Collector – August 2019 - 32

sent from providers is not encrypted, and some of that comes from complacency."

Surprisingly, HHS does not expressly require that PHI be encrypted. Although it's optional, encryption provides a layer of protection that decreases risk to both the health care provider and its business associates. Working with providers to agree on standards for exchanging encrypted data is simply a good business practice.

"HHS doesn't mandate that data be encrypted, but when asked for an example of an acceptable use of unencrypted PHI, an HHS official couldn't come up with one," said Scott Brownlee, vice president of operational strategy for Arcadia Recovery Bureau LLC. "Ask yourself if there's a situation when you wouldn't want your own PII or PHI encrypted. The answer is most certainly never."

Establishing and maintaining meaningful policies and procedures to protect data are necessary steps for any agency handling nonpublic consumer data, but such policies are worthless without ongoing employee training and monitoring.

Employees need to know which patient information they should and should not be viewing, along with their responsibilities for ensuring that data remains secure and private.

"Agencies need to deploy, actively use and monitor the same data security that clients use and require, at a minimum," Brownlee said. "Being compliant with HIPAA also requires annual privacy and data security training, testing and proof employees have passed. It needs to be thorough and meaningful. Simply knowing what HIPAA stands for isn't nearly enough."

In April, the Department of Health and Human Services changed how it applies regulations for Civil Money Penalties under HIPAA, reducing the maximum annual fines that can be assessed against covered entities and business associates for lower-level categories of violations. Instead of a $1.5 million cap in a calendar year on all violation tiers, now the maximum fine is $25,000 for violations in the least-severe category, $100,000 in the second tier and $250,000 in the third tier. The maximum remains at $1.5 million for top-tier (i.e., the most serious) violations. HHS said it will use this penalty tier structure "as adjusted for inflation, until further notice."

HIPAA generally requires health care providers to have business associate agreements with any company or individual performing functions on its behalf that require access to protected health information. BAAs define each party's responsibilities regarding PHI handling and use.

Agencies may be tempted to treat BAAs offered by clients in the same manner most people treat website or software terms of service, but that would be a mistake.
"A lot of the BAAs we get are boilerplate agreements," Buck said. "It's important to read them thoroughly to understand the liabilities, reporting conditions and remediation points. Don't just assume that it's a standard boilerplate, so it must be OK. Read it and know what's in it."

Agencies should pay especially close attention to BAA provisions regarding indemnity clauses and reporting.

While HHS does not require BAAs to include indemnity clauses, providers often add them. Agencies should ensure that any such indemnity clauses are reciprocal. Doing so can provide protection in the event the covered entity experiences a security incident outside the agency's control but involving accounts the agency serviced.

Understanding when and how security incidents need to be reported under the terms of BAAs is also essential in the event of a data breach.

"If you have to report security incidents, know how long you have under the BAA to do so," Bender said. "I've seen some crazy provisions that say 'you must report within two hours.' It's nearly impossible to know what happened in an hour or two. Nobody wants to provide a client with only part of the story and no solution. You can't reassure your client that you've safeguarded their information if you don't even know the circumstances yet."
Similarly, pay attention to the requirements for how notice of a security incident needs to be communicated to the client or by the client, depending on the circumstances. Although communicating by email or fax may seem like the most efficient method, such technologies also come with risks. Can you be 100% certain an email notice won't get stuck in a spam filter, or that a fax won't be inadvertently stapled to an unrelated fax that came in after the security breach notice?

"Unless you are absolutely sure that an email or fax that says you have 10 days to remediate a data security issue is going to be seen, it might not be the best way to receive notice," Bender said. "Having a FedEx or UPS envelope that is clearly marked and requires someone to sign that it has been received may be a better way to assure it will be noticed."

Although covered entities are supposed to ensure they have written agreements in place with their business associates, some don't automatically provide them. When this happens, business associates can protect themselves by taking control.

"We have to prove we are servicing accounts pursuant to a written BAA because HHS expects us to have one," Bender said. "If the client doesn't offer one, then we need to offer one. Even if the


