In an age where full-scale cyber attacks and massive data breaches seem to grab headlines every month, consumers are more paranoid than ever about the security of their personal data. Hackers around the globe covet one target in particular: electronic health records. A widely regarded study released last year by the Ponemon Institute revealed that criminal theft of medical records has increased more than 125% over the past five years.
A single electronic patient health information (ePHI) file contains the “identity theft trifecta”–birthdate, Social Security number, and home address–along with the patient’s full medical history, which can be used to bill bogus medical charges or obtain prescription drugs trafficked on the black market. So it’s no surprise that the current reported “street value” of ePHIs sold on the “dark web” is up to 60 times higher than that of stolen credit card numbers.
Protecting Patient Confidence – The HIPAA Solution
With medical record theft so clearly on the rise, tougher data security was an important provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While the Department of Health and Human Services (HHS) would define technical safeguards in this 17-page document, it places broad responsibility on healthcare providers of all sizes–from major hospitals to private practices, to third-party business partners–to employ “reasonable and appropriate” safety measures to protect patients’ electronic records.
What are the consequences of sloppy HIPAA compliance–if not an actual data breach? HHS can impose a civil fine between $100 and $50,000 per incident, or in extreme cases, punitive class action damages could approach as much as $100 million, as one Tennessee-based hospital system discovered after 4.5 million patient records were compromised by hackers in 2014.
For other security lapses affecting as few as 500 records, the penalty may include a permanent listing on the HHS Breach Notification site, also known around the healthcare community as the ‘Wall of Shame’. Halfway through 2016, over 60 new “covered entities” (providers, health plans or business associates) have taken indelible residence upon the Wall of Shame. And in an era where consumers can search online reviews of any business–from luxury hotels to a corner hot dog stand–patients can be expected to monitor their doctor’s performance–including data security.
What You Don’t Know Can Hurt You
HIPAA compliance is a major consideration for providers exploring options for managing preauthorization, billing, and other essential data operations. While there’s a slew of vendors touting various data processing services, they’re not always upfront about their “back end” security measures. Where is your data physically stored? How is it transmitted point-to-point? When you allow a third party access to your patient database, you’re actually entrusting them with your practice’s entire reputation.
iBridge: Security Comes First
While many healthcare RCM vendors focus on wooing customers with front-end “bells-and-whistles”, at Infinx we knew early on that developing an advanced security framework would set us apart from the rest of the pack. HIPAA data compliance is at the core of iBridge, our cloud-based workflow automation tool for pre-registration of patients:
- For airtight data storage, we rely upon Amazon S3 cloud infrastructure, featuring multi-layer SSL encryption on US-based servers.
- We access, transmit and store ePHI and other data for no longer than necessary, with strict archiving and purging protocols.
- Per HIPAA guidelines, we routinely audit all iBridge updates as well as conduct periodic system maintenance audits.
- Strong internal password protections and multi-tiered, user-centric controls ensure data is only accessible when required.
From insurance verification and preauthorizations to advanced medical coding and billing, don’t settle for dodgy vendors that may leave your practice’s reputation vulnerable to the Wall of Shame. To learn more about iBridge and other innovative Infinx RCM solutions, visit our website at www.infinxinc.com.