Mnet Health News delivers the latest news and information articles for the world of healthcare.


Data Security Issues in Offshore Revenue Cycle Management 

Virtual Partner

Offshoring revenue cycle management is a growing phenomenon in today's healthcare landscape. Primary drivers for this include cost-efficiency, controlled management, specialization and expertise, economies of manpower, and an affordable edge in information technology.

However, these seemingly apparent economic advantages have given rise to controversies and popular debate against offshore outsourcing. With offshoring, data transfer is inevitable because once access is given to foreign third-party service providers, it is almost impossible to prevent data from leaving the company and the country. In the event of offshore data breaches, healthcare companies may become the target of domestic lawsuits.

According to a 2013 Trustwave Global Security Report of 450 global data breach investigations, 63% were linked to a third-party component of IT administration. The report says that outsourcing itself is not necessarily risky but that bad decisions are being made. Part of the problem, according to Trustwave, is that service providers don’t view security as being as valuable as their American clients do.

An infamous data breach incident on October 7, 2003 sent terror throughout the medical system. The University of California at San Francisco (UCSF) Medical Center received an email from a Pakistani medical transcriber threatening to disclose private records if UCSF did not pay her a certain amount she claimed it owed her in back pay. UCSF then verified the authenticity of the records she possessed and launched an investigation. Authorities uncovered a chain of subcontractors of whom UCSF was completely unaware.

Privacy violators are subject to both civil and criminal penalties. According to the United States Department of Health and Human Services Office for Civil Rights (HHS OCR), these are the penalties for each tier: 

Tier 1: $100-$50,000 per violation, capped at $25,000 per year the issue persisted

Tier 2: $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted

Tier 3: $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted

Tier 4: $50,000 per violation, capped at $1.5 million per year the issue persisted

The healthcare industry has long been a target for hackers, and the trend still appears to be increasing. According to the US Department of Health and Human Services' breach portal, there were 22 breaches recorded in the US in the first quarter of 2017, while this figure soared to a high of 99 in the second quarter of 2018. Email was also the top source of data breaches in the healthcare industry in 2018.

An analysis of 1,138 health data breaches affecting a total of 164 million patients from October 2009 through the end of 2017 in the breach portal shows that the top cause of data breaches (42 percent of cases) was theft of equipment or information by unknown outsiders or by current or former employees. Another 25 percent of cases involved employee errors like mailing or emailing records to the wrong person, sending unencrypted data, taking records home or forwarding data to personal accounts or devices.

This means that more than half of breaches were due to internal negligence and thus to some extent preventable.

With recent data breaches surrounding outsourcing and offshoring, it is essential to assess your third-party vendors' operations, data security capabilities, and procedures in safeguarding member data privacy to avoid all that comes with a data breach.

It is essential for healthcare organizations to go beyond standard HIPAA compliance requirements.

Think twice before offshoring the more sensitive aspects of your revenue cycle. 

Always have a data security program in place that allows your organization to stay on top of the latest cyber threats and be able to respond and then recover when a breach takes place. You may not completely get ahead of all online risks, but that doesn’t mean you can’t be prepared.

Data security problems arise from poor management and negligence. Whether the decision to offshore is on the table or not, healthcare facilities must regularly check their measures and defenses against data breaches and cyberattacks.


Senator Chuck Grassley to IRS: How Many Hospitals Comply with 501(r) Requirements?


In an ongoing effort to evaluate nonprofit hospitals required to follow Section 501 (r) of the Internal Revenue Code focused on charity care, U.S. Sen. Chuck Grassley, R-Iowa, has requested data on the number of hospitals that are in compliance with the requirements from the Internal Revenue Service in the last year.

Hospitals subject to 501 (r) must complete a community health needs assessment, meet financial assistance policy requirements, adhere to limitations on charges and follow billing and collection practices.

The IRS’ 501 (r) requirements for nonprofit hospitals, in effect on Dec. 29, 2015, marked a complex change for the health care collections industry, health care providers, patients and more.  Grassley has been a watchdog for the program for several years, prompting a recent letter to IRS Commissioner Charles Rettig with the request for information on nonprofit hospitals’ compliance.

Specifically, Grassley is seeking information about whether tax-exempt hospitals are meeting the statutory requirements laid out in section 501 (r) of the Internal Revenue Code, according to a news release.  “Making sure that tax-exempt hospitals abide by their community benefit standards is a very important issue for me,” he said.

In February 2018, Grassley and former Senate Finance Committee Chairman Orrin Hatch, R-Utah, pressed the IRS for information on enforcement practices and compliance data on nonprofit hospitals.  Grassley has continually urged greater compliance among nonprofit hospitals.  On an annual basis, according to Grassley’s letter, the IRS reviews about one-third of the approximately 3,000 tax exempt hospitals for compliance.

The letter requests an update on those reviews, including those that were resolved upon contact with the hospital, required a compliance check or follow-up investigation as well as how many hospitals were not in compliance with these specific requirements:

Community Health Needs Assessment

Financial Assistance Policy Requirements

Requirements on Charges Billed to Patients

Billing and Collection Policies

Read more on Senator Grassley’s request here:  What is your experience as a hospital required to comply with 501 (r) or as a collection agency working on revenue cycle management with these hospitals? Share your thoughts with ACA International’s Communications Team at, Attn: Katy Zillmer.

Harry Strausser, ACA International’s Education and Membership Development Director, and Irene Hoheusle, vice president of collections and education at Account Recovery Specialists Inc., recently discussed health care collections trends, including 501 (r), in an episode of ACA Cast.


Safe & Sound-How Well Do You Understand Privacy Considerations Under HIPAA


If your agency collects health care accounts, you need to be familiar with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA privacy laws were put in place to safeguard consumers’ protected health care information, or PHI. HIPAA governs how you access, distribute and protect PHI, and failure to comply can result in huge consequences, not only for your company, but for you, personally.

While there is no private right of action under HIPAA, Health and Human Services can take action against those who violate HIPAA and consumers can file complaints with them for HIPAA violations. In 2010, for instance, a doctor who accessed medical records without a valid reason was fined $2,000 for violating HIPAA and sentenced to four months in prison. And in 2015, a lab employee at a student health center was fired after she mentioned the results of a patient’s pregnancy test to a coworker. 

What is PHI? As a debt collector, you are expected to help protect consumers’ sensitive and confidential health care information. Anything that could be used to identify consumers in relation to their health care information is considered PHI. This can include a person’s name, address, phone number, medical history, insurance details and health care bills. 

How Can You Protect PHI? Don’t discuss information in the consumer’s file with anyone but the consumer—unless the consumer has given you permission to do so. This includes idle chit-chat with co-workers, even if you don’t mention the consumer’s name. Sometimes a situation may call for you to contact the consumer’s insurance company or you may get an information request from an attorney.  

Before you email, fax, mail or discuss PHI with third parties, ask yourself: Do my company’s rules authorize me to do this? If so, has the consumer consented to the PHI release under HIPAA, and will the information I send be encrypted? (Email in particular is an often-overlooked PHI disclosure risk because it might not be secure.)  

Although the Fair Debt Collection Practices Act allows you to communicate with a consumer’s spouse, parent or guardian, HIPAA may not. If consumers request that they do not want certain people, such as family members, to have knowledge of their situation or condition, you can’t disclose any health information to third parties. 

How Should You Store PHI? While your company is responsible for securing its computer system and designing its collection notices to protect PHI, you also play a key role in this process. Don’t leave consumer information on your computer screen when you’re not at your desk, even if you just get up for a minute to get a drink of water.  

Only print out documents containing PHI when you have a legitimate business reason to do so, and even then, you’ll need to dispose of those papers in a secure environment—a shredder your company uses for such a purpose, for example, not the day-to-day recycling bin by your desk.  

Even written notes you leave on your desk referencing PHI can be considered a HIPAA violation, so either avoid doing this altogether or use HIPAA as good motivation to keep your desk clean and free of clutter, safely disposing of these written reminders as soon as possible.


Cyber Liability Insurance 101: Will it Help Agencies and Providers Combat Data Security Threats?

Data security risks are not going away in the health care sector and while strategies such as employee training and a strong data breach response system help, a new option to protect your business is emerging: cyber liability insurance.

Health care cybersecurity spending is predicted to grow to $65 billion between 2017 and 2021, according to the Experian 2018 Data Breach Industry Forecast.  Experian also reports health care organizations will be the most targeted industry this year as new and sophisticated attacks are on the horizon.

The U.S. Department of Health and Human Services (HHS), media or state attorneys general received 233 breach industry reports from January to June 2017.  “For the 193 attacks for which there are numbers, 3,159,236 patient records were affected,” according to Experian.  

Providers are increasingly purchasing cyber liability insurance policies to ensure financial protections and resources to work through data breaches and maintain their reputation are in place, Becker’s Hospital Review Content/Strategist Editor Brooke Murphy reports in the white paper “Can Health Care Providers Afford Not to Have Cyber Insurance in 2018?”

“As cyber threats become the reality, and as [insurance] carriers have identified how significant and complex online exposure is, cyber liability policies have become more refined and more necessary,” James Fasone, senior vice president and national health care practice leader for Key Insurance & Benefits Services said in the white paper.

Purchasing cyber liability insurance may ultimately be more affordable than the costs to providers after a data breach occurs, from attorney’s fees to purchasing credit monitoring systems for affected consumers, according to the white paper. That’s not to mention the costs from any disruptions to providers’ business and as a result of time spent notifying patients.

And, even if providers spend money on the front end to protect their company and data from a cyber-attack, cyber criminals continue to find their way around firewalls and security systems.  And, remember, the strongest security protections can still be put at risk by human error if not used properly.

Employees continue to present a big risk to companies, according to Experian.  Regular training and a refresh of your data security policies are critical to staying ahead of threats and risks to sensitive information and data.  It’s also helpful to limit the number of employees who have access to sensitive data, especially on mobile and portable devices. Make sure you have a strict policy for access and transport of mobile and portable devices containing sensitive information.

“Cyber liability insurance helps hospitals cover the costs of a data security breach for things like identity protection solutions, public relations, legal fees, liability and more due to loss, theft and unauthorized disclosure of data,” according to Becker’s Hospital Review.  

When considering if cyber liability insurance is right for your business, and the level of insurance that is the best fit, it comes down to matching coverage with your “business objectives, asset vulnerability, third-party risk exposure and other external factors,” Murphy reports. 

“The cyber insurance industry in the last three to five years has rapidly evolved to meet the needs of health care businesses in a digital world,” Fasone said in the white paper. “That means there are many more companies in the market offering a greater variety of coverage.”


News & Notes

CMS Funds Quality Payment Program Training

The Centers for Medicare and Medicaid Services is funding training and education about the Quality Payment Program for small healthcare practices. The training will especially help clinicians in rural and medically underserved areas and those with healthcare professional shortages. 



Report: Discovery Rate for Data Breaches Increases

Healthcare data breaches affecting patient records declined in February; however, it is taking longer for incidents to be discovered and reported and “insider-related breach incidents have doubled,” according to the monthly Breach Barometer report from Protenus. In February, it took an average of 478 days for organizations to notify the U.S. Department of Health and Human Services, compared to 174 days in January.



CMS Projects Growth in Medicare, Health Spending

According to the Centers for Medicare & Medicaid Services’ Office of the Actuary National Health Expenditures Data projections for 2016-2025, growth in Medicare spending is projected to average 7.1 percent. Healthcare spending by federal, state and local governments is “projected to outpace growth by private businesses, households and other private payers,” it reports.  



Government Accountability Office Finds Imbalance in Uncompensated Care Payments

Funding hospitals receive for uncompensated care is not in line with the actual costs they have, according to a report from the Government Accountability Office: “Federal Action Needed to Better Align Payments with Costs.” Since 2000, hospitals have issued more than $502 billion in uncompensated care to patients, according to an American Hospital Association report from January 2016. Uncompensated care is the total of bad debt and charity care a hospital provides.

The GAO was asked to review federal support for hospital uncompensated care, including “key sources and amounts of federal support for hospital uncompensated care costs; the basis for determining hospital uncompensated care payments made under Medicaid and Medicare; and the extent to which Medicare (uncompensated care) payments align with hospital uncompensated care costs,” according to a summary of the report.

Hospitals receive about $50 million each year in uncompensated care payments from Medicare and Medicaid, according to the report.  The GAO finds that Medicare uncompensated care payments are not in line with the hospitals’ costs for two reasons:

  • Payments are mostly based on hospitals’ Medicaid workload instead of the actual uncompensated care costs they have; and
  • The Centers for Medicare and Medicaid Services does not consider Medicaid payments hospitals receive to offset uncompensated care costs when issuing payments through Medicare. In 2014, for example, most of the Medicare payments—about 85 percent or $7.7 billion—were based on hospitals’ work for Medicaid patients, meaning they may also receive payments from Medicaid based on that care.

“CMS officials acknowledge this could result in payments not aligned with uncompensated care costs, particularly in states that have expanded Medicaid resulting in fewer uninsured individuals and lower uncompensated care costs,” according to the GAO report.  CMS proposed a rule in April that includes consideration of “using hospitals actual uncompensated care costs as the basis for making Medicare UC payments.”

The GAO notes in its report that CMS officials said the Medicare and Medicaid programs are run separately.

“Medicare UC payments that are not aligned with uncompensated care costs or adjusted to reflect Medicaid payments undermine CMS’s efforts to efficiently pay for healthcare services,” according to the report.

The GAO issued recommendations for CMS to improve the connection between Medicare UC payments and hospitals’ costs and take Medicaid payments into consideration when also issuing UC payments under Medicare.

The Department of Health and Human Services has proposed to transition to a new data source to identify hospitals’ uncompensated care costs, according to the GAO report, which includes comments from HHS.  “Specifically, HHS proposes to define uncompensated care costs as the costs of charity care and non-Medicare bad debt,” according to the report.

HHS also concurs with the GAO’s recommendations and is considering comments on its own proposed rule including the data source transition for determining uncompensated care before finalizing its rule.  “We agree that aligning uncompensated care payments to actual uncompensated care costs is important and helps make sure that HHS is directing these payments to hospitals appropriately,” HHS notes in its comments. 

“In the event HHS finalizes its proposal to begin using uncompensated care cost data from the Medicare cost report to determine the distribution of these Medicare payments, we intend to continue to review the definition of uncompensated care as appropriate.”  More information:


Checking in With ICD-10 (Part II-A Look Back at Preparing for ICD-10)

The WEDI survey also shows there was value in testing ICD-10 claims during the implementation process, but the delays in the deadline had both positive and negative effects. “When additional time was provided, some organizations did not take advantage of this time. The extended implementation period also added costs for many organizations.”

In advance of the implementation date, BillingTree recommended its healthcare provider clients focus on preparing their infrastructure and technology systems for ICD-10 while communicating with patients and ensuring they had current contact information for payments they could use as permitted under the Telephone Consumer Protection Act. That way when a claim is processed, a provider can easily follow up with a patient about any balance due and resolve the account for both parties.

According to WEDI, a majority of healthcare providers responding to the survey indicated costs of ICD-10 were in line with their expectations or higher, but many also said the expenses were less than expected.  “The majority of respondents indicated that they did not expect to realize any [return on investment] with ICD-10,” according to the news release.

“The interesting part about ICD-10 was that it’s kind of like Y2K,” said Lyman Sornberger, chief healthcare strategy officer for Capio Partners LLC, during a presentation at ACA International’s Spring Forum and Expo. “Everybody panicked [and] it got delayed.”  Once some time passed, Sornberger said denials were inconsistent, reflecting increases from 3 percent to as high as 30 percent, mostly related to smaller hospitals being unprepared for the transition.

Now that ICD-10 has been in effect for several months, CMS is beginning to audit healthcare providers’ charts to test their use of ICD-10.  According to the CMS ICD-10 assessment and maintenance toolkit, providers should select high-risk cases to audit as well as cases representing a shift from the use of ICD-9 to ICD-10 diagnostic codes to identify any patterns of incorrect coding.

Sornberger said he knew of one healthcare provider that received a request from CMS for 1,000 charts, but there is no limit on how many they can request.  There are still some questions regarding if patients will notice any changes from ICD-10 or if the additional diagnostic codes will ultimately change the billing process.

Yohe said that if any delay in claims occurs under ICD-10, patients might be frustrated if they get a bill many months after they received care when they thought it had already been processed under their insurance.  To help smooth out any bumps, Yohe said healthcare providers should designate staff to work with patients on payments or determine a way they can easily pay over the phone or online.

“We saw an uptick in getting a phone system established specifically for payments,” Yohe said. He also recommended providers make sure they accept payments from medical savings accounts and flexible spending accounts.

“At the end of the day, the patient won’t get their bill until their insurance claim is settled and the patient balance is settled,” Yohe said. “That means passing the claim back and forth a few times between the administrative office and the healthcare provider before they get it right to establish patient responsibility. As a provider, you’re at the mercy of two different parties getting paid.”

Now that an initial set of ICD-10 codes—which bring consistency between the U.S. healthcare system and systems in other industrialized countries—are in place, more could be added in October, according to the website 

There will be more than 3,600 new procedure codes and nearly 2,000 pending diagnosis codes. Yohe said that in the healthcare world, discussion is already starting about when we will see ICD-11. According to, however, ICD-11 is not estimated to be ready in the U.S. until 2023.

For now, healthcare providers should continue to communicate with patients and insurance companies and test their key performance indicators. According to CMS, tracking performance indicators can help providers address problems with productivity, reimbursement and claims submissions.  The WEDI survey results show the impact to productivity experienced by vendors and health plans was mostly neutral, but providers experienced a slight decrease in productivity.  

“Once you have established baselines for your KPIs, compare data pre-and post-October 1, 2015, to put your current KPIs in context,” according to CMS. “Tracking KPIs can help you detect problems and identify opportunities for improvement.”


Checking in With ICD-10 (Part 1)-Katy Zillmer

The updated ICD-10 medical diagnostic coding system, which took effect last year, has allowed healthcare providers to more accurately describe a patient’s care for insurance reimbursement, but mistakes can cause claim denials and delays—ultimately impacting their revenue cycle process.

ICD-10 is a replacement for ICD-9, which is used to document medical diagnoses and inpatient procedures.  The switch to ICD-10 added more than 69,000 codes for diagnoses and more than 71,000 for procedures, according to the Centers for Disease Control and Prevention. All entities covered by the Health Insurance Portability and Accountability Act were required to implement the new system by Oct. 1, 2015.

“At its core, ICD-10 is not a bad thing,” said David Yohe, vice president of marketing for BillingTree, which works on payment processing for healthcare provider clients. “It’s about having a more granular way to reflect what the physician or the care given ended up being for.” Yohe said his provider clients have not reported a noticeable difference in the dollars they collect, just a delay in their revenue cycle processes.

“It’s just pushing their revenue cycle out longer,” he said. “It’s adding 20 to 40 days to the receivables cycle as a result of the back-and-forth and the coding.  They are not sure that it’s going to have a big effect in the long term as far as the amounts due.”  Looking back at the time leading up to implementation of ICD-10, which included multiple testing processes and delays of the effective date by the Centers for Medicare and Medicaid Services, Yohe said providers were most concerned about getting their systems ready and whether they would experience a large number of insurance reimbursement claim denials.

In May, the Workgroup for Electronic Data Interchange released post-ICD-10 implementation survey results showing the delays by CMS “improved the ability to perform testing and resulted in a smoother transition.” The survey, conducted in March, is one of several completed by WEDI to track the status of the implementation process in the healthcare industry. WEDI shared the findings with the U.S. Department of Health and Human Services.

“We wanted this post-implementation survey to be a closing chapter of assessment on why the transition went so well overall and also to leverage specific lessons learned for future large implementations,” said Jean Narcisi, chair of WEDI in a news release.  WEDI received a low response rate to the March survey compared to others, indicating ICD-10 project personnel are reassigned to other work “and likely a lack of interest in further ICD-10-related activities that are not operational in nature.”

Common themes in the survey responses included the value of starting the testing process early, communicating with partners and conducting extensive testing, according to the WEDI news release. Overall, the transition on Oct. 1, 2015 was considered “non-eventful” by some in the industry, according to WEDI, and survey participants said CMS’ ICD-10 website, WEDI’s website and coding materials from industry organizations were all helpful tools.

There was a slight decrease in productivity for providers, especially in the areas of coding and clinical documentation, but the impact for vendors and health plans was primarily neutral, according to the survey.  Overall, WEDI concludes from the survey that the collaboration in the industry was a “major factor in the success of the ICD-10 transition.”

Part II “A Look Back at Preparing for ICD-10” will appear in our next issue.


New Rules for Patient Credit Reporting Begin-With More on the Horizon

In June, several changes to credit bureau reporting that were announced earlier this year took effect. All three of the most prominent credit bureaus put out a statement in March, pointing out that the goal was to ensure transparency for consumers and patients. This came about as a result of plans that had been put in motion by several Attorneys General from multiple states.

One of the new requirements is that the name of the original creditor and the classification code must be reported. Another new stipulation is that an agency or debt purchaser cannot report debt that did not arise from an agreement to pay or a contract, such as an assessment, a ticket, or even some types of fines.

More changes are yet to come: on September 1, 2016, collection agencies will need to file a monthly report that includes information on accounts currently open, accounts that require correction or deletion, and accounts that have been paid within the last 90 days.

The following year, on September 15 of 2017, several more changes will go into effect.  The most noteworthy include:

- Medical debt collection accounts should not be reported if they are less than 180 days old

- Full date of birth must be reported for any authorized new user on all accounts

- A delete must be reported for all accounts being paid by insurance or for those that were already paid by insurance

- Reporting must be done using new minimum reporting requirements for a patient or consumer’s personally identifiable information

The statement that was put out in the month of March encouraged all who are tasked with submitting data to credit bureaus to ensure implementation of these upcoming changes on or before the effective dates.



News & Notes

HHS Continues Audit for HIPAA Compliance 

The U.S. Department of Health and Human Services Office for Civil Rights is conducting its next phase of audits of covered entities and their business associates. The audit program is used to assess HIPAA compliance, identify best practices and risks and vulnerabilities and enable HHS to address problems before they may result in a data breach.

Healthcare Sector Jobs Exceed Nationwide Average 

A new report from CareerBuilder shows job growth in the healthcare industry is expected to exceed the national average for full-time, permanent jobs. Overall, 34 percent of employers plan to add full-time permanent employees in the second quarter. In the healthcare industry, 44 percent of companies with 50 or more employees are expected to increase their staff counts, according to the report.

Health Spending Growth Factors Change Since Great Recession 

The Kaiser Family Foundation and Bureau of Economic Analysis recently found the factors influencing health spending trends have changed since the Great Recession. The economic recovery, leading to more people seeking treatment, the Affordable Care Act and a decline in prescription drug prices all influenced spending trends.


Health Industry Will be a Target of Data Breaches in 2016

The healthcare industry will be more susceptible to data breaches this year as the transition to electronic medical records continues and the black market value for those records grows. In its third annual Data Breach Industry Forecast, Experian’s Data Breach Resolution group says the healthcare industry will be a target in 2016, and businesses need more internal employee training to prevent security risks. 

There have been more than 15,000 data breaches over the last decade, and according to Experian, security risks to businesses will continue this year. Healthcare data breaches continue to be a threat in 2016 based on prominent cyber-attacks on Anthem, Premera BlueCross Blue Shield and more organizations. According to a separate study by Privacy Analytics, because many individuals are not familiar with “deidentifying” data, it may be shared in ways that present a high risk of a data breach.

According to “The State of Data Sharing for Healthcare Analytics 2015-2016 Change, Challenges and Choice,” by Privacy Analytics, more than two-thirds of respondents to a survey of healthcare organizations said they lack complete confidence in their organization’s ability to share data without privacy risks.  Health records are the most common type of data being stored or shared (55 percent), followed by medical claims data (44 percent), according to the survey. 

Changing Landscape of Data

“In 2015, research from the Ponemon Institute revealed that while more companies now have a data breach response plan in place, many are still not confident in their ability to manage a significant incident,” according to Experian’s report. “Concerns regarding the effectiveness of response plans indicate a need for business leaders to reevaluate and audit their programs.”

Experian also reviewed its predictions on data breaches for 2015 and how businesses fared based on those predictions. In 2015, employee errors continued to be one of the leading causes of data breaches and employee training programs needed improvement. As a result, it is also essential for companies to increase their preparation for a data breach and response plans should one occur, according to Experian.

“The landscape has changed with hackers targeting organizations for different types of data that could be used for extortion or to simply cause harm,” according to the Experian report. “While traditional data breach threats remain, it is important that business leaders take note of emerging trends and update their data breach response plans accordingly.” 

According to the Privacy Analytics study, one in five respondents said their healthcare organization has taken steps to reduce risk and improve deidentification in the records that are shared. Healthcare organizations are slowly starting to make data available for secondary uses, but two out of three respondents to the Privacy Analytics survey said they lack total confidence in their organization’s ability to share data without creating privacy risks. 

“The demands for data, combined with the magnitude of PHI [Protected Health Information] being collected in electronic medical records, medical monitoring apps and other healthcare networks makes this cause for concern,” according to Privacy Analytics. Nearly 50 percent of respondents to the survey said preventing patient “reidentification” is a top challenge when they share or store data and the concern is highest among organizations that are already sharing data. 

Privacy Analytics also reports results of its survey reflecting that employee errors or the need for more employee training may contribute to challenges in information security among healthcare organizations. “Additional challenges include low staff knowledge on managing data safely (26 percent), low staff knowledge of data sharing practices and tools (25 percent), cost concerns (24 percent), and lack of organizational policies (23 percent),” according to the Privacy Analytics survey. 

Overall, according to Privacy Analytics, the results of the survey show there is a gap between regulatory requirements and healthcare organizations’ ability to meet them and an overall growing demand for health data. “The growing demand to share health data brings with it growing risks. The proliferation of PHI and subsequent requests for data is pushing the boundaries of compliance as organizations try to satisfy demand. The response has been to err on the side of caution and keep data locked away,” according to Privacy Analytics.

But those who do share and store PHI must do so responsibly, and the survey reflects their struggles to prevent patient re-identification and meet compliance requirements. “Many organizations feel unprepared to responsibly store and share data for secondary purposes, and thus, are unable to advance analytics in their organization,” according to Privacy Analytics. Experian recommends that healthcare organizations continue investing in data security technologies and training employees on proper security practices in 2016.


Medical Company Sued Following Change to Medical Debt Collection Rules

Last summer the rules that govern the collection of medical debt became tighter when the FCC gave voice to a ruling that made it more difficult to reach out to patients on their mobile devices without first providing express consent for such a call.  

A hospital chain based in California has become one of the first healthcare providers in the country to be sued based upon that ruling made last July.  The focal point of the class-action lawsuit is Prospect Medical Group’s Southern California Hospital at Culver City.  The allegations set forth in the suit claim that an automated dialer was used by the hospital to contact the cell phone of a patient named Donna Ratliff to collect on a debt without having prior consent to call her mobile device.

The medical debt collection industry originally asked the FCC to give greater clarification on the Telephone Consumer Protection Act in the hopes that greater flexibility would be extended.  The medical debt collection industry was also hoping that the FCC could address more recently related issues such as consent to call, reaching wrong numbers and auto-dialing mobile devices.  But instead, the FCC pointedly asserted that collectors of medical debt must have prior consent before contacting a cellular phone, leaving few options for phone numbers that have been reassigned.

Prospect Medical issued a statement that makes it clear that they follow necessary protocols to obtain the proper consent to make contact with patients on mobile devices. The statement said, “All of our patients are asked to sign an irrevocable authorization permitting our hospitals to contact them via telephone—including, specifically, via cellphone—in their efforts to collect outstanding debt.”

Hospitals have previously enjoyed a measure of room to move when calling patients for the purpose of medical debt collection as a part of the medical encounter. However, medical providers must be diligent in ensuring that the debt can be linked back to the medical encounter when the patient first provided the cell number to the provider.

“At this point, best practice for providers is to secure written consent during the initial intake process that very clearly states and obviously makes note of the fact that auto-dialers could be used and that mobile devices will be contacted if that is the number that the patient has provided to the facility” said Mnet Financial CEO David Hamilton.

TCPA litigation is already quite active: lawsuits related to the TCPA increased more than 560% between 2010 and 2014, based on data provided by the Association of Credit and Collection Professionals (ACA). “With the FCC’s latest clarification, we are seeing an increase of these kinds of lawsuits and it isn’t likely to change in the near future,” said Hamilton. The penalties for such infractions can range from as little as $500 per phone call, up to as much as $1,500 for a willful violation.

The California case does deal with the matter of express consent but does not, however, broach the issue of what happens when a medical debt collector reaches out to someone erroneously.  The FCC does allow collectors of medical debt to call a wrong number once without threat of penalty, whether or not someone answers the call.  However, studies show that more than 100,000 mobile phone numbers are changed each and every day.  This situation has led to ACA International suing the FCC in challenge to the order issued last July.  

“It’s increasingly difficult for medical debt collectors to keep up with the risk involved,” said Hamilton. “It’s nearly impossible to confirm that the person you are reaching out to is going to actually be the person you are trying to reach. It’s a very difficult situation.”

Mr. Hamilton says that the best possible way for a provider to protect themselves is to create a very thorough process for obtaining consent from the patient and simply respecting the wishes of those who choose to opt out.
