Beyond HIPAA: 4 Security Regulations That Should Inform Your Revenue Cycle Best Practices
When was the last time you updated yourself on the slew of regulations that impact hospital revenue cycle?
If you have to think too hard, that’s probably a good sign you and your organization are at risk of running afoul of one of the many standards that silently hover above your daily operations. While they might seem like an annoyance, from the right perspective, they can actually be a benefit.
Checking in with the regulatory landscape won’t just help you avoid fines, penalties, and PR nightmares — some fall directly in line with your most pressing initiatives and can even help keep you on track with your key strategic communications and patient experience goals.
This isn’t an exhaustive list, but it will get you caught up in some of today’s most pertinent revenue cycle regulations.
IRS 501(r) and Your Financial Communications
501(r) is a perfect example of a government regulation that feeds directly into crucial hospital initiatives. At its heart, IRS section 501(r) addresses the financial relationship between 501(c)(3) hospitals and their financial assistance patients, calling for these hospitals to meet four requirements:
- Establishing written financial assistance as well as emergency medical care policies
- Limiting the amount charged for medically necessary and emergent care for individuals who fall under a hospital’s financial assistance policy
- Not engaging in collection actions against an individual until reasonable efforts have been made to determine their eligibility for assistance under the hospital’s financial assistance policy
- Conducting a Community Health Needs Assessment (CHNA) at least once every three years and adopting an implementation strategy
All four of these elements fall directly in line with strategic communication initiatives that prioritize charity patients and vulnerable uninsured populations. Watch our short regulatory video series to learn more about 501(r).
PCI DSS and Your Credit Card Transactions
If you’re making strides in your POS payment options, PCI Data Security Standards (DSS) should be a standard with which you’re familiar.
Introduced over 10 years ago, the standards help reduce the risk of payment data breaches that are common in the industry. The standards apply to any entity (vendors included) that stores, processes, or transmits cardholder data and address security requirements around the management of devices used in the protection of cardholder PINs and other payment process activities. Requirements are similar to best practices and involve goals such as:
- Building and maintaining a security network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
We’re now on PCI DSS version 3.2 where updates include changes to the treatment of multi-factor authentication and penetration testing on segmentation controls. If you’re looking to update your own payment security best practices and vendor management policy, the latest PCI DSS is a great place to start.
SSAE 16, SOC 2 and Your Security Standards
Most security professionals agree HIPAA is just the beginning of healthcare security standards. Still, determining what life beyond HIPAA looks like can be difficult, and this is where regulations like Statement on Standards for Attestation Engagements, Service Organization Control (SSAE SOC) come in.
Born out of the world of accounting, SOC 2 (and SOC 3) reports deal with a service organization’s controls and how they treat the security, availability, or processing integrity of that organization’s system or the privacy or confidentiality of the information the system processes.
These reports (and the associated seals) are especially useful in a world of cloud computing and outsourcing, where hospitals still hold liability for breaches and security issues that might occur with a vendor or business associate. Here are a few additional details on SOC 2:
- Uses the Trust Services criteria
- Includes a description of the service auditor’s tests of controls and results
- Holds some similarities to SOC 1
- SOC Type 2 reports cover management’s description of a service organization’s system as well as the operating effectiveness of controls and suitability of the design
SOC does tie into other security frameworks, which is why AICPA offers mapping documents like this.
PCI P2PE and Your Credit Card Devices
Circling back to credit card data protection, PTPE (point-to-point encryption) has granted hospitals the ability to skip past network segmentation and still maintain secure payment environments. The PCI P2PE standard was established by the PCI Standards Council and covers encryption of data from the point of a swipe or dip until the data makes it to a solution provider’s security decryption environment.
For hospitals, this comes down to device compliance standards around in-person and phone payments and includes controls around tamper-evident packaging, chain-of-custody management, and installation. PCI Security also offers resources to help you find qualified integrators and resellers who meet their standards.
In this complex patient engagement and security environment, revenue cycle leaders must find an equilibrium between meeting existing standards and keeping a pulse on future regulatory expansions — a necessary balancing act in building effective security and communication strategies that support a comprehensive approach to data security.
This article was originally published on RevSpring and is republished here with permission.