Medical billing providers and healthcare programmers cannot simply be satisfied with standard hosting, but instead should implement HIPAA-compliant hosting whenever sensitive health data is transferred server-side. This is because organizations like medical billing companies and healthcare programmers are business associates that have direct responsibility for compliance; because the expenses for breaches (which HIPAA hosting is intended to prevent) extend far beyond the fines; and because the definition of a breach is broader in recent years than it was prior to 2013.
This article explores those three reasons that billers and coders should only use a HIPAA hosting provider for any regulated data, and also provides a list of basic action items these organizations can follow to achieve compliance.
Because business associates have direct responsibility
Many of the online articles related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and compliance with its parameters are focused on organizations that are described as covered entities under the law. These types of companies – healthcare providers, plans, and data clearinghouses – are the first and most obvious place to address healthcare privacy and security, key concerns within the law’s Title II, aka the Administrative Simplification Provisions.
There is another core group that must meet HIPAA stipulations as well, a much broader and more diverse category. That type of organization is the business associate, any firm that handles protected health information (PHI) or ePHI (electronic PHI) on the covered entity’s behalf. These companies include shredding services, hosting companies, medical billing businesses, and healthcare coding outfits. The relationship between a covered entity and a business associate must be outlined within a business associate agreement (BAA) that details which of the organizations is responsible for data safety as it changes hands, is processed, or is stored outside the walls of the healthcare plan, provider, or clearinghouse.
The basic and straightforward reason that business associates such as medical billing and healthcare coding companies have to be compliant with HIPAA is an addendum to HIPAA that went into effect in 2013 (finalized on January 25, with compliance required by September 23). The HIPAA Omnibus Final Rule directed that business associates would now be directly responsible for compliance and could be fined for violations accordingly.
Because the definition of a healthcare breach has broadened
Another core reason business associates should choose HIPAA managed hosting is that the rule changes in 2013 broadened what constitutes a data breach – as noted by Kansas City law firm Husch Blackwell.
This modification is critical because breaches are so central to HIPAA compliance; for instance, when a breach occurs, the party that was compromised must notify the affected patients and the HHS Office for Civil Rights (OCR), as well as the media in some cases (as directed by the Breach Notification Rule), a process that not only can quickly become time-consuming and expensive, but also can negatively influence your brand’s reputation.
Prior to the Final Rule, a breach was considered to be an incident in which PHI/ePHI was used or disclosed inappropriately, and in a manner that could cause patients or companies to experience significant loss of money, damage to credibility, or other ill effects. At that point, the government had to be able to establish that negative impact in order for the event to be considered a breach. Now (as of the Final Rule), any unauthorized or noncompliant disclosure or use of this data is considered a breach up front “unless the covered entity or business associate, as applicable, can demonstrate that there is a low probability that the PHI has been compromised,” notes Husch Blackwell.
Since it is so important for a business associate to know how to defend against allegations of a breach, it is critical to know the four factors that the HHS uses to determine whether one has occurred:
- The type and scope of the health data affected;
- Characteristics of the unauthorized party that either used the data or had it wrongfully provided to them;
- The nature of the breach, to determine whether sensitive health data was, in fact, accessed or viewed by unauthorized individuals;
- The forward steps that have been taken to mitigate vulnerabilities that exposed the PHI.
Because it’s not just about the fines
An analysis published in Becker’s Hospital Review revealed how far beyond the HHS fine (or even in the absence of one) the costs of a data breach can extend. The elements of cost that follow a breach include forensic investigation; remediation to introduce protections that could prevent similar intrusions; notification (assuming that at least 500 patients have been impacted); credit monitoring and ID theft solutions (approximately $10 per month per affected patient); disruption of business operations; loss of patients or customers; and lawsuits (which tend to average about $1000 per compromised individual).
HIPAA action items for medical billing companies and coders
Los Angeles healthcare attorney Robert A. Polisky described a number of tasks that should be completed by billing companies – via the nonprofit Healthcare Business Management Association (HBMA):
Healthcare plans, providers, and clearinghouses should take the parameters of the Final Rule into account in all BAAs that they have with programming or billing firms. One aspect that makes things a little less stressful is that the Office for Civil Rights (OCR; the division of the federal Department of Health and Human Services that is charged with development and enforcement of HIPAA regulations) allows companies a reasonable amount of freedom regarding the stipulations of a BAA contract. That is positive for medical billing and coding firms, and they should take advantage of that fact to comply with the law while also properly safeguarding their own interests. As stated by Polisky, “[I]t is important for [business associates] to ensure that they are not overcommitting to responsibilities or deadlines that are not required under HIPAA.”
A business associate has its own business associates: the subcontractors that perform work for it that relates to the protected data. It is necessary, therefore, for healthcare billing and coding firms to create BAAs for those relationships as well.
Programming and billing companies have to perform risk assessments, launch security plans related to their HIPAA data, assign the role of a HIPAA security officer, and build parameters of the healthcare law into their privacy policies (see the OCR’s Security Rule guidance).
You and your business associates (subcontractors) will want to perform a gap analysis: a study of the difference between where you want to be and where you are currently, or between your business goals and your current ecosystem.
Any firm that performs medical coding or billing should have breach notification policies in place with all subcontractors and covered entities with whom it exchanges safeguarded data, along with proper software to perform the risk assessments needed to determine when a breach notification is required.
Billing companies should have a process in place that identifies or flags any records for which everything has been completely paid. That way, the data within them will not accidentally be sent to health plans for reimbursement, audits, or other purposes.
You must have adequate training resources so that your staff (or anyone else within your workforce) knows how to stay compliant.
Your HIPAA compliant hosting plan
As indicated above, meeting the parameters of HIPAA has become essential for medical programmers and billers, for multiple reasons. Since that’s the case, it is critical that your infrastructure properly protects any ePHI at all times.
At Atlantic.Net, healthcare hosting is one of our primary areas of expertise. See our SOC 1 & SOC 2 certified HIPAA Hosting Services.