Article

Policies for Revenue Cycle Management to Consider to Prevent Data Breaches

Share via LinkedIn Share via Twitter Share via Facebook Share via Email

Policies for Revenue Cycle Management to Consider to Prevent Data Breaches

Resolving medical payments may seem like a never-ending hassle for healthcare providers, but it’s no match for the slew of cybercriminals that are increasingly targeting hospitals and stealing patient data to sell on the black market. It’s relatively simple for expert hackers to breach an organization’s network and swipe large batches of PHI. Bad actors can also often operate undetected for long periods of time—that is, until patients begin receiving erroneous bills for expensive services and procedures they did not receive.

Medical records are worth 10 times more than credit card information on the black market, with the average data breach costing hospitals $429 per record, according to a 2019 report by the Ponemon Institute and IBM Security. Not only does this cost hospitals millions of dollars in damages, but also it can put patients at-risk and tarnish a hospital’s reputation for years to come.

Though some hospitals may lack the resources to invest in a high-tech, iron-clad data security system, they can protect themselves from the onslaught of cyberattacks by establishing a stronger culture of compliance, especially regarding their revenue cycle management practices. Enhancing the following compliance safeguards, programs and internal checks and balances can help safeguard hospitals from data breaches that compromise patient privacy and expose them to lawsuits.

Identity theft: Hackers use stolen medical and financial data from patients for everything from filing bogus health insurance claims to buying medical equipment and drugs to resell for profit. Hospitals can squash these attacks by ensuring that PHI in electronic medical records is stored properly in systems with the latest hardware and software firewalls and patches in place. IT staff should regularly perform audits to review security controls, expose system vulnerabilities and potential threats and create hospital-wide procedures for alleviating risks. With the growing use of medical and digital devices in hospitals, providers must also ensure that PHI is encrypted at every stage, from patient scheduling to discharge to payment.

Codes of conduct: Hospital leaders should make sure they are communicating cybersecurity risks to staff across departments and set proactive policies for securing patient records. This might include limiting the amount of patient data hospital users can access and restricting it to only the data they need to do their jobs. Managing permissions for data access and requiring identity verification for patients logging into portals helps keep sensitive information out of the wrong hands and makes monitoring unusual activity easier. With malware attacks fueling a growing percentage of data breaches, hospitals should educate employees on how to recognize and handle suspicious emails and other phishing attempts so they don’t unknowingly expose their systems to hackers.

HIPAA privacy training: With many hospitals and clinics still transitioning from paper to electronic records, it’s important to train employees on how to keep PHI secure at all times and how to properly dispose of or share files.

Biller education: Employees can serve as a frontline of defense against cyberattacks, but hospitals must do their part by providing staff with continuous education and training to keep them up to speed on changing regulatory requirements for data security and protocols they need to follow to protect patient privacy and thwart attacks. Administrators should set up internal checkpoints for employees who communicate with patients about billing and train them to avoid negligent practices, such as transcribing credit card numbers on slips of paper, leaving patient forms lying around or working remotely from unsecured networks.

TCPA: The Telephone Consumer Protection Act (TCPA) already requires providers to obtain proper consent from patients before calling them to collect payment for healthcare services. But along with validating and updating patient contact information, hospitals must also take steps to secure this information from cybercriminals who could use it for fraudulently.

Curious to learn how Parallon utilizes a culture of continuous compliance to guide revenue cycle management? Reach out to one of our experts today to learn more.