Policy & Regulation News

HIPAA Compliance within Revenue Cycle Management

By Stephanie Reardon

The inclusion of HIPAA transactions is intended to reduce administrative costs, but to do so, medical practices will need to strengthen their revenue cycle management processes.

The healthcare industry is constantly striving to prevent fraud and abuse within the system and to emphasize compliance and accuracy. Revenue cycle management (RCM), the process that includes claims management processing, payment, and revenue generation, is a hospital's first line of defense against these issues. Still, the revenue cycle process can be flawed, causing further problems if it is not suitably standardized.

The HIPAA Security Rule, which was enacted on April 14, 2001, specifically focuses on the safeguarding of electronic protected health information. HIPAA started because of congressional concern about the portability and continuity of health coverage. Congress passed the legislation “In order to increase the efficiency, effectiveness, and cost savings through the use of electronic data interchange in the healthcare industry.”

HIPAA “requires all healthcare providers, healthcare clearinghouses, and health plans to implement and utilize standardized formats when transmitting electronic data.” The inclusion of HIPAA transactions is intended to reduce administrative costs, but to do so, medical practices will need to strengthen their RCM processes.

The RCM process starts with patient scheduling. The key to this step is gathering as much vital patient information as possible. Medical practices should ensure that any protected health information (PHI) is stored and catalogued appropriately. As required by the HIPAA law, practices must “Identify assets and information systems that create, receive, transmit, or maintain” PHI. Hardware on which PHI is stored or shared must be catalogued as required.

In addition to identifying these devices, a practice should have hardware and software firewalls in place and should keep these programs updated as needed. Data encryption is also an important way for a practice to remain HIPAA compliant within its RCM process. The following are examples of information that must be encrypted to ensure HIPAA compliance:

  • Billing information
  • Case management data
  • Lab and clinical data
  • Patient reports and transcripts
  • Emails between patients and doctors, and between referral doctors

Once the patient is scheduled and appears for their appointment, medical documentation must take place. Maintaining clear and detailed patient files is an important part of a practice’s RCM. Without well-maintained documentation, both the services rendered to a patient and the payments received may come into doubt. To prevent missing information and to remain HIPAA compliant, a practice should put a written set of standards in place to maintain accurate documentation.

A practice should then run a risk assessment of these standards and practices to confirm that they “are reasonable and appropriate to provide adequate protection against reasonably anticipated threats or hazards to the confidentiality, integrity, or availability” of PHI. If the risk assessment confirms the suitability of the standards, then they should be implemented.

After the patient’s medical data is recorded and the services are rendered, it’s time for the provider to be reimbursed. Yet claims are often denied and bills go unpaid. To prevent this, a practice should implement additional standards to prevent revenue loss.

An example of revenue loss due to denied claims isn’t difficult to find, and each one leaves unhappy customers in its wake. In New York, a health insurance subcontractor allegedly mishandled the PHI of approximately 500 patients, causing denial letters to be sent to the wrong members. The resolution required additional notifications to be sent and cost valuable company time and money.

Having these processes in place is not enough for a practice to be HIPAA compliant in its RCM. These processes need to be checked and re-checked regularly to ensure HIPAA compliance standards are maintained at all times. As the HIPAA law is changed and amended regularly, a practice that fails to stay on top of these changes can suddenly find itself no longer HIPAA compliant.

The penalties for a practice not meeting HIPAA compliance standards can be fiscally damaging. A practice that violates HIPAA rules will be fined, with a cost ranging from $100 to $50,000 per violation (or per record), up to a maximum of $1.5 million per year, and violations can carry criminal charges which could result in jail time.

These fines and charges are broken down into two categories: Reasonable Cause and Willful Neglect. Reasonable Cause fines imposed upon a practice can range from $100 to $50,000 per incident (release of 500 medical records) and do not involve jail time. However, Willful Neglect fines on a practice range from $10,000 to $50,000 for each incident and can result in criminal charges and jail time.

With full patient records selling for about $500 on the black market, it’s not difficult to see why medical information is considered valuable to modern-day criminals. Along with the unpleasant possibility of steep fines and jail time, this is all the more incentive for medical providers to buckle down on their HIPAA compliance.

Remaining HIPAA compliant in its RCM will not only spare a practice the harsh penalties of non-compliance, but will also protect its patients from losing their personal information in a possible cybersecurity breach. In the long run, keeping its RCM HIPAA compliant will increase a practice’s efficiency and save it valuable time and cost.