Medical Collections Under HIPAA
Whether it’s a procedure code visible in the patient’s address block on a billing statement or envelope or a medical center inadvertently disclosing treatment dates and balances due in patient bills sent to unverified addresses, the result is the same…HIPAA violation.
When are Medical Collections a Violation of HIPAA?
Is billing information protected under HIPAA?
Yes, billing information is protected under HIPAA.
HIPAA violations involving medical billing and other financial communications happen every day. Patient financial correspondence is absolutely protected health information (PHI) under HIPAA because it contains health information linked to individual identifiers. Every precaution should be made to keep these communications safe, yet healthcare data breaches, both deliberate and accidental, are skyrocketing ‒ along with penalties for violations.
Real-World Costs of HIPAA Violations from Medical Bills
In April 2022, patients filed a costly class-action lawsuit against a New Jersey Hospital. The main plaintiff’s medical billing was for less than $500, and the collection process will not cost the hospital tens of thousands of dollars in legal fees, settlements, and fines.
None of us can afford to get this wrong. Protecting patient information is the law, and it’s the right thing to do.
Here’s what you need to know:
PHI Primer for Medical Billing
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established federal privacy and security standards for patient data. Under HIPAA, protected health information is health data created, received, stored, or transmitted by HIPAA-covered entities, including healthcare providers and health plans, plus their business associates like Nordis Technologies.
Threats Against PHI Are Growing
Hacking and ransomware attacks targeting PHI are rising while employees and business partners are complicit in episodes of unauthorized access and disclosures of PHI. According to the HIPAA Journal, the number of disclosed health data breaches in 2021 was more than double than in 2020, affecting nearly 45 million patient records. As we embark on 2022 and beyond, we must take these risks seriously and continue to build measures that secure our information.
Large Healthcare Data Breaches 2009 – 2020
Find more statistics at Statista
The single biggest health data breach in 2020 involved a medical debt collections agency that exposed more than 12 million patient records.
Medical Billing and the Growing Cost of Data Breaches
Violations of HIPAA rules can result in massive fines and even imprisonment. Additionally, violating privacy-related state laws on medical billing may result in class-action lawsuits. In the largest U.S. health data breach in history, insurer Anthem paid a record $16 million settlement in 2018 following the exposure of the PHI of nearly 79 million people.
Breaches also affect patient confidence, organizational reputation and revenues.
How Nordis Safeguards PHI During Medical Billing
While our clients own their data and hold ultimate responsibility for protecting it, we prioritize data security and privacy as well. Our audited policies and procedures ensure we meet federal and state requirements, comply with client agreements on data handling, and meet the requirements for HIPAA Business Associates.
Compliance with SOC 2 Standards
In addition, we’re audited annually against SOC 2 standards, which attest to the quality of controls that directly relate to security, availability, processing integrity, confidentiality, and privacy at a service organization.
PHI Training to Avoid Medical Billing HIPAA Violations
Every Nordis employee receives PHI training, and if they see a breach or a potential breach, they’re empowered to stop it.
What You Should Do Now
1) Understand your data lifecycle. Really understand how you receive PHI data and how it goes through your organization from digital to print. Consider the following:
- Where are your data collection points?
- Who has access to this data?
- How do you process this data?
- Where are the storing points and the sharing points, including 3rd party vendors?
- What is your destruction point?
2) Do a risk analysis. Under HIPAA, this is an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity or business associate.
3) Conduct HIPAA training for your workforce. If you have PHI (including Patient Financial and Billing information), all staff need to be familiar with key areas of HIPAA, including who is covered, what information is protected use and disclosures of PHI, and individual rights provided in the HIPAA Privacy Rule. Work with your organization’s privacy or compliance officer to create a working team to address the requirement.
It’s easier and less costly to prevent medical collections violations of HIPAA than to clean up their damage. It’s also imperative we all do our part to protect patients.
About the Author
Nicole is the COO for Nordis Technologies and brings to her role over 30 years in Healthcare and Technology. In her career she has been at the forefront of HIPAA Compliance since its inception and has participated on many industry panels, boards and executive teams to drive awareness, and build the industry framework for the protection of PHI.