The Health Insurance Portability and Accountability Act (HIPAA) pertains to more than just covered entities and healthcare companies. The HIPAA Privacy Rule was established to set national standards that protect an individual’s protected health information and personal data. The transition to electronic medical record keeping has created a need for secure systems and methods to protect sensitive data. This privacy rule applies to:
- Health plans
- Health care clearinghouses
- Health care providers
However, healthcare activities and functions do not live solely within these three areas, and other services or businesses require access to protected health information. The privacy rule allows health plans, clearinghouses, and health care providers to disclose protected health information to business associates such as insurance companies.
The HIPAA Privacy Rule establishes that these business associates may obtain sensitive information only for purposes that pertain to the covered entities — and that they must comply with regulations ensuring the information is protected from misuse. This requires insurance companies to implement HIPAA practices and resources to ensure the safety and security of protected health information.
A Deeper Dive into Business Associates
According to HIPAA, a “business associate” can be either a person or an entity that uses or discloses protected health information on behalf of a covered entity — or in the course of providing a service to it.
Some of these functions or services can include:
- Claims processing or administration
- Data analysis
- Utilization review
- Quality assurance
- Benefit management
- Pricing management
Insurance companies often need to assist with claims processing, which means they are considered business associates and must be familiar with the HIPAA compliance checklist.
Insurance Companies & Medical Record Retrieval
Insurance companies that handle medical records are required to protect sensitive data at all times. Whether during the transfer or the storage of protected health information, there must be technical, physical, and administrative safeguards in place that keep medical records safe from potential breaches.
- Technical safeguards such as NIST encryption standards and breach protocols are required. Insurance companies must implement the technical safeguards that HIPAA has established in order to protect themselves from potential breach penalties.
- Servers, cloud systems, mobile devices, workstations, computers, and remote data centers require physical safeguards that offer protection from breaches. Whether protected health information is being transferred, accessed, or stored, all of the physical locations mentioned above require the physical safeguards that HIPAA has established.
- Because the consequences of a medical record breach are severe, administrative safeguards need to be put into place by insurance companies to ensure proper risk assessment, contingency planning, risk management, training, and other administrative tasks. These not only mitigate the potential damage of a breach but are also a necessity for insurance companies.
Insurance companies rely on speedy and secure medical record retrieval, whether they handle retrieval in-house or outsource it to a medical record retrieval service.
In-house retrieval can be a cheap alternative on the surface, but the potential risks associated with breaches or the time spent by team members on medical record retrieval can be far more costly. Outsourcing medical record retrieval to a trusted service can be a sound alternative to in-house work.
If you’re wondering about how you should choose your designated medical record retrieval partner, we’ve covered some of the basics in an article called “Questions You Should Be Asking Your Medical Record Retrieval Partner.” Some quick takeaways from that article include:
- Inquiring about their core competencies and capacity
- Getting to the bottom of their level of experience
- Understanding which platforms they use
- Asking what costs are associated with their service
What are the Risks of HIPAA Compliance Failure?
Medical record breaches plague many covered entities and business associates every year, costing $6.5 million on average.
Whether these breaches stem from cyberattacks or negligence, the cost of a medical record breach can be severe, causing significant damage to a company’s future. Medical records contain a lot of sensitive data, including personal information that can lead to identity theft and more.
Some of the largest breaches in the history of healthcare have been at the hands of insurance companies. In 2015, Blue Cross Blue Shield had three of the largest breaches in the history of healthcare — affecting nearly 100 million people.
The penalties for medical record breaches reflect the severity of the violation and how the business associate, such as an insurance company, responded to it. There are four tiers, each of which indicates the harshness and price tag associated with the breach. Understanding these tiers, along with the varying consequences of a medical breach, is crucial for insurance companies that want to avoid compliance fines during their time in business.
Why Outsource Medical Record Retrieval
While many insurance companies choose to manage their medical record retrieval processes themselves, it may not be worth the risk, especially today.
The complex structure of the HIPAA guidelines and the intensive compliance requirements can be a challenge to adhere to for busy staff who are splitting their focus between core competencies and medical record retrieval. It’s a detail-driven workload, and simple mistakes or errors can lead to substantial complications.
Outsourcing medical record retrieval to a designated service that is devoted to the ins and outs of protected health information can be a sound investment. The amount of resources it takes to manage the retrieval process alone can justify the cost — but the potential consequences of a medical record breach are where it becomes especially cost-effective.
As mentioned above, the millions of dollars lost each year by business associates that have suffered breaches can be devastating, and administrative staff should be doing everything in their power to avoid these risks.
Finding a reliable medical record retrieval partner with a HIPAA compliant portal, seamless system integration, and OCR capabilities can make a significant impact on insurance companies around the country.