know that they need a risk assessment. And then that’s kind of the path to gaining those learnings.

Ryan Isaac:
So let’s talk about pitfalls then and common mistakes because when I think about this, if the assessment is required and most people are doing it, then there’s a gap somewhere along that way. They take the assessment and they’re like, “Oh, here’s what I should do.” But they just don’t implement or probably a host of other things. So walk us through common pitfalls. Where are people going wrong? What are the top reasons why people are still getting in trouble and getting fined for this stuff if there’s this assessment that’s supposed to keep them on track every year?

Danielle Mckinley:
Yeah. So the assessment is one step, right? So the assessment is telling them, “Hey, these are the gaps that your practice has with the way the laws are written today.” The next step is correcting them. And that’s where it gets tough because practices love to push compliance down the priority list.

Ryan Isaac:
Oh yeah. Not fun.

Danielle Mckinley:
That’s understandable. Right? It’s not fun. So we tend to gravitate towards the things that are enjoyable and bring us happiness.

Ryan Isaac:
Doesn’t produce money.

Danielle Mckinley:
Correct, so that’s really where it comes down to really is that implementation. So what’s helpful is talking to a consultant or getting an understanding of like, “Okay, these are my results. Now, coach me through how to accomplish this.” Those practices are going to fare better in actually getting there to reduce the risk.

Danielle Mckinley:
Now, in terms of pitfalls, I’ll give you two really common ones. So one will be around a HIPAA manual. So a lot of practices will purchase a template-based manual. A very common one is the ADA manual. Great solution. If you have the time to customize everything to your state laws, your federal requirements and have an attorney review it to make sure it’s done correctly. Most practices aren’t going to do those three things. They’re going to stick it on the shelf. And so just buying a template-based manual, if you’re just putting it up on the shelf and letting it collect dust, it’s the same as having nothing at all.

Ryan Isaac:
Is it the cheapest? Is it the cheapest manual out there?

Danielle Mckinley:
Not always. Couple of hundred dollars, but you’re throwing a couple of hundred dollars in cash if you’re not doing anything with it, right? So that’s a common one. Making sure your documentation is not only up to date, but practice-specific, include your state laws as well as the federal. And then the second one is around training.

Danielle Mckinley:
So everyone has webinar fatigue because of COVID. Zoom fatigue is a real thing. So a lot of practices attended tons of CE or they gave their team members stuff to do. And they took one on HIPAA. So just doing a C course on HIPAA or OSHA doesn’t mean that your annual training requirements for your staff are in order. That one Zoom or that one live CE presentation or what have you doesn’t cut it. And the number one cause of data breaches is human error. So screening is what protects you from those penalties we’ve been talking about.

Ryan Isaac:
Like what? Human error meaning? Can you give some examples of what that would mean?

Danielle Mckinley:
Yeah. So human error in one of your team members clicked on the phishing email that installed malware into your system, right? That’s going to be a larger scale. A smaller scale would be like, okay, so my name’s Danielle McKinley, right? Danielle McCainley called and said, “I’m moving. I can’t come to the practice. I already left. I need you to email me my records. Office manager is super busy. She sends Danielle McKinley’s file because of the similar names. That’s something anyone could do.

Ryan Isaac:
And who catches that type of mistake and reports it? The forwarding dentist or the receiving dentist?

Danielle Mckinley:
Well, so both Danielles have to be informed of what happened. And Danielle McKinley is now upset that her information was exposed. She files a complaint with Health and Human Services. Now, you’re being audited.

Ryan Isaac:
Oh, okay. And so I’m just thinking myself as a patient. If that happened to me, Bryan Issac gets forwarded or leaves and then they forward Ryan Isaac my stuff. If I was informed of my dental records, I’d probably be like, “I don’t really care,” but I know that maybe in a broader perspective in the medical world, that could be a bigger issue. And some people are just really private with their information. And that’s great too. So I guess I’m wondering does that happen a lot where an accidental forwarding of the wrong patient and then the patient actually lodges the complaint? That’s pretty common?

Danielle Mckinley:
Yeah. We definitely see it. There are some people that, I’m with you, sometimes it just kind of on the personality of the person that’s in it. And really where we see more of a sensitivity in the dental space is not so much around your last cleaning or your root canal or those things. It’s more around the personal data that comes with it.

Ryan Isaac:
Because that comes with it.

Danielle Mckinley:
The name, the address, the social. That’s the stuff that people are more upset about in the dental space.

Ryan Isaac:
I don’t think I realized that. Okay. Well, that makes a lot more sense. Yeah, I’m like, “I don’t know, look how many cavities I’ve had.” I drink too many energy drinks.

Danielle Mckinley:
Yeah, I have a couple of veneers. What?

Ryan Isaac:
What do you want from me? Oh, my social, my address. Yeah, that makes a lot more sense. Okay, so human error, you said, is the most common way. Any other human error or are those just the main ones that always happen?

Danielle Mckinley:
Yeah. So, I mean, any type of human error. You can also have a scenario where let’s say you did a case. It was a really great case. You’re a cosmetic dentist and you want to showcase it on your Instagram feed, but you didn’t get the approval.

Ryan Isaac:
Oh, I wondered about that.

Danielle Mckinley:
You didn’t get the approval from the patient. And let’s say that the patient isn’t happy or something happens. Someone in your office upset them and now they don’t want that on your profile. That’s a huge violation if you didn’t get the proper approval documented. So there’s a couple of kinds of little things that can occur.

Ryan Isaac:
I mean, it’s such a big marketing tool nowadays for so many dentists, orthodontists, cosmetic dentists to just show all this casework. And with the rise of that, are you seeing more of that instance happening, not having permission or just forgetting to or a disgruntled patient later on?

Danielle Mckinley:
Yeah. So we’ll have clients call us. Practices that work with us call us and say, “This happened. How do we deal with it?” So we hear about this scenario a lot. And really, part of the training process is making sure you have an authorization to disclose. So as long as you have that on record with the patient, and you can make that part of your new patient packet or when you’re going to do that case, if you know it’s one you’re passionate about and you want to share it on social or maybe in a presentation that you’re going to do down the road, just get the disclosure in advance and then keep it in the patient record.

Matt Mulcock:
What if a podcast listener loves our podcasts and all the things we talk about, but they want to see our faces and go into subjects a little bit deeper?

Ryan Isaac:
Man, it’s amazing you just asked that. The best way to do it is to listen to our webinars. Actually, watch the webinars. You and I, as you know because you’re there, cover one subject a month where we both host and we talk about a whole range of things in a lot of detail.

Matt Mulcock:
Yeah, it’s really fun. And we’re going to go into all the topics when you go on the Dentist Money Show, but go in more depth. Super easy to sign up. Go to dentistadvisors.com, click on webinars under the education library button on the homepage.

Ryan Isaac:
Okay, so you’re saying once they mess up, they call you, which is how it goes sometimes. But you also fit in the equation early on to make sure that there’s no mess ups. A consultant like yourself, how do you go in? What’s your process? How do you fit into all this?

Danielle Mckinley:
Yeah, so we proactively solve for compliance. So we go in and address all of the needs that our practice has as one vendor under one roof. So a lot of practices today understand or have this awareness to being compliant, but they might be working with say eight vendors and they’re still not fully addressing everything that they need.

Danielle Mckinley:
So my niche, if you will, is the solution that does it all under one roof and automates the process as much as humanly possible so that the practice, the doctor and the team are focused on the patients versus how to navigate compliance. And then if something happens, we’ve got their back.

Ryan Isaac:
And you’re saying from the beginning, you’ll make sure they’re getting the assessment done. And then they’re implementing the things and then they have a manual and then it’s being trained properly and implemented. And it’s in accordance with state and local laws. That’s also on your team? That’s what you guys do?

Danielle Mckinley:
Yep. We do everything that you mentioned and then some. And from a financial standpoint, because I know you and I are both about the bottom line and how do we help with cash flow in that, we explore how to turn compliance into savings for them. So we’ll look at other things that they’re spending on like maybe they have an OSHA person that’s coming in or a HIPAA person coming in. Maybe they’ve purchased a manual, but they never did anything with it. And so we’ll consolidate all of those fees. And in a lot of cases, be able to show the practice how they can turn compliance into savings by consolidating and outsourcing that piece of their business.

Ryan Isaac:
And that’s what you were saying about multiple vendors. A lot of times, they’ll have different people, but it’s not cohesive, it’s not organized, and they’re just spending money and it’s not doing anything for them. So you’ll come in and consolidate a lot of that stuff.

Danielle Mckinley:
Yeah, exactly. So we’ll consolidate it and show them how everything is met. So those penalties we talked about at the beginning, those go away, for instance, on our program because we’re meeting all of the compliance requirements for them. And then, we’re diving into other parts of their business to say, “Hey, we can eliminate this fee. We can eliminate that fee and we’re going to get you true protection.”

Ryan Isaac:
Yeah. That’s awesome. Later on in the process, what happens when you’re called in and there is a mistake or you’ve been there and they still didn’t implement something they were supposed to or there was just that human error that happened? How do they navigate that? How do they manage a situation where they’re slapped with a penalty that big?

Danielle Mckinley:
Sure. So when something happens, regardless of the incident on our program, we are their incident response team. So we have a team of advisors, breach coaches, HIPAA attorneys, and forensic experts. All they do is call, text or email us. We fill out an incident report. It takes them approximately 10 to 20 minutes to complete. And then that team goes to work for them.

Danielle Mckinley:
So for example, if it’s an audit, Health and Human Services is going to be requesting usually 10 items to show proof of compliance. We compile it. We send it. We handle the correspondence. If it’s a full on data breach like a ransomware attack or a cyber incident where there’s been exposure, we’ll navigate the breach notification laws for them. So we’ll handle the patient correspondence, the forensics, the identity theft monitoring and insurance they have to provide. We do all of it. So the goal is get you compliant, keep you compliant. If something happens, we’re there for you. And then we round out our program with cyber and data breach insurance that covers financially for the clean-up.

Ryan Isaac:
That seems like so much as you say that. And I’m just thinking if they don’t have somebody working on it, how does the average dentist without a HIPAA team or a consultant even respond to all this? Do they just get buried and pay the penalty and be like, I don’t know, “Here’s the money,” or what do they do?

Danielle Mckinley:
Yeah. I mean, unfortunately, we’ve seen practices that have closed their doors as a result of an incident because they had nothing in place. They pay it. We just signed on a new practice this last week who had a ransomware attack before working with us and it cost them $175,000. Where if they were a compliant practice, not necessarily on our program, but just in general, if they were a compliant practice, they would have been protected from that expense.

Danielle Mckinley:
So break it down to productivity, right? So everybody wants to be more productive, doctors want to see more patients, make more money, spend more time with their family and you have to place your bets on your strengths and where you can get the best return. And in a practice, having your office manager place the bet on compliance or you place the bet on compliance, you’re really gambling with the penalties. And you got to ask yourself, “Is that really the best use of mine or my team member’s time?”

Ryan Isaac:
Yeah. And the answer is no. The answer is no, it is not the best use of your time. Okay, so if you had to narrow it down, maybe there’s just one, maybe there’s a top-three tips to just avoiding all this situation, what would those be?

Danielle Mckinley:
Yeah. So number one, by far, take a risk assessment. At least get the learnings because even going through a risk assessment and understanding where you stand, you can walk away from that experience and implement three things that put you in a better scenario than you are today. So I would say the risk assessment is by far the number one starting point. And then from there, you can identify the next best two based on your specific needs.

Ryan Isaac:
And everything that’s going on. You mentioned something earlier about business associate agreements. Do you want to expand on that a little bit? Because you’ve mentioned it as a pretty common issue.

Danielle Mckinley:
Yeah. Yeah, sure. So business associate agreements are often confused. People are like, “I don’t have a partner. I didn’t bring someone in.” So the business associate agreement portion of the law is really designed to protect the practice and it’s for vendors. IT providers, accountants, practice management software because …

Ryan Isaac:
You have access to the stuff.

Danielle Mckinley:
Yep, exactly. So they have access to your sensitive data. If they do something to expose it, you want them to be held accountable, right? Not you as the practice. So a business associate agreement is how you ensure that. And there’s a couple of things you want to know.

Danielle Mckinley:
The agreement has to be specific to that vendor. You have to be able to show when you sent it, when it was signed and produce that stuff when an incident happens with them. So business associate agreements’ most common misconception is, “Oh, my vendor sent me one. They sent me their agreement.” So if you take anything away from this topic, it’s you have to have your own agreement and you have to be the sender.

Ryan Isaac:
Yeah, which is a whole other process, right? I mean, that’s what I’m hearing. This is one of the other processes that needs to be happening in compliance. And there’s a lot of vendors that have access to this kind of data. And especially the more you outsource to, like you said, technology and consulting and practice management software, there’s probably a lot of them. Is it pretty common that the practices don’t have their own agreements in place?

Danielle Mckinley:
Yeah, for what I said because they think that, “Oh, someone sent it to me.”

Ryan Isaac:
It’s there since they’ve done it.

Danielle Mckinley:
Right. So basically, if your vendors have sent you an agreement, you’re working with solid vendors because they’re saying proactively-

Ryan Isaac:
They’re trying.

Danielle Mckinley:
… “Hey, practice, I know that I’m going to come in contact with sensitive data and I am aware I have to protect it.” But usually, I would say most practices on average have about seven vendors that truly qualify as a business associate.

Ryan Isaac:
Okay. So again, we’ll link to … You want to give that website again for the assessment?

Danielle Mckinley:
Yeah. Sure. So a couple of tools for listeners would be the risk assessment. So the link for it is www.pcihipaa.com/Danielle.

Ryan Isaac:
Okay, with two Ls.

Danielle Mckinley:
Two Ls. And let’s quiz you. How do you spell HIPAA?

Ryan Isaac:
H-I-P-P-A.

Danielle Mckinley:
Wrong.

Ryan Isaac:
H-I-P-A-A.

Danielle Mckinley:
There you go. Yes. So everybody spells it with two Ps.

Ryan Isaac:
Two Ps like hippo or something. It’s not a hippo. It’s a HIPAA.

Danielle Mckinley:
So make sure you spell it right in your link so that it actually links.

Ryan Isaac:
Hey, H-I-P-A-A. I like that.

Ryan Isaac:
Okay. Any parting words of wisdom you want to give to the people? because I hear all this and I’m like, “Man, you’re talking about a situation that could potentially,” like you said, “close the doors of a dental office,” which is insane, especially considering it’s not an unforeseen event that you could not predict or control or have a process to mitigate. I mean, this is the stuff you have control over.

Ryan Isaac:
And so anything else you want to let people know? You’ve seen this for so long. Maybe just reiterate something you’ve already said. I mean, getting slapped with a six-figure fee is insane. That could wipe out a dentist. It could be multiple years worth of free cash flow savings for their own retirement. But even bigger than that would shut someone down. So parting words here, how do we save people from this totally avoidable situation?

Danielle Mckinley:
Yeah. Look. Compliance, is it scary? Yes. Is the outcome of what can happen scary? Absolutely. Can you prevent it? No, but you can be prepared for it to prevent financial losses for your practice.

Ryan Isaac:
Got it. Okay, so you can be ready for it. It’s kind of like how I hear experts talk about embezzlement in the practice. You can’t really prevent it because some people can just still do it, but you can be ready to discover it and address it quickly and efficiently with minimal losses. Would that kind of be the same type of thing?

Danielle Mckinley:
Yeah. And I think it’s like, look, everybody likes to pivot, turn and run away from compliance because it’s a topic that most people aren’t experts on. It’s not exciting. I mean, if you’re having trouble sleeping, go to hhs.gov and just start reading and you will be fine. You’ll call us immediately.

Danielle Mckinley:
It’s really about where do you want to spend your time? Do you want to gamble and take on that chance? And if you want to be the peer you aspired to or that started their own DSO and they’re growing and you’re like, “They’re doing a podcast and how are they doing all these things,” they’re doing it through delegation and automating things within their practice. And compliance is something that’s absolutely … there’s no reason it shouldn’t be delegated.

Ryan Isaac:
Totally agree. Where can people find the HIPPA Chick and reach out and chat with you if they want to?

Danielle Mckinley:
Yeah. My favorite place is Instagram and my handle is @thehippachick. Again, HIPAA is two As.

Ryan Isaac:
One P, two As.

Danielle Mckinley:
It’s H-I-P-A-A and I put a ton of free content out there that helps guide. And I’m always happy to take questions. I am the most passionate about helping. And until I’m rich enough to be a philanthropist, I love giving back to practices and helping them simplify this.

Ryan Isaac:
That’s totally awesome. I think that shows in the way that you like to educate. I mean, it’s not easy to take a subject like compliance and be like, “Let’s make this fun and exciting,” at least enough where someone will do something about it. And I think you’re doing a great job with that, so that’s cool.

Ryan Isaac:
Danielle, thanks for joining us on the show today. And if you have any questions for her, go find her on Instagram, the HIPAA Chick. And Danielle, have a great time. And thanks for tuning in everyone. Thanks for listening. And we’ll catch y’all later. Take care.

 

Practice Management

Get Our Latest Content

Sign-up to receive email notifications when we publish new articles, podcasts, courses, eGuides, and videos in our education library.

Subscribe Now
Related Resources