The Accounting Podcast

Our great time at Sage Intacct Advantage 2019 continues, as we take some time to talk with Mariana Antcheva, VP Legal for Sage Intacct. We dive into all things HIPAA, privacy, security, compliance, and some of the newest regulations that may impact accountants and bookkeepers dealing with sensitive client information. Mariana, one of Sage Intacct Advantage's highest-rated speakers, began her legal career in Bulgaria, moved to the States, developing a wide range of expertise and skills in the SaaS and tech sectors revolving around IP strategy, e-commerce, privacy, and compliance.

Show Notes

  • 01:08 – Meet Mariana!
  • 01:46 – What's a lawyer doing at an accounting conference? 
  • 04:22 – Mariana takes us to school on HIPAA
  • 06:38 – Why should accountants and bookkeepers care about HIPAA? 
  • 06:58 – There are three types of entities that fall under HIPAA protection - healthcare providers, plans, or clearinghouses
  • 08:19 – Any accounting system that contains names and addresses of patients must comply with HIPAA Privacy and Security rules
  • 10:09 – Which apps in a healthcare accounting ecosystem DO have to follow HIPAA rules? 
  • 12:20 – When dealing with collections for medical accounts, HIPAA rules get so complicated that it's best to consult with legal advisors to know exactly how to proceed
  • 13:40 – Sage took a detailed approach to implementing HIPAA compliance in its 2018 product offerings | Sage Intacct 
  • 16:06 – There's no official HIPAA compliance certification, but there are vendors who will provide independent assessments of a firm's compliance level
  • 17:47 – HIPAA is no joke. Violations carry significant civil and criminal penalties! 
  • 19:27 – Mariana shares a few facts about the California Consumer Privacy Act | Californians for Consumer Privacy 
Episode Art Photo Credit: 
  • April Blankenship
    • https://twitter.com/aprilblnknshp
    • https://twitter.com/aprilblnknshp/status/1187023281687130112/photo/2
Get in Touch

Thanks for listening and for the great reviews! We appreciate you! Follow and tweet @BlakeTOliver and @DavidLeary. Find us on Facebook and, if you like what you hear, please do us a favor and write a review on iTunes, or Podchaser. Interested in sponsoring the Cloud Accounting Podcast? For details, read the prospectus, and NOW, you can see our smiling faces on Instagram!  


Creators & Guests

Host
Blake Oliver
Founder and CEO of Earmark CPE
Host
David Leary
President and Founder, Sombrero Apps Company

What is The Accounting Podcast?

The Accounting Podcast (formerly the Cloud Accounting Podcast) is the world's #1 accounting, bookkeeping, and tax podcast! Join us weekly for a roundup of accounting news, analysis, and interviews. Plus, earn free NASBA-approved CPE credits for listening with the Earmark app. Learn more at https://earmarkcpe.com.

This episode of The Cloud Accounting Podcast is sponsored by Teampay. Wouldn't it be great if you had a way to automatically enforce spend policies and gain full transparency into requests for funds all the way to reconciliation? Or what if you could do that while empowering your employees to buy what they need, when they need it? Teampay gives total control and real-time visibility into spending. Teampay's distributed spend management platform automates the purchasing workflow and gives you proactive controls and real-time visibility over company spend.

Teampay also empowers your employees with a user-friendly purchasing experience. When employees make a request, Teampay automatically enforces policies, issues intelligent payments, and automatically sends the transaction data to your accounting system pre-coded. To learn more about how Teampay modernizes how you manage spending, head over to CloudAccountingPodcast.promo/teampay. That is Cloud Accounting Podcast dot promo forward slash T-E-A-M-P-A-Y.

Mariana Antcheva: Your accounting system, whichever one you use, if it finds itself containing patient names or addresses of patients, will have to comply [00:01:00] with the privacy and security rules of HIPAA.

Blake Oliver: Welcome to The Cloud Accounting Podcast. I'm Blake Oliver.

David Leary: I'm David Leary.

Mariana Antcheva: And I'm Mariana Antcheva, VP Legal of Sage Intacct.

David Leary: Mariana, thanks for joining us. We are here at Sage Intacct Advantage-

Blake Oliver: Live in Las Vegas.

David Leary: Live, recording right in the middle of this major walkway [crosstalk]

Blake Oliver: -the rotunda. People are going from sessions to other sessions, and there's elevators going upstairs. This is a big conference. There's like thousands of people here.

David Leary: I like [00:01:30] to always look at all the sessions and I plow through, and I saw yours, and I'm like, "Why's a lawyer speaking to a bunch of accountants and bookkeepers?" You usually don't see that at the conferences we tend to attend. So, how did you become a speaker at an accounting conference - yeah, Intacct Advantage?

Mariana Antcheva: Well, this is my second Advantage for Sage Intacct. Last year, I volunteered to speak because the GDPR - the General Data Protection Regulation and Privacy Regulation ... quite comprehensive - that came into [00:02:00] effect last year in Europe was something at the forefront of the news, as well as, we were getting questions at Sage Intacct about our own compliance. So, I volunteered to do a session for Advantage, and I ended up, quite surprisingly to myself, even, being the highest-rated speaker at last year's Advantage. This year, the Sage Intacct Advantage team invited me to do two sessions.

David Leary: To defend your title.

Mariana Antcheva: Yes.

Blake Oliver: And, of course, you know, in the world of professional [00:02:30] services, if you do well, you just get more work, right?

Mariana Antcheva: Very true.

David Leary: That's the real world.

Blake Oliver: So, this year, you're speaking on ... What are the two topics you're doing this year?

Mariana Antcheva: I am doing, today, which is Wednesday, October 23, I'm doing the California Consumer Privacy Act; a new California law that's gonna come into effect on January 1, 2020, in California. It's quite comprehensive; privacy-oriented. Tomorrow, I'm going to be talking about HIPAA-

Blake Oliver: That [00:03:00] is the Health Information ... Help me with that acronym.

Mariana Antcheva: Let me help you here. HIPAA stands for the Health Insurance Portability and Accountability Act, which is a federal law dealing with the providers' provision of medical care, as well as the handling of individual medical information called 'protected health information.'

Blake Oliver: So, I have a personal story around HIPAA compliance, [00:03:30] which is that I started my career as a bookkeeper, and some of my earliest clients were in the medical field - occupational therapists, doctors' offices ... Now, I'm a bookkeeper; I'm not a lawyer; I'm not a CPA, at that point. To me, it was like no big deal that we had patient names in the accounting system, and we were tracking their sessions in different ways and whatnot. But I understand that that is [00:04:00] not okay to do, in certain respects, right? We have to keep ... The big picture around HIPAA - we have to keep the patients anonymized somehow? What do we have to avoid doing, I guess?

Mariana Antcheva: As a lawyer, in a typical lawyerly fashion, let me ask you a question before I answer your question. When was that?

Blake Oliver: So, I guess that was like five years ago.

Mariana Antcheva: Okay, so you're asking actually somewhat of a history question, yes, because HIPAA has [00:04:30] evolved over time, especially around the issues that you're alluding to, meaning how protected health information is handled, how secure it has to be, how private it has to be. HIPAA was originally passed in 1996, and at that time, it was passed as kind of a framework that- it was supposed to be filled in over time. The original focus was more on the portability part - portability of health insurance, when [00:05:00] employees change jobs; portability of medical records, when patients change medical providers. But, over time, this framework got filled with also the privacy and security aspects.

In 2004, the Privacy rule came into effect, and it deals, at a very high level, with how private the medical information has to be; with whom it can be shared, et cetera, et cetera. Then, two years later - 2006 - the [00:05:30] Security rule came into effect. It deals with how secure the protected health information has to be protected from unauthorized disclosure or alteration. Then, 2009, another couple big developments. The Breach Notification rule came into effect, and that deals with who do you have to tell, if you realize that protected health information in [00:06:00] your custody has been disclosed without authorization? That is the breach. The other development in 2009 was the HITECH Act. Here, I have to refer to my notes because HITECH stands for Health Information Technology for Economic and Clinical Health Act-

David Leary: Simple, simple ...

Mariana Antcheva: Yeah, very simple. The HITECH Act deals with electronic health records; also [00:06:30] expands the HIPAA Privacy and Security rules to business associates. I assume you were actually a business associate?

Blake Oliver: Right. So, that gets us to the question - why should we, as accountants, care about HIPAA, right? If it's medical information ...

David Leary: We're just touching the money.

Blake Oliver: Yeah, we're just accounting for the business, right? Why do we care?

Mariana Antcheva: Okay, another legal trick, here.

Blake Oliver: Yes.

David Leary: A legal trick ...

Mariana Antcheva: Before I answer this question, I would like to include a preface here-

Blake Oliver: Okay.

Mariana Antcheva: -because HIPAA [00:07:00] does not apply to every single company here in the United States. It applies to what HIPAA calls 'covered entities,' and covered entities, at a very high level, are three kinds. There are providers of health services; there are also health- could be health plans, or healthcare clearinghouses. If you're an accountant providing accounting services for one of these covered entities, definitely, HIPAA has to be at the forefront [00:07:30] of what you do-

Blake Oliver: Because you're a business associate of these covered entities-

Mariana Antcheva: Exactly. Sometimes, it gets missed. A lot of people don't realize that a patient name, in and of itself, or a patient name and an address, in themselves, without further medical information, actually constitute protected health information under HIPAA.

Blake Oliver: This is what I had no idea about, as a bookkeeper, is that ... I don't know what the reasoning was, but I [00:08:00] think whoever set it up thought, "Okay, well, we're not including any medical information in this file; it's just names and addresses for invoices."

Mariana Antcheva: This is a very common misconception.

Blake Oliver: Right ... I can't even have that in the accounting system unless the system is compliant with those data protections. Is that what I'm ...?

Mariana Antcheva: Exactly right. Your accounting system, whichever one you use, if it finds itself containing patient names, or addresses [00:08:30] of patients, will have to comply with the Privacy and Security rules of HIPAA.

This episode of The Cloud Accounting Podcast is sponsored by Bill.com. As a listener, you've probably heard Blake and I speak about Bill.com on numerous occasions. It feels like they are discussed monthly in either new news or new announcements, but I'm betting there are some things you don't know about Bill.com. Did you know customers use the Bill.com platform to process over $70 billion in payments for the 2019 fiscal year? That they partner with several of the largest U.S. financial institutions, like Bank of America, PNC, and Chase? More than 70 of the top 100 U.S. accounting firms use Bill.com.

Bill.com not only connects to all the popular accounting-software providers, they also connect to many of your favorite apps, as well. To learn more about how Bill.com's AI-enabled financial-software platform creates connections between businesses and helps manage cash inflows and outflows, head over to CloudAccountingPodcast.promo/bill. That is Cloud Accounting Podcast dot promo forward slash B-I-L-L.

Blake Oliver: That excludes [00:09:30] the vast majority of accounting software available on the small business market. I've looked into this ... Nothing that's selling direct to ... The products that you would get at Office Depot are not HIPAA-compliant, generally ...

David Leary: So, then, I see this ripple effect, because obviously, we're at Sage Intacct Advantage today, and there's all those apps on the Expo floor, and they tie on to Sage Intacct, but they also tie onto all the other accounting systems that are out there. [00:10:00] Now, there's like a ripple effect because maybe the accounting system's HIPAA-compliant, but maybe that time-sheet app isn't. Where does this stop?

Mariana Antcheva: That's an excellent question because you assume that HIPAA follows wherever the protected health information goes, and that's exactly right, that's the concept of a business associate - someone who is not the covered entity, but performs services, or holds information for the covered entity. If Sage Intacct, for [00:10:30] example, our application, were to hold protected health information for our customers, applications that link to it - that's your question - do they have to be compliant with HIPAA, as well, or not? The answer ... Here comes another lawyerly answer - it depends.

It depends, first, on whether protected health information makes it into the other application because, in many cases, it actually doesn't. If it is an application that does, for example, employee [00:11:00] expense reimbursement, there's no protected health information; there's no patient data in that application; so, it won't have to comply with HIPAA. But assuming that protected health information makes it into the other application, then, it also depends because some purposes for handling protected health information are actually outside of the scope of HIPAA, and HIPAA lists what these are.

Examples of that are some [00:11:30] forms of scientific research, for example, would not fall under HIPAA, or what is perhaps more pertinent to our listeners today is processing for financial purposes, such as processes of consumer-conducted transactions by debit, credit, or other payment card, or the clearing of checks, or electronic fund transfers - things like that are outside of the scope [00:12:00] of HIPAA.

Blake Oliver: Okay.

Mariana Antcheva: It is a very complicated set of rules, almost like playing chess-

David Leary: Like collections, I imagine, too, because the way collections works, a lot of times, is you ... That patient didn't pay you; now, you turn that over to a collections agency and sometimes, they sell it to 50 other collection agencies. I mean, technically, that's the patient, but sounds like that - based on what you just said - all of a sudden is not as covered.

Mariana Antcheva: Well, we'll have to delve into the depths of the HIPAA regulations to verify where collections stand, on one side or the [00:12:30] other. If you have listeners who are interested in that, I urge them to consult with their legal advisors because, again, the rules are so complicated.

Blake Oliver: So, how does Sage Intacct help with HIPAA compliance?

Mariana Antcheva: Well, Sage Intacct announced its HIPAA compliance last year, and it was a kind of an involved process for us-

David Leary: Almost a decade after-

Mariana Antcheva: Right.

David Leary: -after the HITECH standards were put in, it took a decade for Intacct to even announce ... [00:13:00]

Mariana Antcheva: We have had interest by prospective customers asking whether we're HIPAA compliant. So, first, we conducted a customer survey to understand what the actual need is. We realized that the typical use-case scenario for Sage Intacct is when the accounting team needs to process and issue a refund check to the patient. That's when the patient's name and address make it into Sage Intacct. They said, "Okay, there's [00:13:30] need by our customers and prospective customers for us to be HIPAA compliant so that we can address this use case without resorting to some work-arounds."

We engaged with a vendor, Sword & Shield, and conducted gap analysis. We realized that we were already in kind of pretty good shape because we are PCI-compliant; we're SSAE 18-compliant. So, the gap analysis resulted [00:14:00] in a high-19s percentage compliance already. The most probably involved gap that we had was our ability to track not only who has edited accounting information in the system, but also who has accessed it. One of the rights of the patient under HIPAA is to receive information from the covered entity who has accessed that patient's health information.

In [00:14:30] an application such as ours, this turned out to be a pretty significant technical issue. Imagine, for example, you run the report, and the patient information makes it into the report, or you have a drop-down menu which is pre-populated for convenience purposes. That's also considered access. So, we took a very detailed approach. We did significant product developments in our May release in 2018. [00:15:00] We launched the Advanced Audit Trail, which does this advanced tracking of access.

An interesting fact for our listeners, I, myself, last year, had to have surgery at a renowned Silicon Valley hospital. I was given the option to create an account on the website of the hospital, for myself, to communicate with my doctors, to track my prescriptions, things like that. So, per using the website, and my account, I [00:15:30] saw a button - Who has seen my information? I'm like, "HIPAA Access rule! Let me see who has seen my information!" I clicked, and I was so underwhelmed to realize that the system returned only my own log-ins. I'm like, "Uh, amateurs!"

Blake Oliver: Right. Of course.

David Leary: When it comes to HIPAA compliance, obviously, if somebody wants to be a CPA ... You have to go through the bar exam to become a lawyer. Do you just test it yourself, and be like, "Hey, we're [00:16:00] HIPAA compliant," or is there some certification board that's out there issuing stamps/medallions for being HIPAA compliant?

Mariana Antcheva: There is no official certification for HIPAA compliance, but there are vendors who would provide an independent assessment of your systems and processes and would issue a verification whether, in their opinion, you are compliant. Sage Intacct uses Sword & Shield as such a vendor and does [crosstalk]

David Leary: That way, you can push that liability, like, "We hired these guys. They [00:16:30] said we were ..." You can push that liability off of you a little.

Mariana Antcheva: I don't really view it as a re-assignment of liability, but it is something to reassure our customers that we're taking it seriously; that we're continually monitoring and staying on top of it every year.

Blake Oliver: Let's do a hypothetical. I am a CPA who owns a small accounting firm, and I have lots of medical offices that I do outsourced accounting for. We have exactly that situation [00:17:00] that you mentioned, that use case, where we're very careful not to include any patient information in the general ledger. The doctors have their own practice-management software.

We're just recording the income and expenses, except, every now and then, the doctor has to show a refund check. We will cut that check and now, there is a patient name in the general ledger. We're not using a HIPAA-compliant accounting system. We're using something [00:17:30] else. What is my risk? What is the risk I'm running if I just keep doing that? What are the potential penalties that I might face? Because it's very expensive for me to change accounting systems, and maybe I'll just keep doing it if it's not that big a deal?

Mariana Antcheva: Well, from the mouth of a lawyer, it's never a good idea to ignore the law, but that is especially true about HIPAA. HIPAA carries significant civil and criminal penalties. HIPAA takes, [00:18:00] actually, into account the culpability of the company and how reckless, or willful they were in violating the HIPAA rules. So, in really bad cases, the civil penalties can go quite high, up to $1.5 million per year per type of violation. On top of that, there could be criminal penalties for willful violations, going up to 10 years imprisonment. HIPAA [00:18:30] is no joke.

David Leary: I'm trying to think about a poor accountant, or bookkeeper, now. You have to know IRS regulations and guidelines, right? You now, because of Wayfair v. South Dakota, you need to basically understand sales tax nexus at a completely ridiculous 50-state/county/city level, across the board. Now, you have to also know HIPAA laws because your clients might ... The poor accountant or bookkeeper has to know everything now these days-

Mariana Antcheva: And may I add, the California Consumer Privacy Act, maybe- [00:19:00]

David Leary: Oh, yeah, the Privacy Act. That's next! That's next! Privacy Act. Yep. Absolutely.

Mariana Antcheva: Or the privacy laws of about a dozen states that are still in the works but may come into effect in the next year or so.

Blake Oliver: Fortunately, the California act only applies to businesses of a certain size, and the threshold is ... Do you have those offhand? I don't remember.

Mariana Antcheva: That is my presentation in about 38 minutes.

David Leary: All right, we'll have to start a whole new podcast for that!

Mariana Antcheva: It's like, let me give you the number. It [00:19:30] is over $25 million in revenue, or a business that derives more than 50 percent of their revenue from selling personal data, or a business that sells that personal data of more than 25,000 people per year.

Blake Oliver: To me, not to get into this ... This is really a topic for another episode, but to me, the big logistical hurdle would seem to be figuring out how to get all of that customer data into one place because [00:20:00] you have to be able to return it to the customer if they ask for it, right?

Mariana Antcheva: Yes.

Blake Oliver: So, if you have everything in spreadsheets all over the place, it's impossible.

Mariana Antcheva: Very true. Very true.

Blake Oliver: Very difficult, right?

Mariana Antcheva: Yes.

Blake Oliver: All right. Well, I hear that buzz, and I think that means people are changing sessions, and you probably have to get over to your session that you're gonna be leading-

David Leary: Especially with the reputation of being the best session [crosstalk] last year.

Mariana Antcheva: Well, let me first try to defend it this year, and then we will talk again.

Blake Oliver: So, Mariana, we [00:20:30] always ask our guests - where can people contact you/get in touch with you online, if they'd like to continue the conversation?

Mariana Antcheva: Of course. You can find me on LinkedIn - Mariana Antcheva, VP Legal of Sage. I check LinkedIn pretty regularly. Shoot me a message if you would like to connect.

Blake Oliver: Wonderful. Thanks for your time.

David Leary: Thank you.

Mariana Antcheva: Thank you.