We’re excited to announce that Infinx has again been certified for the Health Insurance Portability and Accountability Act (HIPAA) compliance by Control Case, the largest compliance as a service provider.
In addition to this year’s HIPAA re-certification, we’ve also been recently recertified for SOC2 and ISO 27001 security standards. Our compliance certifications ensure that we have implemented the most robust administrative, physical, and technical safeguards to protect the privacy of healthcare consumers and the providers that serve them.
While a HIPAA certification isn’t required by CMS, we proactively ensure HIPAA compliance certification because we handle protected healthcare information (PHI). While many experts recommend provider business associates like Infinx take this step every three years, we get re-certified annually to guarantee the highest level of security to our customers.
Why Is Healthcare Business Associates’ HIPAA Compliance Certification Important?
HIPAA compliance is important for several reasons. It not only protects patient privacy, but it also guarantees patients have rights to their healthcare records, thereby giving them more control over their medical choices. HIPAA compliance certification also demonstrates to consumers and providers that a business associate is dedicated to protecting all parties.
Providers and hospitals ensure compliance with HIPAA in four main ways: training employees, creating policies and procedures, conducting risk assessments, and having physical safeguards in place.
The Department of Health and Human Services has issued [extensive regulations](https://www.law.cornell.edu/cfr/text/45/164.308) with dozens of stipulations covering how any company handling PHI should protect patients. To earn HIPAA compliance, providers and their business associates must demonstrate dedicated processes for:
- Risk management
- Regular risk analysis
- Employee background checks
- Security awareness training
- Facility access
- Workstation security
..and dozens more areas.
Overall, HIPAA sets the standards for how patient information should be kept private and secure by all entities with access to PHI.
How Infinx Complies With HIPAA Requirements
Infinx assigns legal and technical staff to carry out the correct compliance with the regulations delineated in the Electronic Code of Federal Regulations, Subchapter C, Part 164, Subpart C – Security Standards for the Protection of Electronic Protected Health Information, Sections 164.308 – Administrative Safeguards, 164.310 – Physical Safeguards, and 164.312 Technical Safeguards. You can review all stipulations at these links.
We ensure the full administrative, physical, and technical safeguards required are enacted and up to date.
- Administrative safeguards include security management processes such as appropriate clearances, training, login monitoring, data backups, and disaster recovery plans.
- Physical safeguards include facility access controls, controls for appropriate workstation use and security, controls for device and media use and disposal, and more.
- Technical safeguards include access controls including unique user IDs, Emergency access procedures, automatic logoffs, and encryption.
Maintaining compliance is year-round work. Control Case takes six months to review that we meet all stipulations, typically from spring to fall.
How HIPAA Impacts Revenue Cycle Management
HIPAA compliance must be taken into account at every stage of the revenue cycle, from patient registration to billing and collections. Patient health information is involved at every stage, after all. For example, when a patient calls to schedule an appointment, the person who answers the phone must ensure that the caller’s health information is protected. The same goes for when a patient arrives for their appointment and checks in at the front desk. Patients and providers must trust that at each stage of the revenue cycle, safeguards are in place to protect patients’ health information.
HIPAA Penalties Are Designed to Hurt
Although HIPAA regulations spelled are out in meticulous detail, every year, providers and business associates of those providers are fined and even prosecuted for violating these laws. An entity exposing PHI of any patient can be subject to HIPAA violation fines up to a maximum level of $25,000 per violation category, per year. Given that dozens of violation categories exist, it’s no surprise that providers and payers have paid hundreds of thousands or even millions of dollars after breaking the law.
In 2020, the Health and Human Services’ Office of Citizens’ Rights (OCR) collected $13,554,900 in HIPAA violation penalties. In 2021, that figure dropped to $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. Despite this drop, the Department of Justice has recently redoubled its efforts to take action against individuals that have knowingly violated HIPAA rules.
What Happens When a Healthcare Business Associate Doesn’t Protect PHI
The responsibility of protecting patient information is in the hands of providers, groups, hospitals, and the business associates of these organizations. While most do their best to protect all involved, breaches due to negligence or malfeasance occur every year.
The top five most common HIPAA violations involve:
- a non-encrypted lost or stolen computer or another device
- lack of employment training
- database breaches like hacker infiltration
- gossiping and sharing protected health information
- improper disposal of protected health information
While all five result in penalties, database hacking can have the most widespread effects due to the number of patients affected. Unfortunately, the healthcare industry and its business associates are common targets for hackers and cybercriminals.
On April 10, 2014, the FBI informed one Tennessee-based hospital management company that provides legal, accounting, and more management services that the cybercriminal group APT18 had breached its security system. This act exposed the protected health information of 6,121,158 individuals to criminals looking to impersonate and defraud them. Ultimately, they were required to pay HHS a $2,300,000 fine. Many hospitals and individuals were impacted by this failure to protect PHI.
Additional Healthcare Information Security Safeguards
Clearly, protecting consumers’ private health information is essential for healthcare entities and their business associates.
In addition to HIPAA compliance certification, we also obtain SOC Type 2 and ISO 27001 certification yearly. SOC 2, developed by the American Institute of CPAs, is a voluntary compliance standard for service organizations. It sets the standards for how organizations should manage customer information and data. ISO 27001, developed by the International Organization for Standardization, set the standards for the overall management of information security.
Dedication To Patient And Provider Security
HIPAA compliance is essential for any healthcare organization that wants to protect its patients’ privacy and safeguard their data. But compliance isn’t just about avoiding fines. It’s about maintaining trust between patients, healthcare providers, and vendors and ensuring sensitive patient information stays out of the wrong hands. When it comes to revenue cycle management, HIPAA must be taken into account at every stage of the revenue cycle. Your revenue cycle management partner should have the compliance certifications that ensure you keep your patients protected.
To learn more about how we protect your organization’s data security and privacy, reach out to us here to speak to a customer service associate and request a copy of our security and compliance posture.