More and more finance teams are integrating PHI into their accounting systems to facilitate activities including patient collections, new products and services and insight into performance-based reimbursement programs. As a result, financial and business leaders can no longer assume the risk of a potential breach is limited to clinical software and must become more aware of the changing dynamics and risks associated with protecting their patients’ PHI in the financial suite.
If we use 2020 as an example, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a record 19 resolution agreements under the Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy Rule despite the ongoing pandemic.[1] This shows that OCR did not lose sight of the continuing need for provider organizations to secure protected health information (PHI) from potential breaches. All signs point to OCR and HHS continuing to enhance HIPAA regulations in response to the continuing pandemic, as provider organizations expand their use of PHI and participate in new business models such as value-based reimbursement.[2]
Simply rolling back the use of PHI is not an option either, as the “toothpaste is already out of the tube,” and PHI now plays a critical role in understanding the financial performance of the business. Financial leaders must instead employ strategies to ensure their policies, procedures and financial management systems are HIPAA-compliant.
PHI is defined as “health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”[3] Beyond the information contained within medical records, correspondence, billing information and virtually any other patient-identifiable information are also considered PHI and must be protected from potential breach. That means something as simple as a patient name can be considered PHI.
Healthcare organizations, including health plans, providers and clearinghouses, must follow HIPAA guidelines and the HIPAA Privacy Rule. They must also have contracts in place (called Business Associate Agreements) with many of their contractors and subcontractors that safeguard the use of PHI and ensure it is not disclosed in violation of HIPAA. Organizations that fail to protect PHI or experience a breach put themselves at risk of a HIPAA violation.
Sage Intacct is certified as HIPAA- and HITECH-compliant by Avertium (formerly Sword & Shield) and enters into Business Associate Agreements with eligible healthcare clients.
And the impact can be significant: healthcare data breaches cost an average of $6.45 million to remedy, 60% more than the cross-industry average. That equates to an average of $429 per lost or stolen record, covering breach detection and response, notification of affected patients, lost business due to downtime, reputational damage, and the impact on patient trust.[4]
To help finance leaders better manage and protect PHI in their own teams and across the organization, Sage Intacct recently retained market research firm Porter Research to assess finance leaders’ awareness and understanding of the risks associated with PHI and HIPAA violations.
The resulting whitepaper, “New Research: Finance Professionals & PHI,” reviews five key findings including:
As you hit the ground running in 2021 and use PHI to understand the financial performance of your organization, be ready for the next change to HIPAA and the HIPAA Privacy Rule and what it might mean for your business.
Melissa O'Dowd is Principal Industry Marketing Manager, Healthcare at Sage Intacct.