Keeping Medical Billing and Payments Private and Secure


Whether it’s a procedure code visible in the patient’s address block on a billing statement or envelope, or a medical center inadvertently disclosing treatment dates and balances due in patient bills sent to unverified addresses, the result is the same: a HIPAA violation.

HIPAA violations involving patient billing and other financial communications happen every day. Patient financial correspondence is absolutely protected health information (PHI) under HIPAA because it contains health information linked to individual identifiers. Every precaution should be taken to keep these communications safe, yet healthcare data breaches, both deliberate and accidental, are skyrocketing, along with the penalties for violations.
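Both failure modes in the opening paragraph (billing detail rendered where it shows through the envelope window, and statements mailed to unverified addresses) can be caught before a print batch is released. The following is an added example, not Nordis code: it assumes a hypothetical statement record with structured address fields plus the rendered address-block lines, treats the verified address as an allow-list for the window area, scans those same lines for procedure-code, date and dollar-amount shapes as a second layer, and holds any statement whose address failed verification. The sample batch is constructed with fictitious people and addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Hypothetical record schema (an assumption for this example); a real print
# pipeline would map its own structured fields onto these.
@dataclass
class Statement:
    account: str
    name: str
    street: str
    city: str
    state: str
    zip_code: str
    address_verified: bool      # did address verification pass for this record?
    address_block: List[str]    # lines as they will render in the envelope window


def expected_address_lines(s: Statement) -> List[str]:
    """The only lines permitted in the window area: the verified mailing address."""
    return [s.name, s.street, f"{s.city}, {s.state} {s.zip_code}"]


# Defense in depth: shapes of billing detail that must never be window-visible.
# The procedure-code pattern excludes ZIP codes, which follow a two-letter state.
PHI_PATTERNS = {
    "procedure_code": re.compile(r"(?<![A-Z]{2}\s)\b\d{5}\b"),
    "service_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "balance_due": re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?"),
}


def check_statement(s: Statement) -> List[str]:
    """Return the reasons a statement must be held back; empty means releasable."""
    findings = []
    allowed = set(expected_address_lines(s))
    for line in s.address_block:
        # Allow-list: anything that is not part of the address is leakage.
        if line not in allowed:
            findings.append(f"unexpected line in address block: {line!r}")
        # Deny-list: name the kind of PHI found so the template fix is obvious.
        for label, pattern in PHI_PATTERNS.items():
            if pattern.search(line):
                findings.append(f"{label} visible in address block: {line!r}")
    # Nothing containing PHI goes to a destination that has not been verified.
    if not s.address_verified:
        findings.append("mailing address not verified")
    return findings


def triage(batch: List[Statement]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a print batch into releasable accounts and held accounts with reasons."""
    release, hold = [], {}
    for s in batch:
        findings = check_statement(s)
        if findings:
            hold[s.account] = findings
        else:
            release.append(s.account)
    return release, hold


# Constructed sample batch (fictitious people and addresses).
SAMPLE_BATCH = [
    Statement("A-1001", "Jane Doe", "12 Elm St", "Springfield", "IL", "62701", True,
              ["Jane Doe", "12 Elm St", "Springfield, IL 62701"]),
    # A template bug merged a procedure code and service date into the address block.
    Statement("A-1002", "John Roe", "8 Oak Ave", "Dayton", "OH", "45402", True,
              ["John Roe", "Proc 99214 03/04/2019", "8 Oak Ave", "Dayton, OH 45402"]),
    # Clean address block, but the address itself was never verified.
    Statement("A-1003", "Alex Poe", "5 Pine Rd", "Reno", "NV", "89501", False,
              ["Alex Poe", "5 Pine Rd", "Reno, NV 89501"]),
]

if __name__ == "__main__":
    released, held = triage(SAMPLE_BATCH)
    print("release:", released)
    for account, reasons in held.items():
        print("hold", account, "->", "; ".join(reasons))
```

The allow-list check is the one that matters: it needs no knowledge of what PHI looks like, only of what the address is supposed to be. The pattern scan is a heuristic backstop and will flag a five-digit street number as a procedure code; if that happens in your data, keep the allow-list and tune or skip the pattern scan for the street line rather than loosening the allow-list.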

None of us can afford to get this wrong. Protecting patient information is the law, and it’s the right thing to do.

Here’s what you need to know:

PHI Primer

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established federal privacy and security standards for patient data. Under HIPAA, protected health information is health data created, received, stored, or transmitted by HIPAA-covered entities, including healthcare providers and health plans, plus their business associates like Nordis Technologies.

Threats Against PHI Are Growing

Hacking and ransomware attacks targeting PHI are rising, while employees and business partners are complicit in episodes of unauthorized access to and disclosure of PHI. The number of disclosed health data breaches in the first nine months of 2019 was more than triple the number in all of 2018, affecting nearly 38 million patient records, according to the HIPAA Journal. As we embark on 2020, we must take these risks seriously and continue to build measures that secure our information.

The single biggest health data breach in the past few months involved a medical debt collections agency that exposed more than 12 million patient records.

The Growing Cost of Data Breaches

Violations of HIPAA rules can result in massive fines and even imprisonment. Additionally, violating privacy-related state laws may result in class-action lawsuits. In the largest U.S. health data breach in history, insurer Anthem paid a record $16 million settlement in 2018 following the exposure of the PHI of nearly 79 million people.

Breaches also affect patient confidence, organizational reputation and revenues.

How Nordis Safeguards PHI

While our clients own their data and hold ultimate responsibility for protecting it, we prioritize data security and privacy as well. Our audited policies and procedures ensure we meet federal and state requirements, comply with client agreements on data handling, and meet the requirements for HIPAA Business Associates.

In addition, we’re audited annually against SOC 2 standards, which attest to the quality of controls that directly relate to security, availability, processing integrity, confidentiality, and privacy at a service organization.

Every Nordis employee receives PHI training, and if they see a breach or a potential breach, they’re empowered to stop it.

What You Should Do Now

1) Understand your data lifecycle. Really understand how you receive PHI and how it moves through your organization from digital to print. Consider the following:

  • Where are your data collection points?
  • Who has access to this data?
  • How do you process this data?
  • Where are the storing points and the sharing points, including third-party vendors?
  • What is your destruction point?

2) Do a risk analysis. Under HIPAA, this is an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity or business associate.

3) Conduct HIPAA training for your workforce. If you have PHI (including patient financial and billing information), all staff need to be familiar with the key areas of HIPAA: who is covered, what information is protected, permitted uses and disclosures of PHI, and the individual rights provided in the HIPAA Privacy Rule. Work with your organization’s privacy or compliance officer to create a working team to address the requirement.

It’s easier and less costly to prevent HIPAA violations than to clean up the damage from them. It’s also imperative we all do our part to protect patients.

About the Author

Nicole is the VP of Client Services and Delivery for Nordis Technologies and brings to her role over 30 years in healthcare and technology. In her career she has been at the forefront of HIPAA compliance since its inception and has participated on many industry panels, boards and executive teams to drive awareness and build the industry framework for the protection of PHI.

Nicole Miller
Vice President, Client Services
