VanRein Compliance Podcast

Decoding Delaware's Data Law + Filing a HIPAA Violation + Taylor takes over the NFL

September 27, 2023 Rob & Dawn Van Buskirk Episode 59

We kick off this week's episode of the VanRein Compliance pod by diving into the thrilling world of marching band season and its captivating musical diversity. We even spill some tea on Taylor Swift's unexpected influence on the NFL and her worldwide reign. But, we're not all fun and games. We put on our serious hats to explore the intriguing trend of declining union membership in the U.S. over the past decade, and its impacts on industries nationwide. Be prepared to come away with a deeper understanding of the stark contrasts between unionized and non-unionized companies, particularly in terms of profit margins and employee compensation.

That's not all! We also venture into the complex labyrinth of state privacy laws, with a special focus on Delaware's Personal Data Privacy Act, which is set to change the game in 2025. We've got your back, breaking down what it means for businesses dealing with Delaware residents. If you've been keeping tabs on the rising number of HIPAA violation reports, we provide guidance on the correct process to report a violation either to the government or a company's privacy officer. You'll gain clarity on identifying legitimate violations and the essential details to include when you file a complaint. We wrap up by emphasizing that facts are the unsung heroes of data security and compliance. Don't miss out on this riveting discussion. Tune in and get ready to expand your knowledge!

Thank You for Listening to the VRC Podcast!
Visit us at VanRein Compliance


Rob:

Hello and welcome back to the VanRein Compliance pod with Dawn and Rob. Hey, I'm Rob this time.

Dawn:

Yep, I'm Dawn, I'm always Rob, you are. I've maintained that name, Robert.

Rob:

Robert. This week, Dawn, we're talking about rights, your rights, the HIPAA and how to report HIPAA violations. Right.

Dawn:

Yes.

Rob:

We dive deep into that. But first, before we get into all the fun things of how to report when your HIPAA has been violated, let's talk about some news. What's new? What's going on with life? How are things?

Dawn:

Let's see. Well, marching band.

Rob:

Yes, we'll talk about that. That's what we're in. It is marching band season in the Van.

Dawn:

Buskirk household and many households around the world, I'm sure, a lot of laundry. Texas football marching bands. This is just how we roll. We are now coming into marching band competition season. But I got to chaperone again and I did get to be on the.

Rob:

Oh, I get my button.

Dawn:

Oh, there we go. Thank you for.

Rob:

Good job, I appreciate it. Good job. Chaperoning yes.

Dawn:

I did get to chaperone on the and we actually rode on an actual school bus, not the comfy charter buses, because it was only up the road.

Rob:

And how was that? How was?

Dawn:

It, it was fun.

Rob:

Does it smell the same as when we were kids?

Dawn:

Yes, yes. And the young coach, the young lad, if you will. That was driving the bus. I think he just figured out how to drive the bus. So there was a beeping going on. He couldn't turn it off, so he powered it down, powered it back up and pushed some buttons and got the beeping to turn off. It was a little bit of a humorous trying to pull out of the school. And then we of course went the long way.

Rob:

So a 20-minute ride turned into a 45-minute ride. Ooh, we don't want that, and we were the lead bus, so that was kind of fun, oh boy.

Dawn:

But, that being said, I got a lot of good music on the way there and back.

Rob:

The kids.

Dawn:

Good thing they're in music and not choir, because they can't sing very well and it becomes more of a scream. But it was everything from Britney Spears to Dua Lipa to I can't remember the name of the. It's an old 70s song, but anyway, a variety of music.

Rob:

Did you do any Taylor?

Dawn:

No, they did not do Taylor, no Taylor.

Rob:

They didn't do Taylor. No Swifties on the bus. There's Swifties, there's always. Swifties on the bus, oh yeah there is, but the Swifties were at the game, at the Chiefs game last weekend, I know right the. Swiftie D Because we tried to stay current here at the old VanRein pod and check things out.

Dawn:

That was nuts, you told me a stat about that.

Rob:

What was some stat?

Dawn:

Oh, it's now she's infiltrated the NFL. So now people in the NFL are like is Taylor here, is Taylor here? And so yeah, who would have thought? I mean Carrie Underwood has already been in the NFL.

Rob:

Oh, true, I mean, she does, she does it still.

Dawn:

No, she does it still.

Rob:

No, she does it all the time, yeah, she was, yeah, but now, yeah, it is news now.

Dawn:

This is super interesting. She continues to be amazing in that global domination. Yeah, global domination, there you go, so, but anyway, so yeah, so that was fun. So marching band this Friday we marched the fair, the Comal County Fair.

Rob:

The Comal County Fair. So in Texas you get the day off. There's no school on Friday because it's fair day, it's the county day. Well, it's called unfair day, which is very strange, but it's the fair day, I know.

Dawn:

That's what they call it here. Yeah, unfair day. So we do that Friday, and then Saturday morning we are off all day to Pflugerville.

Rob:

Pflugerville, north of Boston, yes. To go to a competition.

Dawn:

Yes, the US Bands, I believe.

Rob:

It has begun, so wish us well, a lot of good stuff. Go Ranger Band. So, a lot of good stuff.

Dawn:

There it is. Yeah, there it is. There it is. That's my report, that's your report. That's kind of how all this works.

Rob:

It's all pretty much about the same. It's all the same report.

Dawn:

Yes.

Rob:

Pretty much. It's kind of how we roll here, and next week I'll be going to, we do a lot of work and then Telefinancing Service space will be visiting the great folks of the Great Lakes. We've got a conference next week.

Dawn:

So I'm doing a teaching deal.

Rob:

Detroit, Detroit.

Dawn:

Yes.

Rob:

Yeah, maybe the UAW will get there. There are things in order, and I say it that way because I found this. You weren't talking about stats. Yeah, did you? Only 4% of Americans are represented or joined a union in this country.

Dawn:

But don't you have to be a union if you want to work in a car, like on the?

Rob:

in this company line For the big three, oh yeah, for the big three, but not for Tesla or Rivian, or no, no, no, I know that.

Dawn:

But that's only 4% of people that work on the lines In unions? Yeah, do they have to be in the union to join the union, to be work on the lines.

Rob:

Yeah, because they unionize the lines.

Dawn:

So what's?

Rob:

interesting about that is is is a part of interesting. It's all about the facts. You know, when data security and compliance and everything is facts. We've seen a decline in membership in unions over the last probably eight to 10 years, so averaging 4% to 6% per year, which is interesting, right, but it's also interesting how, how they are obviously at the top of the of the media right now. So they they're controlling that. So it's interesting facts.

Rob:

I don't have opinions on it, right, but it's interesting to see companies that are non unionized and see profit margins versus companies that are unionized and their profit. But not only the profit, but the pay. So if we switch, if you look at at the Tesla framework and you look at, we'll say Ford, right, we'll pick them. Now they are playing together with their NCIS, they they've Ford's adapted the NCIS Tesla adapter. The pay on the line at Tesla is higher, plus you get stock options and vestatures earlier than Ford. Just interesting, right. Um, two totally different worlds. They're two totally different beasts. So they have known people who work at both. So they're two different beasts. Likewise, if you go, it looks sounds like the?

Rob:

Um, the writer strike is ending, which is good because we all like our shows, but it's something I found interesting is, if you look at the writer strike over the last, what, it's been a few months, um, you've seen a decline in stock from the other Disneys, ABCs, CBS, I mean, uh, you just, the Peacock, NBCs, all of those have declined in value. It's not been able to create shows, right, but what? What one medium, what one platform has almost doubled its, its revenue and its content in the last few months?

Dawn:

Netflix. 'Cause don't they mostly, um, film in, like, Canada?

Rob:

It. You know a lot through Europe.

Rob:

A lot through the UK, a lot through the EU, and they don't have the constraints of the union. So they like, we're just going to move our business there and that's what they've been doing, and they're still providing a great wage to to people, to writers, and a lot of people are like I'm done over this and I'm trying to move on. Now I could say we get the old compliance podcast. Here is maybe it's time to revisit the minimum wage in the country, cause everything's gone up and everybody listening we saw everything's gone up.

Dawn:

Yeah.

Rob:

Everything has gone up. So, but minimum wage, I, hasn't been touched in decades. It's time for like a federal minimum wage. Now don't, don't be sending in the hate mail. Rob's got all socialists on me, but it's like we need to adjust the income and that's, I'll be honest with you, that's what we do here at VanRein with our team is we look at the value. We look at the market. Like, what does it cost to live now? Well, the service industry is.

Dawn:

I mean you go to the salon, the spa, whatever, ladies, eyebrow waxing, you know things like that haircut barber. Some salons have gone with you pay X, price includes good point yeah. But then there are some that they get paid per person that's there per appointment and so, and there is no minimum wage, it's just a commission. So then it's like there's some really different different the service industry is very different.

Dawn:

And then waitresses they make a very low wage because typically they make a lot of tips. But honestly, because you know, because of COVID and everything and a lot of the shortage of workers and that type of thing, you know that's not always a good thing now because if there's not enough people there to get you know tips and stuff, so yeah, it is interesting. I mean that brings up an interesting point that I'm sure there's probably many other podcasts and opinions on all that.

Rob:

But yeah, all we can say is that we no-transcript.

Dawn:

Like any small business, we strive to have great people. We treat them well. It's about the culture and it's about just doing good work, loving what you do and you just, you hope, you just nurture and keep those people. You got good people. Just do what you need to do.

Rob:

Yeah, and pour into the people, they pour into your customers and then you get. You get there, we go Amazing handwritten thank you notes from clients and you know who you're talking about, because then you're listening in Georgia. We both got a wonderful handwritten note from a client this week. Very exciting that say thank you to you and your team for helping them maintain their data security and compliance. Secure the data and when new work. But not only did we as owners get it, who else got it on our team.

Dawn:

Alex, our customer success manager. She also, because it is her customer. Handwritten note and yeah, I mean, that is amazingly cool, I thought you were working for right there. Oh yeah, to get a thank you from a customer and get a gift card from them. I mean that's just crazy, I mean that's just so cool. I mean that's like ooh, I think I can sit back for a second and just soak this in, so very, very amazing so yes, we love it.

Rob:

We love it. Okay, well, Dawn, I think it's time to transition to the news. All right, now we're ready to focus on some of the compliance news.

Dawn:

Do we have that like doodododododododododod? You remember that news that used to yeah evening news, the news we do a little editing. Okay, we do a little editing.

Rob:

You wanna go old school, you wanna go new school.

Dawn:

Oh, I like the old stuff.

Rob:

Okay, well, here which one? This one. Oh no, I'm sorry. All right, folks.

Dawn:

We only have like four buttons, so we'll have to do that post right.

Rob:

We'll have to put that in post. We'll fix the post in the behind the post. Dawn has the HIPAA news. Dawn, we got some new stuff this week.

Dawn:

So we do. So, as many of you all know, HIPAA compliance is a federal regulation, but our states have all taken it upon themselves to have state privacy laws. We have a new one, 2025. So typical, typical government, typical, typical of the way that things go: laws come into law, being law, they get written and they go through the process, process and then they become law. It takes some time. So this actually, ironically, was effective September 11th of this year and it's not effective till January 1st of 2025. This is Delaware.

Rob:

Oh, Delaware is good. It's here for Delaware. Woo, oh, here we go.

Dawn:

Delaware, woo, yes, and their governor is John Carney, just so all of y'all know they're, and everyone loves to do the acronyms like California's, like CPRA. You know that kind of thing.

Rob:

Oh yeah, what's the acronym?

Dawn:

This is DPDPA, dip-dip-a, dip-dip-a.

Rob:

Yeah.

Dawn:

Delaware Personal Data Privacy Act.

Rob:

Oh man.

Dawn:

Anywho, this is great. So basically what this is, it applies to entities that conduct, I can talk, business in Delaware or produce products or services that target Delaware residents. So this is kind of interesting. All these states have little nuances so you kind of have to read through it, but this is basically the caveat to this entity is you control or process at least 35,000 Delaware consumers' personal data.

Rob:

Yep.

Dawn:

And control or process at least 10,000 Delaware consumers' personal data and derive more than 20% of their gross revenue from the sale of personal data. I know that just sounds like a bunch of gibberish. The gist of it is is that, again, when you're looking at whom you do business with, what states, what residents and what states, it's important to look at all this. What is the limits, because there's always these dollar figures. CPRA revenue, isn't it at one million?

Rob:

There's different, different revenues that you have to reach, so anyway, that being said, this is one that's coming out 2025.

Dawn:

So those folks that are in Delaware just be advised of that. So we love to keep everyone apprised of what's what's coming up. So this year we had five. This was a big year.

Rob:

Yeah, we had a lot this year.

Dawn:

But this is 2025, so we'll keep you updated with any more and it's.

Rob:

It's framed like California's law, right, when it's doing business in Delaware or, and, or have information or data from the residents of Delaware.

Dawn:

Yeah, yeah, this one's interesting though, because conduct business, okay, or produced products or services that target Delaware residents, that's different. The wording there is very different, yeah, so anyway it. This is very interesting. Just, just wanted to apprise everyone of that. So there you go. That is the state privacy law news.

Rob:

There we go. Good deal. We gotta keep it. We gotta keep a car here on the old pod. Well, now we're gonna dive into how to report a HIPAA violation. So one thing that we've, one thing that we do is, you know, is marketing, right. Everybody, you got to market your product, you got to sell your products.

Rob:

So we, we run the Google ads and one thing we've noticed with the Google ads is a huge increase in interest around how to report violations, to the point where Lacey and our team has gotten a lot of phone calls, because she, she also helps out with the phones, of people reporting HIPAA violations. And I got us thinking, it's like, well, how do we report it? We know because we preach it and we talk about it. But what we do is when we get those calls, we coach people through, we, we, we tell them: by law you have the ability to file a complaint with the government and or the privacy officer at the business that he or she feels their, their HIPAA has been violated, their health information is violated, and there's some, there's some very, there's some heart-wrenching phone calls and on.

Rob:

You've gotten a few and I've gotten a few as well.

Dawn:

Yeah, these are not. I mean, just to be clear. Yeah, people really just want to talk to someone. A lot of times they're like, compliance, great. Sounds like they know what they're talking about.

Rob:

HIPAA, great. Okay, we can do it.

Dawn:

Yeah, some of these calls are more of personal vendettas, if you will, where we have friends, or thought they were friends, posting medical information on Facebook or any social, other social media platforms, and, and just, you know, there's a lady who's living in a small town and that's what happened to her.

Dawn:

Yes, it's a HIPAA violation. You have to be, have to kind of figure out what happened, why, what did you tell her? What did you give her access to, him or her access to? Again, all this is, is all part of when you, when you think about, is this, have, have, has my HIPAA have been violated, okay, well, let's go through and understand what happened. And when you're filing a complaint, whether it's through a doctor's office, whether it's through Facebook, I mean, you know, there's the social platforms, Meta. I mean there is definitely where you can. I mean you can get, turn people in for things they've said.

Dawn:

So obviously they have their own but you have to know, you have to really tell them what happened, description of what happened. You have to be explained and be very descriptive, and the OCR, if you file it directly with them, they're gonna want that as well, Cause they have to then go and do some research on it. So we're here to listen. You know we're not counselors by any means, but sometimes you know, sometimes we are.

Dawn:

We don't want to be, but we're here to listen. But there's just been some interesting calls and I think for us it's more of you know. We want to direct people in the right direction and to let them know is this a valid violation or you know? And what to do.

Rob:

And the first step always is to document the violation. If it's personal or it's business, right, If it's in your practice, it's in your business, it's in your any business.

Dawn:

In.

Rob:

Texas we have the HB300 regulations where everybody's a covered entity is. You have to document. I don't care, I tell people if it's a napkin, if it's a note, grab your phone. Everybody's got the phone. Get your notepad out and just document it or just do a voice memo. What happened?

Rob:

You got to get the details down because that is gonna become a legal document. So write down all the details as you can remember dates, location, time, people involved, all of that. Those are all key pieces that auditors as us, that we look for government looks for obviously any attorneys we have to, unfortunately, get that involved. So document the violation. Also, when you call the, when you're calling the doctor that you if it's a business you feel that they've violated your HIPAA compliance rights, the privacy officer at the practice is gonna need all that information so he or she can complete that privacy form and fill out that report for you.

Dawn:

And hopefully they have a poster hanging up.

Rob:

No, they shouldn't.

Dawn:

Or they can give you a privacy policy with that information.

Rob:

Yes.

Dawn:

And if they can't, then that is a huge red flag. Yeah, legally they have to provide that Then you're just gonna go straight to the OCR and be like they had nothing for me, and that's a whole other issue, because by law they have to provide that. If they can't provide that, then get fine for that. So yeah, Yep yes yes.

Rob:

All right, what's the step two?

Dawn:

Oh, privacy officer supervisor yeah. So, we kind of talked about that a little bit already.

Rob:

But if you work in a practice, you work in a business, you work as a SaaS company or any type of company that handles health information, you need to go to your privacy or compliance officer and notify them, him or her, of that.

Dawn:

And sometimes Robert can be the human resources director.

Rob:

Could be the Sometimes it's HR, sometimes it's IT.

Dawn:

Sometimes, sometimes a certain companies, they are kind of the catch all, they kind of do it all. So just be aware too. And sometimes in a company we've had calls where it is kind of an HR. I remember during COVID during COVID people were like well, can my company tell everyone that I have COVID? That was a whole thing. We're taking temperatures as we walk in, so on and so forth. And it was go to your HR director, see what?

Dawn:

their policies are, if they have any, and make sure that you tell them what you're aware of, what's happened and have them do the research and that type of thing. So yeah, sometimes it can't be the HR person, but yeah, oh yeah. But really, if you're not getting anywhere with the two, come to to above, like me the two hello.

Rob:

The, the other two thing, the privacy officer, the privacy officer or just, you know, the HR person, yes, you can always go to where the government, HHS, yes, Health and Human Services, and, and we always make a little bit of fun because this government a but B. The way the law is written is, is you have the right, a legal right, to a constitutional right to be able to submit a violation of your health information that's been breached, or even a simple incident, and it's all right there. We'll put it in the show notes. It's all right there. In the OCR's website, Health and Human Services Office for Civil Rights website, there's an 800 number. There's a simple online form.

Dawn:

They have an email address. They made it very simple. You could even mail. Oh, you can mail. You can remember the government mails.

Rob:

They don't email you spammy things saying it's your tax. Clearly, tax payments do so, yes, so exercise that right. It's important to document that now. I will tell you we know government is slow. We know we have helped many clients work through audits with the government and they're months, eight to nine months or ten months, just because the machine is slow, but that's how it is. But they will get to. It may take a couple months but they'll get to and it's also documented so that practice and or person will have to be investigated, yep, yep. The next piece really is kind of that confidentiality piece, is making sure that you maintain the confidence out even reporting the violation. That means don't go on social.

Rob:

Don't tell all your friends that you talked about the salon earlier, or the restaurant or the bar or your buddies or whatever, because people talk. So don't, don't discuss the case with colleagues, I don't need to know, right, so she knew workplace environment or friend environment. Seems like a lot of the phone calls we've gotten have been friends or people who thought they were friends, unfortunately, yeah, or disgruntled employees, we've got a few of those disgruntled employees, and keep it close to vest.

Rob:

You don't need to put all the laundry out there on the but, more importantly, when you submit that, what else you got to do, Dawn?

Dawn:

Well, the, the OCR, they, they definitely will follow up with, with the, with you. They have a process so you probably have to get in line to get in line, but there is a process and they do have a follow-up to the, the status of your, of your complaint, so, and you know, and the other. The other part of this too is that, you know, making the complaint, but then we have gotten a couple calls where there was a couple people that they probably needed to seek an attorney.

Rob:

Yeah, because yeah, there is.

Dawn:

You know, to make a civil case a, you know. Mm-hmm against a person personally. So, and fortunately, that's the reality and but that is always an always an option, and I know that's an expensive option, but it could be your best. It could be your best option as well. So, but that's always, that's always there.

Rob:

Yeah yeah and we've told, we've told clients that before you know we we have retained legal counsel. We know we can reach out to her as needed, but we guide people until like, oh, you can deal with it this way with the privacy compliance officer, or now we unfortunately have to go down the legal route. So you don't want to jump to that conclusion.

Rob:

Yeah right, but what you want to do is you want to document everything and put that case together. So then you get to that point. Your attorney can look at that and go, yeah, you've got a case, or it's like you know what we're, we're gonna handle this a different way.

Rob:

Yeah, Yep yep, and then, obviously, after we document everything, we maybe you have an unfortunate to talk to to an attorney is want to protect your data and privacy. Remember your info has been out there, you know it's either been an incident, and remember Data security compliance and HIPAA covers oral conversations, so if you can hear it, then it's covered by law. So protect that identity. How hard you go into that doll like how order? Some ways listeners can protect their data identity besides Not talking about it.

Dawn:

Well, you know, you could do simple things, you know, changing your passwords, passphrases, updating those. I just did that the other day, you know, I got a new phone and there was just some old stuff on there and I was like, well, I can just update some passwords and, and it takes some time, sure, but it actually helps you update email addresses. I had an old email address and a few things and kind of helps keep things clean. Google will actually, because Google knows everything, it seems.

Rob:

No.

Dawn:

Google will actually tell you if you have reused passwords, yeah, or if, if passwords have been part of a breach. It, it's pretty interesting, Google crawls everything. So you know, just again, be smart. You know, don't use the same password for everything, just be smart and kind of. It's like that hygiene thing, yeah, cyber hygiene kind of thing and, and yeah, and you know what, I know people love Facebook and they want to share pictures and all this stuff about all this different stuff. But be careful what you post.

Dawn:

I mean, I think, I think just be mindful of it, you know, because it there are creepers out there. So um yeah. I don't know. It's, it's, again, it's, it's. You just have to know what you're doing, yeah, and you have to know what your risk is. So just be smart.

Rob:

Yeah, yeah, definitely be smart, be smart. So if you feel like you've been, you know, either a victim or just a question about your, your rights under the HIPAA compliance laws, obviously you reach out to us here at VanRein Compliance. We can guide you, can give you some information. You can also go ahead and file a complaint right with Health and Human Services, with the government, or, if it's a practice or business, call that practice or business and ask to speak to the compliance officer to file a complaint, and by law they have to do that and hold them to it, because it's your data. Remember, it's your data, folks, it's not the provider's.

Dawn:

Mm-hmm done.

Rob:

Good start, I think that's the pod.

Dawn:

All right, see you next time. Bye, bye, bye bye you.

Unions, Profit Margins, and Minimum Wage
State Privacy Laws and HIPAA Reporting