Blog, Live Events February 3, 2026

HIPAA Notices of Privacy Practices Update – Sam Collins


Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors. We suggest you watch the video while reading the transcript.

Well, greetings. All my friends, members, doctors have been to seminars and so forth. I welcome you. We’re into the new year, and of course with the new year there’s always things that are updating. I wanna make sure, especially, that network members are paying attention, ’cause we wanna be careful. Is there some hyperbole that happens among our profession on some things?

You bet. Let’s talk about what’s going on. Let’s go to the slides. What’s happening for HIPAA in 2026? Because, man, I’ve gotten a lot of emails to this and a lot of people saying, Sam, what’s going on? I’m nervous. What do I have to do? Because many times, you gotta remember, fear sells a little bit. I get it.


And they’re trying to make you react to something. Maybe they solve the problem. So here’s an email that I got and it said, Hey, Sam, happy New Year. Hope all is well. But I see a sudden surge of emails about the new HIPAA laws that go into effect 2/16/26. Now, I’m gonna tell you, don’t get mad at me. He doesn’t spell HIPAA correctly.

I know that, but I didn’t wanna change his email. And he is saying, is this accurate? Or just marketing hype? And I’ll say, let’s remember, there is always gonna be hyperbole, but the context, let’s go back to the basics of HIPAA. What is HIPAA about? Keeping records private. In the old days of paper only records, that was relatively simple in some ways because there was no easy way for someone to get them other than breaking in your office and stealing them.


Now, because we have things electronic, there’s a lot more safeguards, and that’s really kind of part of it. But then there’s also new rules, and so this is where we have to be careful, because there are new laws, did come into place or will be coming into place in a week on 2/16, about changes. But this is where I always have to say it’s about context.

I’m always gonna be a little centric, quite frankly, when it comes to any of this. So let’s talk about it. What are these updated requirements they’re talking about? ’Cause they don’t really make it clear. They just show you gotta make a change. The deadline is February 16th, but these updates chiefly concern heightened confidentiality protections for substance abuse disorders and reproductive health privacy. So there are changes if you’re doing, dealing with patients with substance abuse and you’re dealing with substance abuse records, or you’re dealing with reproduction, somehow you’re dealing with any type of reproduction, use of birth control, abortion, whatever.

There’s extra safeguards that have to be in place to protect because, obviously, different states have different rules. They wanna make sure how things transfer. So again, ultimately with the idea of keeping patients’ records more private and it’s more about just how records are to be handled. We have to change the privacy notice essentially this, if you were handling these records, you would put into the patient that there’s additional safeguards and additional rights of privacy.

They have that they can make a rule. They don’t want anyone to receive any type of information for reproductive rights that’s outside of the state, let’s say. So the reality is for us is not hyperbole. It is, it’s really more the reference. So do we really need to change our privacy practice notice? No, not unless you’re dealing with access rights to substance abuse disorder and reproductive health.

I just don’t see that happening much in a chiropractic office. If it is you’d have to make some updates. I’d say as a network member, contact me. We’ll talk about what you need to put there, but I just don’t see it as one. So for most practices, it’s more just letting people know there’s changes, but there’s updates every year.

Just be careful. You do not need to change your patient privacy notice. Now, let’s also keep in mind. Let’s say a rule like this happens and you do need to update your privacy notice, you really do. You’re like, oh, I need to update it. Does that mean you have to have all patients sign a new one? It does not.

They’ve signed the original and what I would do though is post the most current for someone coming in, they wanna see it. ’Cause if you think of it for all of us that sign those HIPAA privacy notices many years ago, have you noticed you’ve never signed them again when you’ve gone back in? And there’s a reason for that.

Now, if there’s some new things happening, of course, update. Make people aware, but always be careful when someone states that I want to keep HIPAA in a short way, a review, and here’s part of your compliance. He’s you need to do a HIPAA review. Compliance. We’re doing it right here. What are the basics of HIPAA?

What do we have to protect? Protected health information. So the patient’s name, their date of birth, social security number, diagnosis, treatment notes, billing, and in other words, their records. Now, this applies to everything, and remember when we first started with this, people said it only applies to electronic records.

No, it applies to everything, including verbal. This is why if you go into a hospital and you get on an elevator, you notice everyone shuts up because they might have been speaking about it when no one else is on there later. But as soon as someone that’s not involved have to keep quiet. So we do have to keep it private, but always keep in mind even when there’s things, then when they’re requesting records, always think of minimum necessary.

So when someone says they need a data service, what do we send them? A data service. Don’t put more here would be the rule. If you’re not sure what to send the least possible. That you think is going to be needed because it’s easier to send more if needed because once you send everything, we can’t get it back.

And of course we have to have administrative safeguards. We gotta have someone that’s the privacy officer, which is probably the doctor, but could be a staff. And we’re gonna conduct a risk assessment. That’s partly what we’re doing right here. If you said if you ever did a risk assessment, yeah, you did it in the short time with me.

Make sure everyone’s getting some initial and annual type of HIPAA training. Just updating, probably going through it again, making sure everyone’s on board with it. Make sure there’s some sort of written policies. I’m not saying you have to have a big, giant manual. Small office can have one, but there should be some written protocols that a staff person should they have an issue, they can show they’ve been trained in it.

If you’re dealing with outside vendors billing services, make sure, of course you’re using a business associate agreement and make sure by example things where you’re doing email. Is your email HIPAA compliant? Unless you’ve got a paid email, the Google Suite or ones through Microsoft or the paid ones, those aren’t HIPAA compliant.

Be careful. And then of course, if there’s any problems, we have to make sure to have sanctions, or at least how do we fix it? What do we need to change? It’s obvious there’s physical safeguards. Secure your charts. We don’t leave a chart out on the table for everyone to look at.

If there’s screens that are visible, make sure the screens are turned. Or I recommend a little privacy screen. Those are easier ’cause unless you’re looking straight on, no one can see. You don’t want anyone catching information to someone else. And then of course, just don’t leave things unattended, like leaving things out on the door or on the table.

And for the most part, you don’t have to lock a cabinet, but you know what you should be doing. Making sure that there’s no access to it. If you have your charts behind the desk, that’s fine. There should be some physical safeguards, no one’s allowed back there. And then of course, just maintaining records within the time limit.

Some are gonna be seven, some could be 10. But realize once records are older that they can be destroyed. Shred them. Do them with a cross cut. Make sure that no one can get access to them by trying to piece it together. Not that I think people do that, but make sure they’re properly shredded. And then of course, this is the bigger area for technical safeguards.

Every staff member gets their own unique password. Don’t have everyone log in the same way. There should be an automatic log off. I know my computer logs off probably after five minutes when I don’t touch it. You may even make it sooner for a front desk. And then make sure everything’s encrypted, laptops and otherwise, most machines come that way.

But check to make sure and then make sure that, does a person need access to that? If you have a person that only does appointments, do they need access to the billing part? Maybe not. And the reason why I don’t, I’m not saying they’re trying to do anything sinister, but what if they don’t understand how the protection is?

And then make sure that if anyone’s using any type of personal device, which many of us do, you gotta make sure, is that personal device really gonna fit that it’s gonna be safe? Obviously, make sure everyone signs a privacy practice notice. Now, once they’ve signed it once, don’t have to update, but if you’re making a new one, make sure any new patient comes in with that and make sure that people are made aware that they can have an ability to amend or request copies.

I don’t realize they can’t really amend it. They can put a little addendum if they will. Okay. And when someone wants their records to be kept confidential, honor it. This is why often cash practices have the most HIPAA compliant practice ever. The reason why, if you never want someone to have access to your medical records, pay cash.

When you pay cash, an insurance company has no access to that. They better get a subpoena or something so that way people can do things. I’m gonna keep that private, I’m just gonna pay cash. And of course, make sure if there’s some type of disclosure to have an authorization, something signed by the patient so they don’t come back later and say, Hey, I never said you could do that.

You’re gonna show no, you signed for it. Bottom line is we’re doing things to keep records private, and it’s not that hard. Common sense. Avoid discussing patients in public areas. Don’t speak too loudly. I’m loud enough. I always have to be very careful. Identify before releasing information. If you’re getting a request for records you don’t trust, it’s okay to question it.

Again, it’s easier to allow records to go once you can verify it than to pull them back. So if you’re not sure, just say no. And it says, use discretion when calling patient’s name or leaving voicemails unless the patient said it’s okay. I had a patient once that didn’t want their spouse to know. So you gotta be very careful.

And then before you send anything, verify who I’m sending to the fax number. And again, I’d be very careful of email unless you know that’s the person you’re sending to and their side is confidential. This is why Dropbox and things like that. The other way to think of it is keep it simple. Keep it private, keep it in a way that, making sure that I’m gonna send just minimum necessary.

You don’t have to send everything. If they want a data service, send that data service. It’s not as fancy as people think. What we’re here to be is always your support, so realize that when hyperbole happens, check with us first. Network members, of course, reach out to me. If you haven’t done a meeting in a while, let’s get going on it, but this way you can understand that some of the stuff you’re receiving.

Come check with us, make sure we’re here to help. ChiroSecure is your partner, as I am. We always wanna make sure your practice is doing well and staying up to date. Until next time, my friends.
