HIPAA’s Privacy Rule lists 18 identifiers that could be used, alone or in combination, to determine a patient’s identity. Most of them are familiar (name, address, phone number and so on) and apply to nearly any business; some, however, are specific to the healthcare process, such as a patient’s health plan (insurance) beneficiary number and medical record number. One area that is especially exposed for all businesses, medical practices and physicians included, is payment processing.
Neglecting to Safeguard Credit Card Information Could Lead to Penalties
The Payment Card Industry Data Security Standard (PCI DSS) requires every business that accepts card payments, health providers included, to protect cardholder data with reasonable and appropriate safeguards, and HIPAA independently requires safeguards for any payment information that forms part of a patient’s record. Failing to meet these obligations can lead to penalties.
These penalties include:
- Large fines.
- Suspension of the practice’s ability to accept credit card payments.
- Potential legal liability.
Causes of Protected Health Information Breaches
A study published in JAMA Internal Medicine examined how breaches of protected health information occur and what steps breached organizations took to keep them from recurring. The cases analyzed occurred between Oct. 21, 2009, and Dec. 31, 2017; the 1,138 breaches included in the study affected the health information of 164 million Americans.
Theft by unknown parties or outsiders accounted for 32.5 percent of the breaches, the single largest cause. Theft by current or former employees accounted for 9 percent and mailing mistakes for 10.5 percent. Taken together, breaches originating inside the organization itself made up a startling 53 percent of the total.
Besides the cause, the researchers also recorded where each breach occurred. Paper records and network servers each accounted for nearly 30 percent of the breaches (28.7 percent and 29.3 percent, respectively), and nearly half (46.1 percent) of the 1,138 breaches in the study involved mobile devices.
Corrective actions taken by the organizations in the study included:
- Encrypting devices and restricting which devices may store patient health information.
- Monitoring access and strengthening network firewalls.
They also tightened email and postal mail handling with several safeguards, including:
- Encrypting content.
- Mandatory verification of the recipient.
- Copy protocol.
Insurance Records and Billing Information Are Frequently Targeted
According to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, 56 percent of respondents said that insurance records and billing information are the most frequently targeted data, and these are also the areas most often successfully breached. In addition, 45 percent of respondents reported lost or stolen payment details as a problem.
Securing Patient Information Can Be a Challenge
Although health providers understand the importance of safeguarding patient information, securing it can be challenging. The tips below can strengthen a provider’s ability to protect all patient information, payment processing data included.
3 Tips for Safeguarding Patient Health Information, Including Payment Processing
The best way a health care provider, hospital or clinic can prevent a breach is a multi-layered security strategy. No method guarantees protection, but several tools reduce the likelihood of a breach; a multi-layered strategy should include identity proofing, device recognition and fraud management. Educating staff about security threats and the warning signs of a breach is essential as well: the sooner a breach is recognized, the better.
1. Educate Staff Members on Security Threats and the Signs of a Potential Breach
Data breaches often stem from human error: an employee may leave patient health information in a public place (a laptop forgotten in a taxi), mail a patient’s data to the wrong address, or unknowingly publish sensitive data on a public website. Educating staff on these pitfalls helps protect patients’ confidential information. Also tell staff what may indicate a compromise (a computer behaving differently, virus warnings, unfamiliar browser toolbars, and the like).
2. Prevent a Breach in Unencrypted Payment Card Data by Choosing Not to Store it
Unencrypted card numbers that employees can read in full are at high risk of finding their way into emails, onto sticky notes and paper statements, and into browser history and autofill. One of the best ways to prevent breaches here is to use a payment platform designed so that the full card number never rests in the practice’s own systems: the platform (or its processor) holds the card data and hands the practice a token with which to reference the payment, so there is no stored card data to lose. The same principle applies to display: wherever a card number must be shown, show only the last four digits.
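The two halves of this tip, finding card numbers that have leaked into free text and keeping only a token and masked number, can both be checked in code. The example below is added here and is not the page’s or any vendor’s code: it scans constructed note text for 13 to 19 digit runs, confirms candidates with the Luhn checksum so medical record numbers and phone numbers are not flagged, masks hits to the last four digits, and shows the shape of a storage record that holds a processor token (the `tok_` format is hypothetical) instead of the card number.

```python
"""Find unmasked card numbers in free text (e-mail bodies, notes, log lines),
confirm candidates with the Luhn check, mask them for display, and show the
shape of a record that stores a processor token instead of the card number.
Added example, not the page's or any vendor's code; the sample text and the
token format are constructed for illustration."""
import re
import secrets

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by all major card brands. It rejects most other
    long digit strings (MRNs, phone numbers), but about one random string in
    ten still passes, so treat a hit as a candidate to review, not as proof."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number in text, digits only."""
    return [_digits_only(m.group(0)) for m in _CANDIDATE.finditer(text)
            if luhn_ok(_digits_only(m.group(0)))]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the most a receipt or screen needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Replace each Luhn-valid card number in text with its masked form,
    leaving other digit runs untouched."""
    def _sub(m: re.Match) -> str:
        pan = _digits_only(m.group(0))
        return mask_pan(pan) if luhn_ok(pan) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


def storage_record(pan: str, token_from_processor: str = "") -> dict:
    """What the practice's own database should hold after a payment: the
    processor's token (hypothetical 'tok_' format, generated locally here
    only as a stand-in), the last four digits, and nothing else. The full
    number is validated and then dropped."""
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    token = token_from_processor or "tok_" + secrets.token_hex(12)
    return {"card_token": token, "last4": pan[-4:]}


# Constructed front-desk note; 4111 1111 1111 1111 is a public test number.
SAMPLE_NOTE = ("Pt paid copay by phone, card 4111 1111 1111 1111 exp 12/26. "
               "MRN 123456789012, callback 770-555-0100.")

if __name__ == "__main__":
    print(find_pans(SAMPLE_NOTE))    # ['4111111111111111']
    print(redact(SAMPLE_NOTE))
```

Run `redact` over outbound email or ticket text before it is sent or stored, and run `find_pans` over existing notes, spreadsheets and log archives to find card data that should never have been there. A Luhn match is a strong hint rather than a certainty, so review hits before deleting them.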
3. Use Payment Terminals Supporting EMV Chip Card Technology
Although credit card processing carries risks, it has become a universal form of payment in retail settings, health establishments and online portals. Staff may assume that all necessary security is built into the payment process, or that ensuring a transaction is secure is not their responsibility. Physicians, medical practices and hospitals may also not realize that some payment devices are more secure than others.
Among the most secure devices are those supporting EMV (Europay/Mastercard/Visa) chip card technology. A magnetic stripe holds static data that a skimmer can copy onto a counterfeit card; the chip is a small processor that holds a key which never leaves the card and computes a unique cryptogram for each transaction, so data captured from one transaction cannot be reused for another. With EMV, instead of swiping the magnetic stripe, the patient inserts the card chip-first into the front of the EMV-capable terminal and leaves it there until the transaction completes.
EMV-capable devices are not required, but as of Oct. 1, 2015, liability for counterfeit card fraud shifted from the card issuer to whichever party lacks EMV support: a medical practice that accepts a chip card by swiping its magnetic stripe now bears the loss. Even though an EMV-capable reader costs more than one without the capability, the investment may well be less costly than the damage to a practice’s reputation and the monetary losses that follow a breach.
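The difference between the two technologies is easiest to see as a replay attempt. The simulation below is an added example, not the page’s code and not real EMV: HMAC-SHA256 stands in for the card’s application cryptogram (real cards compute a 3DES or AES MAC over many more fields), and the issuer key, PAN, stripe data and amounts are constructed. It shows that an exact copy of stripe data is accepted again, while a captured chip transaction is rejected whether it is resubmitted verbatim (the card’s transaction counter has already been used) or through a new terminal (the terminal’s unpredictable number changes the cryptogram).

```python
"""Why a skimmed magnetic stripe can be replayed but a captured chip
transaction cannot. Added, simplified simulation: not the page's code and
not real EMV. HMAC-SHA256 stands in for the card's application cryptogram,
and the keys, PAN, stripe data and amounts are constructed."""
import hashlib
import hmac
import secrets

PAN = "4111111111111111"                      # public test number
STRIPE_TRACK = f"{PAN}=2612123".encode()      # static data a skimmer copies


def card_key(master: bytes, pan: str) -> bytes:
    """Issuer derives a card-unique key from its master key (simplified)."""
    return hmac.new(master, pan.encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, amount: int, atc: int, un: bytes) -> bytes:
    """MAC over amount, the card's transaction counter (ATC) and the
    terminal's unpredictable number (UN); any change alters the result."""
    return hmac.new(key, f"{amount}|{atc}|{un.hex()}".encode(), hashlib.sha256).digest()


class Issuer:
    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)
        self.highest_atc: dict[str, int] = {}   # last ATC accepted per card

    def authorize_stripe(self, track: bytes) -> bool:
        # Only static data to check: an exact copy is indistinguishable.
        return hmac.compare_digest(track, STRIPE_TRACK)

    def authorize_chip(self, pan: str, amount: int, atc: int, un: bytes, ac: bytes) -> bool:
        expected = cryptogram(card_key(self.master, pan), amount, atc, un)
        if not hmac.compare_digest(expected, ac):
            return False                         # wrong key or altered data
        if atc <= self.highest_atc.get(pan, 0):
            return False                         # counter reused: replay
        self.highest_atc[pan] = atc
        return True


class Chip:
    """The card's processor: holds the key, never exports it, counts transactions."""
    def __init__(self, issuer: Issuer) -> None:
        self.key = card_key(issuer.master, PAN)
        self.atc = 0

    def generate_ac(self, amount: int, un: bytes):
        self.atc += 1
        return self.atc, cryptogram(self.key, amount, self.atc, un)


def chip_purchase(issuer: Issuer, chip: Chip, amount: int):
    """One genuine terminal transaction. Returns the issuer's decision and
    everything an eavesdropper on the terminal could capture."""
    un = secrets.token_bytes(4)
    atc, ac = chip.generate_ac(amount, un)
    captured = {"pan": PAN, "amount": amount, "atc": atc, "un": un, "ac": ac}
    return issuer.authorize_chip(PAN, amount, atc, un, ac), captured


def replay_chip(issuer: Issuer, captured: dict, new_terminal: bool = True) -> bool:
    """Attacker resubmits captured data, either verbatim or through a fresh
    terminal that chooses its own unpredictable number."""
    un = secrets.token_bytes(4) if new_terminal else captured["un"]
    return issuer.authorize_chip(captured["pan"], captured["amount"],
                                 captured["atc"], un, captured["ac"])


def simulate() -> dict:
    issuer = Issuer()
    chip = Chip(issuer)
    first_ok, captured = chip_purchase(issuer, chip, 4500)
    return {
        "stripe_original": issuer.authorize_stripe(STRIPE_TRACK),
        "stripe_replay": issuer.authorize_stripe(bytes(STRIPE_TRACK)),  # copy accepted
        "chip_original": first_ok,
        "chip_replay_verbatim": replay_chip(issuer, captured, new_terminal=False),
        "chip_replay_new_terminal": replay_chip(issuer, captured),
        "chip_next_genuine": chip_purchase(issuer, chip, 4500)[0],
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:26} {'accepted' if accepted else 'rejected'}")
```

The issuer-side counter check is what closes the verbatim replay; the per-transaction unpredictable number is what closes reuse through another terminal. A terminal that still falls back to swiping the stripe of a chip card gives up both protections.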
A breach of patient health information can damage an organization’s brand and financial standing. If you have concerns about secure payment processing and protecting your patients’ health information, contact M-Scribe Technologies, LLC today by emailing Patrick.Dougherty@m-scribe.com or by calling 770-666-470. With M-Scribe handling your coding, medical claims billing and auditing, you know your patients’ information is secure.