This article was originally written by Privacy Attorney, Leslie Bender and published in October, 2020. It has recently been updated and republished.
As the number of folks working from home has skyrocketed during the pandemic, the effects of being more digitally connected have been both good and bad.
Reports of suspected cybercriminal attacks to the Federal Bureau of Investigation's Internet Crime Complaint Center (known as the "IC3") are up 400% from pre-pandemic levels.
The targets for attacks are not only large global companies, but also governmental authorities, small businesses, non-profits, healthcare organizations, and even individuals.
According to a report issued by Barracuda, nearly half of all businesses expect a significant data breach or cybersecurity incident as a result of some form of remote workforce strategy.
Some of the most trusted brands, including Honda, Garmin and Canon, first reported "technical difficulties" and later confirmed they had experienced a cyberattack.
In addition to destructive ransomware attacks, phishing and social engineering attacks targeting individuals have grown more believable and more effective. Cyber experts report that in the United States alone, phishing and social engineering scams against individuals number between 20,000 and 30,000 daily.
For credit or collections businesses handling revenue cycle and debt collection work for healthcare organizations, what are some HIPAA, data protection and privacy concerns that merit a closer look?
Privacy Protection Practical Issue 1: Verifying Right Party Contacts (RPCs)
Now more than ever our customers are reading the news about privacy, cybercrime, scams, and other fraudulent schemes to be wary of.
Taking time to run a refresher with your consumer-facing employees may be helpful. Focus on properly self-identifying on calls and on actively listening during verification to ensure employees have reached the right party. Consider role-playing or other interactive exercises to reinforce the privacy protection message.
Both the Fair Debt Collection Practices Act (FDCPA) and the Health Insurance Portability and Accountability Act of 1996 (together with its implementing regulations, HIPAA) contain prohibitions against third-party disclosure.
Taking extra steps to trust (but verify) that a caller or called party is who they represent themselves to be makes good sense, given the increase in fraud and cybercrime.
Privacy and Data Protection Practical Issue 2: Too Much Information (or Protecting TMI)
During the height of the pandemic, concerns were running high about what to believe in the news about the coronavirus: when you may have been exposed, when you should self-quarantine, when you should be tested, and how widespread the virus may be in your community.
Double check any policies or procedures you have in your office with the materials that have been frequently updated by the Department of Labor, Centers for Disease Control & Prevention, and other federal organizations.
As more circumstances come to light, these agencies offer bulletins, frequently asked questions, and other materials to help businesses (and individuals) interpret what information can and should be shared in an employment context and how to best protect the safety of employees in their workplace.
Patient Privacy Practical Issue 3: Privacy Regulations for Medical and Healthcare Organizations
The national minimum standard for medical and patient privacy is found in the Health Insurance Portability and Accountability Act of 1996 and its regulations and amendments, known as HiTRUST (collectively, HIPAA). Long before HIPAA was enacted, however, most states in the United States already had some form of medical and patient privacy law, and those laws vary from state to state.
HIPAA is a great starting place for understanding the personal data privacy rules of the road related to medical billing and healthcare collections (as well as some of the data breach, data security, and standardized electronic transactions rules).
Practical Issue 4: Privacy Protection Concerns for Front-Line Agents
Among the top privacy concerns that may impact front-line agents are:
1) a malicious caller impersonating the customer in an attempt to obtain confidential information or commit some form of financial fraud;
2) money laundering situations in which a third party "overpays" and then demands a refund of all or a portion of the funds supplied (while the original payment may be flawed in some manner);
3) a malicious caller who "socially engineers" the agent by pretending to be the customer, a federal agency, a court, a consumer advocacy group, or even an attorney general and demands immediate disclosure of sensitive or proprietary information (which would later be used to perpetrate some form of fraud).
Patient Data Privacy Practical Issue 5: Remote Workforce Concerns in Healthcare Collections
Among the top issues being addressed with a remote workforce are the methods by which consumer payments are taken or that consumers may share non-public information with the collection agency.
Secure portals and "curbside" contactless payment options give front-line agents a convenient way to work with a customer while giving consumers a secure way to submit payment information or to self-serve debt substantiation.
Agencies that retain their key telephony and computing resources in secure environments let agents log in/out securely, without storing other paper or electronic information in agents’ homes.
These systems have no greater privacy and data security risks than if agents were working on premises with similar setups.
Data Protection and Privacy Practical Issue 6: Consequences of Violating Privacy and HIPAA Regulations
Nothing has changed here since enforcement of HIPAA began in 2003 (although in 2009 the fines and penalties increased when the law changed). There are both civil and criminal penalties for violating HIPAA.
The consequences are shaped to fit the gravity of the abuse, misuse or theft of patients’ non-public information known under HIPAA as “protected health information” or “PHI.”
While there is no private cause of action for violating HIPAA, in recent years we have seen many creative plaintiffs' attorneys bring actions with privacy-sounding claims.
For example, if a third party has allegedly received a call about a collection matter, a plaintiff's attorney may insert a claim in a lawsuit stating that the consumer has suffered a "breach of privacy" or an "intrusion into seclusion."
PDCflow for HIPAA Compliance, Data Protection and Privacy
PDCflow's HIPAA- and PCI-compliant Flow Technology allows agents to collect payments without the risk of a data breach, even when working remotely. Send HIPAA-compliant communication workflows that can be delivered via email and SMS. Organizations can send messages or documents, get esignatures, or request photos, files, and payments while keeping PHI safe.
Our secure messaging and payment platform provides:
- End-to-end encryption: messages and payments are encrypted in transit and at rest, so data is kept secure.
- Dual authentication: companies can require recipients to enter a PIN before accessing messages, so they remain private.
- Uneditable final documents: sensitive data and documents sent for review or esignature can't be altered.
- Audit trail: PDCflow's digital audit trail includes geolocation information, date/time stamp, and delivery method of a message, for both you and recipients to keep for your records.
- Access controls: administrators can lock down workflows by template, location, department, and user, protecting PHI by controlling who can access information.
- Integration: using open APIs, your company can integrate HIPAA-compliant esignatures and secure messaging into a current system of record.
Do you want to protect patient PHI and speed up the office processes when sending protected and privacy related data? Request a demo with a PDCflow Sales Executive today.
About the Author
Leslie Bender, IFCCE, CIPP/US, CCCO, CCCA, is an articulate corporate executive with over 30 years of experience handling compliance, regulatory, transactional and legal matters for hospitals and financial services companies. Recognized as a national expert on HIPAA and other information privacy and security laws, she was one of the first privacy officers internationally accredited as a Certified Information Privacy Professional.