Tag Archives: HIPAA

All You Need To Know About HIPAA Business Associate Agreements

18 Aug

Source: Jeff Broudy, PCIHIPAA

Medical and dental practices are hearing more and more about large fines and data breaches surrounding HIPAA (Health Insurance Portability and Accountability Act of 1996). Many are fearful that significant fines could affect their practice, their patients, and their livelihood. Is this a real threat? I believe it is. HIPAA law is confusing, and protecting the security and privacy of your patient information is critical. And with the enactment of the Omnibus Rule back in 2013, HIPAA compliance now extends to your Business Associates.

The Ponemon Institute states that 39% of all Business Associates have experienced a data breach, and in one case a practice was fined $31,000 for not having a Business Associate Agreement on file. That’s an expensive document!

As HIPAA Compliance Specialists, a day rarely goes by that we don’t receive questions about Business Associates. “Who’s a Business Associate?” “Do I have risks if I don’t execute the proper agreements?” “What does my practice need to do?” In fact, our partners at PCIHIPAA created a HIPAA Webinar Series for our clients to help answer these questions. Let me know if you would like more information on this webinar series, and let me help clarify some of these questions.

1) “Do I need to have Business Associate Agreements on file?”

Yes. If you are a Covered Entity under HIPAA, you are required to execute Business Associate Agreements. The Health and Human Services website (HHS.gov) defines a Covered Entity as a health care provider who electronically transmits any health information in connection with transactions for which HHS has adopted standards.

Bottom line: Doctors, Clinics, Psychologists, Dentists, Chiropractors, Oral Surgeons, Podiatrists, Ophthalmologists, Nursing Homes, Pharmacies, Health Insurance Companies, HMOs, Company Health Plans, and Labs are all considered to be Covered Entities under HIPAA.

2) “Then, who is a Business Associate?”

A Business Associate is any organization or person working in association with, or providing services to, a Covered Entity who handles or discloses Protected Health Information (PHI) or Personal Health Records (PHR). A Business Associate may also be a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another Business Associate. Think of it this way: if you contract with a person or an entity that needs access to your PHI to do their job, they are most likely a Business Associate.

Bottom line: Examples of Business Associates are Lawyers, Accountants, IT Programmers and Representatives, Shredding Companies, Marketing Software Companies, Practice Management Software Providers, Data Backup and Storage Companies, and Billing Companies.

“Are there exceptions?”

Yes. HIPAA excludes conduits of information (UPS, FedEx), governmental agencies (Medicare and Medicaid), and anyone else who is not required to handle your PHI to do their job (Janitors, Landlords, Water Delivery Services). Also, your employees are not considered Business Associates. They need to be trained on HIPAA, but you don’t need to execute Business Associate Agreements with your employees.

3) “What exactly is a Business Associate Agreement, and why is it important?”

A Business Associate Agreement is a binding legal document that is now required under HIPAA for you to execute with all of your Business Associates. It is imperative that your practice has Business Associate Agreements in place, with a log kept for reference. Because your practice (as a Covered Entity) is sharing PHI with your Business Associate, this document ensures that the HIPAA mandates are in place and that your patients are protected. If you use the right Business Associate Agreement, it also includes an “Indemnity Clause.” The Indemnity Clause protects you financially if PHI is compromised under your Business Associate’s watch. This is a crucial clause that should be included in any Business Associate Agreement you execute.

Contact me for more information and/or assistance in creating a Business Associate Agreement (BAA) for your practice.

Click Here to take a free, no-obligation HIPAA Risk Assessment. The results will inform you of where you are compliant and where you are deficient in your HIPAA security.

Cyber Security and Debt Collection

20 Nov

Did you know that employees account for 43 percent of data loss, whether intentional or accidental? The remaining data breaches occur because of criminal infiltration. Regardless of the threat, our research shows that data loss and security breaches cost companies an average of $4 million in 2016, during which more than four billion pieces of confidential data were exposed.

Unfortunately, failing to create an effective cyber security system for your data collection efforts could put your customers and your company at risk.

Risks Associated With Cyber Security and Debt Collection

Data is easier to steal than you think.

Debt collection records are particularly sensitive because they contain significant financial information. The sensitivity elevates if you’re in the healthcare industry because your data might include personal health information (PHI).

Since you must report data breaches, your company’s reputation can take a serious hit if your customers’ data becomes compromised. Additionally, you could face serious consequences with regard to your cash flow, accounts receivable management, and stakeholders.

A data breach involving debt collection records could result in a serious fine from a regulatory body. Back in 2012, for instance, an auto dealership and a debt collector had to reach a settlement with the Federal Trade Commission (FTC) over data breaches that took place because of peer-to-peer file sharing.

Unfortunately, data breaches are on the rise. Our research reveals that 2016 saw nearly 40 percent more data breaches than 2015, and 94 of those breaches exposed at least a million confidential records each. Consumers value their privacy. In 2016, more than 15 million American consumers suffered from some sort of identity theft.

Cyber Security Solutions for Debt Collection

Getting best-in-class security for your data can help prevent breaches and other cyber security issues.

Many businesses don’t have the infrastructure necessary to meet HIPAA, NIST, FISMA, and PCI-DSS guidelines. That’s why working with a well-equipped collection agency can become a major asset.

Established collection agencies that secure their data against breaches can help protect your company from lawsuits, fines, reputation hits, and other consequences of a data breach. When you’re looking for a collection agency to handle your accounts receivable, make sure the candidate you choose follows these guidelines:

  • Data protection for data while it’s at rest, in processing, and in transit
  • Secure data center with 100 percent uptime
  • Redundancies in place to preserve data
  • Employees who are experts in specific data security areas, such as HIPAA, depending on your industry

Furthermore, you want to work with a debt collection agency that views security as a priority. As hackers and other criminals find new ways to skim data from victims, debt collectors must keep up with those attempts and find new ways to prevent intrusion.

You also want to make sure that your data is physically safe. Data centers should be equipped to prevent physical intrusion, fire and flood damage, and other catastrophes.

At TSI, our service portfolio is compliant with NIST, FISMA, PCI-DSS, and HIPAA. We employ security specialists with years of experience and expertise in protecting data against loss and corruption. If you’re looking for a debt collection agency to not only promote healthy cash flow and collect outstanding payments but also to preserve your data, we’re here for you. Contact me now to start optimizing your revenue.

Source: TSI

Medical and Dental Practices, What Would You Do?

7 Jan
What would you do if your patient data was stolen or a fire or flood destroyed your office? Suppose one of your employees opened a malicious e-mail and your patient data was encrypted and held for ransom? I know this sounds absurd, but just Google “data for ransom”. What would be your first step? With most medical records being stored digitally, it’s not a matter of if you’ll experience an incident regarding your electronic patient information; it’s a matter of when.

Technology is moving fast in every industry, but in the medical industry, technology advancements are leading to more and more protected health information (PHI) theft and data breaches. Patient information is not being properly protected. As you are well aware, protecting your patients’ confidential information is the law. Computers, laptops, e-mail, mobile devices, and thumb drives all store and send ePHI. Without the proper controls in place, your patient information can easily fall into the wrong hands, exposing your OMS practice to large governmental fines and reputational risk.

HIPAA just announced that they will be conducting random audits starting in 2016. Their pilot audit program revealed that many small to mid-size medical practices are not taking the necessary steps to protect their patient information and are not complying with even the basic HIPAA Security and Privacy Laws. The HIPAA Security Rule now mandates that every practice take an annual risk assessment. The government also strengthened its ability to enforce the law in medical practices, with fines reaching up to $50,000 per violation and a maximum $1.5 million annual penalty. This is why Cash Flow Strategies is recommending PCIHIPAA as a dedicated source for protecting your practice.

Cash Flow Strategies has many of our clients participating in their Compliance Program. They have agreed to provide a complimentary HIPAA Risk Assessment (a $599 value). You can take the Risk Assessment online and immediately receive your risk score with no further obligation. I encourage you to take 5 to 10 minutes as soon as possible to complete the Risk Assessment by clicking here. You’ll receive a 23-page Risk Analysis and a 30-minute consultation that you can also schedule online.

Just click here to start your Risk Assessment. It will be a great way to start your practice off on the right track in 2016.

HIPAA: How to protect yourself and your practice | Medical Economics

13 Aug

HIPAA compliance is getting more complicated, and more essential. Is your A/R management or collection agency doing anything to protect you from violations of HIPAA, FDCPA, HITECH, and TCPA? If not, you may be liable for drastic penalties.

HIPAA: How to protect yourself and your practice | Medical Economics.

HIPAA Change is coming | aad.org

3 Jun

HIPAA Change is coming | aad.org.

More Evidence Of The Importance of Compliance. Kaiser Permanente joins a growing list of companies sued for non-compliance.

11 May

“Law360, New York (April 26, 2013, 2:06 PM ET) — Kaiser Permanente was hit Wednesday with a proposed class action that accuses the health care organization of violating consumer privacy and the Telephone Consumer Protection Act by calling a former California customer’s cellphone without consent.

Plaintiff Rafael David Sherman alleges that Kaiser sent an unsolicited automated message to his cellphone April 23, three months after Sherman canceled his health insurance coverage with the Kaiser Foundation Health Plan Inc., according to the complaint filed in the Southern District of California. Kaiser used an automatic dialing system to contact the plaintiff …”

Compliance is important, and knowing how to be compliant with all of the laws that govern contact with customers/patients, the follow-up of accounts, and collections is getting tougher and tougher. All the more reason to have a partner that will ensure that you stay compliant.

For more information on keeping your business or medical/dental practice compliant with not only HIPAA, but also the TCPA, the FDCPA, and other state and local regulations, please contact me. I’d be happy to help keep you out of court.

Are You Asking The Right Questions?

9 May

It is always important to ask questions, especially if you are not 100% certain of the subject matter you are discussing. This is even more important when selecting a company to recover your late payments and call upon people who are delinquent on their accounts. It is paramount to ensure your company of choice is an expert in its field.

Today, with ever-changing federal and state regulations, it is more important than ever to ask questions first, before you have to answer for shortcuts or missteps that could result in hefty fines for failing to comply with the letter of the law.

The next time you talk to a potential collection or debt agency, be sure to have the following questions close by so you are not hit with federal and state penalties later.

1. Is your company compliant with TCPA and HIPAA, and familiar with state laws regarding compliance?
Yes. In fact, Transworld Systems is compliant in all 50 states as well as having a Hold Harmless Statement in our agreement with clients.

2. Does your company perform background checks on collectors in required states?
Yes. We perform background checks on collectors in ALL states.

3. How are cell-phone calls handled?
Rules governing cell phones are complex and change frequently. You want a collections agency that is willing to give you a Hold Harmless Agreement.

4. What is a Hold Harmless Agreement?
Simply put, a Hold Harmless Agreement is an agreement or contract in which one party agrees to hold the other free from the responsibility for any liability or damage that might arise out of the transaction involved.

5. Do you know what PHI is?
Yes. PHI is Protected Health Information. It includes any information about health status, provision of healthcare, and payment for healthcare that can be linked to an individual. Be sure the company you choose ensures the security of that information.

6. Is your company licensed to collect in all states?
Yes. If you are billing regional, national, or transient customers, it is important that your collections resource can legally collect in the states where your debtors reside.

Contact me for more ways to know if your collection agency will keep you protected from liability and potential penalty.

Is Your Collection Agency Putting Your Medical or Dental Practice at Risk?

6 May

The collection agency industry is highly regulated, and there are numerous laws on the books designed to protect consumers, which make it more difficult to collect. While it costs agencies more to be legally compliant and hinders their collection efforts, not complying can lead to class action suits and sanctions against the agency (and possibly its clients) that are more costly in the long run, if not fatal to the agency’s very existence. Let’s examine how this affects your practice.

The Laws You Know

Most Practice Administrators are familiar with the Fair Debt Collection Practices Act (FDCPA) of 1978, which creates a set of guidelines that collection agencies are required to follow, as well as penalties for not adhering to the Act. Additionally, practices are familiar with HIPAA laws and the security requirements for Protected Health Information (PHI).

But Do You Know About These Laws?

Despite having been a law since 1991, most practices are not familiar with the Telephone Consumer Protection Act (TCPA), which also impacts collections. Among other provisions of the TCPA (such as calls only being permitted between 8am and 9pm), the TCPA prohibits the use of automated dialers to call cell phones or to leave automated messages on cell phones. While auto-dialers represent a technological efficiency that allows a collection agency to make more frequent calls and collect more money, their use is not compliant with the TCPA when the phone number the patient has provided to the practice is a cell phone. In order to be TCPA compliant when calling a cell phone, the number must be manually dialed. Even if a live collector will be connected with the consumer upon pick-up, a cell phone cannot be dialed using a computer.

Medical Collections Impact

A recent data analysis by Transworld Systems, a large national collection agency specializing in medical collections, revealed that 60% of the phone numbers that their medical practice clients obtain from patients are cell phones. In order to avoid fines of $1500 per incident and class action suits, Transworld Systems has enforced strict policies for identifying and separating land line numbers from cell phone numbers. Additional research is conducted to see if the patient also has a land line, which can be put on an auto-dialer to obtain better contact rates.

What does all this mean for your practice?

Today, with ever-changing federal and state regulations, you need to ask more questions of your collections vendor to find out whether they are compliant with all laws. Ensure your practice cannot be named as a co-defendant in a potential class action suit should your agency be accused of being non-compliant. It is important to have a Hold Harmless Agreement in your collection agency contract, in which the agency agrees to hold your practice free from responsibility for any liability or damage that might arise out of its collection activities. Ask questions first, before you have to answer for shortcuts or missteps later that could result in hefty fines for lack of compliance. It is paramount to ensure your company of choice is an expert in its field who stays abreast of, and quickly adapts to, the seemingly endless stream of regulations designed to protect consumers’ rights, often at the expense of their creditors.

Here is a sample list of questions to ask your current agency and any potential collection agency you are considering working with:

1. Is your company compliant with TCPA and HIPAA, and familiar with state laws regarding collections?

This is not a yes/no question; they should be able to provide additional information, including how often their collectors are re-tested for compliance and how their performance is monitored for compliance.

2. Does your company perform background checks on collectors in required states?

3. How are cell-phone calls handled?

If they don’t maintain a separate policy for handling cell phone calls, that should be a red flag to you to find another vendor.

4. Do you know what PHI is, and what steps do you take to ensure its security during storage as well as during communication with our practice?

Ask how they receive data from their clients: do they accept secure, encrypted electronic data, or do they expect you to fax or mail patient files, which are more easily compromised? Do they provide you with a secure website to view collection status, and if not, do they at least have the ability to encrypt e-mails when attaching a list of status updates that includes PHI?

5. Is your company licensed to collect in all states?

Even if your patients are primarily local to your office, sometimes they move out of state, and your agency will have to be compliant with the laws that govern the patient’s new residence.

6. Is your company bonded and insured?

Ask for copies of the documents proving bonding and insurance to make sure your money won’t disappear if your agency goes out of business, either as a result of poor performance or as a result of a fatal class action suit.

Contact me for a 100% compliant option that will keep you and your practice safe during these times of changing and ever-increasing regulations.