While behavioral health providers focus on safeguarding patient data, they might be unaware that their own financial data is at risk. It might sound like a scam, but the reality is that while patient data is protected under HIPAA, a provider’s financial data isn’t—and it’s being captured and sold.
Understanding the Risk
HIPAA regulations are designed to protect patient data, also known as Protected Health Information (PHI). Providers often assume their business associate agreements (BAAs) with vendors like EHR providers and clearinghouses cover all their data. However, these agreements typically protect only PHI, leaving financial data exposed.
In recent years, data brokers who trade in de-identified patient information have discovered the value of provider financial data. They’ve approached major EHR vendors and clearinghouses, offering to buy information such as the number of patients seen, revenue generated, and practice locations. Unlike de-identified patient data, provider financial data can be sold with identifiable information, such as the practice’s name and location.
The Appeal of Provider Financial Data
Provider financial data is valuable for several reasons:
- Acquisitions: Companies looking to acquire practices want detailed financial insights before making offers.
- Market Analysis: Firms can identify profitable regions and successful practice types for expansion.
- Poaching: Competitors may use the data to target and poach profitable practices.
- Credit Ratings: Credit rating agencies can assess a practice’s financial health.
- Cybersecurity Threats: Hackers might use the data to obtain tax IDs and National Provider Identifiers for fraud.
- Payment Theft: Thieves could potentially reroute claim payments intended for the practice.
Why Providers Are Unaware
The sale of provider financial data is typically kept quiet by the EHR vendors, clearinghouses, and data brokers profiting from it. These entities have little incentive to disclose such practices to providers, who often remain unaware their data is being sold.
Steps to Protect Your Practice’s Data
To safeguard your financial data, consider these steps:
- Reevaluate Contracts and BAAs: Understand that your current agreements likely do not protect your financial data. BAAs focus on patient data security, not the financial data of your practice.
- Direct Inquiry: Ask your EHR vendor or clearinghouse directly if they sell your financial data. Even if they claim they do not, request a signed agreement stating they will not sell your data in the future.
- Examine Third-Party Access: Investigate which third parties have access to your data through your clearinghouse. While some third-party processing is necessary, ensure your clearinghouse is transparent about these practices.
Concerns with De-Identified Patient Data
In addition to financial data, data brokers remain interested in de-identified patient data from clearinghouses and EHR vendors. While providers might see this as harmless, the growing volume of digital data makes it increasingly difficult to ensure true de-identification. Data from various sources can be combined to re-identify individuals, particularly in rural areas, where patient information is less anonymous.
Reassessing Data Sharing Practices
Behavioral health providers should consider their comfort level with vendors selling de-identified patient data. Revisiting BAAs with an emphasis on restricting the sale of any patient data, including de-identified information, can help mitigate risks.
Conclusion
Behavioral health administrators need to be vigilant about protecting not just patient data but also the financial data of their practice. By thoroughly understanding and addressing how vendors handle and potentially sell this information, practices can better protect their interests and maintain control over their financial health.
Rob Stuart is founder and president of Claim.MD, a leading electronic data interchange (EDI) clearinghouse helping to streamline the billing and collection process for providers, payers and software vendors.