There’s No Place Like Home: HIPAA, Pandemics, & Cybercrime

As the number of folks working from home has skyrocketed during the pandemic, the effects of being more digitally connected have been both good and bad. Reports of suspected attacks by cybercriminals to the Federal Bureau of Investigation’s Cyber Division (known as the “IC3” or Internet Crime Complaint Center) are up 400% from pre-pandemic reports.1

The targets for attacks are not only large global companies, but also governmental authorities, small businesses, non-profits, healthcare organizations and even individuals. According to a report issued by Barracuda.com, nearly half of all businesses expect a significant data breach or cybersecurity incident due to some sort of remote workforce strategy. Some of the most trusted brands like Honda, Garmin and Canon first reported “technical difficulties” and later confirmed they had experienced a cyber attack.2

In addition to the destructive ransomware attacks, phishing and social engineering attacks targeting individuals have grown more believable and effective. Cyber experts report that in the United States alone, phishing and social engineering scams against individuals number between 20,000 and 30,000 daily.

So for credit or collections businesses handling revenue cycle and collections work for healthcare organizations, what are some HIPAA and other privacy concerns that merit a closer look while the pandemic continues?

Practical Issue 1: Verifying Right Party Contacts (RPCs)

Now more than ever our customers are reading the news about privacy, cybercrime, scams, and other fraudulent schemes to be wary of. It may be helpful to take time for a refresher with your consumer-facing employees, focusing on properly self-identifying on calls and actively listening during verification to assure they have reached the right party. Consider some role-playing or other live (if virtual) interactive opportunities to reinforce the privacy message.

Both the Fair Debt Collection Practices Act (“FDCPA”) and the Health Insurance Portability and Accountability Act of 1996 (and accompanying regulations – “HIPAA”) contain prohibitions against third party disclosure. Taking extra steps to trust but verify that a caller or called party is who he or she claims to be makes good sense given the increase in fraud and cybercrime.

Practical Issue 2: Too Much Information (or Protecting TMI)

Concerns are running high about what to believe in the news about the coronavirus – when you may be exposed to it, when you should self-quarantine, when you should be tested, and how rampant the virus may be in your community. Double check any policies or procedures you have in your office with the materials that have been frequently updated by the Department of Labor, Centers for Disease Control & Prevention, and other federal organizations.3

As more circumstances come to light these agencies offer bulletins, frequently asked questions and other materials to help businesses (and individuals) interpret what information can and should be shared in an employment context and how to best protect the safety of employees in their workplace.

Practical Issue 3: Privacy Regulations for Medical and Healthcare Organizations

Although the national minimum standard for medical privacy is found in the Health Insurance Portability and Accountability Act of 1996 and its regulations and amendments known as HiTRUST (collectively, “HIPAA”), most states in the United States had some form of medical privacy law, varying from state to state, long before HIPAA was enacted. HIPAA is a great starting place for understanding the privacy rules of the road related to medical billing and healthcare collections, as well as some of the data breach, data security, and standardized electronic transactions rules.

Practical Issue 4: Privacy Concerns for Front-Line Agents

Among the top privacy concerns that may impact front line agents are:

1) a malicious caller impersonating the customer to try and get confidential information or commit some form of financial fraud;

2) money laundering situations in which a third party “overpays” and then demands a refund of all or a portion of the funds supplied (but the original payment may be flawed in some manner);

3) a malicious caller who “socially engineers” and pretends to be the customer, a federal agency, a court, a consumer advocacy group, or even an attorney general and demands immediate information that is sensitive or proprietary (which information would later be used to perpetrate some form of fraud).

Practical Issue 5: Remote Workforce Concerns in Healthcare Collections

Depending upon the manner in which collections are conducted, among the top issues being addressed with a remote workforce are the methods by which consumer payments are taken (is it contactless from the agent’s and consumer’s perspective?) and the fact that consumers may share non-public information with the collection agency. Secure portals and “curbside” contactless payment options, which allow a front line agent to speak with a customer who has his/her own secure way to submit payment information or self-service debt substantiation, are among the solutions agencies are considering to handle this challenge.

Agencies that have retained their key telephony and computing resources in secure environments and to which agents log in/out securely (but with no paper or other electronic information actually stored in agents’ homes – and subject to the same control factors) may have no greater privacy/data security risks than if agents were working on premises with similar set ups.

Practical Issue 6: Consequences of Violating Privacy and HIPAA Regulations

Nothing has changed here since enforcement of HIPAA began in 2003 (although in 2009 the fines and penalties increased when the law changed). There are both civil and criminal penalties for violating HIPAA.

The consequences are shaped to fit the gravity of the abuse, misuse or theft of patients’ non-public information known under HIPAA as “protected health information” or “PHI.” While there is not a private cause of action for violating HIPAA, in recent years we have seen many creative plaintiffs’ attorneys bringing actions with privacy sounding claims. For example, if a third party has allegedly gotten a call about a collection matter a plaintiff’s attorney may insert a claim in a lawsuit stating the consumer has suffered a “breach of privacy” or an “intrusion into seclusion.”

PDCflow's HIPAA and PCI compliant FLOW Technology allows agents to collect payments without the risk of a data breach – even when working remotely. To learn how FLOW Technology can improve your remote work compliance and security, download our how-to guide.

– ABOUT THE AUTHOR –
Leslie Bender

Leslie Bender, IFCCE, CIPP/US, CCCO, CCCA, is an articulate corporate executive with over 30 years of experience handling compliance, regulatory, transactional and legal matters for hospitals and financial services companies. Recognized as a national expert on HIPAA and other information privacy and security laws, she was one of the first privacy officers internationally accredited as a Certified Information Privacy Professional.
