HIPAA / HITECH Enforcement – Page 15 – RISC Management and Consulting

The HIPAA Omnibus Rule enhances requirements and penalties for covered entities and business associates alike. As organizations rush to comply with the new rules, many are turning to Gazzang, the big data security experts, for help securing protected health information (PHI) and partner RISC Management to assess, document, and achieve compliance.

Join Chris Heuman- Practice Leader of RISC Management & Consulting along with David Tishgart-Senior Director of Marketing at Gazzang as they present information to understand what constitutes a breach and how best to protect regulated data such as electronic Protected Health Information (ePHI). Discover the best route for navigating the breach risk assessment requirements and minimize your chances of having to report a breach!

Gazzang zNcrypt™ for Health Care can be applied easily, quickly, and economically as a solution for data privacy and security requirements defined within HIPAA and HITECH. Through AES-256 encryption, advanced key management, and process-based access controls, zNcrypt provides transparent data encryption for any database or application running on Linux, including big data environments. Additionally, Gazzang zTrustee™ protects the Gazzang encryption keys with several layers of advanced techniques to ensure the key is only accessible by authorized parties. In the event of a data breach, encryption can help organizations protect sensitive PHI and may enable them to claim “Safe Harbor.”

“Data breaches such as the one experienced by Advocate Health Group affecting more than four million patients, and the subsequent huge class action lawsuit need not occur. A thorough risk analysis, as required by HIPAA, and implementation of stable, supportable encryption technology could have saved the organization a great deal of cost and time, and more than four million patients a lot of stress.” said Chris Heuman, Practice Leader at RISC Management.

Gazzang and RISC Management are hosting a webinar titled, “Are You Ready for the Final HIPAA Omnibus Rule Changes?” on Wednesday, November 6 at 12:00 p.m. ET. Click here to register and learn what constitutes a breach and how best to protect regulated data such as ePHI.

About RISC Management

RISC Management is an organization dedicated to data privacy and information security, focused primarily on healthcare, banking and finance, and higher education. RISC helps to protect the regulated and sensitive data of our clients and their customers. RISC provides a wide array of compliance and security services to help ensure our clients understand legal and industry requirements. Our experts identify, analyze, document, and remediate risks and vulnerabilities to protect sensitive information. For more information visit www.RISCsecurity.com .

Media Contact

RISC Management
Rose Rienton, MSN, RN

Rose.Rienton@RISCsecurity.com

About Gazzang

Gazzang provides data security solutions and expertise to help enterprises protect sensitive information and maintain performance in big data and cloud environments. Our technology enables SaaS vendors, health care organizations, financial institutions, public sector agencies and more to meet regulatory compliance initiatives, secure personally identifiable information and prevent unauthorized access to sensitive data and systems. The company is headquartered in Austin, Texas and backed by Austin Ventures and Silver Creek Ventures. For more information, visit www.gazzang.com.

Media Contact

Gazzang
Cybele Diamandopoulos

(512) 535-4422

cybele@foliocom.com

Ghost Cards for Claims Payment? Should Healthcare Providers Be Scared?

By Renae D Price, CMPE, CHFP, CPA

Boo All healthcare industry stakeholders and others have heard about electronic claim payments and Medicare has been paying hospitals electronically since 1993. A new payment mechanism is being adopted by claims payers that will be seen by most, if not all, providers across the United States in 2014. Health plans and third party administrators are implementing “ghost card” or “virtual card” card payments for claim payments. In contrast to receipt of a check or a direct deposit, providers may receive a paper document or a fax that contains a WebEx link to access for release of fund. Providers are instructed by the document to go to the web and process a one-time payment that will pay the claim through the merchant card network. Providers who “accept” this form of payment will receive their funds along with other funds for credit card payments from consumers.

Should providers readily accept virtual card payments?

Providers are sometimes told that they MUST accept such card payments based on their contract with the merchant card provider, which requires acceptance of all presented cards. That agreement requirement is about presentment of physical cards and does not include these virtual cards….But how many collectors know the details of their merchant card contract? Many simply process the payment to help meet monthly collection goals.

Generally speaking, the typical merchant card vendor used by a provider imposes an “interchange rate” or a discount fee applied to such a payment at a rate of 3.0 % or more of the claims payment amount. That means a provider only receives 97 cents for every dollar paid by the health plan in this process. How many provider organizations can afford to give up 3% of their revenues? The attraction of this “ghost card” process to claims payers is it changes the transactional claims-payment expense into a revenue center instead of an expense center. The merchant card network is able to pay a rebate back to the claims payers that may be as high as 1.5% of claims paid in this fashion. Health Plans and self-insured claims payers are not the only users of this process as the VA system has adopted it as well. Many hospitals use this type payment processing to pay supplies and other vendors but this use for claims payments is relatively new.

After January 1, 2014, any ambiguity about how providers are to be paid goes away. The Affordable Care Act (Obama Care) made electronic claim payments through electronic funds transfer a required HIPAA standard. Under the ACA “Operating Rules” that standard is promulgated and clearly defined as an electronic claim payment as an ACH (Automated Clearing House) transaction, not a card transaction. If readers are not familiar with ACH payments, think about your direct deposit of payroll or monthly social security payments. The adopted ACH format is known as a CCD plus addenda or CCD+ format.

The cost to the providers to accept ghost card payments varies greatly between card and ACH payment methods. For an example, consider the impact of processing a $2,500 claim payment. A $2,500 claim payment paid via an ACH would result in bank charges at or around 34 cents. The same transaction paid via a ghost card would result in an interchange fee (cost to provider) of $47.60. Providers in some states have seen requests to pay six figure claims in this manner and if accepted pay thousands of dollars to process one claim payment. Every market indication is that more payers will be attempting to pay via cards in 2014 due to the attraction of a rebate to them.

What should providers do?

It is important for senior financial management staff to set policy with regard to health plan card payments for claims payment. Some providers may opt to accept virtual card payments as a matter of routine, yet staff should be provided specific guidelines and possibly claims payment amount limits. If an organization opts to never process virtual card payments, revenue cycle staff and management should ensure adherence to the “no ghost cards” processing policy. A strict no-acceptance and no-exception policy by a Providers is possible beginning January 1, 2014 based on Obama Care provisions that supersede prior ambiguous legalities cited by health plans requiring Providers to accept virtual card payments. They now have no legal leg to stand on as The Operating Rules clearly state that HIPAA covered plans MUST comply and provide an ACH electronic funds transfer. During initial implementation, healthcare financial professionals may have to quote chapter and verse of the operating rules. They may also have to go so far as to use the new CMS anonymous complaint mechanism to ensure HIPAA compliant claims payments.

For further details, please contact renae.price@RISCsecurity.com or phone 502.727.3787 to leave contact information.