HIPAA stands for the Health Insurance Portability and Accountability Act, enacted by Congress in 1996 as part of the regulatory framework for the US healthcare industry. Besides making health coverage portable between jobs, it established federal rules on how personal health information may be used and disclosed, and it protects patient privacy by putting checks and balances on the leakage and misuse of that information. The Act deters exposure of sensitive health data by imposing federal civil and criminal penalties for violations. Protected Health Information (PHI) is individually identifiable health information, including identifiers such as a Social Security number, that needs protection from attackers and from anyone else who could use it to cause financial, reputational or emotional harm to the patient.
HIPAA Compliant Medical Billing Services
HIPAA is binding on two types of individuals or organizations: Covered Entities and Business Associates.
Covered entities include –
- Health plans
- Healthcare clearinghouses
- Healthcare providers who electronically transmit any health information.
Business Associates include medical billing companies and medical billing outsourcing firms, data hosting providers, and so on. Any individual or third-party organization that creates, receives, maintains or transmits PHI (including ePHI) on behalf of a covered entity is a business associate, and business associates are directly liable for complying with the Security Rule.
Why Do We Need HIPAA?
The Department of Health and Human Services (HHS) requires every organization or individual that handles Protected Health Information (PHI) to take responsibility for it. The first required step under the HIPAA Security Rule is a risk analysis: an enterprise must identify where its ePHI lives and what threatens it before selecting and implementing safeguards. Keeping that analysis current, and acting on its findings, is what lets an organization demonstrate compliance if OCR audits or investigates it. Compliance does not make penalties impossible, but an organization that can produce a documented, up-to-date risk analysis and remediation plan is in a far stronger position than one that cannot.
Breaking It Down
Three HIPAA rules matter most here: the Privacy Rule, the Security Rule, and the Breach Notification Rule. All three exist to protect patient information and, ultimately, the patients themselves.
P3Care offers medical billing services that involve processing claims electronically, so we focus on the HIPAA Security Rule. The Security Rule lays down how electronic protected health information (ePHI) must be protected by applying administrative, physical and technical safeguards around it.
The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), has contributed to widespread HIPAA awareness, which means more providers now understand its importance.
What is HIPAA in Medical Billing?
P3Care is a HIPAA-compliant medical billing company because it follows both the core requirements of HIPAA and the practices that flow from them. As a business associate, it conducts risk assessments within client organizations and treats PHI and ePHI with the care they require. Because we work with electronic records every day, we put all the corresponding safeguards in place.
By performing a risk assessment and acting on its findings, we demonstrate HIPAA compliance and maintain an administratively, physically and technically safe environment in which to receive, store and transmit patient health information.
HIPAA Requirements for Electronic Claims
HIPAA requires electronic claims to use standard code sets and standard transaction formats. The medical codes, as we know, form the basis of every electronic claim, and billers and coders are bound by law to create and submit claims in the approved transaction format: the ASC X12 version 005010 standards, commonly called HIPAA 5010.
HIPAA also standardizes the code sets used for diagnosis and treatment reporting, namely the ICD, CPT and HCPCS codes.
HIPAA Compliant Security Risk Analysis by P3Care
P3Care's HIPAA-compliant security risk analysis helps hospitals and medical practices avoid the penalties described later on this page. It gives them the confidence to face an OCR audit when the time comes, and it earns the trust of others, which applies to us as well: the reputation of a medical billing outsourcing company depends on it, and the more open we are about our compliance, the better our chances of earning new clients.
P3Care identifies the key areas that need additional measures to prevent data leakage. By closing those gaps, healthcare organizations become safer, more secure and HIPAA compliant.
Reporting security incidents in which PHI is improperly exposed, even by mistake, is also part of HIPAA compliance.
Another HIPAA billing requirement is that medical billers use specific EDI (Electronic Data Interchange) transaction sets to carry out the billing task; a claim, for example, is submitted as an X12 837 transaction. Hence both the medical billing and the coding regulations form part of the HIPAA billing guidelines.
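As an added example (this is not P3Care's code and not a full 837 validator), the Python below parses the outer envelope of an ASC X12 interchange using the separators the ISA header itself declares, and checks that the file declares the 5010 version: interchange version 00501 in ISA12 and the 837 Professional implementation guide 005010X222A1 in GS08 and ST03, plus the control-number and segment-count cross-checks that a receiving clearinghouse performs before looking at the claim itself. The two interchanges it runs on are constructed here for illustration; the sender and receiver IDs, dates and control numbers are made up, and the pre-5010 sample (004010X098A1, 4010A1) is included only to show how an old-format file is flagged.

```python
"""Check that an ASC X12 interchange declares the HIPAA 5010 claim format.

Added example, not P3Care's code. The sample interchanges are constructed:
sender/receiver IDs, dates and control numbers are made up.
"""
from typing import List

Segment = List[str]

# 837 Professional (837P) implementation guide identifier for 5010.
GUIDE_5010_837P = "005010X222A1"


def make_isa(version: str, control: str, rep_sep: str) -> str:
    """Build a fixed-width ISA header (tag + 16 elements, 106 bytes incl. '~')."""
    elems = [
        "ISA", "00", " " * 10, "00", " " * 10,
        "ZZ", "SENDERID".ljust(15), "ZZ", "RECEIVERID".ljust(15),
        "240101", "1200", rep_sep, version, control, "0", "P", ":",
    ]
    return "*".join(elems) + "~"


# Constructed 5010 interchange: ISA/GS envelope, one 837 transaction, GE/IEA.
SAMPLE_5010 = (
    make_isa("00501", "000000001", "^")
    + "GS*HC*SENDERID*RECEIVERID*20240101*1200*1*X*005010X222A1~"
    + "ST*837*0001*005010X222A1~"
    + "BHT*0019*00*CLAIM0001*20240101*1200*CH~"
    + "SE*3*0001~"
    + "GE*1*1~"
    + "IEA*1*000000001~"
)

# Constructed pre-5010 (4010A1) interchange: ISA11 was 'U' and ST had no ST03.
SAMPLE_4010 = (
    make_isa("00401", "000000002", "U")
    + "GS*HC*SENDERID*RECEIVERID*20240101*1200*2*X*004010X098A1~"
    + "ST*837*0002~"
    + "BHT*0019*00*CLAIM0002*20240101*1200*CH~"
    + "SE*3*0002~"
    + "GE*1*2~"
    + "IEA*1*000000002~"
)


def parse_interchange(raw: str) -> List[Segment]:
    """Split an interchange into segments and elements.

    X12 does not fix the separators; the ISA header declares them by
    position: element separator at byte 3, segment terminator at byte 105.
    """
    if len(raw) < 106 or not raw.startswith("ISA"):
        raise ValueError("not an X12 interchange: missing or short ISA header")
    elem_sep, seg_term = raw[3], raw[105]
    segments: List[Segment] = []
    for chunk in raw.split(seg_term):
        chunk = chunk.strip()  # tolerate newlines some senders put after '~'
        if chunk:
            segments.append(chunk.split(elem_sep))
    return segments


def check_hipaa_5010(segments: List[Segment],
                     expected_guide: str = GUIDE_5010_837P) -> List[str]:
    """Return a list of problems; an empty list means the envelope checks out."""
    findings: List[str] = []
    isa = segments[0]
    if isa[0] != "ISA" or len(isa) != 17:  # tag + 16 elements
        return ["ISA header does not carry 16 elements"]
    if isa[12] != "00501":
        findings.append(f"ISA12 interchange version is {isa[12]!r}, expected '00501'")

    gs_guide = gs_control = None
    st_index = None
    for i, seg in enumerate(segments):
        tag = seg[0]
        if tag == "GS":
            gs_guide = seg[8] if len(seg) > 8 else None
            gs_control = seg[6]
            if gs_guide != expected_guide:
                findings.append(f"GS08 guide is {gs_guide!r}, expected {expected_guide!r}")
        elif tag == "ST":
            st_index = i
            st_guide = seg[3] if len(seg) > 3 else None
            if st_guide != gs_guide:
                findings.append(f"ST03 is {st_guide!r}, does not match GS08 {gs_guide!r}")
        elif tag == "SE":
            if st_index is None:
                findings.append("SE without a preceding ST")
                continue
            counted = i - st_index + 1  # ST through SE inclusive
            if int(seg[1]) != counted:
                findings.append(f"SE01 declares {seg[1]} segments, counted {counted}")
            if seg[2] != segments[st_index][2]:
                findings.append("SE02 control number does not match ST02")
            st_index = None
        elif tag == "GE" and seg[2] != gs_control:
            findings.append("GE02 control number does not match GS06")
        elif tag == "IEA" and seg[2] != isa[13]:
            findings.append("IEA02 control number does not match ISA13")
    return findings


def validate(raw: str) -> List[str]:
    """Parse and check one interchange."""
    return check_hipaa_5010(parse_interchange(raw))


if __name__ == "__main__":
    for name, sample in (("5010", SAMPLE_5010), ("4010", SAMPLE_4010)):
        problems = validate(sample)
        print(name, "OK" if not problems else problems)
```

The 5010 sample passes cleanly; the 4010 sample is flagged three times (ISA12, GS08 and the missing ST03). Real 837 files carry patient names, dates of birth and member IDs in the BHT/NM1/REF loops that follow, so this kind of check must run on a system already authorized to hold ePHI, and a rejected file should be logged by control number, never by its contents.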
The Legal and Ethical Ramifications of HIPAA Violations
There are severe consequences for not following the provisions of HIPAA in letter and spirit. Civil penalties are tiered by culpability, from violations the entity did not know about, through 'reasonable cause', to 'willful neglect' that either is or is not corrected in time. A covered entity or business associate found liable can face fines and, for knowingly obtaining or disclosing PHI in violation of the Act, criminal prosecution. The following chart describes the civil penalty tiers in detail; the dollar amounts are the statutory figures, which HHS adjusts for inflation each year.
| HIPAA violation tier | Minimum penalty | Maximum penalty |
|---|---|---|
| Did not know (and could not reasonably have known) | $100 per violation; up to $25,000 for repeat violations in a year | $50,000 per violation; up to $1.5 million in a year |
| Reasonable cause (not willful neglect) | $1,000 per violation; up to $100,000 for repeat violations in a year | $50,000 per violation; up to $1.5 million in a year |
| Willful neglect, corrected within the required period (30 days) | $10,000 per violation; up to $250,000 for repeat violations in a year | $50,000 per violation; up to $1.5 million in a year |
| Willful neglect, NOT corrected within the required period | $50,000 per violation; up to $1.5 million in a year | $50,000 per violation; up to $1.5 million in a year |
The penalties a healthcare provider can be made to pay are far greater than what it costs to make the practice HIPAA compliant. P3Care sees to it that your hospital or medical practice operates in accordance with the terms of HIPAA.
P3Care follows a defined security risk assessment plan, but the effort depends on the size of your practice: the larger the organization, the more time the analysis takes.
Expect the following things when you choose us –
- We designate a privacy and security officer within the medical practice
- We write the detailed policies and procedures the rules require
- HIPAA training for hospital staff is part of the package
- The risk assessment maps every path PHI takes through the practice
- Contingency and recovery plans for lost PHI or a data breach
- Systematic disposal of ePHI when necessary (CVS pharmacy was heavily penalized for improper disposal of patient health information)
- Security incident procedures, including how and when to report a breach to OCR
The Three-Headed Security
All the covered entities and business associates must have a well-thought-out security plan. The HIPAA Security Rule has three basic components.
1. Administrative Safeguards
These are the policies and actions that identify and manage risk: designating a security officer, running a documented risk analysis and risk management process, putting procedures in place to prevent unauthorized access, training and supervising hospital staff, and reviewing the security policies from time to time. With these in place, we are well set on a HIPAA-acceptable journey.
2. Technical Safeguards
These are the technology controls applied to the systems that store or transmit ePHI: access controls (a unique ID for every user, emergency access procedures, automatic logoff), audit controls that record who accessed which record and when, integrity controls that detect improper alteration or destruction, authentication of the person or system requesting access, and transmission security. Encrypting ePHI, both at rest on laptops, desktops, tablets and other mobile devices and in transit across networks, is the right way to handle it; ePHI that is lost while encrypted to HHS guidance generally does not trigger breach notification, whereas unencrypted ePHI does.
3. Physical Safeguards
These are the measures that protect the buildings, equipment and media holding ePHI: facility access controls, rules for workstation use and placement, and device and media controls covering the disposal, re-use and movement of anything that stores ePHI. They guard the information, the buildings and the equipment against natural and environmental disasters, unauthorized physical access and any other hazardous event that may jeopardize patient health information.
| Do | Don't |
|---|---|
| Create procedures and make sure the staff understands them | Don't keep patient details (paper-based) by the front desk |
| Review the processes, and every stage through which PHI passes, regularly | Don't log in to access PHI from non-secure mobile devices or networks |
| Perform a risk assessment at least once every year | Don't open patient records without a valid reason |
| Implement provisions in letter and spirit and keep a close eye on controls | Don't discuss patient details in public, especially on social media |