Healthcare Compliance: Safeguard Your Community's Health Data in 2024

By Sara Perry
Published On Apr 02, 2024

Discover essential insights into safeguarding your organization’s data and unlocking healthcare compliance in this expert-led webinar by Daxko and Welld. Join industry leaders as they dive deep into the intricacies of protecting sensitive information, including Personal Identifiable Information (PII) and Protected Health Information (PHI). Gain valuable knowledge on understanding the differences between PII and PHI, implementing robust data protection plans, and navigating compliance requirements such as HIPAA.

Key Takeaways

(00:06:12) – Nonprofits Deal with HIPAA Compliance Every Day

Where are you regarding your understanding of PII, PHI and what you all might be doing or not doing? What sensitive information are you currently collecting? Do you have a current protection plan? Do you know if you even need to have specific HIPAA controls in place? Are you doing something a little more lightweight, and just what is the difference between PHI and PII?

Health Insurance Portability and Accountability Act (HIPAA) is a privacy rule that was adopted in 1996 to protect and preserve health information. It defines PHI as data that relates to a past, present, or future health of an individual. It is also related to the provision of healthcare to an individual.

In your case, while you all may not think of yourselves as clinicians, I would say that YMCAs, JCCs, and the like are most certainly in the business of healthcare if you are providing things like health coaching, lifestyle coaches who do DPP, Lead Strong Cancer Survivor Program, and the Fall Prevention Program. You are doing those pre- and post-assessments for those programs and collecting health information with PII.

Some health metrics, some health benchmarks, the production of those programs, that equals HIPAA data because at that point you are now in the provision of healthcare. You are part of the treatment cycle.

Also, you can be construed for the payment or for the provision of healthcare. That means if you have a third-party payer, whether it is an employer or insurance company, who covers any of those services.

Now, you are again in the HIPAA covered-data world regarding this health information. Healthcare operations deal with sensitive details about a patient, including the birth date, medical conditions, and your health insurance claims. And whether you have paper-based records or electronic-based records, make no mistake. You are collecting and maintaining, storing, and controlling HIPAA data on premises.

“Healthcare operations deal with sensitive details about a patient, including the birth date, medical conditions, and your health insurance claims,” says Cassandra Stish.

(00:16:05) – Importance of data security measures

You all might want to think “where are you storing that stuff, and do you have a secure disposal protocol, electronic data security, in the cloud?” That would be Daxko and Welld or Daxko and RedCap or something else. Whatever it is that you are choosing to use, just make sure that you understand your technology partner’s ability. Read the contracts about who’s responsible for what. Is a BAA required? Have you signed one? All those things. Step into this with a little bit of intentionality and your eyes wide open.

Health and Human Services (HHS) has some great easy-to-read guides. You can go on their website and just look at their guidance on data protection and what are some things that you can do to implement. Make sure you have a good protocol in place that protects you and your members.

Then, you might want to consider having a little bit of liability insurance that is specific to this, including some sort of cyber policy if you do not already. While we all like to think about the happy path, we do know that sometimes things happen by mistake. We are not going to say anybody is a bad actor, but this is a world where there is a lot of potential for a cyber-attack or spoofing and phishing emails that result in some unfortunate circumstances.

“We’re not going to say anybody’s a bad actor, but this is a world where there’s a lot of potential for a cyber-attack or spoofing and phishing emails that result in some unfortunate circumstance,” says Cassandra Stish.

(00:23:05) – The Reward of Data Stewardship is Worth It

It is entirely possible that your old data handling protocols need to be dusted off. You might need to identify who your officer is again. I have seen that happen in eight or 10 different YMCAs recently where the folks who were doing it previously have moved on and now there was a vacuum.

So, institutional knowledge must be rebuilt and re-identified. All to say, it sounds a little bit scary. If you are engaging with members through programs or tracking and measuring health outcomes, please know you are collecting information. While these rules might seem a little daunting, I would like to say that the reward from collecting this information is greater.

Measuring the impact of your services from membership through chronic disease programming is critical for you to be able to tell your data story to a wide array of stakeholders, whether it is your members, your donors, your boards of directors, community impact grants, health and health plans, or employers. If you are not measuring it and tracking it, you can never tell your story of how you have done a good job as a good steward and as a good partner in your community.

So, please do not be scared of collecting the data. This whole idea today is to help you understand that you are collecting something precious. It does need to be protected. It is not completely without risk, but the reward is great, and it is one worth taking.

Full Transcript

Wendy (00:00:00)

Okay. Good morning. Looks like we’re live. Welcome to today’s webinar from Daxko and Welld Health. I am Wendy White, I am the Chief Marketing Officer of Daxko and joining me today is Cassandra Stish, Chief Customer Officer from Welld Health, and we’re going to take you through a “skim the surface” overview of PII and PHI, and you’ll learn what those terms are in a minute.

I think the thing I want to emphasize is we’re going to go fast. We’re going to share a lot of information. You can ask any questions at any time, and we’ll interrupt and honor and try to watch the Q and A so that we can interact with you as needed. And do not worry, you’re going to get all this information after the event today.

So again, here we are, our smiling faces, and let’s just keep moving on. Before we get into Welld Health, I just want to emphasize why is Daxko bringing this event to you today? Well, first of all, Welld Health is an amazing partner, and you all have access to Welld through the Daxko Exchange, which I’ll talk about at the end.

But it’s also part of just an initiative we have this year at Daxko to make sure that our Ys understand how we safeguard your data. We want to make sure you understand your data is your data. Our job is just to safeguard it, and that’s through our policies, our practices, including how we partner with amazing partners like Welld to even protect it further when it comes to health data.

So, we’re going to walk through this webinar. We’ll ask questions as we go. And I will circle back at the end and talk to you about how you get access to Welld. And with that, I will turn it over to Cassandra. Good morning, Cassandra.

Cassandra (00:02:09)

Good morning or afternoon, depending on where anybody is in the country. I hope you all either had a good lunch or are currently enjoying one.

I’m grateful to be here today to spend a little time talking about PII and PHI. These are things that are near and dear to my heart because in addition to being the Customer Officer here at Welld, I’m also the Compliance Officer, which means that I take into consideration all the things that we do as a product company in relationship to your needs with regard to data protection.

Now, sometimes when we hear data security (PII, PHI, and HIPAA) and all of that, there’s a subtle or maybe not-so-subtle cringing that might happen. It’s often because we’re wary of the things that we don’t understand, and especially if those things might come with some large consequences if you get it wrong, right?

So, I’m going to start off with just a couple of questions to sort of frame up.

Where are you with regard to your understanding of PII, PHI and what you guys might be doing or not doing, or maybe you want to do more of to protect it? What sensitive information are you currently collecting? Do you have a current protection plan? Do you know if you even need to have specific, like, actual HIPAA controls in place? Are you doing something a little more lightweight and just what is the difference between PHI and PII?

So, let’s go ahead and explore, and this is where the slides get a little meaty, guys.

So, Personal Identifiable Information (PII). This is the first line of information that you collect, and PII is commonly referred to as information that is used to distinguish or trace an individual’s identity, either alone or when combined with other personal identifying information that’s linked or linkable to a specific individual.

Basically, anything that can help somebody figure out or pinpoint who a certain individual is from your records, equals PII. Here’s a really good laundry list of examples of PII on this slide. I’m not going to read them all. You can see it’s pretty exhaustive, but something I want to call out about it, and you might recognize this from some of your normal member onboarding when you’re creating a new membership.

Almost everything in that record is a piece of information that is considered to be PII. You got social security numbers, you might have a driver’s license number, you might have, definitely have first name, last name, address, all those sorts of things, credit card. All of those things are considered to be PII, especially when they’re in combinations.

You got multiple pieces of this information on one single record. This is a classic PII example.

Cassandra (00:05:00)

We have some examples of PII, which are made public. You think about old phonebooks if you’re old enough to remember using those. Those things are coming from the first name, your last name, maybe a little bit of an address and a phone number.

But those are considered to be public, used for the common good and just for society to work. But when you start layering in additional things that are a little bit more private, like driver’s license numbers and those kinds of things, they start tipping into that realm of things that you might need to be protecting. PII is widely stored in your Daxko products, your organization.

If we’re talking about PII, and then now we’re tipping into Protected Health Information (PHI). So PII is collected and stored on a health record like weight, BMI, blood pressure, medical history. Maybe you’re collecting a little bit of medical history on your park use. That collection and storage of all of that together in one place constitutes a health record.

You’ve got PII plus some health information kind of coming together in one place. Now you’ve got a health record for your members that you’ve got logged or stored somewhere. Health Insurance Portability and Accountability Act (HIPAA) is a privacy rule that was adopted in 1996 to protect and preserve health information.

It defines PHI as data that relates to a past, present, or future health of an individual. It is also related to the provision of healthcare to an individual. In your cases, while you all may not think of yourselves as clinicians, I would say that YMCAs, JCCs, and the like are most certainly in the business of healthcare if you are providing things like health coaching, lifestyle coaches who do DPP, Lead Strong Cancer Survivor Program, and the Fall Prevention Program. You’re doing those pre- and post-assessments for those programs and collecting health information with PII.

Some health metrics, some health benchmarks, the production of those programs, that equals HIPAA data because you at that point are now in the provision of health care. You’re part of the treatment cycle.

Also, can be construed for the payment or for the provision of healthcare. So, if you further have a third party payer, whether it’s an employer or insurance company, who’s covered any of those services.

Now you’re again in the HIPAA covered-data world with regard to this health information. Healthcare operations deal with sensitive details about a patient, including the birth date, medical conditions, and your health insurance claims. And whether you’ve got paper-based records or electronic-based records, make no mistake. You are collecting and maintaining, storing, and controlling HIPAA data on premises.

I want to take a minute there and say that there is like a little bit of a line. So, we have this concept, this idea of a covered entity and the business associate.

We have a covered entity and a business associate. Covered entities are obvious: your doctor’s offices, your pharmacies, your clinics, your health plans. These are folks who clearly engage on a day-to-day basis with HIPAA data, because they transact business and healthcare all the time.

But what we’re talking about today is where your organizations, your Ys, are tipping into that space, as part of the continuation of care. So maybe a medical referral is coming into your door for someone for a cancer survivor program or diabetes prevention program. In which case, you would be considered a business associate of a covered entity.

Cassandra (00:09:02)

The covered entity is the clinician, and you are now an associate who’s working alongside them for the care of that patient and you’re going to be receiving information about that patient doing some service and providing information back to that referring provider about those services. You are now part of that health care continuum, which is most definitely covered from end to end by the HIPAA rule.

Whether or not you’re taking insurance doesn’t necessarily protect you from the strictures of the HIPAA statute. Business associates are, if you think about it, like the wraparound services that might support a clinician in the transmission of care, and you can be both.

You could see how organizations might be both, and sometimes they’re both in the same context. You’re wearing both hats at the same time. A business associate is like, “Well, you know, we would come alongside your organization and sign that BAA agreement with you that now allows us to be your data platform to collect and store the HIPAA data that you’ve been receiving from your clinical partners for the covered entities.”

You start to see how this creates the chain of accountability around which HIPAA data is protected. And of course, the HIPAA rule is really good at defining all the way through it, everybody’s roles and responsibilities. This business associates agreement is like the best place to go find who does what in the course of transacting these things, we’re working together with health information.

So, if again, just before we leave from this slide, PHI is a combination of PII plus health data together. Health data in and of itself, without any identifying factors, does not constitute PHI. If you’ve got just a bunch of de-identified health, weights and blood pressures and different things like that kind of tracking maybe population health outcomes without any identifying information, that is not HIPAA.

But it’s when you put it all together with that personally identified information, essentially create a health record that you are now tipping into that space. So, now that we know that when certain information is all combined together to create a health record, here are some examples of the types of things that get combined.

You can start to see you’re recognizing on the left column. There’s a lot of information that exists probably on your standard record in Daxko for your member. But then, you tip over what might happen in a health record, which would be something that’s stored in a platform like Welld, or maybe for some of you who are using RedCap still to collect your information.

This is where the health information is stored. These two things together create a health record. Certifications, license numbers, vehicle IDs, all that stuff, not necessarily health information, but you can see how it tips into a slightly more personal, in particular pieces of data that are more protected. Full-face photographic images, by the way, biometrics and all that, there are some new rules around that, which we’re going to talk about in a second.

I just wanted to point out that if you all are offering programs like exercises, medicine, any of the fall prevention programs, the cancer survivor programs, diabetes prevention, even some of the weight loss programs, if they’re in combination with a medical referral. Do you offer intentional goals-based onboarding where you’re collecting a baseline measurement of weight, a blood pressure, those types of things and tracking outcomes?

Cassandra (00:13:01)

Those types of activities fall under the treatment category of services that HIPAA protects. So, if you provide outcomes back to a referring clinician, you are most definitely staying inside that swim lane and making sure that whole end-to-end data collection, storage, and transmission back to a covered entity is protected.

So, privacy and liability for fitness coaches. Well, I think probably some people on the call are thinking, “I just collect a little bit of onboarding information. I’m just collecting a weight when they start and maybe we’re doing an in-body scan to give them something to go by.” If it is handed that for the individual and you are not storing it, you do not have to worry about it.

But if you’re trying to pull data into your organization and store and capture it for tracking and measuring your outcomes, then you probably need to be thinking about how your privacy and liability protocols at your organization extend out to fitness coaches.

I put fitness coaches here generally really broadly, because I want you to think about it for personal training for your onboarding folks, and then also out into any of those registered dietitians you might be working with, or your lifestyle coaches to do DPP.

Those things are a little bit more intentional or feel like they’re a little bit more classically related to chronic diseases. An organization like a fitness center or YMCA is very much 100% in the healthcare spectrum from membership all the way through to chronic disease management if you’re measuring outcomes.

One best practice to consider avoiding any liability around data collection and working with this data is, do you have a compliance officer, or do you have a data security champion that lives there at your facility who can help design a comprehensive plan that will serve your center and your members for the years to come?

This is a really good way just to start. Assess what are we doing, what are we collecting, and where are we storing it. Do you have a regular compliance review? Annual security audits are really good, document that you do those, a document retention and secure disposal protocol.

I know that recently there was some case law that came to my attention where an organization had a gym with all those bins of the exercise cards that were just available for anybody to open and go find their own and record your stuff.

This is actually a lot of really personal information. This is being left wide open in these unsecure folders for anybody to go rifling through and look at somebody else’s data. They’re saying, you can’t do that anymore. We’re all leveling up. We’re all being more mindful about how we’re protecting information.

Cassandra (00:16:05)

You all might want to think “where are you storing that stuff, and do you have a secure disposal protocol, electronic data security, in the cloud?” That would be Daxko and Welld or Daxko and RedCap or something else. Whatever it is that you’re choosing to use, just make sure that you understand your technology partner’s ability. Read the contracts about who’s responsible for what. Is a BAA required? Have you signed one? All those things. Step into this with a little bit of intentionality and your eyes wide open.

Health and Human Services (HHS) has great easy-to-read guides. You can go on their website and just look at their guidance on data protection and what are some things that you can do to implement. Make sure you have a good protocol in place that protects you and your members.

Then, you might want to consider having a little bit of liability insurance that is specific to this, including some sort of cyber policy if you do not already. While we all like to think about the happy path, we do know that sometimes things happen by mistake. We are not going to say anybody is a bad actor, but this is a world where there is a lot of potential for a cyber-attack or spoofing and phishing emails that result in some unfortunate circumstances.

It’s probably good to make sure you’ve got some coverage there. I want to take another quick pass and mention biometrics on this slide, just because it is a growing space regarding case law and protection and more states are adopting some version of control.

Biometrics and baseline health data, even exercise data, even data regarding sleep, exercise minutes, how often are they running, RPE, all that stuff that we kind of have classically thought are not really health data. It is now coming to be considered health data, or at least biometric data that falls into a protected class of data.

So, even your personal trainers who might be collecting and storing to help their members follow their journey through their training package to see their impacts. If you’re measured, if you’re collecting and storing at some place, you’ve probably fallen under this category of actually protected information.

Just because it’s not a lab from a doctor, or we’re not doing classic medical things with an insurance payer, or we’re not sending claims off to Medicare to be processed, that doesn’t mean you’re out of the space. Just to let you know, California was the first to adopt the Biometric Information Privacy Act (BIPA). We’ve got HIPAA and BIPA now.

Recently, we’ve had Illinois, Texas, Washington, California, New York, Arkansas, Colorado, Connecticut, all of them are starting to adopt similar policies to take HIPAA and just extend it out to say “you know what, HIPAA’s here, but we recognize that there’s like this other band of data that probably needs our attention as well.”

And so, those things are starting to come into play. It is good if you can work with a partner that understands them and can streamline or help you get off the ground with it. HIPAA is something that the YMCA has advocated for largely over the past several years if you’re not using them already.

They’re a really great tool that can help you set up a plan. They’ve got some good templates and some checklists to help you develop and make sure you’re maintaining that plan from year to year. So, if you haven’t checked into that resource yet, I highly suggest that you do just because it’ll give you some peace of mind.

It’s not that we all need more work to do, but we certainly all want more peace of mind. Because this is lunch and learning, I’m trying to get out of here before everybody’s half hour is up. I took all that information to boil it down and did these two simple things.

Does your nonprofit need to be compliant?

HIPAA compliant is sort of a blanket statement. Does your nonprofit collect health data, and do you need to have some sort of security measures around it? It’s kind of what we want to talk about, right?

Yes, if you receive referrals from a medical professional, collecting and storing health information on your members in a health record, weight, blood pressure, heart rate, etc. If you’re submitting claims or invoices for payment to insurance companies, then, yes. You really should be having a rather robust, somewhat hardened and, operationally, it should be transparent.

Everybody should know what SOPs are. If there is a breach, if there is a problem, what do we do? All of that stuff should be dialed in.

And no. If you are processing only third-party payer memberships, like insurance-based reimbursements for memberships, those don’t count. That was an actual exclusion written by the lawmakers that said that check-in data is not HIPAA data, mainly because you’re not using the health insurance policy ID to track that person, ergo Silver Sneakers and Optim. All those guys are aggregators.

They hold the policy ID; they create a fitness benefit ID that then those members use instead of their policy ID. Therefore, check-in data is not HIPAA data.

They’ve tried to create that barrier for you, which is extremely helpful. If you’re not collecting any health information and storing it. If you’re not doing EBHIs or onboarding, where you’re collecting those baseline measurements and measuring outcomes over time, then no.

Cassandra (00:22:26)

You don’t have to worry about it too much. And if you’re not making any medical claims or medical referrals, if you’re not getting things in the door into your programs from any of your clinicians in your community, don’t worry about it too much. I hope that was enough to get you thinking.

This is a lot to think about. If you are thinking about the programs, you have offered or what’s coming up on your strategy, you’re trying to get your program started back up again after the pandemic. Maybe you’ve lost some people over the last several years and are bringing in some new team members to get things going again.

It’s entirely possible that your old data handling protocols maybe need to be dusted off. You might need to identify who your officer is again. I’ve seen that happen in eight or 10 different YMCAs recently where the folks who were doing it previously have moved on and now there was a vacuum.

So, institutional knowledge all has to be rebuilt and re-identified. All to say, it sounds maybe a little bit scary. If you’re engaging with members through programs or tracking and measuring health outcomes, please know you’re collecting information. While these rules might seem a little daunting, I’d like to say that the reward from collecting this information is greater.

Measuring the impact of your services from membership through chronic disease programming is critical for you to be able to tell your data story to a wide array of stakeholders, whether it’s your members, your donors, your boards of directors, community impact grants, health and health plans, or employers. If you’re not measuring it and tracking it, you can never tell your story of how you’ve done an excellent job as a good steward and as a good partner in your community.

So, please don’t be scared of collecting the data. This whole idea today is to help you understand that you are collecting something precious. It does need to be protected. It is not completely without risk, but the reward is great, and it is one worth taking. That’s it for me.

So much information. Cassandra is helpful for many folks here. We’re going to open up the floor for additional Q and A. I see a few already in the Q and A on your screen. You should see a question mark or a place for Q and A. If you could click that and put your question and we’ll definitely address it before I leave the presentation, though.

I did want to emphasize that you all have access to Welld through the Daxko Exchange. You can log on to your Daxko Exchange page and see if you have Welld activated. If you don’t know. If it’s not, then just reach out to your sales team and we’ll make sure to turn that on for you and get that into your integrations.

Daxko Exchange is a wonderful way for you to understand your data, who’s got access to your data and make sure you’re protecting your data. And now, it looks like somebody deleted their question. So, I’m going to just keep my eye on the Q and A.

Q&A – Is Daxko integrated with RedCap through the Daxko Exchange?

Wendy (00:25:51)

One of you asked, “is Daxko integrated with RedCap through the Daxko Exchange?” And the answer to that is no. Our preferred partner today for health information data exchange is Welld. You’ll see them available on the Daxko Exchange. If you have questions about that or want to talk about it with a different partner, reach out through partnerships email, which is partnershipswithaxko.com. Sarah will also be, as soon as we, fully transition with the Q and A here.

Sarah is going to be dropping all kinds of resources into the chat, or you can grab them from there. You will also get them along with the slides and email tomorrow.

Q&A – Is it a HIPAA violation if we code name the PT client versus using their real name on the documentation?

Wendy (00:26:43)

Looks like we’ve got questions coming in on the chat and on the Q&A, so I’m going to go back and forth. Valerie asked this question quite a while ago in the Q&A, so I’m going to pop over to this one, Cassandra, which is, what if we code name the PT client versus using their real name on the documentation?

Is that still a HIPAA violation or is that under the umbrella of HIPAA if we’re using a code name on the documentation?

Cassandra (00:27:08)

Blanking out or somehow obscuring someone’s identity like changing their name might be good enough. You have to ask the question of, like, “does it make it difficult operationally for you to continue to work without records when that person comes back? Is it hard to find them? You know, how do you look them up?” Those kinds of things.

You’ve got to balance that operational ease and use like “how am I accessing this record, interfacing with this person” versus obscuring their identity and a stored record, and that’s the balance. I would say I’ve got some groups who are fine, which is blanking out that information and they feel like it’s enough.

But if you’re leaving other things on there, and your sample size isn’t big enough, there’s other potentially identifiable information. Even the lack of their name might not be enough to actually obscure their identity. So, I would caution against using that as a sole remedy to solve.

Q&A – Is there a reason to keep a physical copy, source document of any kind of intake or referral from a physician activity readiness questionnaire?

Wendy (00:28:15)

Tim asks, “is there a reason why we should keep the physical copy, the source document of any kind of intake or referral form from a physician like physician activity readiness questionnaire or anything like that that might be used whether kicking off a program. Do we need to keep a physical copy of that?”

Cassandra (00:28:36)

I would not say you need to keep a physical copy if you can upload a digital copy someplace and store it somewhere, and then you can securely shred those physical copies.

If you do keep physical copies of any of that stuff on premises, please make sure they’re in a locked secure room someplace where the file cabinet can get locked. Some groups like to have those backups for a little while, and then they kind of move on maybe every six months or so, and they do a big purging of files that are so old.

Q&A – What does Welld do?

Wendy (00:29:11)

Okay, great. Chrissy asked the question, “what is it that Welld does?”

She’s being a straight person here and setting you up, Cassandra. Talk a little bit about what Welld does because I think the audience wants to make sure they understand how we use Welld?

Cassandra (00:29:29)

Sure. So, think about it this way. If Daxko houses your member record and all your member contracts, we are the health record for that member that sort of hangs off of it.

We’re always downstream of Daxko. Daxko is your source of truth with the member ID, all those things that are happening there. But then, if they engage in any health services, or if you’re tracking any health information about that person, log it in Welld. When we integrate with Daxko, then all your utilization and things are flowing back and forth.

You don’t have to double enter the record, et cetera, but then the health information is protected in this other manner through our platform.

We support everything from personal training all the way through all the YMCA’s flagship health intervention programs, and then a host of custom-built protocols that many YMCAs have initiated themselves.

Q&A – How do I get to the Daxko Exchange page where I see whether we’re using Welld or not?

Wendy (00:30:23)

Okay. I see Sarah’s been dropping the resources in the chat. I also see Roderick has a question.

“How do I get to the Daxko Exchange page where I see whether we’re using Welld or not?”

Roderick, I just asked my product team to give me the explicit directions. If we don’t get it before the end of this webinar, we’ll just pop it into the email that we’re sending you tomorrow with all the information.

So, you all know how to go look at your Daxko Exchange and see which apps you’re connected to or not. So, considering I run that program, you would think I would know exactly how to say that, and now I’m embarrassed that I don’t know how to describe the navigation from inside the product. I will get you that answer, and I will do better.

Q&A – How long do you need to keep health and wellness paper files until you shred them?

Wendy (00:31:09)

Alright. Let’s see. Are there any other chats? Thanks, Wendy. You’re welcome, Roderick. Let’s see.

“How long do you need to keep health and wellness paper files until you shred them?”

Cassandra (00:31:19)

There’s no specific rule that I’m aware of, like the length of time for data retention. It all depends.

If you’re doing medical claims, like anything to Medicare, Medicaid, they sometimes tell you that you need to retain a document for 10 years. If you’re not, this becomes part of your own operational SOP, and as long as you’re documenting it and keeping up with it, it’s fine.

You can, you can decide we’re going to keep them for 60 days. We’re going to keep them for two years. Whatever it is, as long as it’s consistent and documented and you’re following through with your own protocols, you’ve built up what you can rely on.

If you ever did have a situation where there was a breach or a problem, you can say you’ve followed your structures. If we have to change them to make them better, that’s fine; but at least you’ve got something documented you’re keeping up with.

The biggest takeaway is having a plan, sticking to it, and maintaining some sort of data integrity through that operational control.

Wendy (00:32:24)

I have to say, I’m always thrilled to partner with Welld and Cassandra in particular. You were an amazing speaker for us at the General Assembly and here again this morning. So, I just want to say thank you for that, and for everybody who joined. Thank you. If you have additional follow-up questions, don’t hesitate to reach out.

We’ll be sending those materials and the recording tomorrow, and we’d love to hear back from you on any questions or any help we can give you, and we’ll happily connect you with Welld directly if you have any questions for them.

Thanks everybody for your time today. Cassandra, amazing job as always, and have an enjoyable day everybody. Thank you.

Cassandra (00:33:02)

Thanks everyone. Happy Valentine’s Day.
