HIPAA From the Eyes of a Physician and Business Associate: Bottom Line... It Pays to Be HIPAA Compliant!

Surgeons are taught from the beginning of our training to listen carefully to our patients, diagnose the problem at hand, create a comprehensive plan to address the concern and when necessary, perform a surgical procedure to physically alter and thereby improve the patient's health and wellbeing. But learning how to be a surgeon, especially in the field that I had practiced, Otolaryngology and Facial Plastic Surgery, was no easy task. Before the advent of slim microscopic cameras attached to delicate instrumentation, or headlights equipped with video cameras that could display the operator's field of view on a giant screen, the fledgling surgeon was positioned behind the primary operator, hoping to get a quick glimpse of the surgical field in order to better understand the anatomy and the procedure being performed. Too many times to mention, I can remember staring at the back of my mentor's head and being asked, "Did you see what I did there?" Too afraid to say "Of course not," I usually answered in the affirmative, while always thinking to myself "Do you think your father was a glazier?"

The point is that technology is rapidly changing and as healthcare providers and vendors to the medical profession, we must all recognize our roles in the safekeeping of our patients' health information in a world of ever-increasing threats to the security of that data. The good news is that there are software programs available to healthcare professionals, as well as medical billers and debt recovery specialists, which clearly disclose the roadmap to compliance. They offer efficient methods of implementation for these complex HIPAA Privacy and Security regulations. Healthcare professionals, as well as covered entities such as Billing and Collection companies, must be compliant with the HIPAA HITECH regulations. As someone who has bridged both worlds and meshed both of these cultures, allow me to give you my perspective on why it makes sense for Business Associates to expend the time and energy to be security and privacy compliant.

Billing and collection companies have many priorities. Too often, one of them is not ensuring the security and privacy of personal health information (PHI) and fully complying with the HIPAA HITECH requirements. If you handle PHI, you are a Business Associate and must comply with all the HIPAA HITECH requirements, including critical items like performing periodic risk assessments, documenting and implementing security and privacy policies and procedures, conducting HIPAA awareness training, and regularly testing disaster recovery and business continuity plans. But you may ask: "Should I worry if I'm not compliant? Could my business operations be disrupted by a data breach? Am I prepared if my customers and partners require me to be HIPAA compliant?" The answers to all of these should be an unqualified YES.

The risks are real and they need to be managed. Here are just a few:

A KPMG study reported that 81% of healthcare organizations have been hit with a breach in the last two years. Some speculate that number could be even higher given that there could be some data breaches that remain undetected or go unreported.
In another recent survey, privacy, security, and risk management leaders felt employee negligence was the largest privacy and security threat. Given the number of recent breaches caused by malicious cyber-attacks, this is an interesting observation by the professionals in the field. Furthermore, over 50% of respondents believe healthcare-related organizations will remain the industry most at risk in 2016. What do you think is the largest privacy and security threat in your organization?

Most billing and collection companies have similar gaps. Do these sound like what your organization looks like?

Being HIPAA HITECH compliant can pay dividends to your organization. It can help you generate more revenue and increase new potential business opportunities. If you haven't already noticed, more and more business partners are asking "Are you HIPAA compliant?" Many will not work with you if you can't answer affirmatively to that simple question. This is especially true in a system where a greater number of physicians are employed by a large institution and are no longer opting for a traditional private practice. Being HIPAA compliant can also be a business development differentiator, reduce the impact of a costly lawsuit over PHI mishandling or access, prevent reputational damage and consumer mistrust, and minimize potential fines from breaches and audits. Once you have completed all required remediation activities and are compliant, demonstrating your commitment to adhering to HIPAA HITECH regulations can go a long way to obtaining and maintaining critical business relationships.

It doesn't have to be expensive. There are several software solutions to guide your project and allow you to focus on only what you really need to do. This can make being HIPAA compliant a cost-effective and potentially revenue-enhancing initiative. So what steps should you take right now as we enter the year 2016?

At a minimum, you should complete basic HIPAA HITECH security activities to minimize risks and be prepared to respond to business partners and new customer requests.

This means completing at least the following:

Key activities include:

Conduct workforce training to ensure staff understand what security risks exist and what actions every staff member must take on a daily basis to maintain a secure environment. This, along with some privacy training, is the typical measure that most Business Associates have in place, and they feel that they have thereby completed their HIPAA compliance. The advancement and ubiquity of data storage and transfer in healthcare makes this effort only a part of the overall, comprehensive plan to be HIPAA HITECH compliant in 2016.
Completing these activities should put you in position to comply with critical HIPAA HITECH requirements. As HHS leadership strongly states: "Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information … Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information" (HHS OCR Director Jocelyn Samuels).

Many healthcare-related organizations have purchased a data breach insurance policy to protect them in the event they face a breach. While this insurance can be very useful in helping to cover the rising costs of a healthcare breach, it is not a standalone solution to protecting an organization from the costs of a breach. In most instances, the insurance carrier still requires the Business Associate to complete the above critical compliance activities. As the following recent story indicates, the organization must be actively working to protect PHI.
In December 2013, Cottage Health Systems notified almost 33,000 patients that their PHI had been compromised. Cottage Health filed a claim with their breach insurance, Columbia Casualty Insurance, which has paid out over $4.1 million for costs associated with this breach. However, Columbia recently filed suit against Cottage Health to recoup the money it has paid associated with this breach. According to Columbia, Cottage violated its policy because it did not perform the necessary due diligence to safeguard PHI.

The other key initiative to reduce risk is to ensure you have Business Associate Agreements (BAAs) in place with any organization with which you exchange PHI.

Here are some quick Business Associate Agreement best practices:

By now, I know what you are all thinking. Isn't it enough that we have to deal with the FDCPA, FCRA, TCPA, CFPB, etc.? Now HIPAA HITECH too? Let me share with you a recent letter I received from a debtor, posing as a validation request (coming in well after the 30 day validation period) and my response.

To whom it may concern:
I recently sent you a letter that you basically ignored. HIPAA requires that you maintain the same level of security that the health care maintains. Please provide me with your current process for securing my information and the agency that inspected your facility. Also send me a copy of the assignment between you and the health care provider.
In the event of noncompliance, I reserve the right to file charges and/or complaints against you and the health care provider with the OCR on HIPAA violations and appropriate County, State & Federal authorities, the BBB and State Bar associations for violations of the FDCPA, FCRA, and Federal and State statutes for fraudulent slander of credit and illegal reporting activities on an account that is time-barred as well as North Carolina medical privacy rules.
I will wait 15 days to file my complaint.

Dear Mr. XXXX,
I am in receipt of your communication and attached please find the documentation you requested verifying your debt.
In regards to the questions you put forth regarding the HIPAA regulations, as a retired surgeon, I am well aware of the HIPAA requirements and FMS is in compliance with all state and Federal regulations regarding the protection of personal health information. I have reviewed your account and see no evidence of a breach in security. The information you are requesting is proprietary in nature and is not required to be disseminated to the general public without evidence of a breach in security regarding your personal health information.
Allow me to add that your letter has many inconsistencies in that your debt is not time-barred and has nothing to do with the North Carolina medical privacy rules.
A representative will be available to discuss how you would like to handle your outstanding balance after you have reviewed the documents verifying your debt.
Sincerely Yours,

Dr. H.

Since this was the first notice received by my company, and the debt was not out of statute and had no relation to North Carolina, it was clear to me that the content was merely cut and pasted, probably from some debtor advocacy internet site. Mark my words, it won't be long before the plaintiff attorneys begin trolling for HIPAA cases against healthcare Business Associates!

In summary, the time for taking effective steps to secure protected health information is now. Medical billing and debt collectors are coming under the microscope of regulators and business partners and must be able to demonstrate their safeguard protocols. As businesses and consumers become ever more computer savvy, and as large data breaches are announced frequently in the media, they are already starting to ask "Is my Personal Healthcare Information data secure, and do you follow good security and privacy practices?" As technology advances and interoperability becomes more than a fairytale, the standards for doing business in this environment will be raised. While not easy by any standard, becoming HIPAA compliant doesn't have to be overwhelming or cost prohibitive. This investment will pay for itself many times over. It will be mandatory for business leaders to adopt practices so that their firms will be viewed as secure, auditable, and compliant with Federal and state healthcare regulations. Get ahead of the curve. Bottom line... It pays to be HIPAA compliant!

Jeffrey N. Hausfeld, MD, MBA, is the Managing Director of FMS Financial Solutions, a debt recovery firm in Greenbelt, Maryland. He is a Medical/Business consultant to QIP Solutions, a software platform for HIPAA HITECH compliance. Dr. Hausfeld is also the Chairman of the Board and Founder of the Society of Physician Entrepreneurs.