Healthcare Business Management Association - HBMA

HIPAA Security and Privacy Exposure

An article by Ron Sterling, taken from the July/August issue of HBMA Billing.

In the flurry of activities associated with EHRs, ICD-10, and other healthcare industry challenges, many organizations have not maintained proper attention to evolving HIPAA Security and Privacy issues. Of particular importance to your billing service are changes to HIPAA Security and Privacy that were included in the HITECH Act, making Business Associates responsible for liability and remedy of HIPAA Privacy and Security issues. Penalties for these breaches have been increased to a maximum of $1.5 Million.

The recently announced $100,000 settlement with a five-doctor, Phoenix-based practice should trigger a closer look at your own HIPAA Security and Privacy compliance situation as well as the underlying client compliance that enables your services.

On April 17, HHS settled a HIPAA Privacy and Security case with Phoenix Cardiac Surgery. According to the HHS announcement, the practice failed to establish and maintain the policies and procedures needed to protect patient information under the HIPAA standards. Additionally, the practice failed to document appropriate training or even appoint a security officer.

This incident should trigger a review of your own HIPAA Security and Privacy exposure in the following areas:

Business Associates (BA) Agreement

The HITECH changes to HIPAA Security and Privacy include penalties for Business Associates (e.g., billing services) for breach violations. This is a dramatic change from the previous standards that basically exposed the Business Associate to dismissal by the Covered Entity. This change should trigger the following actions by your organization:

BAs are now responsible for coordinating the response to a breach. You should maintain information on the Security and Privacy Officers for your clients.

Establish an appropriate Security and Privacy procedure to ensure that you maintain appropriate procedures and contact with your clients on HIPAA Security and Privacy matters.

Indeed, the changes to BA responsibilities may present you with a service opportunity to train the Security and Privacy Officers of your clients and to coordinate appropriate training for your clients' staff.


Notice of Privacy Practices (NPP)

As a billing service, you also need to check the client's NPP to verify whether it affects your organization. For example, the NPP may state that PHI will not be used in de-identified form for any purpose. Indeed, a number of practices have outdated and incorrect NPPs. For example, some practices have an NPP form that has not been reviewed in years or updated for changes to the practice or the standards.

Training Staff

Billing services may reconsider training their staff and (perhaps) clients on HIPAA Security and Privacy issues. Note that the Phoenix organization failed to adequately train their staff on HIPAA Security and Privacy. Many practices do not have the time or expertise to train all employees on the HIPAA Privacy and Security standards. Your organization may be in a unique position to advise your clients through your knowledge of their operations and procedures.

Security Risk Guidance

Depending on your service mix, your clients should be asking for information on their own security risks based on your product and service offerings. As importantly, you could define best practices and strategies for your clients to meet the HIPAA Privacy and Security standards. For example, you may include explanations about tracking HIPAA Privacy consent and disclosures using your product. You may also have security recommendations to help clients limit their own exposure. For example, you may include recommendations about electronic storage of PHI from your organization.

Security Risk Analysis

You should review your current security risk status and conduct an analysis if your previous analysis is outdated or has not accounted for changes to your system, software, or procedures. Changes to your backup procedures or communications strategy may require a new security risk analysis. Note that security risk assessments are another potential service you may be able to offer your clients. Security risk analysis is one of the Meaningful Use measures that is part of the EHR incentive requirements.

HIPAA Security and Privacy compliance is not in the current spotlight, which is dominated by EHRs, ICD-10, and Health Insurance Exchanges. However, recent HIPAA Security and Privacy enforcement actions, including a $1.5 million settlement with an organization that maintained PHI in unprotected laptops, should be a wakeup call to billing services and your clients. Proper procedures and training will mitigate the chance of a problem and may present your organization with an added value service opportunity.


Ron Sterling (800-967-3028) publishes the popular EHR blog and authored the HIMSS Book of the Year Award winning Keys to EMR/EHR Success. Ron is a frequent presenter on EHR issues for HBMA. © Sterling Solutions, 2012.
