How business associates in the ARM industry can ensure policies and procedures are up to par.
8/26/2019 11:30
Enforcement under the Health Insurance Portability and Accountability Act (HIPAA) is in the spotlight and, with the continuance of data breaches and risk of cyberattacks in the health care space, there is no sign it will dim anytime soon.
But companies and their business associates that evaluate their policies and procedures together on a regular basis can be prepared for risks and know how to respond effectively and quickly if a data breach should occur, Tim Dressen, a communications consultant and former Collector magazine editor for ACA International, reports in the August issue.
Here are a few tips to guide you through the process of protecting health care data:
Know where the data is stored
Protecting sensitive data is impossible without a full understanding of how it’s used, where it’s stored and how it’s transmitted. For example, consider how information is transferred over your company’s network. Some copiers, printers and fax machines store past jobs until the data is purged. Do you know whether such purges take place automatically, or could your office equipment be holding a hard drive full of protected information? Thoroughly evaluating all potential places where data may be accessed, transmitted and stored gives you a chance to identify and patch potential data security weaknesses.
Encrypt your data
Most reported HIPAA data breaches in the first quarter of 2019 resulted from email and network server hacking or similar IT incidents. Storing and transmitting only encrypted data significantly reduces the potential severity of such hacks.
Train and test
Establishing and maintaining meaningful policies and procedures to protect data are necessary steps for any agency handling nonpublic consumer data, but such policies are worthless without ongoing employee training and monitoring. Employees need to know which patient information they should and should not be viewing along with their responsibilities for ensuring that data remains secure and private.
Review agreements
HIPAA generally requires health care providers to have business associate agreements with any company or individual performing functions on its behalf that require access to protected health information. Business associate agreements define each party’s responsibilities regarding the handling and use of protected health information. Understanding when and how security incidents need to be reported under the terms of business associate agreements is also essential in the event of a data breach.
Require vendor agreements
Agencies typically use third-party services as part of the collection process. Requiring such providers to sign business associate agreements containing the same provisions as the agreements between the agency and its covered entity clients helps ensure data integrity and reduce risk.
Conduct a risk assessment
To understand where potential liabilities are most ripe, agencies can conduct a risk assessment. Third-party companies specializing in information security can provide a thorough audit to identify weaknesses and recommend solutions. Companies that are unable to commit resources to a third party can conduct a self-assessment.
These tips can help business associates of health care providers, including collection agencies, avoid and mitigate risks. Read more on Protecting Health Care Data in the August issue of Collector magazine.
In addition, ACA Certified Instructors Leslie Bender, IFCCE, CCCO, CCCA, chief strategy officer and general counsel at BCA Financial Services Inc., and Michael O’Meara, president, The O’Meara Law Office P.S., will lead the CORE Curriculum webinar Data Security and Privacy I on Sept. 10-11. Register today to learn more tips on data security policies and procedures.
ACA’s CORE Curriculum and Hot Topic webinars are also available through the new All Access Training Zone, providing education at a low annual price for members. The All Access Training Zone includes CORE Curriculum webinar training sessions to help members achieve any of ACA’s professional designations. Visit the All Access Training Zone website to learn more about this phenomenal value for members.