When most of us hear the acronym HIPAA (Health Insurance Portability and Accountability Act), we think about treatment plans, medical records, and progress notes. However, HIPAA privacy regulations cover much more than that. They also cover the processes we use to collect patient payments.
The consequences of failing to comply with HIPAA standards can be severe, with penalties running as high as $50,000 per incident. In addition, organizations can face legal action and criminal charges, which can damage a business’s reputation.
The good news is that organizations considered covered entities have more options than ever when looking for a HIPAA-compliant payment collection system. However, they need to understand what to look for in a solution to make sure it is compliant.
Here we discuss the criteria to look for to ensure you have a HIPAA-compliant payment collection process.
When most providers think of protected health information (or PHI), they think about medical records or disclosing health status to others. However, patient billing and payment information is also protected under HIPAA. Your patient’s name, date of birth, and credit card number are critical PHI, and they are often included on billing statements and in payment processing. As a result, it is the responsibility of healthcare organizations to keep this information secure and private.
In addition to payment data, other general individually identifiable health information sometimes included in billing statements is also considered PHI:
- Treatment information
- Medical test results
- Prescription information
Your payment collection methods need to ensure PHI is strictly protected so that they do not violate HIPAA.
Most organizations are looking for ways to streamline their payment processes with modern solutions. However, you must ensure that your solution meets the required regulations to avoid common HIPAA violations, fines, and a damaged reputation.
Organizations must ensure that their statements follow HIPAA guidelines and don’t reveal any sensitive information. Patient statements should carry only enough information to process a payment, but sometimes patients want additional details about their treatment or the charges. In those cases, providing contact information or a safeguarded channel for the additional patient data can help them get the information they want. Some solutions use QR codes or links that lead to the patient’s payment information behind a secure log-in.
Secure sign-in and controlled access to details will help protect patient data while ensuring patients are happy with the information they receive. The right solutions seek out only the minimum necessary information to process payments and do not require additional data to make a payment. That means the solution needs to have safeguards in place for the PHI accessed, used, and shared in all payment transactions.
Manual entry of data not only hurts productivity but is a significant liability for healthcare organizations. Every time data is processed, transferred, or used in either email or printed form, hackers have another point of vulnerability they can exploit for access. Limiting these points of entry by eliminating manual entry is critical. Self-directed payments can remove the need for handling and disposing of paper forms, because patients enter payment information directly into the solution.
The right self-pay solution eliminates potential employee error. It saves time while reducing the security risk that comes with patient information sitting around until it is entered. Loss or misuse of patient data could leave organizations exposed to HIPAA violations, and payment information can itself be an identifying factor. It’s critical to handle payment information correctly, and digital solutions can eliminate that vulnerability by automating the process.
To encourage healthcare organizations to adopt electronic health records, the Health Information Technology for Economic and Clinical Health Act (or HITECH Act) was introduced and signed into law by then-President Obama. It expanded the scope of the security, protection, and privacy requirements under HIPAA compliance. HITECH compliance covers specific HIPAA provisions for business associates and puts safeguards in place for providers using third parties to provide payment transactions and cover.
One of the most significant features of HITECH and HIPAA compliance is the Business Associate Agreement (or BAA) with third parties. The BAA is a contract that delineates exactly the responsibilities of each party and ensures they agree on their responsibility for managing and protecting PHI data.
A BAA also helps ensure that PHI data is not sold or shared with any unauthorized party. Some solutions sell or share their data with other vendors and providers, but those that sign the BAA will not. With a signed BAA in place, you can ensure that your information is protected when handled by any third party.
Research shows that data breaches do not come only from break-ins, bad actors, and malware. In fact, a whopping 88% of data breach incidents result from employee error. Sending a statement to the wrong address or hitting “reply all” on an email often results in compromised information and HIPAA violations.
Automating the payment process with personalized statements is one of the best ways organizations can remove human error as a potential vulnerability. The right solution will enable your staff to streamline your collection workflow with pre-programmed statements and analytics-driven tools that find the best time to call, increasing your patients’ propensity to pay.
The right solution will not only increase your security but also help improve payment collection.
There are three common ways that organizations charge patients for their healthcare expenses:
Most organizations give patients the ability to pay for products or services right on the spot. Rather than allowing debt to pile up, many providers and businesses enable patients to set up payments and accept credit cards, cash, and debit cards. This increases the odds of being reimbursed compared with sending a bill months later.
There are HIPAA-compliant online automated systems that organizations can leverage to collect payments after services are rendered. These help providers streamline their processes and reduce the errors that can come from manual payments.
There are times when patients cannot pay up front and billing statements go unanswered. In fact, this is becoming the norm for many patients: 78% of providers said they could not collect bills over $1,000 within 30 days. Non-obtrusive, patient-oriented campaigns can help providers offer patients convenient payment options and reminders. This helps ensure higher patient connect ratios and secure, HIPAA-compliant payments.
Many providers are struggling to collect bad debts from patients. In the same survey as above, 66% stated that patient receivables were a primary revenue concern for them. Phone payments enable them to start collecting old balances without wasting time or violating HIPAA regulations.
Healthcare payment models are shifting. Between the increased need for security and patient demand for convenience, many providers are seeking new payment solutions. However, choosing a partner that understands HIPAA and can provide HIPAA-compliant solutions is critical.
If you’re looking for a partner that can help you provide patients with security and convenience, GeBBS Healthcare Solutions can help. We offer a seamless and simplified patient experience that allows businesses and patients to adhere to HIPAA regulations. Our workforce management and technology prioritize a patient-focused approach to payment processing. To see how we can help you, contact us at gebbs.com to speak with one of our professionals today.