Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.
Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.
What is Protected Health Information (PHI)?
Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:
- An individual’s past, present, or future physical or mental health or condition.
- The past, present, or future provisioning of health care to an individual.
- The past, present, or future payment-related information for the provisioning of health care to an individual.
As listed in item three, payment-related information tied to healthcare provisioning is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.
To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any of one of these, combined with information on healthcare payments, would constitute PHI:
- Name
- Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voiceprints
- Photographic images
- Any other characteristic that could uniquely identify the individual
The Risks to Medical Billing Companies
It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.
Third-Party Risk
Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document discusses how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.
Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they have is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities who frequently work under HIPAA regulations, third parties may not wholly understand it. As a result, they may fail to take the technical steps needed to secure sensitive data.
How to protect electronic medical billing information
Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:
- Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
- Administrative requirements related to how employees access PHI.
- Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
- Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.
Protecting Electronic Medical Billing Information In Databases
Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:
- Using a secure and HIPAA-compliant web and database host.
- Limiting access to only authorized users.
- Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
- Encrypting the contents of the database so they cannot be accessed if there is a breach.
- Making regular backups of the database and storing them independently of the main system.
Sending Healthcare Billing Notifications Digitally
Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it is faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks and requires remediation to protect ePHI in transmission. These safeguards include:
- Encrypting messages in transit
- Authenticating user identities and sending domains
- Requiring unique user logins and complex passwords
- Protecting against threats with anti-virus software, email filtering, and other malicious scanning tools.
- Creating audit logs and reviewing them for suspicious activities.
Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.
