
Not a Question of If Your Billing Company Needs Accreditation, but When


Health plans and health systems are getting serious about data security, both their own internal security and that of their business associates, including third-party billers.

Statistics about breaches originating directly at RCM companies can be hard to come by from the Office for Civil Rights (OCR), keeper of the "Wall of Shame" where breaches of 500 or more medical records must be disclosed. In many cases, breaches that may have been caused by a business associate (BA) roll up under the affected healthcare provider instead of the BA.

In one recent example, a breach at an outside billing firm [1] potentially compromised more than 500 patient records at Mercy Hospital & Medical Center in Chicago. The breach was discovered in August after the biller lost hospital documents, according to a report.

An increasing number of health systems, health plans and other providers now require, or will soon require, business associates to obtain the same or similar industry certifications to help increase data security.

For even the smallest RCM companies that serve healthcare providers and health plans, the question is not whether operational certification or accreditation is needed, but when.

Healthcare Records Are Valuable
Since its founding in 2009, the OCR's breach portal [2], better known as the Wall of Shame, has recorded more than 1,750 breaches that affected 500 or more health records. A review of those breaches among hospitals and health systems shows that 75 percent of incidents [3] were the result of ill intent: theft (40 percent), unauthorized access (26 percent) or hacking (10 percent).

The OCR has been getting tough on breaches [4], negotiating settlements with covered entities and BAs to the tune of nearly $15 million in the first six months of 2016. In July alone, two health systems settled HIPAA violation claims for $5.5 million for breaches that hit 13,000 patient records. The per-record settlement fee in one of these cases was $2,000 per record!

Healthcare records are highly prized among thieves because of their value on the black market. A patient record often includes a Social Security number along with enough demographic information to open credit cards or other lines of credit, or to fraudulently bill for additional healthcare services. A healthcare record on the black market can fetch more than $350 [5], topping the list in terms of value. The second most valuable are educational records, which command half the price of a health record.

Like any set of security measures, some areas will be weaker than others, which is something a security audit can reveal. Looking across industries, employees are the top source of breaches, according to the Global State of Information Security Survey [6]. Employees can be innocent victims: clicking on a malicious website, losing a laptop or falling for a phishing attack, in which attackers deliberately send bogus emails to employees at target companies. However, employees can also be the perpetrators, intentionally looking up unauthorized information or stealing it. Incidents traced to partner companies increased by 22 percent, which is cause for concern among healthcare providers who have invested heavily in data security only to find that a BA is the weak link.

A new survey of healthcare attorneys indicates that medical records are the most sought-after target of cyberattacks (60 percent). Nearly half indicated that SSNs and credit card data were being targeted, and 40 percent said the targets were billing and insurance records [7].


How Certification and Accreditation Can Help
While healthcare providers are spending more money on cybersecurity, they are also looking to their business associates to have the same kind of protection they have, through security audits and industry-recognized data security certifications. Vendors are accustomed to providing requested documentation or attesting to certain levels of liability insurance, non-discriminatory hiring practices, disadvantaged company status and many other measures. As cybersecurity continues to be front-page news in the healthcare industry, data security attestation is the next logical step in the process.

Last year, the Health Information Trust Alliance (HITRUST) unveiled an expansion of its CSF (Common Security Framework) Assurance program to "efficiently and effectively manage the third-party assurance process [8]." According to a news release, the expansion was in response to the increasing number of healthcare organizations requiring CSF Certification for their business associates within the next 24 months. The change affects an estimated 7,500 BAs.

HITRUST certifications are used by 84 percent of the nation's hospitals and health plans, in addition to other healthcare organizations and business associates.

And in October, my group, the Electronic Healthcare Network Accreditation Commission (EHNAC), joined forces with HITRUST to streamline accreditation and certification efforts, increasing data security while lowering the barriers that differing standards can present to healthcare organizations. EHNAC will replace our HIPAA-related privacy and security criteria with the HITRUST CSF while maintaining the company-specific benefits of accreditation.

Under the collaboration, EHNAC will become the only organization that can provide both EHNAC accreditation and HITRUST CSF certification.

Don’t Let Bad Things Happen to Your Organization
If your RCM company hasn't been hit by a data breach or other security incident yet, count yourself lucky. But crossed fingers and positive thoughts won't protect you from professional attackers who can exploit security weaknesses in your IT systems, APIs and the other connections that let you send and receive protected health information and other sensitive data.

Not only do breaches occur more frequently than you might imagine, they can also be expensive to deal with. According to the Ponemon Institute, 90 percent of healthcare companies [9] have reported a breach in the past two years, and 45 percent have experienced five or more. In the aftermath of a breach, healthcare organizations pay an average of $2.2 million in remediation costs, while BAs pay more than $1 million.

In addition, your organization may not even be aware that a security breach has occurred. The security company McAfee reports that 80 percent of breaches are found by outside groups or through audits [10]. Even with higher corporate IT security spending, the share of breaches discovered by internal IT teams is just 10 percent of the total, a figure that has been dropping steadily over the past decade.

Data security is a critical consideration for the healthcare organizations that you serve. Even if your company isn't yet being required to obtain certification or accreditation for its IT systems and security practices, the negative impacts of a breach are simply too high to ignore this issue any longer.

Lee Barrett is executive director of EHNAC, a non-profit, federally recognized standards development organization designed to improve transactional quality, operational efficiency and data security in healthcare.

[1] See

[2] See

[3] See

[4] See

[5] See

[6] See information-security-survey.html

[7] See

[8] See

[9] See

[10] See