VanRein Compliance Podcast

Costco's Massive Leap into Healthcare + Critical Role of The HIPAA Business Associate

September 29, 2023 Rob & Dawn Van Buskirk Episode 60

Ready to uncover the latest healthcare industry shake-up? Costco, the retail giant, has decided to leap into the healthcare industry with a telehealth service, and we'll be your guides through this significant transition. Riding on the wave already set by Amazon, Walmart, and Sam's Club, Costco's foray into the market promises affordable and easy-to-access virtual primary care visits, lab testing, and even virtual mental health services through Sesame, an online platform. The implications of such a move in the healthcare industry, particularly for those with high deductible plans and the uninsured, are vast and transformative.

But here's another twist - ever wondered about the vital role of the Business Associate Agreement (BA) in the realm of telehealth? Strap in as we navigate through the complex world of BA, laying bare the need for meticulous security measures, frequent risk assessments, and diligent breach reporting. We'll illustrate its importance in training and educating both covered entities and business associates, and the criticality of trust when handling precious customer and patient data. Join us, as we analyze what the Costco-Sesame partnership means in the context of BA compliance and what it implies for the healthcare industry's future. It's a conversation you won't want to miss!

Thank You for Listening to the VRC Podcast!


Rob:

Hello and welcome VanRein Compliance pod the pod with Dawn and Rob. I'm Rob and I'm Dawn, hello, Dawn, we're back again. Hello, it is fun.

Dawn:

We've continued to come back.

Rob:

I have more buttons. Yeah, you don't I do.

Dawn:

That's going to get really old I want people to tell me if it's too old, we need new buttons. We need new buttons. All right, I'll get. We'll do that in post.

Rob:

That's it All right. Well, awesome. Well, last pod we talked a lot about yes, we talk about band. Yes, we talk about race. We do all of that, but I like to keep things current, right. So the big news that I came across actually, you came across as well is the Costco deal. What is Costco doing in healthcare now?

Dawn:

I know right.

Rob:

Yeah.

Dawn:

They're kind of joining the Amazon Walmart all the kind of stuff Killers like the Amazon Walmart by offering members $29 telehealth visits as well as lab testing and virtual mental health services. So they are pushing into the primary care market via telehealth.

Rob:

They're using an online platform called Sesame which I think is a good name, like Sesame Street, like Sesame Street or Sesame Seeds. Sesame Seeds, yeah. Sesame Street, yeah.

Dawn:

Really yeah, and it is. Yeah, it's so. They are teaming up with the online platform. Same day primary care visits, no wait times yeah.

Rob:

Whoa, really. No wait times. What happens when we go to the physician now?

Dawn:

A lot of wait times because what happened is there's not very many physicians. Because of COVID there's not many physicians, unfortunately not enough nurses.

Rob:

There's not enough staff. So the market has said I'm done and I want a better solution. So when Costco starts building a solution kind of like Amazon did with, was that One Medical a year ago or something yeah. They bought One Medical where you do Teladoc. You do it online through Amazon and then all of a sudden your medication excuse me gets shipped through Amazon and shows up at the door that afternoon.

Dawn:

And the thing here too, to remember is that, in this age of everything, is expensive now right, yeah. Costco. So they're teaming up with Sesame, because Sesame operates outside of insurance networks. They cater to people with high deductible plans who pay out of pocket for basic care, Yep, and they cater to uninsured. So here's the other thing we had remember we had concierge medicine is we're still dabbling in that too.

Rob:

That's still going yeah.

Dawn:

This is great for folks that yeah, aren't insured 29 bucks to to get some you know, base. Yeah, access to a physician, obviously you know if you need other stuff, obviously that's you know if you need, you know diagnostic and stuff we're talking you know, but this is great. This is a great option for people that have nothing and to help, to help those. So, uh, yeah, and when Costco? Yeah, this is pretty big.

Dawn:

When Costco moves in, that's a big deal Cause don't we all look at ooh, what's the Costco deal? Ooh, we can get a car through Costco. We can get insurance through Costco. We can get solar through Costco, we can get I mean pretty much tires through Costco, right, I mean, you can get.

Rob:

We can get anything through Costco, travel through Costco and the thing is. Costco backs it up. So if the physician, if they don't do their job and they're not- doing well you go to Costco, you got someone, you got a mediator which is you're just like Amazon.

Dawn:

I love Costco. I gotta go get new eyeglasses at Costco, speaking of that. Anyway, I'll put that on my shopping list.

Rob:

Um, yeah, so isn't? That?

Dawn:

isn't that cool, that's yeah, that's, that's, that's pretty big.

Rob:

That is an in the moment piece of nugget news. So there's Amazon. I know there's about a year or one medical. When is it available? When is it available?

Dawn:

When is it available? It is. You can start booking services on Monday in every state, every state Like next Monday, the first of October, yep.

Rob:

Or the first week of October, yep, cause this comes out on what? Friday? Yeah, so Monday folks.

Dawn:

So yeah, so same day, $29. So let me give you the pricing: $29 virtual primary care visits, no wait times. Standard lab panel and consult will cost $72. A virtual therapy visit will be $79. So that's good stuff.

Rob:

How do they do the?

Dawn:

labs I don't know.

Rob:

I'm intrigued now, I don't know.

Dawn:

So starting Monday in every state. The crazy thing about this is every state. Costco I don't think is in every state, are they? I mean, there's not a warehouse in every state.

Rob:

Well, you don't need a warehouse every state, because your physician is in every state. Oh I, know that.

Dawn:

But I mean, it's just interesting to me because a lot of times when you see folks roll stuff out I was in insurance for many years and insurance rolls out in certain states and they stay in those states. Okay, we're just doing Texas, California, Florida, so this is very interesting because it's all over. But again, it's all telehealth, so yeah, but anyway, there you go. There's a big nugget, and so that is some fun, I'm not plugging Costco.

Dawn:

but we love Costco because who doesn't like to spend $300 at Costco on a couple items? So anyway.

Rob:

Well, wait a minute, let's back that up. It's the only place you can go and buy three or four items and feel okay, giving them 300 bucks during Costco. So that means I bet you Sam's Club will be looking the other big holes.

Dawn:

Well, Walmart already does it. They're already there.

Rob:

So Costco to jump in.

Dawn:

So there you go. That's a nugget for today.

Rob:

Awesome, HIPAA nugget.

Dawn:

Dawn's HIPAA nuggets. Once hungry and they're going to go get a telehealth appointment. You know what?

Rob:

I'll buy you some chicken nuggets if you want to. You put some in the comments. Send me an email that says hello, VanRein Compliance will buy you some nuggets. We like the nugs. And this goes into what our topic for this podcast is, talking about business associates in healthcare.

Rob:

So you know HIPAA compliance for business associates and the reason for BAs, so Costco is going to be a business associate also. They're in some states like Texas. They'll be a covered entity. And wherever those physicians are credentialed, you got to make sure you have your business associate agreements set up and taken care of properly. Why? Oh, it's in the law. And also, you have to make sure that the data is secure. So why is HIPAA important for business associates? You know why do you need a business associate agreement, Dawn?

Dawn:

Well, for example, let's go back, let's use the Costco example. They're using Sesame. Sesame is the software right. Sesame is where you will be talking to the doc. Are they roasted sesame seed? So Sesame is actually the platform, which is the business associate. So you've got, you've got. Costco is kind of the they're the partner. It's sort of a double business associate. Maybe there's a BA and a sub-BA, anyway still a business associate, because a business associate is an organization that does not create that medical record, but they can house that medical record.

Dawn:

It can be a conduit. Conduit. So that's what's happening there. So, but that provider that's on the other side of the screen, they are obviously the covered entity. Now, if something happened, something glitched and there's a huge attack, you know, and all that telehealth information gets stolen from Sesame, compromised, there needs to be a BA.

Rob:

What that?

Dawn:

means is that that covered entity knows that that BA is going to help cover what's going on there.

Dawn:

And it's basically the legal contract we have signed. If it happened on your platform, what are you going to do? How are you going to retain that information back and the covered entity? Same thing is like you know. We need to make sure that we tell our patients what's going on here, and it's really just everyone knowing what each person is doing and, if there is a breach, what we're doing about it and how quickly we're going to rectify it so there you go.

Rob:

That's true, and it is a legally binding document, which is very important. Also, security measures are big for business associates. So we'll focus on the Costco deal with Sesame, roasted Sesame, and the key there is I guarantee you they're probably using Azure, they're probably using AWS. Maybe there's some Google GCP in there, maybe they built their own AI, if you don't know. But those are all. Those are also business associates where you must have BAs signed and in place at all locations in all businesses. That's what's required by law. So we must have all of those in place because you have to have those. And also the security measures are important. You know we talk about how to protect PHI. We talked about encryption, access controls, regular risk assessments. You've got to do those annually or when your platform changes. We have a lot of clients sort of looking at well, actually we are wrapping up Q3, aren't we?

Rob:

Going into Q4 and some are moving forward with changes with EMRs and platforms and some are holding off, so we're gonna have to do a full audit. So, and since we talked last week about all the new audit requirements and if you haven't listened to that one, just go listen to last week that was breaking news from the OCR. That was huge.

Dawn:

Here's the other thing too. Is that be cautious if the entity you're working with does not want to sign a BA?

Rob:

Then you can't do business with them. Don't send them the HIPAA. You don't have a signed BA.

Dawn:

Basically, they're saying that I've done everything I need to to secure this ePHI that is coming through my software, whatever, and they're saying, yes, I've done everything I need to do. So also be aware of who you work with and who you trust your customer and patient data with.

Rob:

Yep, exactly, those are definite keys and important pieces. Also, breach reporting is important, so you've got to know how a breach or incident will be reported by the covered entity or the business associate and how are they gonna notify not only the Department of Health and Human Services but also the patients or individuals, right? So unfortunately, we've all had our information breached, we've all had incidents, and you're gonna get the letter, you may get an email, you may get the tweet or see it on some platform. They have to explain to you what happened and they have to explain to you how they're gonna protect your data and protect your information.

Rob:

Those are the key pieces Right Yep Definitely. Yep yep, yep, yep. You know, we talk about this. A lot is just. You know, compliance is not about avoiding fines, it's about maintaining that trust and protecting that information. Those are the key pieces. It's going to also increase your revenue. So, as a business associate, so if you are listening to this bit to this podcast and you own a business and you're in the healthcare space, you're a business associate. You do the audit, you have policies and procedures and you complete that training.

Dawn:

Those are the key pieces that you got. You got to do One, two, three.

Rob:

Yeah, one, two, three, yeah, yeah, you're just like.

Dawn:

I thought you were going to play one of the buttons.

Rob:

Oh, what's the one I got? There you go oh well, that's that's funny. Yeah, yeah, it's funny. Yeah, that's the buttons. Oh my gosh.

Dawn:

We need more buttons.

Rob:

Well, we talk a lot about training and education. That's kind of really, really important. So we've built out quite a library here at VanRein. Obviously, HIPAA compliance training is a given that is required by law. Cybersecurity training is going to be required. If you use SOC 2, HITRUST, we require it, or ISO 27001. Those are key pieces, but what's the value of training, Dawn? What does that give our awesome clients and folks?

Dawn:

Well, and it's not. I mean sure you could look at it as okay, we checked it off, we did our annual training. Okay, move on. It's really informing yourself and your staff in the business of why what is, what is HIPAA, why, why do I care about it, and what is a business associate? What is this, what is that? And it's just, it's just making sure it's like front, front and center, the terminology and what things are, so everyone understands it. So, and the real important part of that is is, yes, the breach reporting, the notifications, all that kind of stuff. If something happens, what do I do? Incident reporting, all that stuff. So this is all very important stuff. That that it's just annually, it's it's it's good reminder of of what, what to do, what things, what is this, what is that and what do I need to do.

Rob:

So yeah, those are, those are important pieces. And then also obviously there's you know, there's a book compliance training, cybersecurity training, diversity training.

Dawn:

PCI training, space-specific training, specific.

Rob:

Oh, the key to is the security culture. Really think about how are we handling data, how are we handling, how are we handling it properly, and does your leadership team and your entire team know what to do what?

Dawn:

not to do.

Rob:

It takes the entire team right. Like the old saying, it takes a village to raise a kiddo. It takes an entire team to protect that data. You know, from an executive level to managers, to associates, to employees, you're all in the same compliance team. It doesn't matter your pay grade or your rank or your number, any of that fun stuff.

Rob:

You have to protect the data and you have to build that culture. So if you're not getting that culture from from maybe a management or someone, be the change you know, be the culture, create that culture and make sure you you know how to handle the health information and what to really really do. Those are really the key pieces to be a true partner as a business associate.

Dawn:

And have a partner, a true partner like VanRein Compliance to help you maintain, plug, plug, help you maintain and implement these policies, procedures, this culture. You know that's what we we try to, you know, teach those compliance officers to, to basically go to their team and be able to teach this and teach that culture and implement these policies and procedures. We help do that, obviously, yes, but it's it's just important to maintain it, it's not a one and done.

Dawn:

Things change, cultures change, everything's changed. Plus there's you know, there's always going to be some sort of incident, something that's gonna happen.

Rob:

It's gonna happen, don't just go, breach, don't go.

Dawn:

It's always a breach. Don't panic, it starts with an incident, then from there you know it's just document what happened and that type of thing. So it is important to to know what to do and it's important to maintain your compliance. Definitely, yeah, definitely.

Rob:

So, as a business associate sort of listening today, make sure that you take this seriously. I'm doing I'm probably performing two to three BA audits a week. Now I'm starting to see a lot of that, a lot of teams doing a few more, where we're seeing a lot of software get spun up in the health care space.

Rob:

We're common right, because it is the second largest industry in the United States and there's a lot of comms and SaaS companies that have just popped up and they don't know what they're doing with compliance. I'm just gonna tell you right now: yo, it's you, it's up to you to ensure that they are compliant, because by law it's written that way. A, but B, your, your. The people, the patients, your customers expect you to protect that data at all times. So think about that. You have questions? Call us, ask us, send us an email and we'll definitely be able to help you. So that's good stuff.

Rob:

So I'm still excited about the Costco, about the Sesame, Sesame, Costco, Sesame. Oh man, that will add us some good stuff for this week's pod, Dawn, very good, all right. I think that's it.

Dawn:

All right, bye, thanks Bye.

Rob:

Bye.
