hipaa compliance Archives - Page 4 of 10 - LuxSci

Posts Tagged ‘hipaa compliance’

Is Medical Billing Information Protected Under HIPAA?

Tuesday, August 9th, 2022

Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.

Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.


What is Protected Health Information (PHI)?

Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

As listed in item three, payment-related information tied to healthcare provisioning is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.

To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any one of these, combined with information on healthcare payments, constitutes PHI:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

The Risks to Medical Billing Companies

It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.

Third-Party Risk

Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document discusses how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.

Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they have is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities who frequently work under HIPAA regulations, third parties may not wholly understand it. As a result, they may fail to take the technical steps needed to secure sensitive data.

How to protect electronic medical billing information

Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:

  • Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
  • Administrative requirements related to how employees access PHI.
  • Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
  • Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.

Protecting Electronic Medical Billing Information In Databases

Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:

  • Using a secure and HIPAA-compliant web and database host.
  • Limiting access to only authorized users.
  • Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
  • Encrypting the contents of the database so they cannot be accessed if there is a breach.
  • Making regular backups of the database and storing them independently of the main system.

Sending Healthcare Billing Notifications Digitally

Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks that must be mitigated to protect ePHI in transmission. These safeguards include:

  • Encrypting messages in transit
  • Authenticating user identities and sending domains
  • Requiring unique user logins and complex passwords
  • Protecting against threats with anti-virus software, email filtering, and other malicious scanning tools.
  • Creating audit logs and reviewing them for suspicious activities.

Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.

Is Microsoft Teams HIPAA-Compliant?

Tuesday, July 12th, 2022

Microsoft Teams is a unified communication platform with workplace chat, video conferencing, and file-sharing tools. It’s a popular program for internal workplace communications. However, healthcare organizations may wonder if they can use it while complying with HIPAA.

Microsoft Teams is designed to work with Microsoft 365 and additional Microsoft products. As readers of this blog may know, Microsoft 365 email products can be used in a HIPAA-compliant manner, but they require additional security configurations to meet compliance requirements. In the same way, organizations must take additional steps to secure Microsoft Teams.


Business Associate Agreement

As we have discussed before, a business associate agreement (BAA) is required for any vendor that will process ePHI on a company’s behalf. These agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the parties.

BAAs are absolutely necessary for HIPAA compliance. Even if Microsoft Teams is correctly configured with the necessary security controls, it would still violate HIPAA if a signed BAA were not in place. If an organization already has a BAA with Microsoft, it should confirm that using Teams is covered before implementing it. This means that free Microsoft Teams accounts are not HIPAA-compliant.

Configure Security Settings

As mentioned above, using Microsoft Teams in a HIPAA-compliant manner involves more than signing the BAA and downloading the application. The organization must comply with the HIPAA Security Rule, which involves:

  • Ensuring the confidentiality, integrity, and availability of all electronic PHI.
  • Detecting and safeguarding against anticipated threats to the security of the information.
  • Protecting against anticipated, impermissible uses or disclosures.
  • Certifying compliance by the workforce.

Covered entities are responsible for putting the proper controls and reporting mechanisms in place to protect PHI. That includes employing the various safeguards available in the Microsoft Teams platform, such as:

  • Implementing user access controls
  • Requiring multifactor authentication and single sign-on (SSO) for user logins
  • Encrypting data in transit and at rest
  • Tracking and investigating specific activities using audit logs

Note that some features of Microsoft Teams may not be available when the platform is configured for compliance. It’s up to an organization’s IT and compliance teams to implement and enforce the proper technical controls.

Create Policies and Educate Users

Just because Microsoft Teams can be used to transmit ePHI doesn’t mean it is always the best choice. Administrators should create policies that define how and when ePHI can be transmitted through Teams. For example, to reduce risk, it may be wise to keep heavy ePHI items like lab results out of the messaging application.

In addition, organizations should determine which devices employees can use Teams on. If employees are allowed to install Teams on their personal devices, the IT and compliance teams must develop policies and institute controls that can remotely wipe or disable those devices if they are lost or stolen, to prevent unauthorized ePHI access.

Microsoft Teams can make intra-office communication much more straightforward, but it’s essential to determine what is and isn’t allowed before rolling it out to employees. ePHI is very nuanced, and to protect data, it’s essential to thoroughly understand the risks involved with a new communications platform.

Improve Access to Preventative Healthcare with Email

Tuesday, March 22nd, 2022

Next up in our series on patient education and engagement, we look at ways to encourage preventative healthcare with digital technologies.


Vaccines and Flu Shot Information

It’s challenging to encourage individuals to get a yearly flu shot. There are many reasons that people do not get annual flu shots. Some of these reasons include:

  • not enough time
  • don’t think they need one
  • don’t know where or when to get one

Accordingly, one way to expand outreach efforts is with a series of personalized and educational emails. Using a patient database, it’s easy to identify the patients who are at the highest risk of suffering severe consequences from contracting the flu. The marketing team can then put together a series of educational emails that address common questions and concerns, including:

  • why flu shots are important to public health
  • how to schedule a flu shot appointment
  • promotions to incentivize populations with lower vaccination rates

In addition, patient education can also help combat vaccine misinformation. The COVID-19 vaccine rollout is a good example. The lack of compelling information from official sources led people to the Internet and social media to search for information about the vaccines. Despite local and national government efforts, the information void was filled by misinformation. Reaching out to patients before they encountered misinformation could have helped build trust and increase vaccination rates.

Preventative Healthcare Screenings and Testing

Preventative healthcare screenings for cancer, blood pressure, and diabetes are recommended on a yearly basis. Identifying these conditions and treating them early on can drastically improve health outcomes. However, many people do not know when to get screened. Many tests do not apply until patients reach a certain age bracket or unless they have certain risk factors. Email campaigns can target patients who meet the criteria for a preventative screening.

Next, let’s look at another example. Breast cancer screenings are recommended for women when they reach 40 years old. A healthcare marketer could create an email campaign to let eligible patients know how to schedule a mammogram. This campaign could provide educational information on why screenings are important, what patients can expect at their mammogram, and how to schedule an appointment. Promotional tactics can also encourage more signups. Early detection of cancer saves lives, and it’s incredibly important to conduct these screenings.

Appointment Scheduling

Furthermore, it is important that patients come in for annual appointments. These appointments are where many screening procedures occur. Skipping an annual appointment can mean missing the early symptoms of a serious health condition. Email campaigns can help close care gaps and encourage patients who have missed appointments to reschedule. Removing barriers to care and increasing the number of communication touch points can improve patient engagement.

The Power of Personalization in Preventative Healthcare

Finally, emails are even more powerful when they are personalized using ePHI. Marketers can use audience segmentation to break down patient populations into distinct groups and create relevant messaging. However, to segment and personalize email marketing messages with ePHI, the organization must use a HIPAA-compliant marketing solution. Read our other blogs for more information on selecting a HIPAA-compliant email marketing platform.

By targeting distinct patient groups, marketing teams can create highly relevant messages that increase patient engagement. Let’s take the earlier breast cancer screening campaign example. This campaign is particularly relevant to women in their 40s and 50s who may be unfamiliar with the screening process and how to schedule a mammogram. If this campaign were sent to an entire patient population, it would be confusing and annoying. Young women might mistakenly believe they need to get screened, and men would be annoyed by the unnecessary email outreach.

Targeting the right population at the right time with the right message is key to marketing success. Using patient data in a safe way allows the marketing team to create highly personalized campaigns that help patients access preventative healthcare.

Conclusion

To conclude, educational email campaigns can encourage patients to access preventative care that they may not know is available. To achieve the best results, marketers can use segmentation and personalization to create highly targeted email campaigns to help patients achieve desired health outcomes. For more information on creating HIPAA-compliant email marketing campaigns, check out LuxSci’s Secure Marketing tool.

How to Engage Patients with Email Marketing

Tuesday, February 1st, 2022

Email marketing is one of the most effective ways to communicate with patients. However, health care providers have long avoided it because of HIPAA concerns. In this article, we will provide a few examples of how to use email marketing to engage patients and increase ROI.


Don’t Forget About HIPAA!

A quick reminder: the following use cases assume that an organization is using a HIPAA-compliant email marketing platform. Most major email marketing platforms (like Mailchimp and Constant Contact) cannot encrypt outgoing emails and are not HIPAA-compliant. Do not upload ePHI to a marketing platform without first signing a Business Associate Agreement and thoroughly vetting the vendor. Just because a vendor will sign a BAA does not mean including sensitive data in emails is permitted. Choosing a platform designed for HIPAA compliance (like LuxSci’s Secure Marketing) is highly recommended to help reduce risks.

Now that that’s out of the way, let’s dive into some examples of how ePHI can be used in email marketing campaigns to improve patient engagement.

Provider and Network Changes

Changing a healthcare provider can be a tedious task. Instead of relying on staff to call and mail notices to affected patients, use email marketing to engage patients. Suppose Dr. Smith is retiring, and a practice needs to inform his patients of the upcoming change. Using email is a highly effective way to do so. First, create a segment of Dr. Smith’s patients and send them an email with directions on how to choose a new provider. Marketers could further segment this list by the patient’s insurance and offer suggestions of new providers who are in-network and accepting new patients. Making it as easy as possible for Dr. Smith’s patients to continue care increases retention and keeps patients satisfied.

In a similar vein, when a new provider joins the practice, an organization can email all their current patients who are without a provider to encourage them to come in and seek care.

Events Marketing

Almost every health care system offers events that are specifically targeted to different patient populations. Some examples include parenting classes for new moms, nutrition classes for diabetics, and cancer support groups. When using a HIPAA-compliant email marketing program, an organization can use health care data to target these patient populations with personalized marketing messages to increase enrollment and engagement.

For example, let’s imagine that a healthcare organization is running a series of classes for new moms. To promote the classes, the marketing team can get a list of currently pregnant patients and send them emails about the upcoming series. Since these emails are highly relevant to this specific user group, it’s likely the campaign will perform well and increase enrollment. If this email were sent to the entire patient email list, it might annoy patients who do not fall into this category, and many would unsubscribe. Sending emails only to relevant groups keeps patients interested rather than irritated by marketing messages.

Address Care Gaps

HIPAA-compliant email marketing can also be used to encourage vulnerable populations to seek follow-up care. One campaign type is screening reminders. Many screenings are recommended when certain age and demographic criteria are met. For example, mammograms are recommended when women reach their 40s. An organization could use email marketing to target patients who meet the demographic criteria with information about how to schedule their screening. It’s also possible to exclude women who have already had their mammogram. These highly targeted mailings can automate processes and improve patient health outcomes.

In addition, organizations can create campaigns in different languages to expand outreach efforts to marginalized patient populations. The possibilities for personalization are endless. Sending highly relevant and personalized email campaigns is a surefire way to engage patients.

Conduct Surveys and Gather Feedback

Using a HIPAA-compliant email marketing platform makes it easy to test messaging to increase response rates. Improving patient satisfaction is important to improve reimbursement rates from insurance companies and the federal government. Understanding areas to improve can help organizations deliver a better patient experience and increase profit.

Conclusion: Engage Patients with Email Marketing

These are just a few ways that health care systems can increase patient engagement with HIPAA-compliant email marketing. Healthcare organizations have access to troves of data that can be used to create highly relevant marketing campaigns. However, it’s extremely important to keep sensitive data protected. To successfully and securely engage patients without running afoul of HIPAA regulations, use a HIPAA-compliant email marketing platform.

HIPAA-Compliant Email Hosting or Outbound Email Encryption?

Tuesday, January 25th, 2022

There are many ways to protect ePHI in email. HIPAA is technology-neutral and doesn’t make specific recommendations for how to protect email communications. This article explains the difference between a HIPAA-compliant email host and an email encryption gateway. These are just two of the options for securing email accounts.

