Can Your Health IT Service Provider Ensure Security For ePHI?
Outsource Strategies International www.outsourcestrategies.com
Headquarters: 8596 E. 101st Street, Suite H Tulsa, OK 74133 Call: 1-800-670-2809
Outsourcing your healthcare documentation, medical coding and billing, and other back office tasks can save time and money and improve your productivity and efficiency. However, as a physician, there is one question you should ask yourself: is my health IT service provider concerned about the safety of my data? Poor IT security policies can expose you to troublesome and costly penalties for HIPAA (Health Insurance Portability and Accountability Act) violations. Even a well-known institution like Idaho State University was recently penalized for a health information security breach. So before you outsource your back office tasks, it is important to ensure that your health IT service provider has the following policies in place to secure electronic protected health information (ePHI):
Encryption for ePHI
Check whether the IT provider offers encryption for both active (in use) and inactive (not in use) ePHI. Otherwise, the ePHI is at risk of security breaches and HIPAA violations. Suppose that your medical billing service provider accesses your ePHI via an unencrypted network. There is a chance that someone can intrude into the network and read the information while it is being transferred. The same applies to ePHI stored on a computer, laptop or USB drive: if the device is stolen, misplaced or lost, ePHI confidentiality is at stake. In 2012, BlueCross BlueShield of Tennessee, a leading health benefit plan company in Tennessee, paid around $1.5 million to the Department of Health and Human Services (HHS) after 57 unencrypted computer hard drives containing the protected health information of more than 1 million people were stolen.
Business Continuity & Disaster Recovery Plans
The service provider that you select should have business continuity and disaster recovery plans. Even though most service providers plan how to handle an immediate service interruption, testing usually does not take place until an emergency occurs! This is a bad practice. So ensure that your service provider has a tested and proven disaster recovery plan in place. This will reduce wait time for updates, for you as well as for your patients.
Proper Shredding of ePHI
Data breaches may occur if patients' health information is not disposed of safely and securely. For data stored electronically, the potential for unauthorized access, erasure, alteration or loss is high. Even after documents are deleted from the recycle bin, they can still be recovered from the hard disk and accessed without authorization. When disposing of data stored on computer disks, the disks need to be overwritten several times, and it should be verified that the data cannot be recovered from them. The service provider should be able to account for when, how and under what circumstances the ePHI was destroyed.
Identify Data Breaches
Most data breaches are difficult to detect. According to the Verizon Data Breach Investigations Report 2013, around 66 percent of data breaches took months or even years to discover. So you should ensure that your service provider has an effective system (anti-virus software, malware detection tools, advanced analytic tools) for identifying different types of data breaches.
Regular Risk Assessment
Make sure that your service provider performs risk assessments regularly to address changing threats and policies, so that effective and stringent security measures can be implemented. For example, the HIPAA Omnibus Final Rule, effective from March 2013, considers even the risk of a data breach to be a violation. Changes in technology can bring about new risks. It is important that your service provider stays up-to-date with such changes and conducts regular risk assessments to detect and deal with security violation threats.
HIPAA Business Associate Agreement
If your service provider is willing to sign a HIPAA business associate agreement (BAA) with you, this is an indication of their commitment to the security of your ePHI. The contract ensures the safety of personal health information in accordance with HIPAA guidelines. The agreement should clearly state how your health IT service provider will report and respond to any kind of data breach. Also, make sure that the provider can produce evidence of routine audits, such as SSAE 16 reports or PCI certification.
The bottom line: when you outsource your documentation, medical coding or billing tasks, look for a medical transcription company or medical billing company that is HIPAA compliant.