
Data Security: An Essential Component of HIPAA Compliance

Nearly every industry in the United States has state and federal regulations as well as standards companies must follow to achieve quality control of outcomes. For example, the Sarbanes-Oxley Act for the financial industry is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. The North American Electric Reliability Corp. (NERC) standards for the utilities industry were developed to enforce reliability standards for the bulk-power system of North America.

A major regulation with which healthcare providers and other entities within the industry must comply is the Health Insurance Portability and Accountability Act (HIPAA). One of its key goals is to “assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.”

Under HIPAA, covered entities – healthcare providers, payers and clearinghouses that create, receive or transmit PHI – must comply with the HIPAA Security Rule and its administrative, physical and technical safeguards. The Security Rule was established “to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.” However, these entities often encounter obstacles to compliance, including securing communications, protecting mobile devices and addressing outside threats amid a changing regulatory environment. A lack of compliance can lead to costly HIPAA violations.

Challenges to HIPAA Compliance

Healthcare providers that fail to address weak spots in HIPAA compliance risk lost revenue and a damaged reputation, along with fines and fees. They also leave themselves vulnerable to a data breach, in which the average cost per record is $360. Stolen medical data can sell for 10-20 times more than credit card information, and Medicare numbers can be sold for $500 apiece. In cases where a HIPAA breach compromises protected health information (PHI), the average cost is $7.79 million.

You might be surprised to learn that only about half of data breaches are the result of criminal or malicious intent. The other half can be attributed to human error and system glitches. According to research, the three top security vulnerabilities found in health systems and hospitals are user authentication deficiencies, endpoint leakage and excessive user permissions.

User Authentication

User authentication is the verification of an active human-to-machine transfer of credentials required to confirm a user’s identity. It can be enforced through password strength requirements, single sign-on controls and locking accounts after too many failed login attempts. These controls reduce the risk when, for example, a staff member in a doctor’s office uses a generic password, sends an unencrypted email over an external network or leaves his or her password visible to patients and other staff members.

The security news website Security Boulevard lists password reuse, the use of exposed passwords and password sharing among healthcare staff as the largest password vulnerabilities in the healthcare industry. Authentication gaps also arise when a health system, hospital or provider does not implement procedures governing the release or disclosure of ePHI during an emergency.

Endpoint Data Leakage

Although the leakage of data through various endpoints does not always transpire through a malicious act, healthcare providers that compromise PHI put themselves in an expensive predicament. The International Association of Privacy Professionals (IAPP) notes that employees are believed to be responsible for approximately 84 percent of data breaches.

One common source of endpoint leakage is mobile devices that use endpoint interfaces such as Wi-Fi and Bluetooth. Another is employees copying proprietary information from their computers to portable storage devices. Not all healthcare entities train their staff on the rules and regulations for handling PHI and other sensitive data.

Excessive User Permissions

The Identity Management Institute states, “excessive access rights beyond someone’s normal job functions create an opportunity for errors, accidents and exploits which can affect the confidentiality, integrity and availability of data and systems.” A healthcare employee with unnecessary access to patient data might unlawfully copy, change or distribute it without his or her employer knowing.

Importance of Patient Privacy

Again, not all instances of noncompliance and PHI breaches are the result of intentional acts, but that does not make them any less problematic. Patients value the confidentiality of their health records, especially when they have an injury or illness they may want to keep private. Plus, patients who trust their health systems to protect their data likely receive better outcomes.

The U.S. government also takes PHI seriously. Criminal penalties for HIPAA violations vary from a fine of $50,000 and up to a year in prison to $250,000 and up to ten years of jail time. Penalties for civil HIPAA violations range from $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations, to $50,000 per violation, with an annual maximum of $1.5 million. Denying a patient access to their PHI or not providing it within 30 days of the request can result in a HIPAA violation as well.

Standards for patient data security provide direction for healthcare providers. The HIPAA Security Rule requires “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.” With many healthcare entities implementing bring your own device (BYOD) policies, these safeguards should also be applied to mobile devices.

Suggestions for Data Security

There are multiple ways hospitals, health systems and providers can protect patient medical records and other PHI. First and foremost is training employees on the company and industry policies and procedures related to handling PHI. Other recommendations include:

  • Performing a risk assessment to identify, address and correct weaknesses.
  • Defining access authorizations for all devices.
  • Regularly reviewing access permissions.
  • Understanding gaps in the security controls related to user authentication and how much of the overall risk each gap accounts for.
  • Prohibiting employees from connecting to public Wi-Fi networks using a device with access to PHI.
  • Ensuring remediation plans are implemented for user authentication deficiencies.
  • Keeping track of what devices employees are using to access PHI.
  • Verifying PHI and other data is encrypted in transit and at rest.
  • Ensuring all devices use up-to-date antivirus software.
  • Utilizing a virtual private network (VPN).
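As an added example (not code from the original post or from maxRVU), the following Python script performs the access review described in the Excessive User Permissions section and in the recommendations above: it compares a constructed entitlement export against a per-role least-privilege baseline and flags every right that goes beyond the user's job role, noting which of those rights are also unused and therefore the safest to revoke first. The roles, entitlement names and user ids are hypothetical.

```python
from collections import defaultdict

# Constructed example: least-privilege baseline per job role (hypothetical roles/entitlements).
ROLE_BASELINE = {
    "front_desk": {"schedule.read", "schedule.write", "demographics.read"},
    "nurse": {"schedule.read", "demographics.read", "chart.read", "vitals.write"},
    "physician": {"schedule.read", "demographics.read", "chart.read", "chart.write", "orders.write"},
    "billing": {"demographics.read", "claims.read", "claims.write"},
}

# Constructed sample of an entitlement export: (user, role, entitlement, days_since_last_use)
ENTITLEMENT_EXPORT = [
    ("asmith", "front_desk", "schedule.read", 1),
    ("asmith", "front_desk", "chart.read", 3),       # beyond role: front desk reading charts
    ("asmith", "front_desk", "demographics.read", 1),
    ("bjones", "nurse", "chart.read", 2),
    ("bjones", "nurse", "orders.write", 400),        # beyond role and unused for over a year
    ("cdoe", "billing", "claims.write", 5),
    ("cdoe", "billing", "chart.write", 0),           # beyond role: billing editing charts
]


def review_entitlements(export, baseline, stale_days=90):
    """Return {user: [(entitlement, reason), ...]} for rights outside the role baseline.

    A right that is both beyond the role and unused for `stale_days` or more is
    marked as stale, since removing it carries the least operational risk.
    Users whose role has no baseline are reported so the baseline can be fixed.
    """
    findings = defaultdict(list)
    for user, role, entitlement, days_unused in export:
        allowed = baseline.get(role)
        if allowed is None:
            findings[user].append((entitlement, "unknown role: %s" % role))
            continue
        if entitlement not in allowed:
            reason = "beyond role baseline"
            if days_unused >= stale_days:
                reason += ", unused %d days" % days_unused
            findings[user].append((entitlement, reason))
    return dict(findings)


if __name__ == "__main__":
    for user, excess in review_entitlements(ENTITLEMENT_EXPORT, ROLE_BASELINE).items():
        for entitlement, reason in excess:
            print(f"{user}: revoke or justify {entitlement} ({reason})")
```
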

Streamline Your Compliance Initiatives with maxRVU

maxRVU Charge Capture meets the highest security standards to safeguard patient data by encrypting all data transmission, submission and storage. Access to data is also strictly controlled through a permission-based architecture available only to authorized, authenticated users. Sign up today to start your free trial of maxRVU – training is included!
