Data security breaches present a significant risk for credit and collection agencies and their healthcare provider clients, especially with the growing use of technology and the switch to electronic records in the healthcare industry. “Most credit and collection organizations believe they are at low risk for a data breach,” Jeffrey Hausfeld, managing director for Financial Management Solutions, LLC, said during an ACA International seminar, “Practical HIPAA Security and Privacy,” in October.
In fact, he said the risk has never been greater, and collection agencies working with healthcare clients have an added layer of security they need to provide under the Health Information Technology for Economic and Clinical Health (HITECH) Act to ensure HIPAA compliance.
Collection agencies that perform a service or function for a healthcare provider or health insurance plan are generally considered their business associates, Hausfeld noted. Adam Bullian and Robert Zimmerman, COO and managing partner of QIP Solutions, respectively, also contributed to the presentation on risk assessments, audits and training related to healthcare data security.
“HIPAA requires you maintain the same security [as] your healthcare provider [clients],” Hausfeld said. According to the Ponemon Institute Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, which includes input from healthcare providers and their business associates, more than 90 percent of healthcare organizations have experienced a data breach and 40 percent experienced more than five in the last two years.
The Ponemon Institute study, released in May 2015, also shows that criminal attacks are the number one cause of data breaches for healthcare organizations, and they increased by 125 percent compared to five years ago. “In fact, 45 percent of healthcare organizations say the root cause of the data breach was a criminal attack and 12 percent say it was due to a malicious insider,” according to the study.
The Ponemon Institute reports that the economic impact of a data breach has remained consistent over the five years of the survey; however, the leading cause of incidents has shifted from lost or stolen devices to criminal attacks on the data of healthcare organizations and their business associates.
“At the same time, employee negligence remains a top concern when it comes to exposing patient data,” according to the study. Investing in resources to secure protected health information (PHI) and your organization’s technology can be costly, but it is necessary to remain compliant, and the cost of responding to a data breach after the fact is far greater.
According to the Ponemon Institute, the average cost of a data breach for healthcare organizations is more than $2.1 million. Business associates of healthcare organizations can also face fines if an audit of their operation finds that HIPAA compliance is not in place. Fortunately, there are many steps business associates can take to maintain and improve their compliance and to minimize the damage if a data breach does occur.
Assess, Prepare, Train
“We strongly suggest you take a risk-based approach and focus on critical risks before other items,” Zimmerman said. Organizations that complete an internal audit of their security systems, or that undergo an external audit, often find they have an incomplete risk analysis, undocumented movement of PHI, limited security awareness training and an untested disaster recovery plan for a data breach. Companies should complete a risk assessment to establish a baseline of the controls they have in place and develop a process to remediate any risks it identifies.
“It’s also going to reduce your costs because you have a process,” Zimmerman said. “It is definitely the first step toward HIPAA compliance.” Healthcare partners of business associates want verification that these measures are in place. In fact, a business associate agreement is required for business associates working with providers and insurance plans, as well as for their subcontractors with access to PHI.
Organizations should also take inventory of where PHI is stored, such as on computers or mobile devices, who has access to it and whether that access is authorized. As part of evaluating access to PHI, organizations can designate a team of employees to contact if a data breach occurs and train them to contain the incident quickly and limit its impact. Creating that team can be part of your organization’s training process for new employees and a refresher for existing staff. Training is one of the most effective ways organizations can safeguard PHI and maintain compliance with HIPAA.
Bullian recommends that training be tailored to your organization by evaluating who should participate, how often it should be held and the best format, such as online, virtual, email reminders or a combination of those options. Training should include a review of password security procedures, how to identify a phishing email and, if your organization uses mobile devices, an evaluation of mobile device security. “Another best practice is to have supplemental training throughout the year,” Bullian said.
Keep it Simple
Maintaining and improving security and privacy measures does not need to be overwhelming; the longer a process is in place and evaluated on a regular basis, the more reliable your practices will be over time. A sound and consistent plan provides assurance to your healthcare organization and insurance partners that HIPAA compliance remains in place.
“This is not a one and done type of effort,” Zimmerman said. “When you use a process, it should be very effective and very efficient. The main thing is really to ensure that your organization is secure and that you can show others.” ACA International is offering a two-part online training on Data Security and Privacy Dec. 9-10. The training will cover implementing policies and procedures, how to notify consumers in the event of a data security breach and strategies for developing a data security compliance program. Visit acainternational.org/education to access the events calendar and training registration.