In January of this year, Anthem, Inc., a managed care provider, learned of a cyber attack on its IT system. This attack, which occurred over several weeks beginning in December 2014, compromised the identities of over 80 million customers. The breach, in which the healthcare information of millions was compromised, constitutes a serious HIPAA violation, exposing the provider to potentially devastating legal liability.
Unfortunately, this sort of breach perpetrated against healthcare providers is becoming ever more common. The Ponemon Institute, along with ID Experts, issued a report in May this year that showcased healthcare data breaches. The Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data calculates a 125 percent growth in healthcare cyber attacks over the past five years. Although employee negligence and lost or stolen devices still result in many data breaches, a shift is occurring from accidental loss to intentional targeting of data that reveals individuals’ names, Social Security numbers, and other personal information.
The reason that healthcare providers are being targeted is that the information they maintain to provide care for their patients is often substantial enough that cyber criminals can use the data from a single healthcare provider to engage in identity theft. Moreover, cyber criminals target healthcare data because they recognize that many healthcare facilities, including insurance companies, don’t have the resources or technologies to prevent or to detect attacks.
Anthem is a large corporate entity that can afford and use the technology required to protect HIPAA sensitive data, and yet the breach still occurred. What can other healthcare businesses do to prevent or detect a cyber attack on HIPAA sensitive data?
Meeting Standards, Avoiding Fines

The growing use of electronic health records and electronic protected health information (ePHI) accounts for the need to protect information contained in these records. But while these records are often well secured, an often overlooked vulnerability point is credit card processing. The Payment Card Industry Data Security Standard (PCI DSS) and HIPAA rules require entities to maintain reasonable and appropriate safeguards for protecting credit card payments. How this actually translates into actionable steps, however, is less clear. To that end, here are four rules to follow when accepting credit card payments to ensure that you’re meeting HIPAA/PCI mandated or suggested compliance guidelines:
Ensure Your Processor Doesn’t Send SMS Credit Card Receipts: Some credit card processors, like Square, send electronic receipts to your customers via text or SMS. Because these receipts contain “protected health information” they must only be transmitted over secure technologies, which SMS is not. Therefore, if you want to provide receipts, either make sure they are delivered via secured email, or are exclusively provided in paper form.
Obtain a Business Associate Agreement With Your Processor: If your credit card processor only provides credit card processing, there is an exception in HIPAA that means you don’t need a typical Business Associate Agreement with your credit card processor. That exception, however, is very narrow and only applies to actual credit card processing. That means that if they are providing account analysis, reporting, or any of the ancillary services that processors offer (like creating gift cards), you likely need a Business Associate Agreement. You therefore have two choices: either limit the services that your merchant account services provider gives you, or obtain a valid Business Associate Agreement with them.
Any Physically Stored Card Numbers Must Be Secured: All businesses, not just healthcare entities, must comply with PCI DSS. Visa, MasterCard, Discover, American Express, and JCB mandate this compliance to protect the customer’s data against theft and fraud. One of the most basic requirements is that any written copy of a credit card authorization that lists the customer’s credit card number must always be secured under lock and key.
Secure Your Swiping Hardware: Traditionally, credit card payments were swiped via a countertop terminal. Those come off the shelf very secure, so the only concern there is ensuring that the internet connection the terminal uses to communicate is PCI compliant. But if you’re using a new type of swiper like the Clover Station, which converts existing hardware like an iPad or your cellphone into a card-accepting device, then that hardware must be made secure.
If your healthcare organization isn’t following the above guidelines, don’t feel alone. In fact, the Ponemon Institute study estimates that less than half of all healthcare organizations and their business associates fully comply with either PCI DSS or HIPAA. The fact that other healthcare providers aren’t fully compliant, however, shouldn’t discourage action on your part. Since 91 percent of healthcare operations and 59 percent of business associates experienced a data breach within the past five years, it’s not if, but when, it will happen to you and your patients.
HIPAA rules for medical billing state that you can only have access to a patient's medical history and conditions, including treatment information. You are also allowed to view the fees the patients or their respective insurance companies paid for the treatment.
Typically, these terms state that their services should not be used for health record storage. Violating these terms can lead to non-compliance. Data security: Even though credit card payment services are not subject to HIPAA, maintain strong data security practices.
The rule aims to improve the efficiency of healthcare transactions by establishing consistent formats for exchanging health information, such as claims, enrollment, eligibility inquiries, and remittance advice.
The 4 most important parts of HIPAA are the Privacy Rule, the Security Rule, the Breach Notification Rule, and the HIPAA Omnibus Rule. The Privacy Rule protects the confidentiality of patient health information. It sets standards for how patient health information can be used and disclosed.
The HIPAA Security Rule requires physicians to protect patients' electronically stored, protected health information (known as “ePHI”) by using appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information.
Ensuring the protection of patient information, particularly payment details, is not just a regulatory requirement under the HIPAA regulations but a cornerstone of trust between you and your clients.
The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual's authorization, to another health care provider for that provider's treatment or payment purposes, as well as to another covered entity for certain health care operations of that ...
Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; ...
Who Is Not a Covered Entity? Providers that do not work with clearinghouses, accept only cash pay (private pay), provide superbills to patients, and do not submit or request information electronically from the patient's insurer are not subject to HIPAA regulations.
PII also encompasses more than just health information. It includes information such as tax information, credit card numbers or Social Security numbers used in a context unrelated to healthcare operations and services.
If a potential breach occurs, the organization must conduct a risk assessment to determine the scope and impact of the incident—and confirm whether it falls under the notification requirement.
The HIPAA Privacy Rule requires you to have policies that protect and limit how you use and disclose PHI, but you aren't expected to guarantee the privacy of PHI against all risks.
The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification of a breach involving unsecured PHI. A breach is any impermissible use or disclosure of PHI under the Privacy and Security Rules.
Limiting access, limiting disclosure, protecting Patient Health Information (PHI), and notifying the appropriate authorities and anyone impacted by a data breach are the three phases of the HIPAA compliance process.
Understanding HIPAA compliance involves grasping the three essential rules that form the foundation of these regulations: the Privacy Rule, the Security Rule and the Breach Notification Rule.
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.