Thursday, August 10, 2017

Six Ways to Improve Data Security at Your Practice

A married couple — both doctors who shared a medical practice — almost divorced over a HIPAA breach that blindsided them when a patient called to say that her medical records appeared in a Google search and she was filing a lawsuit.

The orthopedist of a small practice didn’t want to fund the cost of an IT service provider to make sure his network was secure.  Instead the doctor hired his cousin who earned his IT stripes fixing performance problems on his own laptop.  Unfortunately, the family member never updated the practice’s malware software and patient data ended up on a rogue server.  Now it’s being held for ransom. 

The Smaller the Practice the Less the Compliance

For medical practices with 20 or less employees, doctors are often reluctant to spend money on HIPAA security than larger practices.  Importantly, the latter will have a compliance officer who makes sure HIPAA rules are followed, employees are trained, and policies and procedures are up to date. 

Doctors running small practices don’t believe they’re at risk for a data breach so they ignore the same steps taken by the compliance officer.  Meanwhile, it’s ordinary human errors that could take down the practice.  An employee leaves his tablet in a taxi or thieves break into the office and steal two laptops that contain patient records.  Or the doctor loses his laptop and keeps it under wraps since he thinks he hasn’t stored any patient records on it, so no one needs to know.  However, a disgruntled employee who was terminated gets revenge by reporting the practice to the Department of Health and Human Services’ Office of Civil Rights (OCR).  The OCR accuses the practice of having a breach and hiding it, and calls for an investigation. 

These are all real world events that have sent medical practices into a tailspin.  Doctors call a HIPAA compliance expert in a panic because they’re now caught in the web of the OCR and scrambling to prepare for an audit.  Worse yet, these compliance risks were right under their noses.

The Practice Needs As Much Care As the Patients

The risk of a data breach can be as life threatening to the practice that doesn’t protect its data, as the risk of lung cancer is for the patient who chain smokes.  Think of a data breach as a disease and the stolen laptop causing pain and suffering, and eventual death, which could all be prevented.  Doctors should think about data breach prevention and care for their businesses with the same commitment to disease prevention and care for their patients. 

When a practice fails to perform a security risk assessment or ensure that his employees used strong passwords, not long after he is convincing OCR auditors that the breach was an accident.  He has to hire attorneys to complete the audit and there is no budget left to invest in more network security, or cyber insurance. 

HIPAA Compliance Made Easy for Small Practices

There are some simple steps small practices can take that will take far less time than preparing for an OCR audit:

- Perform a security risk analysis — Analyze how patient information is currently protected. How often does the practice perform data backups? Is there a termination procedure when an employee leaves? Do employees have the minimum level of access to patient information? Are all portable devices encrypted?  Are medical records protected in case of fire or flood, or lost or stolen laptops that contain patient information?

- Train employees — Make sure they know how to spot phishing scams and suspicious links in emails, recognize fraudulent “IT experts” who call in to upgrade an operating system.  They should also know to avoid conducting business on public Wifi, and minimize sharing on social networks.

- Inventory patient information — Locate where all patient information is stored. It could be an EHR or a word document in the form of patient letters, or excel spreadsheets as billing reports or scanned images of your insurance carrier’s explanation of benefits (EOB).  This information resides on desktops, laptops and mobile devices, and should be encrypted.

- Employee data theft — Employee theft of information is one of the leading causes of HIPAA breaches in small organizations.  An employee steals patient information and opens a charge account at a local department store.  The patient finds out and sues the practice for not protecting her electronic protected health information (ePHI).  Employees should have minimal access to EHRs — only the information they need to perform their duties.   Also data logs should be checked.

- Breach Response Plan — Is there a response plan in place in case a breach does occur? The plan should include who will be on the response team, what actions the team will take to address the breach, and what steps they’ll take to prevent another similar breach from occurring. Make sure the plan is documented and all employees are trained on what they need to do.

These few actions can make the difference between being sued by patients for a data breach and gaining their confidence that their doctor cares as much about their health as he does for their security.

Source(s): https://www.hcsiinc.com

For more information on this and other healthcare compliance topics related to HIPAA, OSHA, Medicare and HR, simply email your questions to
visit our website at or post a question on our LinkedIn group at:

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Thursday, July 27, 2017

HHS Launches New Video Training Module for HIPAA Patient Right to Access

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it has a new video training module for health care providers.

According to HHS, the new training module provides an “in-depth review of the components of the HIPAA right of access and ways in which it enables individuals to be more involved in their own care.” The training module provides helpful suggestions about how health care providers can integrate aspects of the HIPAA access right into medical practice. This activity is intended for primary care physicians, obstetricians and gynecologists, pediatricians, and nurses.

The goal of this activity is to review components of the Health Insurance Portability and Accountability Act (HIPAA) right of access and ways in which it enables individuals to be more involved in their own care.

Upon completion of this activity, participants will have increased knowledge regarding:

  • The components of the HIPAA access right, including an individual's ability to direct a copy of their health information to a third party, including a researcher 
  • How the HIPAA right of access enables individuals to become more involved in their care
Information about training materials can be found on the HHS website here:

The video module can be found here:

The module contains a video (approximately 37 minutes) titled “An Individuals’ Right to Access and Obtain Their Health Information Under HIPAA” and features Devan McGraw, the Deputy Director for Health Information Privacy at the US Department of Health and Humans Services. The video talks about why privacy protections are important, but mainly focuses on the patient’s right of access, including:

  • what fees that can be charged
  • whether records may be sent unsecured at the patient’s request
  • how quickly the records need to be provided to the patient upon request
  • which records can be excluded from a patient’s right to access
  • an individual’s ability to have a copy of his/her health information sent directly to a third party.

Upon completion of this activity, participants will receive free Continuing Medical Education (CME) credit for physicians and Continuing Education (CE) credit for health care professionals. In order to receive credit, it is required to have a Medscape user ID and password, which is free to sign up. There are no fees for participating in or receiving credit for this CME.

Additional Training Materials and Resources

Helping Entities Implement Privacy and Security Protections

The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities.’s Guide to Privacy and Security of Electronic Health Information provides a beginners overview of what the HIPAA Rules require, and the page has links to security training games, risk assessment tools, and other aids.

Patient Privacy: A Guide for Providers (login required), is an educational program for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules. Physicians can earn free Continuing Medical Education (CME) credits and health care professionals will receive Continuing Education (CE) credits.

State Attorneys General Training materials provide a more comprehensive overview of HIPAA compliance:

Want to learn more about the HIPAA Privacy & Security Rules? Sign Up for the OCR Privacy & Security Listserv

OCR has established two listservs to inform the public about health information privacy and security FAQs, guidance, and technical assistance materials. We encourage you to sign up and stay informed!

For additional information about HIPAA Privacy and HIPAA Security training for your self and your staff, please contact Healthcare Compliance Solutions Inc. (HCSI). (801)-947-0183


To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Tuesday, July 18, 2017

New I-9 Form Available As Of July 17, 2017

U.S. Citizenship and Immigration Services (USCIS) has released a revised version of Form I-9, Employment Eligibility Verification, as of July 17, 2017. 

Instructions for how to download Form I-9 are available on the Form I-9 page. Employers can use this revised version or continue using Form I-9 with a revision date of 11/14/16 N through Sept. 17, 2017. On Sept. 18, 2017 employers must use the revised form with a revision date of 07/17/17 N. Employers must continue following existing storage and retention rules for any previously completed Form I-9.

Revisions to the Form I-9 instructions include:

  • Changed the name of the Office of Special Counsel for Immigration-Related Unfair Employment Practices to its new name, Immigrant and Employee Rights Section.
  • Removed “the end of” from the phrase “the first day of employment.”

Revisions related to the List of Acceptable Documents on Form I-9 include:

  • Added the Consular Report of Birth Abroad (Form FS-240) to List C. Employers completing Form I-9 on a computer will be able to select Form FS-240 from the drop-down menus available in List C of Sections 2 and 3. E-Verify users will also be able to select Form FS-240 when creating a case for an employee who has presented this document for Form I-9.
  • Combined all the certifications of report of birth issued by the Department of State (Form FS-545, Form DS-1350, and Form FS-240) into selection C #2 in List C.
  • Renumbered all List C documents except the Social Security card. For example, the employment authorization document issued by the Department of Homeland Security on List C changed from List C #8 to List C #7.
These changes are also included in the revised Handbook for Employers: Guidance for Completing Form I-9 (M-274), which is now easier for users to navigate. 

E-Verify User Manual Update

E-Verify recently revised the E-Verify User Manual to include the most current system enhancements and policy updates. The manual has a new look and feel, looks better on the computer screen, and has a more user friendly navigation. Some sections have been reorganized and consolidated to improve the flow and readability of the information. To assist you in identifying the updates, the revised manual includes a Table of Changes.

See the Contact E-Verify page for E-Verify technical support, phone numbers and e-mail addresses.

Visit I-9 Central to get more details and to stay informed of other upcoming changes.

Healthcare Compliance Solutions Inc. (HCSI) clients will also be able to download the new I-9 form and "Handbook for Employers: Guidance for Completing Form I-9" from our website in the "Employment Law (HR)" section found under the in the "Updates/News" link.
To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Friday, July 14, 2017

Hiring and Your Social Media Advantage

Using social media as part of your hiring process will help you find the kind of employees you want for your organization.

Jennifer was hired two months ago by her new boss Sally. Jennifer was an okay worker, but there were some things about her character that concerned Sally and Jennifer's co-workers. She had the skills to do the job, but she was not fitting into her team or the culture of the organization. Sally had thought she made a good hire, but was beginning to doubt Jennifer's longevity with the organization. When it came time for Jennifer's new hire 90-day review, Sally had no choice but to let her go. By this time Jennifer had become a negative influence on her co-workers and morale was beginning to suffer. It was time for Sally to being the costly and time consuming hiring process over again.

Hiring managers are faced with the described situation above far too often. They think they have made a good hire, but soon realize the mistake they made. 20 years ago, hiring somebody who's character and personality does not fit within the organizational culture would be very difficult to foresee. Today, there are resources available through social media that help hiring mangers make more informed hiring decisions.

Why is Character So Important?
When a new employee is brought into an organization, that new employee will have an effect on their co-workers and on the culture of the organization itself. Whether that effect is positive or negative greatly depends upon the character of the the new employee. It is important to take the character of a potential new hire into account before making the hiring decision. Finding someone who has the basic skills and knowledge to get the job done is critical to being able to do the job. With this in mind, if a hiring manager can find a candidate who has good basic skills, not superman skills, but a basic understanding of the job skills and knowledge, but also has good character, then that is a great candidate.

Social Media Resource
When a hiring manager begins to narrow his or her list of candidates down to the final few, it is time to find out more about their character. One of the best places to discover more about a persons character is by reviewing the select candidates social media profiles and posts. This enables a hiring manager to get a basic understanding of the candidates and their character. It is through the language they use, their posts, and how they interact with others that gives the hiring manager look at the personality and character of who they are looking to hire.

Social Media and Privacy
Some hiring managers may say that they do not feel comfortable looking at a candidates social media profiles due to it being perceived as an invasion of privacy. It is important to understand that anything posted online within a blog or social media is not private! Anything posted on the Internet is available to anyone at anytime and cannot be permanently removed. Any type of posting on the Internet, immediately becomes public knowledge. Reviewing someones social media profiles is not an invasion of privacy.

Hiring managers are given the responsibility to bring the best and most qualified new employees into their organization. Having the ability to review social media profiles makes it less of a crap shoot to accomplish this task.

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Wednesday, July 12, 2017

HCSI Interveiw with Buck Parker a General and Trauma Surgeon Episode: 25

Lance King of Healthcare Compliance Solutions ( interviewed Buck Parker, General and Trauma Surgeon at St Mark's Hospital and digital entrepreneur.

Buck Parker was born in Jackson WY. He did his residency at Detroit's Henry Ford hospital, and after a couple of moves to Florida and Wyoming now lives in Salt Lake City, Utah. Buck grew up hunting with his dad and  in field dressing animals became interested in anatomy. His dad and grandpa were carpenters and he enjoyed working with his hands, plus he loved science. He thought about being a doctor when he was 16 and after some detours finally decided to go into medicine when he was 21. He felt that he did better in med school than most of his colleagues because he was older and more mature. 

Digital Entrepreneurship
Buck's family members had their own businesses, so he grew up with an entrepreneurial mindset. His mom and dad had a motel and restaurant. They did things out of box and were ahead of the marketing curve and Buck learned to think creatively from them. He wanted an internet business when the internet first came around and in medical school he researched web-businesses. Between college and medical school he lost 30-40 pounds, so he decided to get into affiliate marketing and sell the product that helped him lose the weight. He told us how he ended up having the most popular website for these products and the company had to ask him not to compete with them. Buck shared with us different methods of digital marketing, including pay-per-click, opt-ins, and content creation and curation.

When he first started out, pay-per-click (PPC) was a cheap and easy way to get people to find your webpage. PPC is where a company pays a host website money every time a  user clicks on the company's ad. Another PPC method is where a company 'buys' search engine words so that when a user searches those terms, the company's advertisement will show up first on the search list. As time has gone on, PPC marketing has gotten more expensive. Buck recommends looking at other avenues that are more accessible.

One of those methods is opt-ins. Anytime a company offers something for free in exchange for a customer's email address, it is utilizing opt-in marketing. Social media platforms are essentially opt-in based, because users click “follow” to receive information and offers from a company. Buck says that as long as you give good content, you can eventually offer a product or service to purchase, or you can receive money through advertisers who want to be featured on your page. Many companies do this and he doesn't see why physicians can't do the same thing. He says, “If you can be informative and entertaining, you'll gain followers.” The purpose of opt-in marketing is to give value. His company's goal is to give 10 times the value of stuff the customer buys, so if they buy $1000 worth of stuff, he wants to give them $10,000 worth of content.  Buck knows that most people are scared of giving too much because people won't buy their stuff, but he says that good marketers give more than average.

Content Creation and Curation
A related method that Buck touched on was content creation and curation. This method works with social media. You can either create your own content, such as photos, videos, and articles, or you can curate a collection of related photos, videos, and articles created by other people. He has found that curation is much easier and effective than creation. Buck told us about his Jackson Hole Vacation Instagram account and how he's found ways to successfully attract advertisers.
Buck says the most important thing is to spend time figuring out what platforms work for your specific services/products. He subscribes to Gary Vaynerchuk's idea of 'day trading in people's attention' and that every time people's attention moves to a new thing, there's another opportunity to be the first person there. The current trend of attention is moving from Facebook to Instagram to Snapchat. Buck looks forward to staying on top of the social media marketing curve throughout these changes.

Personal Habit of Success
Throughout the interview, it was apparent that throughout his life, Buck Parker is a persistent person, who doesn't stop looking for the next challenge. It was no surprise when he said persistence was his personal habit of success. He says you have to hold on to the things you like and that drive you. For him, surgery and internet marketing drive his passion. Buck watched his parents try to do everything themselves and they were never able to grow their businesses as big as they could have. He realized that he has to give up micromanaging and find the right person to take care of the details so he will be free to build something else.

Three Absolute Truths
  1. Be kind because everyone is human. It's the right thing to do and you'll be happier for it.
  2. Always be yourself. Be authentic and don't worry about what people say. Embrace whatever makes your life fun.
  3. Be awesome. When you have positive energy, (like picking up trash when no one is looking), it piles up and makes you feel better which makes you be able to do better things for the world.

Buck Parker, Bio

Dr. Buck Parker is a Doctor and Entrepreneur. Dr. Buck is a General and Trauma Surgeon in Salt Lake City, Utah. He is from Jackson, Wyoming and is an avid skier. He did his medical school at St. Matthews University School of Medicine in Belize. He then did his General Surgery residency at Henry Ford Hospital in downtown Detroit, MI. Dr. Parker has been an entrepreneur since residency when in 2007 he built a successful business selling exercise DVDs and equipment based on internet marketing and search algorithms. Since then he has been interested in how current technology can shape and improve our lives and society. Dr. Parker’s mission is to use this knowledge to spread the positive message of personal accountability for overall societal improvement, using social media and internet marketing techniques. With this mindset change, ordinary people can achieve greatness

Thanks to you all for watching, following, and listening! Please contact Lance King at with all your healthcare compliance questions! He would love to help you out. Make sure to follow Lance on LinkedIn and catch the weekly Doctor Entrepreneur podcast. Make it a great day!

Help Us Spread the Word!

If you enjoyed this episode of the Doctor Entrepreneur podcast, please head over to iTunes, leave a rating, write a review, and subscribe.
Subscribe to our YouTube Channel.

Buck Parker Interview

Doctor Entrepreneur Interview Playlist

Monday, July 3, 2017

HCSI Interview with Stephen Parker of The Profitable Dentist Episode: 24

This episode of Doctor Entrepreneur featured an interview with Stephen Parker, Editor-in Chief of The Profitable Dentist Magazine, President of Excellence In Dentistry, Founder of Dentiva Consulting, and Founder of WhiteRock Dental. Lance King at Healthcare Compliance Solutions is proud to bring this podcast to you. (

Stephen Parker, Personal Life
Stephen Parker is married with 5 teenagers. He likes to sail with his wife.  He's been a serial entrepreneur and the advice he gives to aspiring entrepreneurs is to start with the end in mind. Steve has always had a passion for business. He started in the restaurant equipment business and watched that industry aggregate and scale. He then grew a telecommunications business and sold it. Twelve years ago he talked to friend about doing something different because he was getting out of the teleconference industry. His friend, a dentist said, “Your next thing should be a dental lab. We pay a lot of  money to them and we hate them all.” Steve took his friend's advice and started aggregating dental labs. He found most owners were great lab technicians but terrible businessmen. And in working with dentists, he saw the same trend among them as well. He decided to go into dental business management consulting.

The Profitable Dentist
Through his consulting work, Steve met Dr. Oakes, founder of The Profitable Dentist magazine. Dr. Oakes had Steve take a look at The Profitable Dentist and see if he could do something for them and he is now the Editor-in-Chief. The Profitable Dentist was started by Dr. Oakes, who realized upon graduating from dental school that he was never taught about actually running a dental practice. He decided to travel around to dentists in his area to speak with them. They talked about best practices, opportunities, and struggles. They decided to start a dental newsletter to reach other dentists. They put an ad in a dental industry magazine, looking for subscribers.
Interest in the newsletter grew so large that they started a magazine.  When the magazine first started, they received a letter from the ADA saying “how dare you put profitable and dentist in same sentence?” Dr. Oakes response was that “Patients are happy to go to profitable dentist.” Traditionally, dentists have been reluctant to talk about the business side of things, but over the last 5 years things are changing dramatically. Steve says people must realize that for dental school graduates, 90 percent are going to be independent business people, and they will have zero training in business. This is where The Profitable Dentist Magazine ( can help. The magazine covers topics such as hiring, firing, payroll, marketing, and other aspects of practice management, as well as providing clinical resources. The Profitable Dentist also holds a yearly seminar, featuring speakers and training in various areas, including business practices and clinical information. Sleep apnea and implants are the two most-requested clinical topics and retirement planning and marketing are the top two requested business management topics. The magazine looks for the best speakers who are on the edge of this evolving industry.

Recommendations to Sole Practice Dentists
His biggest piece of advice is to decide when you want to get out and plan with that end in mind. Ninety-six percent of dentists are unprepared to retire at age 65. Planning to find an associate to sell to doesn't work anymore. Dentists must start building systems and processes to get them ready to retire.  Steve's consulting firm, Dentiva Consulting suggests that dentists look at joining/creating a dental group to aggregate business processes and increase profit margins. He says that we're in the Wild West stage of dental aggregation. The dental industry was originally where most dentists were sole practitioners or a few joined huge dental corporations. Now most doctors choose to incorporate, just in smaller groups than some people imagine. Since the industry only has room for a few “elephants,” most groups are 5-17 dentists and people are happy at that size. The dental practices can aggregate business functions; marketing, supplies, and billing, but dentists can still have control over the clinical aspects of the practice. The DSO model is flexible and allows doctors to create a version that works for them. (Lance interviewed Jeromy Dixson, of Smiles Dental, who also talked about DSO's in this interview.)

Steve says you will mess up every day just remember to not lose the message along the way. His biggest failure was his understanding (or misunderstanding) of how dentists ran their practices. He saw so many practices failing, with no apparent reason. He found that 9 times out of 10, the practice had borrowed too much money and needed restructuring. After the necessary changes were made as suggested by the consulting firm, the practices would get right back into debt, sometimes within the first month after the changes were made. Steve kept thinking that knowledge would be enough to change. He has found that sometimes behaviors are so entrenched you can't fix it through consulting. Now his company takes over those business processes for dentists. He likes that his company is able to evolve as the industry demands.

Personal Habit of Success
Steve says, “Know your numbers. Find metrics.” He believes that anything that's watched and measured will improve. He gets the end-of-day metrics on whatever he wants to improve. He says to let your team know what you're watching. In the role as leader, know what you're working on and make sure to look at it and measure it every day.

Help Us Spread the Word!

If you enjoyed this episode of the Doctor Entrepreneur podcast, please head over to iTunes, leave a rating, write a review, and subscribe.
Subscribe to our YouTube Channel.

The Profitable Dentist Magazine

Doctor Entrepreneur Interview Playlist

Wednesday, June 28, 2017

Patient Authorization

What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?
 Healthcare Compliance Solutions Inc.
The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations (TPO). Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than TPO (treatment, payment, or health care operations), or to disclose protected health information to a third party specified by the individual.

HIPAA requires that certain elements be present on the authorization that the patient is to sign. Whenever you receive an authorization (or “release”) asking you to disclose PHI and HIPAA requires an authorization for the disclosure, use this checklist to verify that the authorization meets the HIPAA requirements. If any ONE of the following elements is missing, you should NOT release the patient’s PHI until you have a valid authorization signed by the patient. If ALL the elements are present, the authorization is valid.

• A description of the PHI to be used or disclosed that identifies it in a specific and meaningful fashion. They may request the entire medical record, all records between specific dates, or other specific items.

• The name or other specific identification of the person(s), or class of persons, who can make the requested use or disclosure. For example, the signed request should list either your organization or someone in your organization by name.

• The person(s), or class of persons, to whom you may make the requested disclosure. The specific entity(ies) to receive the information should be identified. A cover sheet stating who should receive the information is NOT sufficient.

• A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose. The above statement or some other description must be present.

• An expiration date or an expiration event that is related to the individual or the purpose of the use and disclosure. The statement “end of research study”, “none”, or similar language is sufficient if the authorization is for a use or disclosure of PHI for research. Again, the statement must be present.

• Signature of the patient and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

• In addition to the core elements, the rule states that a valid authorization must include:
  1. A statement of the individual’s right to revoke the authorization, in writing, and either:
    • A reference to the revocation right and procedures described in the notice, or
    • A statement about the exceptions to the right to revoke, and a description of how the individual may revoke the authorization
    Exceptions to the right to revoke include situations in which the covered entity has already taken action in reliance on the authorization, or the authorization was obtained as a condition of obtaining insurance coverage. (*Note that if an authorization is revoked it must be fully documented in a separate "revocation of authorization" form/document.)

  2. A statement about the ability or inability of the covered entity to condition treatment, payment, enrollment, or eligibility for benefits on the authorization:

    • The covered entity must state that it may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization, or
    • The covered entity must describe the consequences of a refusal to sign an authorization when the covered entity conditions research-related treatment, enrollment or eligibility for benefits, or the provision of healthcare, solely for the purpose of creating protected health information for a third party on obtaining an authorization.

  3. A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and may no longer be protected by the rule
•    The ability or inability to condition treatment on the authorization by stating either:  
  1. The covered entity may not condition treatment on whether the individual signs the authorization or 
  2. The consequences to the individual for refusal to sign the authorization.  (Remember that there are very limited circumstances in which action can be a condition on a patient signing an authorization.)
•    A statement that informs of the potential for information to be re-disclosed by the person or organization to which it is sent.  The privacy of this information may not be protected under the Federal Privacy Rule depending on whom the information is disclosed to.

*Authorization for marketing purposes: If the requested use or disclosure is for marketing purposes. If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state such remuneration.

The HITECH Omnibus Rule requires a valid authorization be obtained from an individual before the use or disclosure of PHI for marketing purposes involving financial remuneration. The authorization must also include a statement about any direct or indirect remuneration the covered entity has received or will receive from a third party. An authorization for marketing purposes can be included on the organization’s compliant HIPAA authorization form or a separate one may be created.

The following are exceptions to the marketing rule and do not require an authorization:
  • Face-to-face communications from the covered entity to the individual 
  • Gifts of nominal value provided by the covered entity


To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Monday, June 26, 2017

HCSI Interview with Charles Tramont of Meridian Medical Practice Solutions Episode: 23

Lance King of Healthcare Compliance Solutions, Inc ( interviewed Charles Tramont, Founder and CEO of Meridian Medical Practice Solutions (

Personal Life
Charles Tramont is a quick-witted dad who lives in Las Vegas with his 6 kids and his fiance, Candy. His father was an OB/GYN and he watched and learned the ups and downs of private practice. Charles served briefly in the US Army in psychological operations, so when he got out, he went into marketing. Working for a marketing firm, he learned about everyone else's business. He founded several business ventures, including co-founding dual diagnosis center in South Jordan, and a digital marketing company, as well as his current company, Meridian Medical Practice Solutions. He has experienced the roller coaster ride of being an entrepreneur and says, “You don't know how high you can get until you bounce off the tarmac a couple of times.” His successes and his failures have led him to where he is today. Charles heard a quote by Chuck Yeager that impacted his way of thinking. Yeager was told about the number of people who had died attempting to fly faster than the speed of sound and Yeager said that since there was nothing he could do he wasn't going to worry about it. Charles has seen many people who don't get past the starting gate because they get caught up in worry. He has realized that successful people get up and do things.

Today's Practice
Charles says the popular publication which he started, Today's Practice, began almost as a by-product of a different firm that he ran.  He co-founded an organization where they managed associations and membership benefits. He saw the need for easily distributing information to physicians who were part of that network. He bought a domain name late at night and started the trade magazine, and it has blossomed from there. This October, Today's Practice is hosting a conference for physicians, and it will feature an investor symposium for start-up healthcare technologies. The mantra of Today's Practice is to disrupt the status quo in regards to current state of healthcare and patient outcomes. 

Meridian Medical Practice Solutions
Before Charles spoke of Meridian Medical Practice Solutions, he shared a couple of anecdotes about why he started the company. When he was younger, his father came back from Desert Storm after a year deployment and rebuilt his OB/GYN medical practice. A couple of years later, his practice was acquired by a hospital, who held him over barrel professionally and he had to acquiesce to their demands because he had no network for assistance or advice.
Fast forward to 6 years ago when Charles was at a conference with an ad agency client, a podiatrist. The conference turned out to be nothing but web development pitch which every physician who attended had paid $1600 per ticket. He felt like he was in a room with 150 people like his father, who had no recourse for misrepresentation and no one to turn to. He decided to do something about it. He directly went to his hotel room, called his attorney, CPA, and PR firm and said he was creating a new organization that would offer an advisory board-in-a-box for physicians. Over time, they added features and benefits and were approached by a physician membership organization who wanted to use them to manage membership benefits and educate physicians. Now he promotes businesses that add value for physicians and create a win-win business model.

Walk through
The only way to gain access to benefits of MMPS is to be a member of an independent physician organization. If you have not joined and IPA, join and participate. TIPAA (The IPA Association of America) is the best resource for finding an IPA near you and is the best ally in protecting against legislative issues in Washington. One of the benefits of MMPS and an IPA is being able to find out about related service providers and know that they are recommended. The best way to find out more about Today's Practice, Charles Tramont, and MMPS is to visit This website has the basics of what his organizations are all about.

Failure That Shaped Charles
Charles says that in being a true entrepreneur, the list of his failures is long. One good instance is when he co-founded a digital signage company with friends. When they encountered a problem, the only solution they saw was to raise money. They decided on a single, absolute path and because they weren't willing to look at other solutions, they made bad decisions to reach their goal. The moral of the story he learned in this case was to always step out of yourself and weigh other options, then determine the best- and worst-case scenarios. Finally, mentally disown all outcomes to be more open to them all and choose the best option. Another failure that shaped him was when his investment in the digital marketing company went from $7/share to 22 cents/share overnight and on the same day he lost his $250,000 in a bar he had purchased. He went home and was immobilized because of the weight of what had just happened. His significant other, Candy said, “Are you going to sit there all day or get up and start something new?” He got up and through his new ventures was able to recoup the vast majority of his losses in less than year.

Personal habits of success
Charles doesn't think any successful people stop looking forward. He says the secret to happiness is, “Don't argue with idiots,” meaning don't waste your time on people who don't know what you are capable of. He is successful not because of optimism but because of stubbornness. He doesn't know he can't do something, so he does it. 

Three Absolute Truths
  1. Family is everything
  2. Nothing is absolute (besides family being everything), so question everything.
  3. Don't go hiking in Vegas between noon and 4:00 PM.

Charles asked Lance to share his absolute truths. His three truths are as follows:
  1. God exists
  2. Family is number one
  3. Telling the truth will steer you in the right direction

Future of MMPS
Charles says that he hopes his organization will help healthcare have a sustainable and more certain future. He says that MMPS exists to make sure independent physicians focus on their patients and not their mortgage payments. He won't know if he's making an impact until it's long been made and he hopes to be around to see the fruits of his labors.

Charles Tramont Bio
Charles Tramont is the Founder and Chief Executive Officer of Meridian Medical Practice Solutions (MMPS). MMPS is hailed to be the "Preventative Medicine for the Health of Your Practice", and is quickly becoming the membership platform for tens of thousands of physicians nationwide. Early in his career, Charles served in the U.S. Army Special Operations as a Psychological Operations Specialist and Russian Linguist, which created an incredible foundation for his future in field of Marketing and Advertising. After founding and operating a successful marketing firm in Scottsdale, AZ, Charles brought his team and expertise to the Las Vegas market where he developed a solution to declining patient outcomes, through creating a successful environment for today's physicians. Now at the helm of Meridian MPS, he continues to develop innovative methods of educating today’s physicians through physical and web based solutions. Charles is also the Founder and Editor-in-Chief of Today's Practice, a publication that is quickly becoming the dominant voice in changing the business of medicine.

Thank You for Tuning In!
Thanks to our followers. Please share the Doctor Entrepreneur podcast with your friends and colleagues. Follow us on Facebook, LinkedIn, and YouTube, @hcsi. Visit our website for more interviews and helpful articles,

Help Us Spread the Word!

If you enjoyed this episode of the Doctor Entrepreneur podcast, please head over to iTunes, leave a rating, write a review, and subscribe.
Subscribe to our YouTube Channel.

Meridian Medical Practice Solutions

Doctor Entrepreneur Interview Playlist