Keeping Your Practice HIPAA-Compliant with Matt DiBlasi
In the latest episode of How I Grew My Practice presented by NexHealth, special guest Matt DiBlasi, CEO of Abyde, shares firsthand experience on keeping your practice HIPAA-compliant.
Matt (00:22.002): I'm doing awesome Alec, I appreciate you having me.
Alec Goldman (00:24.918): That's great. Well, it's really an honor to have you here. I know we're talking about a topic that at least for me and perhaps for others is a bit of a black box. HIPAA compliance to really, I guess short, short kind of longish words that mean a whole dang lot. But before we jump into it, Matt, I'd love if you could just give a short introduction about who you are. If you give a small introduction about Abyde and what you guys are up to over there.
Matt (00:51.102): Yeah, I appreciate that. So my background is in healthcare IT. We started Abyde back in 2016, but before I was with Abyde, I worked for an MSP based out of Long Island, New York, and we've worked primarily in the eye care space, and it was through that process that a lot of our customers were being audited for HIPAA compliance. And so they were coming to us as an IT company asking for our support, and so for sure there's a technical aspect to HIPAA, but there's a lot more that goes into it than just that. And so as a company, we wanted to make sure we were well versed in what was necessary for those practices to meet standards. And so we really dove into the requirements and really kind of this black box that you're talking about that nobody wants to take a look at. And we kind of parsed it out and looked at it from the eye care perspective. And so really understood what an independent medical practice would need to do to be compliant. And so we started consulting with practices all over the country, but we all know consulting is expensive not only for the customer, but for the business as well. And so we wanted to scale this out. We were seeing a great return in what we were offering. And so in my mind, there was an easier, more cost-effective way to do it, right? Like TurboTax, but for HIPAA compliance. You don't have to be an expert, right? We can give the tools and the power back to the practice. You allow an office manager or a doctor who doesn't know much about HIPAA, right? This abyss. But allows them to implement and sustain compliance programs without having to have that expertise or that knowledge, right? And do it easily. And so like TurboTax, right, you kind of just fill in some profile information and you answer questions, questions that you can understand, right? You know, if you bought a house, you know, if you got married, like big yes, no buttons, right? And so that's what a bot is as well. 
And like TurboTax, it provides you all the documentation you need to meet government standards should it ever be called upon, right? And that's Abyde. It comes down to documentation with HIPAA compliance. And so Abyde allows medical practices to do that. There's a training aspect as well. And really the other areas that practices need to focus on to be compliant, we solve with our solution. But yeah, we launched into that call it December 23rd of 2016. So we like to say January 2017. But again, just with the idea of let's help out some practices, right? We get 6,500 customers first year. That would be awesome. We ended up with like 450 customers that first year. And so we knew we were onto something. Since then, we've just really kind of stepped on the gas and scaled it out. Not only were we in eye care, but obviously now in dental and chiropractic, any independent medical practice environment, we have over 3,500 customers using our solution across the country every day, which is really cool and really love forming partnerships with organizations like NexHealth and other companies that you know are our industry leaders to help get our message out.
Alec Goldman (03:49.322): Well, congrats on all the success. So I'm going to ask you perhaps the question that you may have been asked the most in your entire life, at least in regards to Abyde. But given that HIPAA compliance is a bit of a black box, there's so much that goes into it. If you could just start off by describing, you know, in Matt's eyes, an expert on HIPAA compliance, what is HIPAA compliance?
Matt (03:51.02): Thank you. Yeah, so as I mentioned, like I didn't ever set out to be a HIPAA expert. It was something that, you know, we really dove into when I was working with the IT company. And so I've tried to simplify it in my mind. And I think that's what we've been able to do as an organization is really simplified for our practices, um, in layman's terms, right? So the way that we look at compliance at Abyde, and this is based off of our experience with state attorney generals going through audits, with the Office for Civil Rights going through audits. This is based off of our experience. We know that the government is looking for documented proof that there's a culture of compliance within the organization. And so again, I'm going to use that tax example and try to draw a parallel there as well. And so if you think about taxes, you can pay your taxes accordingly every year, to the penny, but if you don't have the right documentation and you're audited by the IRS, it's like it never happened, right? And so there are specific documents that you need through an IRS audit that they're gonna call upon. There are specific documents when it comes to HIPAA compliance. And so the cool thing is, is the government has done a good job of outlining the first step. And so the first step in HIPAA compliance for any organization, large or small, thousands, tens of thousands of employees when it's an insurance company all the way down to your one doctor practice, it's the security risk analysis. And so that security risk analysis has been outlined as the first piece of the puzzle. And we actually like to look at compliance, especially HIPAA compliance, as a puzzle, right? So if you have a puzzle picture and you have one piece, but you don't have all the other pieces, you don't have the full picture, and you also have to have the first piece to the puzzle, right, the piece that you start with, that kind of that cornerstone. 
And that's exactly what the security risk analysis is. And it is exactly what it sounds like. You are analyzing in your practice what safeguards you have in place to make sure that the sensitive data that you hold is secure. But then they also want you to implement safeguards or standards that you don't have in place. And also, you know, identify those as vulnerabilities. And unfortunately, this is where the problem starts to come, even when a practice is educated, because as a non-HIPAA expert, as a non-CIO or CTO of a major hospital, even though you have the same requirement, when you're not an expert, how do you know when there's vulnerabilities, right? I think most practices out there, if they knew there was a vulnerability when it came to their sensitive data, they'd implement a solution, right? So it's not out of negligence, it's really out of lack of education and knowledge. And so that's where we see like...
executing it is tough, right? So being aware of it's one thing, most practices aren't, but then executing is another. And so, you know, we'll hear all the time, oh yes, we're HIPAA compliant because we do training, right? All we outsource training with Henry Schein. That's great, but that doesn't mean that your organization is compliant. That's one piece of the puzzle that needs to be documented appropriately. If an organization doesn't tell us that they did a security risk analysis within the last year, they're not compliant. And that's the way the government's going to look at it. So if there was ever an audit, the first thing the government's going to ask for is proof of security risk analysis. And they may ask for multiple SRAs. And so it's not just a one and done. It's an ongoing process as well. You're always analyzing and reviewing your risk, implementing and mitigating solutions as you find vulnerabilities over time, and making sure that you're documenting that appropriately. That is the first step. Now there are other pieces to the puzzle. A lot of practices have heard of different pieces, whether it be the HIPAA manual. Oh, we have a HIPAA manual, we're HIPAA compliant. That's great. But what documentation is in that manual? And so if I draw back to my tax example, the security risk analysis is like a tax return. Kind of the big chunky document that gives a full overview of what's gone on over the last year. The additional supplemental documentation is like your policies and procedures for your practice. And so if the government goes beyond your security risk analysis, they're going to ask for policies and procedures that are identified through the security risk analysis. So if you identify in your SRA that you're not utilizing corporate-level antivirus, you can't have an antivirus policy that talks about how your organization utilizes a business-level antivirus, because it's not truth. So they want to see that there's a match there. 
It's through three categories of safeguards that the organization is doing this and pulling together this documentation. So it's physical, technical, and administrative safeguards that they're looking at. So there's more that goes into it than just the IT side. There's policies, as I mentioned, around... onboarding employees and off boarding and termination. And really everything needs to be documented appropriately and that documentation has to match up. So there are additional pieces to the puzzle. A lot of practices are doing a good job with, as I mentioned, like patient authorization forms, right? Getting patients to sign those before they see a physician. We hear that a lot as well. We're HIPAA compliant. We get our patients to sign those forms. And it's like, that's great, but it doesn't on its own, doesn't mean that you're HIPAA compliant. It takes all of those puzzle pieces. So I'll pause there. You might have some questions about some of those, but yeah, there's a lot to take in there. Ultimately it comes down to documentation, the right documentation.
Alec Goldman (09:56.474): Yeah, I mean, it definitely feels a lot like tax. Just obviously, you know, I'm like every other American here who has to pay their taxes. But you kind of leave your undergrad graduate experience having you know, you receive your whether you're working for a company or you're a W2 employee, you're like, what do I do? There's a real lack of education on that specific topic. So my first question is, where do medical practices and doctors, office managers go to be educated on this topic to learn more?
Matt (10:28.638): No, that's the void we're trying to fill. We're trying to educate. And I think that's the biggest problem is that they're not aware of their roles, true roles and responsibilities. I mean, you need to go to a trusted source. The problem is, there's not a ton of them out there, right? A lot of organizations are gonna try to point you in the direction that most benefits them. I think state associations are great. That's why we partner with them because we want to show that we are credible sources of educational information. And so we part with partner with state dental associations, state medical, you know, all the verticals that we're in, because we want to we want to be the voice. We want to be the ones to carry out this message and do it in an easy to understand format. But in reality, you know, we are a lot of times combating some of the mistruths and the misconceptions that have either been, I guess, you know, it's the perception, right? Sometimes maybe it was, you know, stuff is misheard or misinterpreted. And so we're trying to kind of unwind them from some of those, you know, mistruths that they may have experienced in the past when it comes to HIPAA. So in all reality, I wouldn't recommend you go to the government website because it's not easy to understand, right? It's just like taxes. You can find this information out there, but it's just, you need a filter for someone to interpret, interpret it to correctly and digestibly.
Alec Goldman (11:56.674): So as a company that's working with lots of different practices, you mentioned medical, eye, dental. How does HIPAA compliance change from practice type to practice type?
Matt (12:08.746): In all reality it's very similar, right? Those independent medical practices across those verticals have the same challenges. A lot of times they're set up the same ways within those physical, technical, and administrative safeguards. So that's the neat thing about our solution is that it can be utilized across those different verticals and there's so much similarity. So it's typically an office manager or a business manager that's wearing many different hats that kind of wears the responsibility of the doctor and owner typically will say, hey, make sure we're HIPAA compliant. And so the office manager doesn't have a resource or someone to go to. So they're doing kind of the best they can. But yeah, that seems to be the same, whether it's eye care, dental, chiropractic environment, general family physician, those challenges of people wearing different hats and one of those hats being a federally regulated industry is pretty tough.
Alec Goldman (13:04.898): So what is, and maybe this is a silly question, but it's one of these things that practices have to do. Right? And if you do it, you kind of get a check, but if you don't do it, what are the downsides of not being HIPAA compliant?
Matt (13:18.91): Yeah, I think more than anything, when you don't take the onus and you're not proactive in implementing a compliance program that meets government regulations, you put yourself at risk, right? Like, you put your livelihood at risk, you put your practice at risk, you put your patients at risk and their data. And so, you know, we definitely recommend that they protect themselves before something happens. And so when you implement a compliance program, it makes you identify these vulnerabilities. It makes you implement those solutions. And so you can really mitigate your risk when it comes to compliance if you're proactive in that sense. But we see a lot of practices, unfortunately, because they don't know what it truly means to be compliant and what those steps are. They are vulnerable and it can be extremely detrimental. Right. There are so many different aspects of negativity that come associated with a data breach or a patient complaint. Right. So not only do you have the costs associated with the data breach, but potential costs associated with a HIPAA fine or HIPAA investigation that results in civil monetary penalties, which the Office for Civil Rights is levying more and more to independent practices because they're trying to make an example of there's no practice too small. There's no organization kind of, I don't know if you have kids, I've got kids, right? The Paw Patrol, no, no, no pup too, or no, no circumstance too big, no pup too small. No organization too big, no practice too small when it comes to the government's crosshairs. And so fines we've seen range anywhere from 3,500 to a couple hundred thousand just for one or two kind of errors, right? Where maybe just a couple patients or maybe one patient was affected. Maybe it was patient right of access which is going on right now where patients understand that practices have to give them access to their information when requested within a certain timeframe. 
That's not happening a lot and the government is really making an example of these smaller practices that aren't doing that correctly. And so we've seen those large fines in tens of thousands, hundreds of thousands just for not complying with one patient request. And so yeah, I mean, when you add up all the associated costs, you know, we look at it for...you know, from a business perspective, you know, with your patients and work gets out there and bad press and, you know, the cleanup and the time that's associated with it, you're better off getting ahead of it and making sure that you're doing things the right way or the best you can beforehand. And that will mitigate so much, you know, the damage on the backend.
Alec Goldman (15:59.894): Yeah, I mean, that's a serious cost. And obviously not just a financial cost, time, right? Just the amount of time that you'd be dealing with a headache of that magnitude. Yeah, exactly.
Matt (16:07.01): Yeah, opportunity costs we talked about, right? What else did they be doing other than dealing with a data breach to drive, you know, revenue to their, to their business or practice.
Alec Goldman (16:15.742): Exactly. So I know a lot of, or even just hearing from you, a ton of HIPAA compliance is really about data sensitivity of the practice and of the patients that go to the practice. Lots of data today is in software, right? Software like an EHR, it could be a dentrix, it could be a curve, it could be an open dental, right? Or it could be like a patient experience software. It could be a NexHealth, it could be a solution reach, whatever it may be. So how should practices be thinking about the technology vendors that they select in regards to HIPAA compliance?
Matt (16:51.298): That's awesome. Yeah, just a week and a half ago, a business associate, which that's what those organizations that you're speaking of are, they're business associates of the covered entity, a business associate got levied over a $300,000 fine. And so business associates have to make sure that they're doing the same thing that practices are doing with the security risk analysis, with making sure they understand how they store, they transmit, they receive the sensitive data that they get access to, that it's whether it's stored or in transit, that it's being secured appropriately. And so the only way for a practice to make sure that they're working with the right organizations is to get what's called a business associate agreement signed. And so business associate agreements are the responsibility of the covered entity of the practice themselves. It's not the...
the company is not the third party company that's responsible for these, it's the practice. And so the covered entity has to initiate these. A lot of times though, it does come from the business, which is good, but these documents, these agreements are so vital. They offset liability from the practice to the business associate, should there be something that occurs, that's detrimental to obviously the sensitivity of the information that's being stored or transmitted between the two organizations. And so without these, the practice, right, if there's ever a data breach, you know, and it's an IT company, you don't have this in place. It's the practice that's responsible for any of the ramifications that come. And so we can't stress the importance of this enough. If an organization that a dental practice is working with will not sign a business associate agreement, there's a hard line there. We say, do not work with that organization because you're putting your business at risk. It may be a challenge to find another vendor in the same space that provides you the same type of service. It's not worth the livelihood of the organization. And so that should really shine the light on organizations like NexHealth that are making sure that they're doing those things appropriately for their customers. My guess, and I don't know, but my guess is probably NexHealth has a business associate agreement that you all initiate from your side making sure that your practices are taken care of. And you're doing that on their behalf, which I think is really neat, even though it's not necessarily the responsibility of the BA.
Alec Goldman (19:20.77): But it acts as a differentiation for an organization.
Matt (19:24.734): Absolutely. It's one of those things that you can't as a provider, you cannot do business with a business associate that will not sign that agreement. And I guess let me clarify real quick just what a business associate kind of that definition. It's any organization or third party that doesn't work in the in the practice that will have access to or does have access to or potentially may have access to the sensitive information that's within the practice. So in each EHR system. Right, the IT company, even though the IT company is not dealing with sensitive data, when they jump on that network and they're doing some repairs on the computers or whatever it may be, they're running updates, they could potentially have access to that sensitive data and this agreement will make sure that if anything happens, it offsets that liability from the practice.
Alec Goldman (20:14.718): And Matt, just for everybody listening in, sensitive data meaning, so I know certainly we're talking about medical forms, so birth date, address, consent, but what else is classified as sensitive data?
Matt (20:31.03): Protected health information is the technical definition. There are 18 identifiers of PHI. So anything from first name, last initial, or last name, first initial, email addresses, phone numbers, anything that can be tied back to an individual person, right? Obviously social security numbers, even medical numbers that within a database are connected to a name, right? So even if it's just a number, if at some point it's ever connected to a name, then that number would be considered protected health information. And so there's a long laundry list there. And that is something that you can easily find online to really dig in. But I think a lot of practices are surprised to hear email addresses, right? We've been through it with one of our practices. They accidentally on a was an eye care practice and they sent out, because they're retail about a sale that they had going on for lenses, instead of blind carbon copying, they CC'd all of their patients. And so because of that, all the emails were exposed at that point. And so that was considered a data breach. They did a great job of getting ahead of it. We helped walk them through the investigation process. And because they had the right documentation in place, there was no penalty given, right? And so that's where the government has grace. And again, not to kind of change the subject here, but they will have grace in the case that you provide the right documentation to show that you're proactive.
Alec Goldman (22:03.426): I mean, it's a whole lot of information at that point, right? I mean, you're talking about if you're booking online, talking about digital forms, you're talking about the messaging, even at imagine, uh, recorded phone conversations for the sake of the practice learning and being able to hold themselves and their teams accountable, all would fall under the category of sensitive data. Um, so I mean, it is, it's a serious thing. I mean, it's your patient experience.
Matt (22:16.074): Yes. It's everywhere. And some people may say, you know, like what is it to somebody, you know, an email address from a dental practice got out. The thing is there is that how is the government supposed to delineate what is considered sensitive and private, right? And so for you, your email address may not be a big deal if it gets out. If it's a celebrity, probably a big deal, right? And so it's one of those things that you kind of got to look at it from all perspectives. We had to think with, I think it was Kanye West a few years ago and somebody leaked the fact that he was in a rehab facility or a mental facility, right? And so, you can't say, well, only for psychiatrists, only for psychologists, only for, you can't start keep carving that out. And so that's why the government is very adamant on if you provide medical services and you're immersed financially for those medical services, then you need to make sure that the information that you have access to, whether you feel like it's sensitive or not, is stored correctly and stored securely, because it's not up to the practice or the covered entity to determine that. It's really up to the patient.
Alec Goldman (23:41.278): Matt, we are at the 23 minute mark. Podcast triangle for 25. I know, and I bet you, I mean, knowing how much is under the HIPAA compliant box, we'd probably go for a whole nother episode. But I do wanna make sure that you have kind of a last moment here. Just to kind of share what your big takeaways that you have from founding Abyde and all the practices that you've been working with. I get to tell you, at least from my behalf, it's like, wow, if I'm a dental practice, you know.
Matt (23:44.757): That's it. I feel like we just got started.
Alec Goldman (24:10.75): I'm hearing that there's tremendous fines, the opportunity cost, what can I do? But I do want to leave it to you, what are your last thoughts here?
Matt (24:18.082): I mean, I would just recommend to dig in and make sure they take it seriously. You know, it's one of those things, we're all patients somewhere. We don't want our information getting out, right? We all sign off on privacy policies and all that stuff, and we know our information gets shared out. We all know it's annoying, right? But when it comes to the medical information, you know, when that stuff is leaked, I mean, you're talking about stolen identities. It can really be detrimental to us, to people's lives, right? And so as a covered entity, like I would just recommend take the responsibility. It's nowadays, the solutions are inexpensive enough. You utilize efficient solutions like an Abyde to implement the documentation, right? On the security side, you work with a wise IT company that understands your environment, understands the dental market, understands your challenges. They're gonna get you set up the right way. We have organizations that we work with across the country that can help on the security side. So it's not so overwhelming that it can't be accomplished, but you have to do it strategically. You have to do it the right way. Do it the right way the first time. It's gonna avoid any damages down the road. But ultimately, I think making sure that you're meeting government requirements is a good thing for our healthcare system and then obviously for our patients out there as well. Making sure that their information is staying secure.
Alec Goldman (25:44.562): Awesome, Matt. For everybody listening in, if you have any questions on HIPAA Compliance, you know who to go to. Matt, CEO of Abyde, thank you for joining us today. Obviously, we got a, I'm sure we have another episode ahead for us to do together to deep dive into HIPAA Compliance again.
Matt (26:00.994): Awesome. It was a good time. I appreciate it, Alec. You too.
Alec Goldman (26:03.17): Thanks for having a good day.
Welcome to How I Grew My Practice, a podcast presented by NexHealth. In this episode, we delve into the complex world of HIPAA compliance and security risks with our guest, Matt DiBlasi, CEO of Abyde. Join us as we unravel the complexities of HIPAA compliance and gain a deeper understanding of the challenges and solutions in ensuring data security in the healthcare industry.
Simplifying Compliance through Documentation
Matt emphasized the need for simplifying HIPAA compliance by breaking it down into manageable steps. The first and foundational step in achieving compliance is the security risk analysis (SRA). Just as paying taxes without proper documentation is insufficient, organizations must provide documented proof of a culture of compliance. The SRA helps identify vulnerabilities and implement necessary safeguards to secure sensitive data.
Education and Knowledge Gaps
Lack of education and knowledge often poses challenges for organizations striving to achieve HIPAA compliance. According to Matt, “no organization is too big, no practice is too small when it comes to HIPAA compliance.” Even with good intentions, practices may be unaware of existing vulnerabilities and how to address them. To bridge this gap, trusted sources of educational information are essential. State associations, such as dental and medical associations, can provide reliable guidance and support in understanding HIPAA compliance requirements.
Consistency Across Practice Types
While different medical practices may have specific nuances, HIPAA compliance requirements remain largely consistent across various healthcare verticals. Office managers and business managers typically shoulder the responsibility of ensuring compliance, and they often face challenges due to limited resources and expertise. Implementing a comprehensive compliance program that aligns with the physical, technical, and administrative safeguards can mitigate risks and ensure compliance.
Non-Compliance Penalties
Failing to prioritize HIPAA compliance can have severe consequences for practices. “You put your livelihood at risk, you put your practice at risk, you put your patients at risk and their data,” says Matt. In addition to financial costs, such as fines and potential civil monetary penalties, non-compliance can result in reputational damage, patient complaints, and time-consuming regulatory investigations. Being proactive in implementing a compliance program helps identify vulnerabilities, mitigate risks, and avoid potential breaches.
Choose HIPAA-Compliant Tools
Selecting the right technology vendors is crucial for maintaining HIPAA compliance. Third-party vendors, known as business associates, must also adhere to HIPAA regulations. Practices should establish business associate agreements with vendors to ensure they handle sensitive data appropriately and implement necessary security measures. Recent cases have shown that even business associates can face significant fines for non-compliance, underscoring the importance of due diligence in vendor selection.
Conclusion
HIPAA compliance is a complex yet vital aspect of healthcare practices. By following the strategies highlighted by Matt, organizations can simplify compliance through documentation, seek reliable educational resources, maintain consistency across practice types, understand the downsides of non-compliance, and make informed decisions when selecting technology vendors. Prioritizing HIPAA compliance not only protects sensitive patient information but also safeguards the practice's reputation and operational efficiency.