Join Andrew Tisser (Talk2MeDoc Podcast) with Joe Gellatly (Medcurity) as he discusses cybersecurity and EHR Compliance. As different kinds of data theft have been seen in clinics and hospitals; Joe works to find solutions to protect organizations against these attacks. He gets into the baseline compliance guidelines that medical personnel have to know in terms of proper handling of medical records and the penalties that correspond to violating them. Joe also talks about the technological advances that have been made to address these issues and how AI can further improve the situation.
By the end, you will learn the value of taking proper measures to protect information. Enjoy!
Medcurity was founded in Spokane, WA, by Joe Gellatly and Amanda Hepper. Our team has decades of experience in healthcare, technology, and compliance. We built Medcurity to help healthcare organizations manage complex HIPAA and security requirements in one powerful platform.
You can find Joe Gellatly on…
Company LinkedIn: https://www.linkedin.com/company/medcurity/
“I don’t expect technology to replace the value of a clinician, the clinician conversation and some care transitions. “
Don’t Forget to Subscribe!
If you like the show please subscribe on Apple Podcasts or wherever you get your podcasts! Click here for a link to all major platforms!
All opinions expressed by the guest in this episode are solely the guest’s opinions and do not reflect the opinions of Andrew Tisser DO, Talk2MeDoc LLC, or any affiliates thereof. The guest’s opinions are based upon information he considers reliable, but Andrew Tisser DO, Talk2MeDoc LLC, nor any affiliates thereof warrant its completeness or accuracy. The guest, Andrew Tisser DO, Talk2MeDoc LLC, or any affiliates thereof are not under any obligation to update or correct any information provided in this episode. The guest’s statements and opinions are subject to change without notice.
Andrew Tisser 0:00
Welcome to the Talk2MeDoc podcast.
Joe Gellatly 0:17
Andrew, thank you for having me. It’s, it’s a privilege and exciting to be part of this show.
Andrew Tisser 0:22
Thanks. I really appreciate that. So Joe, I recorded a little bio about you, but for the listeners, could you provide a little description of who you are, what you’re doing and your current role in healthcare?
Joe Gellatly 0:35
Absolutely. So again, my name is Joe Gellatly. My background has been in healthcare on more of the it and the policy side. So both working toward over the past couple decades, especially around moving into health care’s electronic medical record initiatives, as well as complying with the type of programs that are coming out from CMS. along the lines of meaningful use now MACRA, MIPS.
So these are payment programs that have been rolled out. So my background was working with hospitals and clinics and care providers in meeting the requirements and, you know, hopefully, actually getting value out of the technology, not just putting it in place to meet regulatory requirements. And in the past couple years, I’ve narrowed my focus. Now, I am a co founder of a startup that is focused on the security and privacy requirements. So especially HIPAA requirements that we have to fall under and meet. And we’re working to bring some clarity and more of a sense of where to start what to do to meet those requirements that we have is that help us protect patient information.
So that’s med curity. And that’s been an exciting, project, exciting startup to be a part of, we’re taking as much as HIPAA doesn’t sound exciting. We’re taking some pretty complex requirements, and we’re And breaking those down in a way that the people that end up with responsibility to work on those, they’re usually wearing 12 or 15 other hats too. And so we wanted to take that help them understand how to do a risk analysis, which is one of the requirements on an annual basis, how to understand what they need to be focused on and working toward to stay compliant.
And so that’s been that’s a catch a big part of what I’m doing right now. I’ve also been on the board of a federally qualified health center for about 12 years now. And that’s an important part to me of what I get to do volunteer and be a part of that aspect of the healthcare ecosystem as well. And we, we get to do some interesting things with the health center as well. And so those are a couple things that are probably the most time consuming parts of my healthcare career right now and where I’m spending most of my time.
Andrew Tisser 2:56
Yeah, very interesting. So So do you mostly work with Organizations are you working with the administrators who is your target audience?
Joe Gellatly 3:06
So from a med curity perspective, we it depends on the size of the organization who ends up with that role or that requirement. So it’s often practice administrators in small practices, we’re working directly with a physician. We’re just trying to take that slice of what they’re responsible for. And regardless of whom that is, and then we work it with hospitals, and it’s the CIO level, there often are an orange CHIEF COMPLIANCE OFFICER.
But every one of those roles, they have a lot of other things to work on. So what we’re doing is say, okay, so starting with that security, risk analysis, there are a lot of threats, there are a lot of things that we need to be aware of and risks and, and what happens if we ignore those as a healthcare organization can have some really significant implications for us. And so, all those roles that we work with, they do a lot of other things too, so We’re trying to help this piece of it, which is usually their fifth or sixth or seventh, and a priority list.
So they don’t ever get to get to it in the day to day but, but maybe keep him awake at night. So we help them get a handle on this and begin to feel like they know what they should be doing to to meet those requirements and avoid the penalties that are being handed out and to protect organization against ransomware. And there’s data theft issues. So we’re seeing a lot of different kinds of attacks on clinics and hospitals these days. And it’s all these things that can keep any of these roles up and up at night. Those are what we want to bring in some clarity on how to help protect your organization against that.
Andrew Tisser 4:43
So it’s not just HIPAA, it’s cyber security as well as a whole.
Joe Gellatly 4:48
It absolutely yeah, it runs right into that. So HIPAA even though that was mostly drafted 20 years ago, the Security Rule actually came out in 2004. There wasn’t a lot of specificity in that. So there’s, there’s safeguards you’re supposed to have in place for your, for your clinic or your hospital to protect patient information from an administrative standpoint. So training your staff, putting appropriate policies in place, and then physical. So what’s your facility controls? How do you protect the clinic or the the the institution, the actual building itself, and then technical and the technical safeguards have evolved, but the principles still hold true, but but now the types of attacks that we’re seeing are, like ransomware attacks, where what happens is patient information, whether it’s actually stolen or just locked or encrypted or somehow made unavailable to the practice.
That still goes under the HIPAA breach. categorization. So the Office of Civil Rights federal entity that enforces the HIPAA breach penalties, they consider a ransomware event to be If a breach, they come in and investigate following that, they say show us your risk analysis that you were doing shows the policies you hadn’t played show some things you were doing to protect against this. So we’ve seen the cybersecurity issues roll right up into this. And so part of what we’re doing, although, you know, we we focused initially and primarily on HIPAA compliance, we’ve seen that part of the responsibility that we have been there is, okay, so how do we protect against the type of ways that attackers take into a network which would include primarily actually phishing emails that that trick your employees into giving away credentials are compromised accounts are allowing access to their workstation?
That all fits right under the HIPAA requirements? And so, what that means is for these groups that have had brought us in to help it’s a difficult situation because a you’re already dealing with an incident that has public relations implications. There’s a lot of cost and cleanup when you have something like that happen. But then be you’ve got the government saying, hey, Were you even, we’re even complying with these requirements that you had in the first place to protect that information. And so then you have to be in a defensive position and showing from like an audit perspective showing what you were doing to protect your clinic. So we, that’s exactly the kind of situation that we want to step into and be helpful.
Andrew Tisser 7:19
Yeah, that’s pretty interesting. I mean, I feel like your day to day regular doctor is probably thinking, Okay, well, I don’t share any of my patient information. And I got passwords and everything. So I don’t have to think or care about this stuff. But from what you’re telling me, that’s not true at all?
Joe Gellatly 7:36
Well, yeah, there’s a, there’s definitely a baseline that has some specific requirements. I think if you, if you look at what you should have foundationally, you’ve named a couple of those things. I mean, there are some password requirements.
There are some just almost common sense type, protecting the information that you’re holding. But there’s, there’s more than that even in the foundational compliance With the security rules, so where I mentioned that risk analysis where you’re actually doing a process to look at all the areas you could be taken advantage of, and policies are really critical to, and where these come into play are, if there was an audit, and audits can come from, if you’re doing so that MIPS, the merit based incentive payment system from CMS, if you’re participating in this Medicare payment program, they do audit you and they do ask for that security risk assessment.
And so you have and if a breach occurs, you have these multiple paths that could lead to you having to show that you were doing the right thing, whether it’s because of an incident happen or not. You want to have those documentation, those documents available. You want to show that you were doing that baseline to show that you as a practice, were not negligent that maybe this incident occurred maybe an employee accident we don’t see the shred bent into the dumpster this this happened.
And in multiple cases of this and they’ve resulted sometimes even There’s a single doc practice that ended up with $110,000 penalty because they’re their shred Benjamins accidentally dumped into a dumpster. But they didn’t have policies saying, here’s how we handle patient formation on paper. And they didn’t have training that they could show that they provided their patients. So those penalties come out, but they’re they’re more attached to what you’re doing that baseline compliance work that you’re supposed to be doing. And this happened anyway. Or were you not doing that, that the training and the principles that are that are required as a covered entity under HIPAA?
Andrew Tisser 9:36
Sure, you don’t even think about like silly things like that. But when it starts coming down to dollars and cents, I think people pay attention real quick.
Joe Gellatly 9:46
I mean, yes, yes. Something we unwind and we look at those type of penalties as they come up and try to understand just really quickly, the opposite civil rights when they come into a situation like that. They have the freedom to assess a penalty between $100 to $50,000 per medical record that’s exposed in a breach, whether it’s it or paper. So it’s this wide range. And what they do is they evaluate what they would call negligence. So were you again, were you doing what you’re expected to be doing? And this happened anyway. And so that, that, yeah, that penalty swing can can get pretty brutal for some groups, but really comes back to putting in those baseline requirements for, for me to get the requirements.
Andrew Tisser 10:33
Sure. Let’s talk about the electronic medical record for a second. And I know what you focus on is trying to make some of these regulations a little easier for organizations and practices to understand and deal with. But I guess an argument from from doctors and nurses is that as the medical record becomes more and more complex, and there are more and more things that you need to do just to satisfy requirements. How is your everyday work are going to keep up with But some of that, is there a way to automate some of this?
Joe Gellatly 11:03
Yes, that’s a great question. And well, I see that that burnout is it’s definitely a major issue and very real, a lot of what the tools that we’re working in today are driven initially by regulatory compliance. And this is my opinion, but, but I, I think a lot of what we struggled with in the usability of the health records was when our EMR EHR was designed to meet government requirements first, or pair requirements first, and then be usable as a second. A second requirement right and and so that was something just as an aside, as we design a security we went, you know, usability and design first something that we really intuitive people could step right up into and start using within a couple minutes.
And then took that and, you know, figured out how to meet all the requirements we needed to with that, but I think there are some Some great indicators that it is going to get better. I think what I would say is yes, that’s there’s some automation, there’s tools, that just the same concept as men curity, trying to pull some of this complicated. Some of the things that are maybe tougher to get your arms around and help simplify that, but especially for the physicians, just I like to encourage our our groups to stay experimental and innovative on the IT side, because there’s some technologies that maybe we saw about five years ago and they looked a little rough and look like it may not adapt to the environment.
But now, pick a good example. Now at a recent conference, a vendor was showing their essentially evolved dictation format, but where they had a smart room that could pick up the other, it was miked and a patient and a physician sit down and they have their encounter and Kinda like having an electronic scribe, but all the pertinent details were captured into, into the data elements that were needed. The chart was populated with the visit everything that was captured in there, and and the physician could look over and show and walk through some of those things.
The provider was able to walk through those things with the patient but not be entering the data as they go, it was just filling it in, right into structured data just based off of recognizing context in the in the discussion and pulling that all in. So I, it was really impressive and some of the provider friends as we were looking at this, we’re way more excited about that than then we have in the past few years looking at voice recognition evolve. So I like to look at that as an example of, you know, at some point, we’re gonna hit this point where technology actually becomes truly helpful and is making it even better than it was before instead of just being creating all kinds of administrative an extra work on top of that.
Look for providers. So I think we’re seeing some good signs that the technology is getting there to a point where we may be able to capture information in real time without turning a provider into a data entry person as much. So that’s one example I think, that we we will see and we are seeing some, some good improvements at this point. And so I think just hand in hand with that if you have an AP person or IP vendor to consider press them to bring some pilots to your bring examples of what people are working on to continue experiment, even if you know telehealth is it all in the scope of what we do in the future, to try to do a couple telehealth visits via different formats because that’s come a long ways too. And and patients are beginning right they’re beginning to see how that can be done well and there’s even starting to be a little bit of polar or some piece of populations are expecting, requesting that it’s I think it was rough. In the past, and I think we have some some technology to make that work smooth for our teams, just just different.
Andrew Tisser 15:08
Yeah, I’m hopeful. And the, I think, you know, the basis of the show is about communication. And I’ve had a few guests at this point mentioned that they feel that improving technology has detracted from, you know, interpersonal communication, whether that be between team members or between providers and patients. So, we’re hopeful that that will get better. But I know this is currently a huge, huge issue of frustration with all pretty much across the board, you know?
Joe Gellatly 15:42
Yeah, it was, it was something to see the eyes light up around this. I’ll call it a smart room. I don’t think that’s what the vendor used, but around this technology where they just have mics but it’s just the local storage so you can, you know, explain to them a sentence or two to the patient, that it’s not going anywhere else but that To see the encounter, just populate as a natural conversation occurs, no device, no screen between the provider and the patient. That I think everybody’s pretty excited to see that play out so well. So it looks kind of futuristic, but it’s working now. So as we get that into your daily life and into Karen’s, that that’s something that could start to turn the corner in one piece of what you’re describing is, you know, ologies gotten in between us instead of, I mean, that’s pretty cool. Yeah, it’s pretty cool.
Andrew Tisser 16:35
The it does, like machine learning and artificial intelligence play into that or how it was. I don’t know. Yeah, I’m sure you don’t know the details. But
Joe Gellatly 16:45
yeah, you know, I pay attention to it. We are seeing more experiments. Some of our larger health systems are taking more aggressive so I’m here in the northwest scene. Health Systems here take more aggressive approach to getting pilot someplace that are, that are using AI and machine learning to augment what the physicians are doing. And it’s, it’s going to be interesting. It’s not never smooth, but they’re finding places to begin to, like, slide around chemotherapy pathways, they’re finding places to begin to apply this where it, again, with augment position leading the way in an intervention or in taking care of a patient. But they, they just, yeah, there’s just got to be the right case, case studies of this and some experimenting around it.
But it certainly, it certainly looks like it’s part of the future for us. And in the right way, again, comes back to not breaking the ability for the patient to talk to the physician or to the provider, and and where it’s just augmenting, providing you know, decision support without dictating how that encounter goes, right. And I probably not even not the best person to speak to that. But I see the pilots that are going on, we follow those pretty closely enough with some of the project managers on on those. And in oncology, I think we got some really interesting application for artificial intelligence, backing up the providers workflow.
Andrew Tisser 18:19
Yeah, I mean, pretty cool stuff. Definitely. Definitely looking towards a more futuristic, interesting next few years, though, in technology just in the last 10 years is really exploded. So what the next 10 will bring, who knows? You know, so I mean, the basis again, of the show is team based communication. And I know some of those increases in technology are, are interesting as far as provider patient relationships, do you see any changes and helping us communicate more effectively within the team and the technology sounds?
Joe Gellatly 18:56
Yes, I will take that just a narrow view for important part of what we’re doing at mc curity. It’s a conversation that we have fairly often. We we see a process that I think there’s there’s many processes like this, but we took that risk analysis that I’ve mentioned, that’s currently done by an individual or maybe a third party, it’s handed off in a PDF. And it’s kind of sit there often for a year and then come back and do it again.
And so that, again, at a micro level of concept that we took there was let’s not have this just result in a flat, basically dead on arrival document that’s put on somebody’s desk or put in a binder. We we take what comes out of that some focus areas or recommendations and it’s all available in a dashboard. And you can add with a couple clicks, you can add multiple users, you don’t have to go through a lot of steps. So what we’ve seen is a practice manager in the facilities person and their IT person will be able to each jump into a dashboard they can see their areas responsibilities, they can see overall As they work through this, they can see the risk to the organization be reduced, and you can report on that.
So, again, that’s just a micro level, but I think technology used well will bring some visibility to it. Another place that is getting better is patient population management, right. So those population health tools are now getting to where they’re actually pretty useful flick ways to be able to look at across your, your panel or population and hotspot where you need to focus or target specific segments of that population. And they’re, they’re driven, the pop health side of It’s driven a lot by payer contracts. So that’s been really interesting to watch because the parents get better information they can, you know, basically work with the payer to be incentivized to care for your patients, and in different ways, new ways or added ways.
And I think that’s really interesting because it’s, again, maybe stepping a little bit away from the team. But I think being able to see at a high level dashboard views of what we’re working on. And having conversations around that. Basically, what I see that do is it unifies the team around a mission of what we’re working on. Everybody had has their own perspective and their own view of a project or an initiative or a purpose. And if we can put them on the same page, then they can all see possibly in real time, but they can all see a view of power of what we’re making progress on. That helps a lot from my perspective to have that shared, mission shared understanding of what our result the outcomes that we’re looking for. And so that’s, that’s something that to kind of summarize that that’s the way even internally as a company, we work we have, of course, the mission that we’re working on, we have some key objectives that will that will play into that.
And so for example, we want all of our, our customers to be evangelists and to, you know, be fully excited about the products and the tools, we have results under that. But here’s some specific things that will lead to that. And then we have ownership of those specific items. But all of that rolls up into a shared mission and a shared understanding of objectives. That so I’ve seen technology be able to start to take tasks that you’re kind of you’re up and running on, on just your panel or just these few patients or just this project. And to be able to get a shared view of the overall purpose of why you’re doing this that you can look at with other people. You understand your slice of it, you’re all working together.
It really helps. It helps everybody have a shared language around what they’re doing. It helps and helps you understand your your piece or your fit into the overall mission as a team and it really builds from my perspective, it really builds teamwork. And it helps us make decisions faster and make more sense to everybody. So that’s a rambling answer to how I’ve seen technology play into, I think, unifying teams into having some, some good perspective of a bigger picture. how all these little pieces fit together when we use dashboards, right, when you use
the commands with software like that correctly.
Andrew Tisser 23:26
Yeah, I get a lot of very interesting points there. And I think what you’re saying is generalizable to a lot of different industries. So not rambling at all those are those are some great points. So, Joe, I like to just transition the show a little bit at this point to get to know you a little better to the listeners. So you talked about your company. What do you like to do for fun?
Joe Gellatly 23:51
Well, I am in the Pacific Northwest, which I I love the thing. I love the whole country and I think what we have in this area In Eastern Washington state, we have a lot of lakes nearby a lot of outdoors. And right now building a startup technology startup. It’s pretty consuming. So I just prized those opportunities to get my family, my wife and four kids and we get out of town and get get somewhere close to water or out on the water. Those are the best days. On the other hand, we have we have winter here so so at this, you know, in the spring, we’re kind of counting the days toward the spring and toward that some warmer days so we can get a get out there and getting sunshine on the water. It’s definitely something that refreshes me. We have a lot of fun disco in the area to which I don’t know why I find this golf slightly less frustrating than regular golf. So those of frisbees around we have some great courses that go through the state parks and parks around here. So
using kids outside Yeah,
Andrew Tisser 24:54
yeah, we’re out in Buffalo, New York. So we’re counting the days down to our you know, six weeks to summer that we get Do you have any book recommendations for the listeners or something you’re reading?
Joe Gellatly 25:08
Sure, yes, I actually just reread the show my focus on the business side. But there’s a book called a sense of urgency by john Kotter. And I think that book is really important. I’ve gone back to that several times, where as I don’t, I don’t read a lot of books multiple times. But a sense of urgency is a book that talks through the critical element of speed that we have these days and most businesses to be, you know, moving forward quickly, but without creating panic or unhealthy stress around that.
And so I find that book really helpful because it talks through how to get your team moving quickly. We, you know, from from a healthcare standpoint, we have some really important things to solve in from just right here specifically it made purity we know there are Some some threats that we want to stay ahead of for the sake of our clients. So the speed is really important. And it could easily devolve into just panic where we’re stumbling over ourselves to just move forward fast. And so Kotter talked about in that book he talked about, you know, how to share what’s happening in the market, or what’s happening in the industry, what’s happening with fake competitors, or with our clients or patients, and using that to set and set urgency.
But then he also talked through some of my favorite parts of that you talked through how to behave with with urgency. So as a leader, you know, setting that pace on a daily basis that is controlled, but you’re present, and you’re purging tasks that don’t matter as much. We’re speaking with passion with your team, and be really clear on the direction that we’re headed in. And then approaching those crises that come up and looking for opportunities we can learn out of that. And, and using those to shake up any complacency and settled into our our teams, not just looking at crises as damage control opportunities. So I think I think he just does a very nice job of talking through leadership in an organization and bringing, bringing speed and without the chaos that could accompany that. And so I highly recommend that book. And I just wrapped up reading through that again.
Andrew Tisser 27:28
Yeah, I have not read that one yet. So I will put it on the list. So Joe, if you could just give us just a single piece of advice to physicians and other clinicians and in the US, but maybe from your perspective, from an IT perspective? What would that be?
Joe Gellatly 27:48
So this will maybe summarize some things that we’ve talked about already today. But I would say the experiment, I think I mentioned that it’s sometimes we look at Technology and it isn’t meeting our needs, but it is evolving very quickly. And I have found just to give one example here, I found that some practices that experimented with care transitions and sharing information with other groups in town or hospital system, as patients move through the system, and that was that was broken or at least difficult for a lot of years.
We have some really specific parameters in place now that are pretty well standardized. And you can actually have a very, in almost all EHR is today a very smooth process of sending and receiving information along with a referral on care transition. And, and not just getting a 50 page document in your EHR that you’re never gonna have the time to look through, but getting structured data that can be taken into your system when you’re receiving the patient and confirms to me on the team do that get exactly the information that you want to consumer data. into the EHR system.
So I would say to keep, keep, again, IT folks focused on what’s available now in the HRM. Let’s test it and test it with the community and work on sharing information. But all of that said, there’s still and there always will be an important times to pick up the phone. And and I don’t expect the technologies that are going to replace the value of a clinician, the clinician conversation and some care transitions. And that goes way outside of that example, as well. So I think computer push technology, but we’re going to always have a place for those persons reversing communications and not to have those absorbed into emails or or automation, probably, probably ever.
Andrew Tisser 29:45
Yeah, well, I definitely agree with you there. Well, people want to learn more about your company or get in contact with you. How can they find you?
Joe Gellatly 29:55
Thanks. We are at med curity comm We’re also on the social media. channels of course. So Facebook, on Facebook, we do a net Qt live, weekly, quick live video where we talk through hot topics from primarily a privacy or security standpoint, but also other topics in healthcare. And so that’s a great opportunity to just have a staff member or yourself stay current on what’s going on in this world. And then, again, just our website and welcome any emails or questions or we’re available to provide guidance or whatever’s needed.
Andrew Tisser 30:33
Great, great. I’ll put all that information in the show notes for the listeners, Joe. It’s been very fun and enlightening. I learned a lot about things I didn’t know I didn’t even know about. So I want to thank you again for coming on the show and being part of this.
Joe Gellatly 30:49
Thank you so much. Andrei. enjoyed the conversation and really appreciate your time and, and thoughtful questions.
Andrew Tisser 30:55
All right, Joe. Well, take care. We’ll talk soon. Thank you. Take care.