At the core of the scheme is the fact that HIPAA protects only patient data (protected health information, or PHI). As a provider, you have business associate agreements (BAAs) with your vendors, including your EHR provider and your clearinghouse, to uphold HIPAA regulations. Most providers don’t realize those agreements don’t cover their own financial data because it’s not PHI.
In the last few years, the data brokers who deal in obtaining and reselling de-identified patient data have realized that there’s value in provider financial data (more on this in a moment). They’ve approached large EHR vendors and clearinghouses to see if they’re willing to sell data such as the number of patients a practice sees in a month/year and how much money the practice makes. Those vendors have access to every patient record and/or claim, which easily reveals the broader financial picture. And unlike patient data, which can only be purchased in a de-identified form, provider data includes the name and location of the practice.
To read the full article, authored by Rob Stuart, founder and president of Claim.MD, visit BC Advantage Magazine.