phi Archives - LuxSci

Posts Tagged ‘phi’

Is Medical Billing Information Protected Under HIPAA?

Tuesday, August 9th, 2022

Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.

Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.


What is Protected Health Information (PHI)?

Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

As listed in item three, payment-related information tied to healthcare provisioning is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.

To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any one of these, combined with information on healthcare payments, would constitute PHI:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

The Risks to Medical Billing Companies

It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.

Third-Party Risk

Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document discusses how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.

Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they have is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities who frequently work under HIPAA regulations, third parties may not wholly understand it. As a result, they may fail to take the technical steps needed to secure sensitive data.

How to protect electronic medical billing information

Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:

  • Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
  • Administrative requirements related to how employees access PHI.
  • Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
  • Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.

Protecting Electronic Medical Billing Information In Databases

Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:

  • Using a secure and HIPAA-compliant web and database host.
  • Limiting access to only authorized users.
  • Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
  • Encrypting the contents of the database so they cannot be accessed if there is a breach.
  • Making regular backups of the database and storing them independently of the main system.

Sending Healthcare Billing Notifications Digitally

Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it is faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks and requires remediation to protect ePHI in transmission. These safeguards include:

  • Encrypting messages in transit
  • Authenticating user identities and sending domains
  • Requiring unique user logins and complex passwords
  • Protecting against threats with anti-virus software, email filtering, and other malicious scanning tools.
  • Creating audit logs and reviewing them for suspicious activities.

Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.

HIPAA Compliance Checklist

Tuesday, January 11th, 2022

This HIPAA compliance checklist was designed to help organizations understand their obligations under the law. The checklist items are not a complete list, just a starting point for your compliance program. HIPAA requires a yearly risk analysis to identify new vulnerabilities. Any business process change or new technology usage introduces new risk into an organization’s security program, so it’s important to review the standards regularly.



Are Prescription Notifications HIPAA-Compliant?

Tuesday, December 14th, 2021

It is common to receive calls and text messages from pharmacies reminding us that it is time to pick up or renew our prescriptions for drugs or other medical items. Have you ever wondered if these prescription notifications are HIPAA-compliant?

Just because every pharmacy seems to send them, it doesn’t mean they are aware of the compliance requirements. Let’s look into the context and learn how to remind patients of prescription refills and appointments securely.



HIPAA Compliance for Mobile Apps

Tuesday, November 9th, 2021

Many people rely on mobile devices to access the Internet, and apps are a convenient way to deliver online services. The health industry has also turned to mobile apps to provide health care services on the go.

In some industries, developing apps may be relatively straightforward. However, those that deal with PHI need to understand the HIPAA compliance requirements for mobile apps. If your company’s app isn’t HIPAA compliant, it could result in heavy fines or a data breach, which could seriously harm your business’s finances and its reputation.

To develop a HIPAA-compliant app, privacy and security need to be considered from the start.


What Exactly Is an App?

Before we get too deep into HIPAA compliance, we should take a step back and clarify what an application is. Most people use them every day, but not everyone will know how they differ from other kinds of software.

At its highest level, an app is a software program that is designed to help users perform activities. This contrasts with system software, such as an operating system, which generally works in the background.

The three main types are web apps, desktop apps and mobile apps. Web apps run in your browser, things like your webmail or Google Translate. Desktop apps tend to be full-featured, while mobile apps are stripped-back versions that focus on making the most out of the tablet or smartphone experience. There are also hybrid apps that embed mobile websites inside apps.

While Microsoft Word and the alarm clock on your phone are both apps, people will often be referring to mobile apps when they use the term.

Does My App Need to Be HIPAA-Compliant?

Health and wellness apps have become more sophisticated and are often recommended by medical practitioners to help patients manage medical conditions. However, not every app is required to meet HIPAA regulations. To determine whether an app should be HIPAA-compliant, consider whether your business practices make you a covered entity or a business associate of an entity.

Another complex aspect is understanding what actually counts as PHI. PHI is identifiable information that includes medical test results, prescriptions, billing details and insurance, among an array of other things. Weight loss data, calories burned, heart rate and other similar readings are not normally considered PHI unless they are attached to identifiable information.

If your business processes PHI as a covered entity or a business associate, you are subject to HIPAA regulations. If your company offers services directly to customers that are unrelated to their healthcare provider or insurance, it is unlikely to be covered by HIPAA.

Because of this, apps like MyFitnessPal are exempt from the regulations, because they don’t process PHI, nor do they conduct their business through healthcare providers. Conversely, an app from your health plan that stores your healthcare records would be regulated under HIPAA. Similarly, email, chat, texting, and video conferencing apps that may be used by healthcare providers to communicate with their patients would also need to be HIPAA-compliant. 

If you do not secure PHI properly, you could be subjected to financial penalties. The FTC recently announced it will begin enforcing the Health Breach Notification Rule for health apps. The rule requires entities to deliver breach notices to customers by first class mail no later than 60 calendar days after discovering a breach. Companies must also notify the FTC and in some cases, the media. Companies can face penalties up to $43,000 per violation per day for noncompliance.

HIPAA Compliance for Mobile Apps

If your company has an app that falls under HIPAA regulations, you will need to put serious consideration into its privacy and security measures. It is best to keep HIPAA in mind from the earliest planning stages to ensure that the app is compliant and to reduce the chance of penalties or any significant breaches. App security starts with corporate compliance; your company and your developers need to do all of the things necessary for compliance (see HIPAA Compliance Checklist), including training, risk assessments, etc.

From the app design stage forward, you should limit the use and sharing of PHI in your App to the minimum that is necessary to complete the task. If your data is processed by any outside entities, you will also need to sign a business associate agreement (BAA) with them to ensure that they are complying with the regulations as well.

You should also understand the additional risks that come with processing PHI on devices. Smartphones and tablets can easily be lost or stolen and they have a range of features that bring new security challenges.

Developing an app brings up a different set of complications compared to SaaS (software-as-a-service, i.e. using web-based applications), because apps generally store data locally and need access control measures in place to ensure that the data is secure. Because of this, it is best to go above and beyond HIPAA regulations to safeguard your customer data.

Control Access to Protect PHI

Access control is critical for apps that process PHI. Mobile devices have a high risk of being stolen or accessed by unauthorized entities. With the right access control measures in place, the risk of anyone being able to view sensitive patient data is minimized.

First, ensure that your app can only be accessed with a unique ID. To authenticate their identity, a user also needs to prove who they are. Require the use of a strong password or biometric data (like fingerprints) to log in.

If PHI is going to be available in an app, automatic logoff is important for preventing unauthorized access. People often keep their apps logged in and leave their devices unattended. Without automatic logoff after a set period of time, the user’s PHI becomes more vulnerable to unauthorized access. Many apps neglect auto-logoff and keep users logged in indefinitely, relying instead on the device’s own login and logoff functionality. This may be sufficient to pass your HIPAA risk assessments; however, it is far more secure (though far more annoying) to institute app-level login and logoff requirements. Perhaps the pervasiveness of biometrics will remove the annoyance factor of requiring authentication to gain access on demand.

We highly recommend that app developers institute auto-lockout after a short period of inactivity and use fingerprints or other means to resume access. Several access failures should cause your app to back off and require the full regular password to re-authenticate. This mitigates the weaker nature of a fingerprint or PIN for access resumption.
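The lock-and-resume policy described above, as an added example that is not LuxSci’s code: a small session-lock state machine that locks after a period of inactivity, lets the user resume with a weak factor (fingerprint or PIN), and backs off to the full password after repeated quick-unlock failures. The timeout, the failure budget, the injectable clock, and the boolean credential-check results are assumptions; verifying the credential itself is left to the caller.

```python
"""Session-lock policy for an app that handles PHI (illustrative, not LuxSci's code)."""
import time
from dataclasses import dataclass
from typing import Callable

INACTIVITY_LIMIT = 120.0  # seconds of idle time before the app locks itself (assumed value)
MAX_QUICK_FAILURES = 3    # weak-factor failures tolerated before the full password is required (assumed)


@dataclass
class SessionLock:
    clock: Callable[[], float] = time.monotonic  # injectable so the policy can be tested offline
    locked: bool = True
    require_full_auth: bool = True  # a fresh session always needs the full password
    quick_failures: int = 0
    last_activity: float = 0.0

    def _expire(self) -> None:
        # Idle too long: PHI must not stay on screen, so lock the session.
        if not self.locked and self.clock() - self.last_activity >= INACTIVITY_LIMIT:
            self.locked = True

    def _unlock(self) -> None:
        self.locked = False
        self.quick_failures = 0  # a successful unlock refills the failure budget
        self.last_activity = self.clock()

    def touch(self) -> None:
        """Record user activity; locks first if the session has already gone stale."""
        self._expire()
        if not self.locked:
            self.last_activity = self.clock()

    def is_locked(self) -> bool:
        self._expire()
        return self.locked

    def quick_unlock(self, factor_ok: bool) -> bool:
        """Resume with a weak factor (biometric/PIN). factor_ok is the caller's verification result."""
        self._expire()
        if not self.locked:
            return True
        if self.require_full_auth:
            return False  # weak factor is refused until the full password has been entered
        if factor_ok:
            self._unlock()
            return True
        self.quick_failures += 1
        if self.quick_failures >= MAX_QUICK_FAILURES:
            self.require_full_auth = True  # back off: only the strong credential is accepted now
        return False

    def full_unlock(self, password_ok: bool) -> bool:
        """Authenticate with the full password; password_ok is the caller's verification result."""
        if password_ok:
            self.require_full_auth = False
            self._unlock()
            return True
        return False
```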

Encrypt App Data

Encryption is another key aspect of preventing PHI from being exposed. Data should be encrypted at all times except when it is in use. This prevents anyone who may be listening in from accessing the data. Instead of being able to view the PHI, all they will see is ciphertext. Data encryption can safeguard PHI from other running apps and from attackers who may be trying to break into a device’s hard drive. Relying on a device’s disk encryption provides a basic layer of safety, but it does not protect data against other malicious running apps.

Auditing to Monitor Access

Any HIPAA-compliant app should have mechanisms in place to monitor and log access to PHI. These logs help detect any unauthorized access in the event of a breach.

HIPAA-Compliant Web Hosting

Apps are often just the front-end interface of a company’s website. To protect data on the back-end, host the website with a HIPAA-compliant provider. Your company needs to sign a business associate agreement with the provider to ensure that they are safeguarding PHI. LuxSci offers HIPAA-compliant hosting and we even have a free eBook that goes through the subject in more depth.

Keep Your App Updated

The threat landscape is constantly changing. Update your app whenever new vulnerabilities are discovered to protect patient data. Outdated apps are easy targets for hackers, so it is essential to patch regularly.

Be Careful with Push Notifications

Push notifications are visible even when a screen is locked. Do NOT include PHI in these notifications. If someone else sees a push notification that contains PHI, it could be considered an unauthorized access violation. This unauthorized disclosure could result in fines for your organization.

Mobile Apps Are Easy to Use, but Are They Secure?

Many healthcare organizations are seeing the value in developing apps for their patients because of their simple nature and ubiquity. While apps can certainly be useful, companies need to tread carefully and consider HIPAA regulations from the start.

Devices and apps introduce a range of security and privacy issues. It is exceedingly important that adequate measures are taken to guard the PHI of users. If neglected, your organization could face significant penalties or a serious breach. When developing a mobile application, consider your security and compliance requirements from the start.

Does Sending Email Using BCC Make It HIPAA Compliant?

Tuesday, July 13th, 2021

One common misconception is that sending emails to a list of recipients using BCC (Blind Carbon Copy) makes it HIPAA-compliant. For example, a doctor’s office sends a newsletter to its patients using BCC to hide the other recipients. Patients who receive a message sent via BCC cannot see who else received it. Some may think this email does not contain any identifiable information because the individual recipients are hidden. They assume the messages do not contain any “electronic protected health information” (ePHI) subject to HIPAA regulations.

However, BCC is not good enough to protect ePHI.

