Mnet Health News delivers the latest news and information articles for the world of healthcare.


Safe & Sound-How Well Do You Understand Privacy Considerations Under HIPAA

If your agency collects health care accounts, you need to be familiar with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's privacy rules were put in place to safeguard consumers' protected health information, or PHI. HIPAA governs how you access, distribute and protect PHI, and failure to comply can have serious consequences, not only for your company but for you personally.

While there is no private right of action under HIPAA, the Department of Health and Human Services (HHS) can take enforcement action against those who violate it, and consumers can file complaints with HHS. HIPAA also carries criminal penalties: in 2010, for instance, a doctor who accessed medical records without a valid reason was fined $2,000 and sentenced to four months in prison. And in 2015, a lab employee at a student health center was fired after she mentioned the results of a patient's pregnancy test to a coworker.

What is PHI? As a debt collector, you are expected to help protect consumers’ sensitive and confidential health care information. Anything that could be used to identify consumers in relation to their health care information is considered PHI. This can include a person’s name, address, phone number, medical history, insurance details and health care bills. 

How Can You Protect PHI? Don't discuss information in the consumer's file with anyone but the consumer, unless the consumer has given you permission to do so. This includes idle chit-chat with co-workers, even if you don't mention the consumer's name. Some situations will call for you to contact the consumer's insurance company, or you may receive an information request from an attorney.

Before you email, fax, mail or discuss PHI with a third party, ask yourself: Do my company's rules authorize me to do this? If so, has the consumer consented to the release under HIPAA, and will the information I send be encrypted? Email in particular is an often-overlooked disclosure risk: ordinary email is not encrypted end to end, so PHI sent that way may be readable in transit and wherever the message is stored. Use the secure-messaging or encrypted-email channel your company has approved for PHI instead.

Although the Fair Debt Collection Practices Act allows you to communicate with a consumer's spouse, parent or guardian, HIPAA may not. If a consumer asks that certain people, such as family members, not be told about his or her situation or condition, you cannot disclose any health information to those third parties.

How Should You Store PHI? While your company is responsible for securing its computer systems and designing its collection notices to protect PHI, you also play a key role. Lock your screen and don't leave consumer information visible when you step away from your desk, even if you just get up for a minute to get a drink of water.

Only print out documents containing PHI when you have a legitimate business reason to do so, and even then, you’ll need to dispose of those papers in a secure environment—a shredder your company uses for such a purpose, for example, not the day-to-day recycling bin by your desk.  

Even written notes you leave on your desk referencing PHI can be considered a HIPAA violation, so either avoid doing this altogether or use HIPAA as good motivation to keep your desk clean and free of clutter, safely disposing of these written reminders as soon as possible.


Cyber Liability Insurance 101: Will it Help Agencies and Providers Combat Data Security Threats?

Data security risks are not going away in the health care sector, and while strategies such as employee training and a strong data breach response plan help, another option for protecting your business is emerging: cyber liability insurance.

Health care cybersecurity spending is predicted to reach $65 billion between 2017 and 2021, according to the Experian 2018 Data Breach Industry Forecast. Experian also reports that health care will be the most targeted industry this year as new and sophisticated attacks emerge.

The U.S. Department of Health and Human Services (HHS), the media or state attorneys general received 233 health care breach reports from January to June 2017. "For the 193 attacks for which there are numbers, 3,159,236 patient records were affected," according to Experian.

Providers are increasingly purchasing cyber liability insurance policies to ensure financial protections and resources to work through data breaches and maintain their reputation are in place, Becker’s Hospital Review Content/Strategist Editor Brooke Murphy reports in the white paper “Can Health Care Providers Afford Not to Have Cyber Insurance in 2018?”

“As cyber threats become the reality, and as [insurance] carriers have identified how significant and complex online exposure is, cyber liability policies have become more refined and more necessary,” James Fasone, senior vice president and national health care practice leader for Key Insurance & Benefits Services said in the white paper.

Purchasing cyber liability insurance may ultimately be cheaper than the costs a provider faces after a data breach, from attorney's fees to credit monitoring for affected consumers, according to the white paper. That is not to mention the costs of business disruption and of time spent notifying patients.

And even if providers spend money up front to protect their company and data from a cyber-attack, criminals continue to find ways around firewalls and security systems. Remember, too, that the strongest security protections can still be undermined by human error if they are not used properly.

Employees continue to present a big risk to companies, according to Experian. Regular training and a refresh of your data security policies are critical to staying ahead of threats to sensitive information. It also helps to limit the number of employees who have access to sensitive data, especially on mobile and portable devices, and to maintain a strict policy for access to, and transport of, such devices. Encrypting those devices matters under HIPAA as well: PHI encrypted in line with HHS guidance is not "unsecured" PHI, so losing an encrypted laptop does not by itself trigger the breach notification rule, whereas losing an unencrypted one is presumed to be a reportable breach unless a risk assessment shows otherwise.

“Cyber liability insurance helps hospitals cover the costs of a data security breach for things like identity protection solutions, public relations, legal fees, liability and more due to loss, theft and unauthorized disclosure of data,” according to Becker’s Hospital Review.  

When considering if cyber liability insurance is right for your business, and the level of insurance that is the best fit, it comes down to matching coverage with your “business objectives, asset vulnerability, third-party risk exposure and other external factors,” Murphy reports. 

“The cyber insurance industry in the last three to five years has rapidly evolved to meet the needs of health care businesses in a digital world,” Fasone said in the white paper. “That means there are many more companies in the market offering a greater variety of coverage.”


News & Notes

CMS Funds Quality Payment Program Training

The Centers for Medicare and Medicaid Services is funding training and education about the Quality Payment Program for small healthcare practices. The training will especially help clinicians in rural and medically underserved areas and in areas with shortages of healthcare professionals.



Report: Discovery Rate for Data Breaches Increases

Healthcare data breaches affecting patient records declined in February; however, it is taking longer for incidents to be discovered and reported, and "insider-related breach incidents have doubled," according to the monthly Breach Barometer report from Protenus. In February, organizations took an average of 478 days to notify the U.S. Department of Health and Human Services of a breach, compared with 174 days in January.



CMS Projects Growth in Medicare, Health Spending

According to the Centers for Medicare & Medicaid Services’ Office of the Actuary National Health Expenditures Data projections for 2016-2025, growth in Medicare spending is projected to average 7.1 percent. Healthcare spending by federal, state and local governments is “projected to outpace growth by private businesses, households and other private payers,” it reports.  



Government Accountability Office Finds Imbalance in Uncompensated Care Payments

Funding hospitals receive for uncompensated care is not in line with their actual costs, according to a report from the Government Accountability Office, "Federal Action Needed to Better Align Payments with Costs." Since 2000, hospitals have provided more than $502 billion in uncompensated care, according to an American Hospital Association report from January 2016. Uncompensated care is the total of bad debt and charity care a hospital provides.

The GAO was asked to review federal support for hospital uncompensated care, including “key sources and amounts of federal support for hospital uncompensated care costs; the basis for determining hospital uncompensated care payments made under Medicaid and Medicare; and the extent to which Medicare (uncompensated care) payments align with hospital uncompensated care costs,” according to a summary of the report.

Hospitals receive about $50 billion a year in uncompensated care payments from Medicare and Medicaid, according to the report. The GAO finds that Medicare uncompensated care payments are not in line with hospitals' costs for two reasons:

  • Payments are mostly based on hospitals’ Medicaid workload instead of the actual uncompensated care costs they have; and
  • The Centers for Medicare and Medicaid Services does not consider the Medicaid payments hospitals receive to offset uncompensated care costs when issuing uncompensated care (UC) payments through Medicare. In 2014, for example, most Medicare UC payments (about 85 percent, or $7.7 billion) were based on hospitals' work for Medicaid patients, meaning those hospitals may also receive Medicaid payments for the same care.

"CMS officials acknowledge this could result in payments not aligned with uncompensated care costs, particularly in states that have expanded Medicaid resulting in fewer uninsured individuals and lower uncompensated care costs," according to the GAO report. CMS proposed a rule in April that includes consideration of "using hospitals' actual uncompensated care costs as the basis for making Medicare UC payments."

The GAO notes in its report that CMS officials said the Medicare and Medicaid programs are run separately.

“Medicare UC payments that are not aligned with uncompensated care costs or adjusted to reflect Medicaid payments undermine CMS’s efforts to efficiently pay for healthcare services,” according to the report.

The GAO issued recommendations for CMS to improve the connection between Medicare UC payments and hospitals’ costs and take Medicaid payments into consideration when also issuing UC payments under Medicare.

The Department of Health and Human Services has proposed to transition to a new data source to identify hospitals’ uncompensated care costs, according to the GAO report, which includes comments from HHS.  “Specifically, HHS proposes to define uncompensated care costs as the costs of charity care and non-Medicare bad debt,” according to the report.

HHS also concurs with the GAO’s recommendations and is considering comments on its own proposed rule including the data source transition for determining uncompensated care before finalizing its rule.  “We agree that aligning uncompensated care payments to actual uncompensated care costs is important and helps make sure that HHS is directing these payments to hospitals appropriately,” HHS notes in its comments. 

"In the event HHS finalizes its proposal to begin using uncompensated care cost data from the Medicare cost report to determine the distribution of these Medicare payments, we intend to continue to review the definition of uncompensated care as appropriate."


Checking in With ICD-10 (Part II-A Look Back at Preparing for ICD-10)

The WEDI survey also shows there was value in testing ICD-10 claims during the implementation process, but the delays in the deadline had both positive and negative effects. “When additional time was provided, some organizations did not take advantage of this time. The extended implementation period also added costs for many organizations.”

In advance of the implementation date, BillingTree recommended that its healthcare provider clients focus on preparing their infrastructure and technology systems for ICD-10 while communicating with patients and ensuring they had current patient contact information that could be used for payment communications as permitted under the Telephone Consumer Protection Act. That way, when a claim is processed, a provider can easily follow up with a patient about any balance due and resolve the account for both parties.

According to WEDI, a majority of healthcare providers responding to the survey indicated costs of ICD-10 were in line with their expectations or higher, but many also said the expenses were less than expected.  “The majority of respondents indicated that they did not expect to realize any [return on investment] with ICD-10,” according to the news release.

“The interesting part about ICD-10 was that it’s kind of like Y2K,” said Lyman Sornberger, chief healthcare strategy officer for Capio Partners LLC, during a presentation at ACA International’s Spring Forum and Expo. “Everybody panicked [and] it got delayed.”  Once some time passed, Sornberger said denials were inconsistent, reflecting increases from 3 percent to as high as 30 percent, mostly related to smaller hospitals being unprepared for the transition.

Now that ICD-10 has been in effect for several months, CMS is beginning to audit healthcare providers’ charts to test their use of ICD-10.  According to the CMS ICD-10 assessment and maintenance toolkit, providers should select high-risk cases to audit as well as cases representing a shift from the use of ICD-9 to ICD-10 diagnostic codes to identify any patterns of incorrect coding.

Sornberger said he knew of one healthcare provider that received a request from CMS for 1,000 charts, and there is no limit on how many charts CMS can request. Questions remain about whether patients will notice any change from ICD-10 and whether the additional diagnosis codes will ultimately change the billing process.

Yohe said that if any delay in claims occurs under ICD-10, patients might be frustrated if they get a bill many months after they received care when they thought it had already been processed under their insurance.  To help smooth out any bumps, Yohe said healthcare providers should designate staff to work with patients on payments or determine a way they can easily pay over the phone or online.

“We saw an uptick in getting a phone system established specifically for payments,” Yohe said. He also recommended providers make sure they accept payments from medical savings accounts and flexible spending accounts.

"At the end of the day, the patient won't get their bill until their insurance claim is settled and the patient balance is settled," Yohe said. "That means passing the claim back and forth a few times between the administrative office and the healthcare provider before they get it right to establish patient responsibility. As a provider, you're at the mercy of two different parties getting paid."

Now that an initial set of ICD-10 codes (which bring the U.S. healthcare system into line with the systems used in other industrialized countries) is in place, more could be added in October. There will be more than 3,600 new procedure codes and nearly 2,000 pending diagnosis codes. Yohe said that in the healthcare world, discussion is already starting about when we will see ICD-11; ICD-11, however, is not estimated to be ready for use in the U.S. until 2023.

For now, healthcare providers should continue to communicate with patients and insurance companies and test their key performance indicators. According to CMS, tracking performance indicators can help providers address problems with productivity, reimbursement and claims submissions.  The WEDI survey results show the impact to productivity experienced by vendors and health plans was mostly neutral, but providers experienced a slight decrease in productivity.  

“Once you have established baselines for your KPIs, compare data pre-and post-October 1, 2015, to put your current KPIs in context,” according to CMS. “Tracking KPIs can help you detect problems and identify opportunities for improvement.”


Checking in With ICD-10 (Part 1)-Katy Zillmer

The updated ICD-10 medical diagnostic coding system, which took effect last year, has allowed healthcare providers to more accurately describe a patient’s care for insurance reimbursement, but mistakes can cause claim denials and delays—ultimately impacting their revenue cycle process.

ICD-10 replaces ICD-9, the system used to document medical diagnoses and inpatient procedures. The switch to ICD-10 expanded the code set to more than 69,000 diagnosis codes and more than 71,000 procedure codes, according to the Centers for Disease Control and Prevention. All entities covered by the Health Insurance Portability and Accountability Act were required to implement the new system by Oct. 1, 2015.

“At its core, ICD-10 is not a bad thing,” said David Yohe, vice president of marketing for Billing Tree, which works on payment processing for healthcare provider clients. “It’s about having a more granular way to reflect what the physician or the care given ended up being for.”  Yohe said his provider clients have not reported a noticeable difference in the dollars they collect; just a delay in their revenue cycle processes.

“It’s just pushing their revenue cycle out longer,” he said. “It’s adding 20 to 40 days to the receivables cycle as a result of the back-and-forth and the coding.  They are not sure that it’s going to have a big effect in the long term as far as the amounts due.”  Looking back at the time leading up to implementation of ICD-10, which included multiple testing processes and delays of the effective date by the Centers for Medicare and Medicaid Services, Yohe said providers were most concerned about getting their systems ready and whether they would experience a large number of insurance reimbursement claim denials.

In May, the Workgroup for Electronic Data Interchange released post-ICD-10 implementation survey results showing the delays by CMS “improved the ability to perform testing and resulted in a smoother transition.” The survey, conducted in March, is one of several completed by WEDI to track the status of the implementation process in the healthcare industry. WEDI shared the findings with the U.S. Department of Health and Human Services.

“We wanted this post-implementation survey to be a closing chapter of assessment on why the transition went so well overall and also to leverage specific lessons learned for future large implementations,” said Jean Narcisi, chair of WEDI in a news release.  WEDI received a low response rate to the March survey compared to others, indicating ICD-10 project personnel are reassigned to other work “and likely a lack of interest in further ICD-10-related activities that are not operational in nature.”

Common themes in the survey responses included the value of starting the testing process early, communicating with partners and conducting extensive testing, according to the WEDI news release.  Overall, the transition on Oct. 1, 2015 was considered “non-eventful” by some in the industry, according to WEDI and survey participants said CMS’ ICD-10 website, WEDI’s website and coding materials from industry organizations were all helpful tools.

There was a slight decrease in productivity for providers, especially in the areas of coding and clinical documentation, but the impact for vendors and health plans was primarily neutral, according to the survey.  Overall, WEDI concludes from the survey that the collaboration in the industry was a “major factor in the success of the ICD-10 transition.”

Part II “A Look Back at Preparing for ICD-10” will appear in our next issue.


New Rules for Patient Credit Reporting Begin-With More on the Horizon

June brought new changes in credit bureau reporting that were announced earlier this year. All three of the major credit bureaus issued a statement in March saying the goal was to ensure transparency for consumers and patients. The changes stem from plans put in motion by attorneys general from several states.

One of the new requirements put forth is that the name of the original creditor and classification code must be reported.  Another new stipulation is that an agency or debt purchaser cannot report debt that did not come about based on an agreement to pay or a contract such as an assessment, ticket, or even some types of fines.

More changes are yet to come; on September 1, 2016 collection agencies will need to file a monthly report that includes information on accounts currently open, accounts that require correction or deletion, and that have been paid within the last 90 days.

The following year, on September 15 of 2017, several more changes will go into effect.  The most noteworthy include:

-Medical debt collection accounts should not be reported until they are at least 180 days old

-Full date of birth must be reported for any authorized new user on all accounts

-A delete must be reported for all accounts being paid by insurance or for those that were already paid by insurance

-Reporting must be done using new minimum reporting requirements for a patient or consumer’s personally identifiable information

The statement that was put out in the month of March encouraged all who are tasked with submitting data to credit bureaus to ensure implementation of these upcoming changes on or before the effective dates.



News & Notes

HHS Continues Audit for HIPAA Compliance 

The U.S. Department of Health and Human Services Office for Civil Rights is conducting its next phase of audits of covered entities and their business associates. The audit program is used to assess HIPAA compliance, identify best practices and risks and vulnerabilities and enable HHS to address problems before they may result in a data breach.

Healthcare Sector Jobs Exceed Nationwide Average 

A new report from CareerBuilder shows job growth in the healthcare industry is expected to exceed the national average for full-time, permanent jobs. Overall, 34 percent of employers plan to add full-time permanent employees in the second quarter. In the healthcare industry, 44 percent of companies with 50 or more employees are expected to increase their staff counts, according to the report.

Health Spending Growth Factors Change Since Great Recession 

The Kaiser Family Foundation and Bureau of Economic Analysis recently found the factors influencing health spending trends have changed since the Great Recession. The economic recovery, leading to more people seeking treatment, the Affordable Care Act and a decline in prescription drug prices all influenced spending trends.


Health Industry Will be a Target of Data Breaches in 2016

The healthcare industry will be more susceptible to data breaches this year as the transition to electronic medical records continues and the black market value for those records grows. In its third annual Data Breach Industry Forecast, Experian’s Data Breach Resolution group says the healthcare industry will be a target in 2016, and businesses need more internal employee training to prevent security risks. 

There have been more than 15,000 data breaches over the last decade, and according to Experian, security risks to businesses will continue this year. Healthcare data breaches remain a threat in 2016 following prominent cyber-attacks on Anthem, Premera Blue Cross Blue Shield and other organizations. According to a separate study by Privacy Analytics, because many individuals are not familiar with "deidentifying" data, it may be shared in ways that present a high risk of a data breach.

According to “The State of Data Sharing for Healthcare Analytics 2015-2016 Change, Challenges and Choice,” by Privacy Analytics, more than two-thirds of respondents to a survey of healthcare organizations said they lack complete confidence in their organization’s ability to share data without privacy risks.  Health records are the most common type of data being stored or shared (55 percent), followed by medical claims data (44 percent), according to the survey. 

Changing Landscape of Data

"In 2015, research from the Ponemon Institute revealed that while more companies now have a data breach response plan in place, many are still not confident in their ability to manage a significant incident," according to Experian's report. "Concerns regarding the effectiveness of response plans indicate a need for business leaders to reevaluate and audit their programs."

Experian also reviewed its predictions on data breaches for 2015 and how businesses fared against them. In 2015, employee errors continued to be one of the leading causes of data breaches, and employee training programs needed improvement. As a result, it is also essential for companies to improve their preparation for a data breach and their response plans should one occur, according to Experian.

“The landscape has changed with hackers targeting organizations for different types of data that could be used for extortion or to simply cause harm,” according to the Experian report. “While traditional data breach threats remain, it is important that business leaders take note of emerging trends and update their data breach response plans accordingly.” 

According to the Privacy Analytics study, one in five respondents said their healthcare organization has taken steps to reduce risk and improve deidentification in the records that are shared. Healthcare organizations are slowly starting to make data available for secondary uses, but two out of three respondents to the Privacy Analytics survey said they lack total confidence in their organization’s ability to share data without creating privacy risks. 

“The demands for data, combined with the magnitude of PHI [Protected Health Information] being collected in electronic medical records, medical monitoring apps and other healthcare networks makes this cause for concern,” according to Privacy Analytics. Nearly 50 percent of respondents to the survey said preventing patient “reidentification” is a top challenge when they share or store data and the concern is highest among organizations that are already sharing data. 

Privacy Analytics also reports results of its survey reflecting that employee errors or the need for more employee training may contribute to challenges in information security among healthcare organizations. “Additional challenges include low staff knowledge on managing data safely (26 percent), low staff knowledge of data sharing practices and tools (25 percent), cost concerns (24 percent), and lack of organizational policies (23 percent),” according to the Privacy Analytics survey. 

Overall, according to Privacy Analytics, the results of the survey show there is a gap between regulatory requirements and healthcare organizations’ ability to meet them and an overall growing demand for health data. “The growing demand to share health data brings with it growing risks. The proliferation of PHI and subsequent requests for data is pushing the boundaries of compliance as organizations try to satisfy demand. The response has been to err on the side of caution and keep data locked away,” according to Privacy Analytics.

But those who do share and store PHI must do so responsibly, and the survey reflects their struggles to prevent patient re-identification and meet compliance requirements. "Many organizations feel unprepared to responsibly store and share data for secondary purposes, and thus, are unable to advance analytics in their organization," according to Privacy Analytics. Experian recommends that healthcare organizations continue investing in data security technologies and training employees on proper security practices in 2016.


Medical Company Sued Following Change to Medical Debt Collection Rules

Last summer the rules governing the collection of medical debt tightened when the FCC issued a ruling that made it more difficult to call patients on their mobile devices without first obtaining their express consent.

A hospital chain based in California has become one of the first healthcare providers in the country to be sued based upon that ruling made last July.  The focal point of the class-action lawsuit is Prospect Medical Group’s Southern California Hospital at Culver City.  The allegations set forth in the suit claim that an automated dialer was used by the hospital to contact the cell phone of a patient named Donna Ratliff to collect on a debt without having prior consent to call her mobile device.

The medical debt collection industry originally asked the FCC to give greater clarification on the Telephone Consumer Protection Act in the hopes that greater flexibility would be extended.  The medical debt collection industry was also hoping that the FCC could address more recently related issues such as consent to call, reaching wrong numbers and auto-dialing mobile devices.  But instead, the FCC pointedly asserted that collectors of medical debt must have prior consent before contacting a cellular phone, leaving few options for phone numbers that have been reassigned.

Prospect Medical issued a statement that makes it clear that they follow necessary protocols to obtain the proper consent to make contact with patients on mobile devices.  The statement said  “All of our patients are asked to sign an irrevocable authorization permitting our hospitals to contact them via telephone—including, specifically, via cellphone—in their efforts to collect outstanding debt."  

Hospitals have previously had some latitude when calling patients to collect medical debt arising from a medical encounter. However, providers must be diligent about ensuring that the debt can be linked back to the encounter at which the patient first provided the cell number.

“At this point, best practice for providers is to secure written consent during the initial intake process that very clearly states and obviously makes note of the fact that auto-dialers could be used and that mobile devices will be contacted if that is the number that the patient has provided to the facility” said Mnet Financial CEO David Hamilton.

TCPA litigation is already active: lawsuits under the TCPA increased more than 560 percent between 2010 and 2014, according to data from ACA International, the Association of Credit and Collection Professionals. "With the FCC's latest clarification, we are seeing an increase of these kinds of lawsuits and it isn't likely to change in the near future," said Hamilton. Statutory damages range from $500 per call to as much as $1,500 per call for a willful violation.

The California case deals with express consent but does not address what happens when a medical debt collector reaches the wrong person. The FCC's ruling allows a caller one call to a number that has been reassigned without penalty, whether or not someone answers. However, studies show that more than 100,000 mobile phone numbers are reassigned every day. This led ACA International to sue the FCC, challenging the order issued last July.

“It’s increasingly difficult for medical debt collectors to keep up with the risk involved,” said Hamilton.  “It’s nearly impossible to confirm that the person you are reaching out to is going to actually be the person you are trying to reach.  It’s a very difficult situation.”

Mr. Hamilton says that the best way for providers to protect themselves is to create a very thorough process for obtaining consent from the patient and to simply respect the wishes of those who choose to opt out.


What to Do When Your Data Security Policies Need a Checkup

Data security breaches present a significant risk for credit and collection agencies and their healthcare provider clients, especially with the growing use of technology and the switch to electronic records in the healthcare industry. “Most credit and collection organizations believe they are at low risk for a data breach,” Jeffrey Hausfeld, managing director for Financial Management Solutions, LLC, said during an ACA International seminar, “Practical HIPAA Security and Privacy,” in October. 

In fact, he said the risk has never been greater, and collection agencies working with healthcare clients have an added layer of security they need to provide under the Health Information Technology for Economic and Clinical Health (HITECH) Act to ensure HIPAA compliance. 

Collection agencies that perform a service or function for a healthcare provider or health insurance plan are generally considered their business associates, Hausfeld noted. Adam Bullian and Robert Zimmerman, COO and managing partner of QIP Solutions, respectively, also contributed to the presentation on risk assessments, audits and training related to healthcare data security. 

“HIPAA requires you maintain the same security [as] your healthcare provider [clients],” Hausfeld said. According to the Ponemon Institute Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, which includes input from healthcare providers and their business associates, more than 90 percent of healthcare organizations have experienced a data breach and 40 percent experienced more than five in the last two years. 

The Ponemon Institute study, released in May 2015, also shows that criminal attacks are the number one cause of data breaches for healthcare organizations, and they increased by 125 percent compared to five years ago. “In fact, 45 percent of healthcare organizations say the root cause of the data breach was a criminal attack and 12 percent say it was due to a malicious insider,” according to the study. 

The Ponemon Institute reports that the economic impact of a data breach has remained consistent over the past five years of the survey; however, the cause of the incidents has shifted from lost or stolen devices to criminal attacks on the data of healthcare organizations and their associates. 

“At the same time, employee negligence remains a top concern when it comes to exposing patient data,” according to the study. It can be costly to invest in resources for securing protected health information (PHI) and your organization’s technology, but it is necessary to remain compliant, and the expense in the aftermath of a data breach is much greater. 

According to the Ponemon Institute, the average cost of a data breach for healthcare organizations is more than $2.1 million. And business associates of healthcare organizations can face fines if HIPAA compliance is not in place after an audit of their operation. Fortunately, there are many steps business associates can take to maintain and improve their compliance and minimize risks if a data breach should occur. 

Assess, Prepare, Train 

“We strongly suggest you take a risk-based approach and focus on critical risks before other items,” Zimmerman said.  Organizations that complete an internal audit of their security systems, or have an external audit performed, often find they have an incomplete risk analysis, undocumented movement of PHI data, limited security awareness training and an untested disaster recovery plan for the event of a data breach. Companies should complete a risk assessment to set a baseline for the controls they have in place and develop a process to resolve any risks. 

“It’s also going to reduce your costs because you have a process,” Zimmerman said. “It is definitely the first step toward HIPAA compliance.” Partners of business associates in the healthcare industry want verification that these measures are in place. In fact, an agreement is required for business associates working with providers and insurance plans as well as their subcontractors with access to PHI. 

Organizations should also take inventory of where PHI is stored, such as computers or mobile devices, who has access to it and if that access is authorized. When evaluating access to PHI, organizations can designate a team of employees to go to if a data breach occurs and train them to mitigate the risks quickly and as much as possible. Creating that team can be a part of your organization’s training process for new employees and a refresher for existing staff. Training is one of the most effective ways organizations can safeguard PHI and maintain compliance with HIPAA.

Bullian recommends that training be tailored to your organization by evaluating who should participate, how often it should be held and the best format, such as online, virtual, email reminders or a combination of those options. Training should include a review of password security procedures, how to identify a phishing email and an evaluation of mobile device security if such devices are used by your organization. “Another best practice is to have supplemental training throughout the year,” Bullian said. 

Keep it Simple 

Maintaining and improving security and privacy measures does not need to be overwhelming; the longer a process is in place and evaluated on a regular basis, the more reliable your practices will be over time. A sound and consistent plan provides assurance to your healthcare organization and insurance partners that HIPAA compliance remains in place. 

“This is not a one and done type of effort,” Zimmerman said. “When you use a process, it should be very effective and very efficient. The main thing is really to ensure that your organization is secure and that you can show others.” ACA International is offering a two-part online training on Data Security and Privacy Dec. 9-10. The training will cover implementing policies and procedures, how to notify consumers in the event of a data security breach and strategies to develop a data security compliance program. Visit education to access the events calendar and training registration.


Recent TCPA Ruling Observations


Recently the Federal Communications Commission (FCC) released a Declaratory Ruling that was effective upon its release.  The FCC issued the Order to respond to, and bring clarity to, petitions questioning how the Commission interprets the Telephone Consumer Protection Act (TCPA), while enhancing consumer protections and closing loopholes.

Congress originally passed the TCPA in 1991 to bring regulation to pre-recorded messages and auto-dialer usage that was perceived as being out of control.  The Act was created to serve as a protection to consumers by restraining companies from participating in unwanted telemarketing activities.  Eventually the FCC confirmed that the TCPA was designed to restrict text message telemarketing activities as well.  Thus, new rules were enacted in 2013 to prevent companies from contacting consumers through text messages or phone calls from a representative without express written consent.  

A company’s failure to abide by these regulations can ultimately result in regulatory action as well as the expense of litigation.  TCPA lawsuits have increased markedly since those new rules were enacted in 2013.  Across multiple industries nationwide, companies that make unsolicited calls or send unsolicited texts to consumers have become the targets of class action lawsuits, resulting in huge fines for companies, including many notable American brands.

Best Dialing Practices

So what are the best practices for the healthcare industry based on the most recent Order?  Mnet Financial CEO David Hamilton recommends the following:

* Make certain that you have determined the type of phone you are calling, whether it is a landline or a wireless phone.  There are phone “type” solutions that can provide identification services.

* Capture and secure proper consent from patients before contacting them, and be certain that the consent covers contact through a wireless device.

* Review office practices to ensure that your list of wireless numbers is current.

* Ensure the phone has not been reassigned and that the person who originally gave consent is still the owner of the phone.  There are services that make it clear when a number has been recycled and is now being used by someone else.

* Always repeat the verification process for any new patient records or records that have not recently been verified.

* Since only one call can be made to a reassigned phone number without liability, be selective about using the exemption.  

* Review the messages being delivered to wireless devices to be certain they are compliant.

It should be noted that on the same day the FCC released its Ruling, ACA International (the Association of Credit and Collection Professionals) immediately filed a lawsuit seeking judicial review of the Ruling in the U.S. Court of Appeals for the D.C. Circuit.  Since then, other organizations have filed suit as well, challenging the FCC’s interpretation of the TCPA.  We will keep you updated as the story develops.
