This Dental Specific Podcast is dedicated to the Dental "Entrepreneur". Michael Dinsio, Founder of Next Level Consultants, delivers #TRUTH when starting up a dental practice. From the very first step to getting the keys of a dental practice, Michael shares his raw & unscripted playbook with you. Not only does this podcast provide you with "What To Do" but more importantly "What Not To Do". With over 15 years of experience & over 150 past clients, Michael delivers an educational and informative program in a real and genuine way. Start w/ Episode 01 - as we go through a STEP by STEP process.
00:20
All right, right, guys. Welcome to another episode of Startup Unscripted. This is Mike Dinsio, founder of Next Level Consultants, as you all know. And today we've got an incredible speaker today, a guest and a friend of mine that goes back with me many years. It was great catching up to you before the show started. Danielle McKinley with Office Safe. You may know her as a common name of the HIPAA chick.
00:50
So if you don't, Google that and you'll find her. But she is the HIPAA queen and keeps you all safe from getting into a mess with HIPAA. And today we're just gonna kind of break that down today because you know, as you all know, Startup Unscripted is all about getting open and getting into business. And we worked through that entire process from start to finish and now you're open. It's kind of why we did the Encore series.
01:20
We're encoring it. And these are the things you need to think about. There's lots of things that are going to come at you as you are open. You need to be thinking about how to protect yourself. You need to be thinking about all kinds of stuff. So today is a good episode to discuss HIPAA because we've got the expert on the phone. So Danielle, welcome to the show. Thanks for being here. Thank you. Thanks for having me. Heck yeah. Heck yeah. So give us the rundown. And by the way, I tend to lose people.
01:48
There's statistics on this stuff. I tend to lose people inside two, three minutes if we're not super dynamic and fun to listen to. So how would you describe what you do today and how you help people in a 30 second clip? Go. Yeah. So we know that was not fun, right? So don't go away yet, but easy. And easy equals
02:10
fun. So I would say in the 30 seconds, what I do is I simplify compliance so that you can focus on treating patients, running your practice and enjoying time with your family, all knowing that hey, if something happens, my practice is covered. Sweet. So that's good, because nobody else knows about this stuff. And I'm glad you do. So let's get let's just get right into it. So what are like
02:37
Walk us through this journey of HIPAA because it's this like thing that everybody's scared of. Nobody really knows how to handle it. We know people are walking around with clipboard somewhere out of some office in some downtown. We don't want to get busted, but we also know that the odds are probably pretty low. Just give us the rundown. What's the story in the HIPAA world? What are you supposed to be doing? Yeah, so obviously HIPAA is kind of like the IRS. Like nobody likes you, right?
03:05
So it's okay to like the HIPAA chick. I'm the good guy that helps you or good gal, if you will, that helps you navigate everything. So the way that I put it in the simplest of terms is just like you weren't taught how to file your taxes in school, but you file them because of the risk. Same concept. You weren't taught how to navigate HIPAA compliance in dental school, but it's something that comes with the career path.
03:29
And really, you know, it's not just about you and protecting yourself. It's also about your patients and protecting their sensitive information. So if you, when you think of it on that, that side, it makes you a little bit more like, okay, let's get this going because you want your information to be protected at all of your provider's offices as well. Yeah. Yeah. No, that's, that's huge. So, all right. So let's get into it. What are the common, the most common things people screw up? How do people get busted? Like,
03:59
What are the most common ways my clients, my audience will get busted if they don't secure this or shut this down, lock it up? What do people do? How do they get busted? Yeah. So how, how penalties arise is three main ways: breach, audit or investigation. What are each of those? So an audit is totally random. It's our government's way of enforcing the laws. And if you get selected for an audit, it's, it's similar to tax, a tax audit.
04:28
Right. Investigations are going to be more likely. These are going to be a lot more common. Those are brought on by complaints. So something happens at your practice. Maybe a patient overhears your front office team talking badly about another patient and they file a complaint about that. Or you accidentally sent me Danielle McKinley's information and you had to notify both of us. And now Danielle McKinley is upset because I saw her information. She files a complaint.
04:55
that can trigger an investigation where they start to look at your compliance requirements. The most common thing that's happening still today is ransomware attacks. So cyber attacks, and then you're having to address those. And in doing so, you're not following the notification requirements and boom, now you're subject to penalties and additional costs. All right, wait, wait, wait. That last one went right over my head. So ransomware is definitely something that I've heard of. You almost have to like be...
05:25
I don't know. Um, you have to be like an expert at just that to understand what you mean. So ransomware, so break that down a little bit more. So yeah. Yeah. So ransomware statistically, it's like not a matter of if, but a matter of when in business and not just in dental, like for all businesses, it's a problem right now. And ransomware is a virus or a malware that gets into your system.
05:52
It locks down all of your computer stations. You would basically come into the practice and it would say, you have to pay X amount of dollars by this time, or the amount goes up and you can't get into your systems. They're locked. They're literally, they're literally taking your life over and, and, and, and holding you hostage to it. Yes. And what's
06:14
not so commonly understood is that they don't always ask for outrageous or absurd amounts of money because their goal is to get paid. So the problem is, that if you just pay them, they can come back for more. You don't know what they have access to. And so of course your first phone call is going to be to your IT person. Hey, my computers are down. I can't get into the system. Once they get the ransomware virus out, you're required by HIPAA law to run a third party forensics to make sure that
06:43
data wasn't accessed or exposed when they were holding it hostage. And if it was, that triggers the breach notification laws under HIPAA. And you need someone that you can count on, or you need to have an understanding of what are my state law requirements for response and my federal requirements. And if you don't know those, then it can cost you big time. See, this is it. This is why no one reads about this stuff. It's so deep. Okay, so...
07:12
So someone's hacking in, get in, they hold your stuff's hostage, they ask you to pay, you pay them, they might hold your hostage on something else. And you pay them it I'm assuming they're just trying to milk milk it until you fix the situation. Do pay them. So here if there's anything you learned from today's presentation or today's podcast, ding ding ding ding golden nugget, don't do not pay the ransom. Do not pay it.
07:41
Okay, it's, it reminds me of like a, I, Never Split the Difference. It's a great book. Right. You've okay. And it reminds me of like the him he's an FBI ex FBI agent and and he what's his name? I was gonna go to his workshop one of these days. I can't think of it. Have to go. Yeah, I was gonna say like, is it? Yeah, so so it's a it's a he's a professional negotiator.
08:07
And, um, you never pay the ransom, right? That's, that was that. And so he's got all these great stories. And anyways, I don't know why I thought about that sidebar, but don't pay, don't pay. Hire Lee, Liam Neeson to come in and take care of it or AKA Danielle McKinley to handle this situation, the HIPAA chick. Okay, cool. So, so I, I assume that you probably fly pretty closely with a lot of decent and reputable IT firms. Yes.
08:37
Absolutely. Yeah, we have a ton of partnerships with IT firms because we complement one another. So there's there's the physical controls, the technical controls and the administrative controls when it comes to compliance requirements. So they're covering the technical we're doing everything else. And when working together, all your bases are covered. Okay, cool. So when do usually people reach out to you guys like
09:03
Okay, wait, wait, let's back up. I just jumped on the third one. Let's talk about, let's go back to the first two. So the first one, um, was what again? You said there were three, the ransomware was number three. What was number one and two? So, the, of the ways things can happen. The PIF. Yeah. Investigations. Okay. So audit, um, that's probably pretty low and, and, and, and, and probability, but it could happen. Yeah.
09:29
you get that call the time because your clients and they're like, yes, I covered there. But walk me through that because I've actually heard that they're going to crack down more. Are they cracking down more? Is this a thing? Are they hiring in more army of people? Like what's that? What do you know about this audit? Yeah, no, definitely. So I don't know. We haven't seen an increase. We are hearing the same thing, but we haven't seen an increase on the audit side.
09:57
What we do see are the investigations that stem from complaints and an audit. Yeah. I mean, an audit and investigation are, the same. You're going to go through the same process. It just means that an investigation was triggered by an actual event where an audit is just totally random and you got unlucky in the process. Okay.
10:21
The thing is though, is we hear about like the really big occurrences. That's what hits media. And so then we go, oh, we're only hearing about, you know, a couple a year. But if you go to HIPAA, if you actually Google HIPAA wall of shame, you will see breaches. The only ones that go on there are ones that had exposures of 500 or more patient files or patient records.
10:45
but you will see that there's all kinds of occurrences happening every single day. And then the investigations, don't, those, there's no way to like publicly see those, right? And people are going to like really be like, Hey, so I recently got investigated by HIPAA, right? That's not something that is exciting or social currency to share. You don't hear about it as much, but we see it in my field. Certainly. Of course. Yeah. It's, it's like the life insurance, insurance rep.
11:15
He's always hearing about death, right? Every single day. Okay, cool. So so the audit, the actual random audits happens. You haven't seen an uptick, but we've heard that there's going to be one. We haven't seen it. But the the absolutely I being in a a the practices every day, having having our clients run their business every day, we get
11:41
negative Google reviews that we need to respond to, we get the patients that are threatening things we like next level gets all of those complaints and how do you handle that and whatever. It's not too far fetched for me to think that a patient gets pissed off at you about billing or something and they're like, how do I fuck these people over? Right? And then they and then they and then they report it. So same with employees, I bet you employees.
12:09
pissed off employees probably do it too, right? Well, yeah, there actually is a whistleblower incentive for health and human services. So people get crafty, right? When they get upset, they find stuff and there is an incentive where that employee or that patient really on the employee side could make money by blowing the whistle on your lack of HIPAA compliance. Is that a lot of money? I, you know, I
12:36
It is a range just like everything like a hip was so great, right? So, but it's if someone's upset enough and if they're on purpose so that if somebody's willfully neglecting the HIPAA laws, there is an incentive to, you know, call into that. That's terrible. It's hard enough to run a business. Yeah. And if we have to worry about people being incentivized, like you literally could be a mole.
13:05
and work at all these offices and figure it out and then quit and get a check and go somewhere else. You can create a little business by this. It's terrible. I think that people would catch on after two or three of them though. dental industry is like a big, yeah, it's like a big, you're a big fish in a small pond. Like it's just, it's so tight knit. It's true. It's true.
13:28
Well, okay. So, okay. So those are the three risks and the, the scary stuff. And that's how you get busted. Do we want to talk about like what you guys do to protect them from these three? Is that, is that where we should take this? Why don't you tell us a little bit about like, yeah, you know, like for me, I feel like all of these compliance, you go to a webinar or a CE or you go to a seminar at a conference and it's all the scary stuff.
13:57
Right? Like there's no reason to be scared. This is something that's actually pretty easy to address for your practice. And I think, yeah, talking about the scary makes you understand the why behind it. Right. But there's also, Hey, we can take care of this in a simple way. So here's another golden nugget for the listeners. Something that you can do to understand where you're at and where you need to go is take a risk assessment. Risk assessment is mandatory every single year.
14:26
It helps you stay abreast of changes because HIPAA is a moving target. So the law is always evolving. There's updates to policies and procedures, training requirements, those sorts of things. So taking a risk assessment is going to check a box for you in the requirements and also help you understand like, what am I doing well? What vulnerabilities do I have that I need to address? And how do I go about doing that? And that's something that I give away totally complimentary, no.
14:56
no obligation to do anything. I just simply want to help you get on the right path of understanding. Let's, um, compliment complimentary to office safe. Let's go ahead and put that in the description of the show here of a link. Um, if you could provide something and then we'll put that right in the description below and go take your risk risk assessment, save that in your favorites and do it every year. Yeah. Every year. Yeah. Okay.
15:26
And then, you we can talk about some common things that like you could check on right now today that if you're not doing them, you have big exposure that you'd want to button up. So let's go over like the next top two. So it would be your training, your staff training. How are you training your team? There's a lot of times where training kind of gets pushed under the rug because you hire someone from industry and you're like, oh, they know it. They know compliance. They've been in the industry.
15:53
Health and Human Services doesn't care how long they've been in the industry. They wanna know three things. Do you have training information? Can you prove what that information is that you're using to educate so they can verify that it's compliant? Is there accountability? It was not exciting. We've all agreed to that, right? So we're dozing out, we're checking email while we're being trained. Did you verify your team understood it? And then they wanna see acknowledgement forms.
16:19
And that is going to protect you in those incidents where complaints are filed. Because one of the first things they're going to ask for is your staff training. Yeah. It's like HR. Got to keep up on your HR folder. Yep. So the three things is your content up to date. Do you have accountability and a way of measuring understanding and have they signed the two acknowledgement forms? Okay. Those are the three things. So you're going to help organize and facilitate this. Yeah.
16:46
Absolutely. So with the risk assessment, you'll get the information if you want a free consultation where we can help walk you through it or talk through questions specific to your practice. No problem. Okay. Then the third thing that you could do right away is ask yourself, am I prepared? If these things happen, do I have a plan? Because the last thing you want to be doing is scrambling. You want to be able to continue to run your practice as normal if a ransomware attack, an audit or an investigation happens.
17:15
So how you do that is by making sure you're prepared with an incident response plan and you have some understanding of who to call, what to do, how you're going to navigate it. And that's something else, you know, we can talk through and help with. And what kind of goes with that is having a cyber and data breach insurance policy. If you do not have a cyber insurance yet, it's like the number one used insurance policy in the healthcare industry. Is it expensive? Get it.
17:43
It depends on where you go, right? Like with anything with insurance, that insurance is something that we can help with too, that gives you specific coverage for things like a ransomware attack, a HIPAA incident, a HIPAA audit, things like that. That seems like a really good way to go. If you're negligent, they cover you for damages, I assume. Yeah. The insurance company.
18:09
Yeah, no. So here's the thing. So the big takeaway with insurance is that that's that would that would that would be the insurance that I would buy like if I could create that business next. That would be awesome. Okay, that's where to go. But in all seriousness, we all you know, this you see it with your clients and their patients insurance companies always try to do what not pay, not pay.
18:33
or really limit the amount that they pay on. Cyber and data breach insurance is no different. So I'll give you a couple of tips if you start shopping. you want to ask- of tips today, folks. You got your pen and paper. If you don't, you're going to have to rewind this episode and get it out. Okay, more, go. I like it. Here are the tips. So you want to ask them if there are sub limits. A lot of people run around going, oh, I have a million dollar policy.
18:59
but you may only have a sub limit for incident response coverage of 50,000 in that policy. That's not enough. So ask about sub limits. You want to ask about underwriting requirements. So meaning like if you file a claim and you don't have proper data backup, proper firewall, proper HIPAA compliance in place, does that mean your claim is ignored? So there's an out for them if you have one small.
19:28
Oh my gosh, of course. I hate these insurance companies. Terrible. Okay. So those are a few tips with the insurance, but if you haven't gotten that coverage yet, do so. It's more likely to be used than it, than any other policy. And you'll, and you'll help make sure, do you guys offer that insurance or you at least help broker it of some sort? Yeah, we do. Insurance comes with our solution and it, it
19:55
is designed so that the insurance underwriter of our program has already confirmed that everything that we give you through OfficeSafe to get your practice compliant meets the mark. So it eliminates that, if you're not doing this, we're not gonna cover you. Got it. Got it. Okay. Wow. All right. So that's a lot to take in today. Should we start cracking jokes so we can keep people here? Let's do a joke. How many good dad jokes?
20:25
Dad jokes. I mean, I'm usually the butt of every joke because I'm a dad. no, I don't. Let me think here. Hmm. Do you have one on top of your head? No, I, you know, I wish I was a comedian. I, my son's a big, um, Mario and Luigi fan right now. He's he's just so into it. And I heard the worst joke today when I was getting this coffee and, and, and I think it could actually work for my son. I know he's four. He might not pick it up, but, um, what
20:56
What's Mario's favorite pair of pants to wear? Mario's favorite pair of pants to wear. I don't know, the red ones? Denim, denim, denim. Oh, that's so bad. So bad. But I think Alexander would love that one. I don't know why, I have it out. Test it out today. Told you it's a bad dad joke. Bad dad joke. This is super helpful.
21:24
Okay, so when do you guys get involved? Like, let's say that someone was doing a startup and they're not open yet. Is it about the same time that they open is when they're going to start wanting to sign you guys on? Or obviously you could be brought on to the team at any time. But specifically for startups, since you're creating something from scratch, when's the perfect time to do this? So perfect sweet spot is
21:52
30 to 45 days before you open because once you open, you're drinking from a fire hose. It's crazy town, right? So this allows you to get everything in place beforehand. And a lot of times my startup clients will have already found their office manager and it's something that they can task them with prior to opening. And then you have, as you start to expand your team, because you're getting more patients and you're thriving, you have like the training solution in place and it's just automated. Yeah.
22:21
Okay. So as a teaser for the acquisition unscripted podcasts, and if you haven't listened to that or, or heard of it, jump over to acquisition unscripted, it's all about acquisitions, but I'm thinking, um, when I do a lot of due diligence and that we can just tease them on that other, that podcast, if you guys folk, if you guys want to check that out, um, I always do chart audits and I'm looking at practices and my first thing that I look at is how old windows is.
22:50
Because if Windows is too old, I know isn't the rule Windows 10. Yes. You can't. Okay. So walk us through that folks. So, so folks, if you work out of practice, sounds like you can get a bonus for turning your boss in. I'm joking. I'm totally joking. Uh, but what I, how do we know what are some things to quickly see like Windows to just tip off that we probably would fail the test.
23:21
Sure. So, and that's the thing is that when your IT provider is telling you need to upgrade certain things, it's not because they want to make money. It's because they want to secure your practice. They want to make sure that if there is a claim filed on your cyber policy, it's not going to get denied because you're on unsupported software. So really that's what it is. When you're on an out of date version of Windows, it's no longer supported. So just like you get software updates on your iPhone,
23:49
It's the same concept when they're doing the updates, that version is no longer supported. So the updates aren't happening. Think of it like if you went on vacation and you left your garage door open and the door into the house was unlocked. That's the equivalent of working on an outdated version of Windows. That's a problem. That's a problem. Okay. So Windows 10, it's impossible to be HIPAA compliant, correct? Correct. Windows 11? Yes. It could be. Okay.
24:18
So that's an easy one, folks. Pull it up, look at the settings, Windows 10. Yeah, no good. So that's an easy And you're like the IT providers or whoever you're working with, that's one that they're definitely gonna mention to you. And what I see a lot of times, especially in older practices or acquisitions where they're acquiring something that's older, they're trying to save money. So they're like, no, I don't wanna do that right now. And the IT provider isn't telling you to do that just because it's...
24:46
there's a reason behind it and it's for your protection. benefit of a startup, right folks? Like, I think we always talk about this. I feel like I do in my head anyways, but I have a lot of conversations about like, what are the pros and cons of acquisition versus startup? I help people do both. But one of the biggest pros, of course, for a startup is everything's brand new, you get to set it up, and it's your systems and it's your team and it's your patients, it's your marketing, it's your equipment, everything you got to pick.
25:14
Beautiful. It's exactly the way I would want it. No patients day one. No cash flow. That's a problem. Acquisitions. Totally different. You're inheriting someone else's stuff. Other people's teams, other people's patients, blah, blah. Location, lease, can keep going on and on. So but you are you do have cash flow. And that's that's huge. So pros and cons right there. But for a startup, start off right.
25:44
talk to the right people and you'll get squared away. Yeah, that's great. Yeah, I mean, I always say that like, I always you'll hear me say this often that successful people always have two things in common. They deeply understand their strengths and weaknesses and they've mastered the art of delegation. So if you know those two things, you could probably be successful in either one because if you're if you're going through an acquisition, you're going to know what you need to outsource.
26:13
so that you can focus on where you're going to be the most valuable to your business. And if you're a startup, you get to already pick and choose those vendors that you're outsourcing to versus inheriting them. Right on. Leave. I mean, you gave us so many tips. I usually say like, give us one final tip, but you've given like 100. So is there any final comments on what we've discussed today? I you could probably talk about this stuff all day. This is why she's called the HIPAA chick.
26:40
Lots of stuff to talk about with HIPAA. Maybe anything you want to offer or maybe a link below that says schedule with to get a consult or any final comments or things that you want to give my folks. Sure. Well, first, you know, just thank you. And I think that the number one thing is don't let compliance be a nuisance or a burden. It doesn't have to be that you can work with someone fun. You can outsource it and make it easy and focus on what you like best. And I would be
27:09
happy to give a free consultation, a 30 minute consultation. I'll give you a calendar link where you can schedule. And then we've got that free risk assessment for you. If you take that in advance of the consultation, it'll be a much better use of your time. Yeah. And we promise no terrible dad jokes, right? No terrible dad jokes. We'll be more prepared for the comedy. I'm afraid of the comments that I'm going to get about Mario and his denim, denim, denim. I can't read them. This is to be horrible.
27:40
Well, Danielle, thanks for being on the show. It's a pleasure. We'll have you on Acquisition Unscripted to talk about acquisitions. So stay tuned, folks. But without further ado, folks, just chime in on the next one. We're going to keep these coming. But below is going to be all Danielle's contact information, probably your website, just some cool stuff. Definitely that test. Don't forget that, Dan. You got to send me that. OK.
28:05
We'll have that below and folks do it. It's a great resource and she's there for you if you like dramatically fail that test. So right on? Yep. Thank you. All right guys. Take care until next time.