43. Michael Mead: "Training is not just for HIPAA security, but cybersecurity."

Sierra Reed: Hi, Michael, can you provide some background on The Medical Cost Savings Solution?

Michael Mead: Sure. The Medical Cost Savings Solution is a cost containment company. Our clients include health-sharing ministries, self-funded businesses, self-funded insurance companies, and also self-pay patients. 

We use repricing methodologies, advocacy bill negotiation to save our clients healthcare dollars. Over the last three years, we've actually saved our clients a collective $1.5 billion from their health care bills.

Sierra: Wow, that's crazy. That's a huge amount.

Michael: Yep. We also have included a TPA, where we do back-office operations for self-funded employers and health-sharing clients. We process claims, medical bills, provider disputes to member services, provider service calls and handle the providers’ financial aspect. So all-around business, but those cost containment and back-office solutions for health sharing ministries and self-funded insurance companies.

Sierra: Well, fabulous! I know that you are the chief operating officer. Can you provide some background on yourself and your current role?

Michael: So, I am in charge of all operations of both the cost containment and TPA or back-office operations. I have 86 employees that I am in charge of. I’m in charge of client relations. I report right to the CEO, who owns the company.

Sierra: Yeah, you wear a lot of hats. You mentioned IT and being head of IT. How is HIPAA involved in that role?

Michael: Well, it's very involved because we deal directly with the patients and the members. So, we're always trying to ensure that the patients and members are not sending PHI out in the open, faxing it, or anything along those lines. 

We utilize a lot of technology and have a lot of policies and procedures put in place to safeguard that PHI. Even providers tend to fax things wide open without a cover sheet or with a tiny cover sheet at the top. We have to be very careful since we're dealing with people who sometimes email their bills to us through AOL. It's an everyday concern for me.

Sierra: Right. Nobody wants a data breach. I'm sure that is top of mind for you every day.

I know that you have been in healthcare for about 14 years. Can you discuss some challenges for the healthcare industry that you see now?

Michael: Well, it's still coordination between doctors, providers, and other specialists through sharing of information even today with statewide EHRs. 

For instance, in Ohio, we're on the way to launching a statewide EHR, facilitating sharing of medical records between providers, hospitals, and specialists. But, even today, that’s still a hindrance. 

In everyday healthcare, where it tends to be the patient carrying around their records with them, that’s another HIPAA issue, going from one doctor to the next. Each doctor has all the pertinent information they need to facilitate care. 

Next is transparency with pricing. That's a big one for me. In my current role, where even the latest regulation coming last year (requiring hospitals to publish their fee schedules) didn't help. Because if you're looking for orthopedic surgery, for example, a rotator cuff, that surgery has its ticket code on the chargemaster. 

But there's also the actual medical materials that have a cost. There's an anesthesiologist that has a cost. There's the follow-up care that has a cost. So we’re working with regulators and the government to see if we can get some type of global rate or some type of group, like TRG, to help better explain what pricing would be for a patient when they're looking to get care from a hospital or a provider.

Sierra: You mentioned many challenges and solutions, but do you have more solutions to the challenges you had mentioned? I'm sure a lot of our listeners are experiencing the same things.

Michael:  Well, it’s primarily researching. A lot of the information is out there; it’s just very tough to aggregate very easily. 

Utilizing a company like The Medical Cost Savings Solution, where we have all that data, we have the cost-to-charge ratios. We have many historical bills and historical charges related to those bills over time that can help a patient, the employee, self-funded employer, group, or health ministry understand the appropriate amounts to pay, especially when there's a lot of egregious billing going out there. And agree “billing” is a loaded word. It doesn't mean that it's on purpose. It just means that that's how they typically bill because their contract with the insurance company designates what its going to pay. So there’s always a discrepancy between what is being billed and what will be paid by Medicaid, Medicare, and the different insurance companies they have contracts with. 

So, a lot of it is calling and getting a deep understanding, doing your research, and utilizing a cost containment company. Or if you're a self-pay patient, a patient advocate. Who are easily found on the internet to help you navigate issues related to the pricing and fair pricing when you don't have a contract with that provider.

Sierra: You mentioned research and trying to stay abreast of the latest things that are out there. Are you seeing any new innovative healthcare-related technology that is emerging or that our listeners should be aware of?

Michael: Well, the Internet of Things is always on the rise, and new IoT devices are coming out every day. I recently saw, last week, a handheld device that takes all your vitals, including blood pressure, that doesn't include a cuff; you just hold it in the palm of your hands. That will transfer the biometric data back to your provider or to the cloud that can then be made available to your provider or providers. 

Again, you know, HIPAA comes into play there. It will be interesting to see how they protect that data to make sure that it's available only to those who need access to it. I see something new and innovative that will help people manage their health and get the healthcare they need better, cheaper, faster over time. 

Sierra: You were the HIPAA security officer for a different company in the past; how have you trained your team on compliance?

Michael: Well, I'm still the IT security officer of this company because we don't have a CIO. I'm like the COO and CIO. I've been the IT security officer at two health plans and a hospital. 

Training is not just for HIPAA security, but cybersecurity, working very closely with the privacy officer to ensure that privacy concerns are programmed into their continuous reminders and newsletters as often as possible. If not monthly, then yearly training, a yearly assessment ensures that everybody understands it. 

Having the policies and procedures readily available and easily read and used is the basic framework for ensuring HIPAA security. Everybody understands what those policies and practices are, who to go to, what's referred to, having cybersecurity training, also about email phishing. Especially in the environment that I'm in now because we deal with a lot of email. 

Again, the training and certification. It's training, assessments, and communication as often as possible, making sure those policies are readily available and accessible to everyone.

Sierra: Right. We talk about this a lot. I talk about this a lot on our podcast, is user error being a huge component of PHI breaches. I completely agree that training is super important. We get trained, we get phished, I've been phished, everyone on our team has been. Knowing what those attack vectors are, what threat actors are doing, what those emails look like, and education awareness on the greatest and most recent phishing scam.

Michael: Also, we do a lot of faxing for us because many providers out there still don't use electronic email or/and require faxing. Part of our HIPAA training verifies the fax number, so you're not faxing PHI to the wrong fax number and making sure that all the title sheets have that correct disclaimer information at the bottom. It's not just cybersecurity, not just email. It's also as non-cyber as a regular fax machine.

Sierra: I'm glad you mentioned that because we did a white paper on why the fax is dead. We did statistics about how many healthcare companies are still using fax and the challenges with that. It's an overwhelming amount. So I'm glad that you're talking about some of the things you're doing with fax. 

Lastly, most PHI breaches result from unencrypted data and the transmission of unsecured PHI over open networks. How are you currently keeping your company's PHI safe?

Michael: Well, again, we do a lot of email. So obviously, we're using Paubox. You guys offer an excellent, straightforward solution that took me less than a half-hour to set up 80 email addresses. 

We also have full auditing turned on with an exchange. So we know who's accessing what, and where we have a front end on top of our main email address, a web portal internal-only that allows us to see all those emails coming in and trace them and track them. Then, of course, that portal is HIPAA certified, so we know who's accessing what and what's being transferred, what's being downloaded, and what's not. 

We have your typical HIPAA requirements where we have how long we will allow that and who will be allowed to have access to it because some of our employees are members of that client. We want to make sure that only one person has access to those records and so forth. 

It's a combination of Paubox, especially for email, HIPAA secure fax software in a portal that's been HIPAA certified. Everything is encrypted and not “in rest”. Our entire database is encrypted as unencrypted over the wire to the front end, making the software a little bit slower but not too slow and still usable. It makes sure that we're entirely HIPAA compliant. 

And no paper. We're entirely paperless. We do not print anything.

Sierra: I appreciate you going granular about your IT stack and how you are doing that. I'm sure this would be valuable for our listeners.