Protecting Health Care Data

How business associates in the ARM industry can ensure policies and procedures are up to par.

8/26/2019 10:30 AM

News, Collector Magazine

Enforcement under the Health Insurance Portability and Accountability Act (HIPAA) is in the spotlight and, with the continuance of data breaches and risk of cyberattacks in the health care space, there is no sign it will dim anytime soon.

But companies and their business associates that evaluate their policies and procedures together on a regular basis can be prepared for risks and how to respond effectively and quickly if a data breach should occur, Tim Dressen, a communications consultant and former Collector magazine editor for ACA International, reports in the August issue.

Here are a few tips to guide you through the process of protecting health care data:

Know where the data is stored

Protecting sensitive data is impossible without a full understanding of how it’s used, where it’s stored and how it’s transmitted. For example, consider how information is transferred over your company’s network. Some copiers, printers and fax machines store past jobs until the data is purged. Do you know whether such purges take place automatically, or could your office equipment contain a hard drive full of protected information? Thoroughly evaluating all potential places where data may be accessed, transmitted and stored gives you a chance to identify and patch potential data security weaknesses.

Encrypt your data

Most reported HIPAA data breaches in the first quarter of 2019 resulted from email and network server hacking or similar IT incidents. Storing and transmitting only encrypted data significantly reduces the potential severity of such hacks.

Train and test

Establishing and maintaining meaningful policies and procedures to protect data are necessary steps for any agency handling nonpublic consumer data, but such policies are worthless without ongoing employee training and monitoring. Employees need to know which patient information they should and should not be viewing along with their responsibilities for ensuring that data remains secure and private.

Review agreements

HIPAA generally requires health care providers to have business associate agreements with any company or individual performing functions on its behalf that require access to protected health information. Business associate agreements define each party’s responsibilities regarding the handling and use of protected health information. Understanding when and how security incidents need to be reported under the terms of business associate agreements is also essential in the event of a data breach.

Require vendor agreements

Agencies typically use third-party services as part of the collection process. Requiring such providers to sign business associate agreements containing the same provisions as the agreements between the agency and its covered entity clients helps ensure data integrity and reduce risk.

Conduct a risk assessment

To understand where potential liabilities are most ripe, agencies can conduct a risk assessment. Third-party companies specializing in information security can provide a thorough audit to identify weaknesses and recommend solutions. Companies that are unable to commit resources to a third party can conduct a self-assessment.

These tips can help business associates of health care providers, including collection agencies, avoid and mitigate risks. Read more on Protecting Health Care Data in the August issue of Collector magazine.

ACA Certified Instructors Leslie Bender, IFCCE, CCCO, CCCA, chief strategy officer and general counsel at BCA Financial Services Inc., and Michael O’Meara, president, The O’Meara Law Office P.S., will lead the CORE Curriculum webinar: Data Security and Privacy I Sept. 10-11. Register today to learn more tips on data security policies and procedures.

ACA’s CORE Curriculum and Hot Topic webinars are also available through the new All Access Training Zone, providing education at a low annual price for members. The All Access Training Zone includes Core Curriculum webinar training sessions to help members achieve any of ACA’s professional designations. Visit the All Access Training Zone website to learn more about this phenomenal value for members.


Follow ACA International on Twitter @ACAIntl and @acacollector, Facebook and request to join our LinkedIn group for news and event updates. ACA International members are welcome to submit news items for possible publication to comm@acainternational.org. Visit our publications page for news submission guidelines and subscriptions to ACA Daily, Collector magazine and Pulse.

Advertising is available for companies wishing to promote their products or services. Be sure to visit the ACA Events Calendar on the Education and Training page to view our listing of upcoming CORE Curriculum and Hot Topic seminars featuring critical educational opportunities for your company.

