By Kevin Eberman
Technology continues to disrupt organizations across industries—the way we work and go about daily operations has changed, and the healthcare sector is no stranger to these disruptions. COVID-19 has further accelerated this disruption with the adoption of telehealth and digital health solutions. Healthcare professionals are increasingly needing tools that provide quality care while also ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance and the confidentiality of patient information.
In addition to embracing telehealth technology, healthcare organizations are undergoing a similar wave of digitization in the back office. One top priority is finding an automated accounts payable (AP) solution designed for paperless invoice capture, coding, and approval, along with electronic payment execution. AP automation was developed not only as a way to make it easier for practices to pay their suppliers electronically via ACH, check, virtual card, and FX, but to free AP and finance staff of the burdensome task of processing invoices and payments manually.
Despite the positives that come alongside digital transformation, there are also some concerns pertaining to data privacy and the protection of patient data. As HIPAA regulations continue to become more stringent, healthcare organizations will need to simultaneously learn how to adapt to digital changes while ensuring the safety of electronic protected health information (ePHI).
Emerging HIPAA Compliance Concerns for Accounts Payable and Digital Healthcare
Healthcare is growing more and more reliant upon digital solutions as an industry. This has been made apparent through the growth of AP automation as well as the transition to telehealth, the rise in digital marketing strategies, and the development of online patient portals. Expedited by the pandemic, doctor’s offices shutting down, and an increase in health-related anxiety, providers wanted to utilize telehealth and digital solutions as efficiently as possible so that they could continue providing excellent care over video—while ensuring confidential information was not compromised. Healthcare providers interested in video consultations were encouraged to provide services through technology vendors that proved to be HIPAA-compliant and had entered a HIPAA business associate agreement (BAA).
When it came to choosing an accounts payable automation solution that accommodated for the uptick in sensitive information being shared via digital invoices, it was equally as important to be mindful of HIPAA compliance. But how can organizations looking to implement an automated AP solution go about it the smart way?
First, it’s important to understand what is protected and what is not protected under HIPAA. In total, there are 18 specific data elements that covered entities and business associates are required to protect, including things like names, telephone numbers, Social Security numbers, email addresses, and more. If businesses fail to protect any of these elements, they risk setting themselves up to face not only hefty fines, but loss of patient trust. Above all, they risk compromising patient safety and security.
For example, healthcare organizations will often need to reimburse patients for services via check; this may be due to an insurance payout or settlement. When sent electronically, the names on these checks need to be protected or encrypted in order to maintain confidentiality and compliance under HIPAA. However, when these checks are sent by mail, putting a name on the envelope is unavoidable. The Office for Civil Rights acknowledges these instances and provides exceptions when they do arise. Understanding the exceptions provided for under HIPAA is equally as necessary as knowing what must be protected.
Ensuring HIPAA Compliance with an AP Automation Solution
Automated AP solutions can help organizations adhere to HIPAA guidelines when executing accounts payable and invoice management. Look for an AP solution that has proven to be HIPAA compliant and ensures the security of your invoices and payments. Not all automated solutions were designed with healthcare in mind and are simply not equipped to handle and protect the sensitive data specific to this setting, so it’s important to do your due diligence before purchasing any one product.
It’s recommended that you look for a solution that annually goes through an independent audit; for example, SOC 2 Plus or SOC 2 with HIPAA mapping, to ensure best practices and internal controls are being met by your organization and its associated vendors. With this kind of audit, you can ensure your AP solution accounts for the following trust security principles:
Information and systems are protected against unauthorized access, unauthorized disclosure of information, or damage to systems that could compromise the availability, integrity, confidentiality, or privacy of data.
Evaluation of this principle ensures the protection of any electronic information collected, used, processed, and stored by health systems. Controls over security, incorrect processing, theft, unwanted removal of information, improper access, alteration, destruction, or disclosure of information are all evaluated. With an AP automation solution, many of these internal security controls are already built in, such as limiting user access, requiring dual approvals for payments, and signaling of potential fraud.
This principle refers to the accessibility in which a system operates as defined in its contract. The performance level acceptability is defined by both parties.
Evaluation of this category does not necessarily address system functionality, but it does address security-related criteria that may affect availability. For example, if your AP system fails to signal regarding a potential fraud, or doesn’t ensure a check has been authorized by the appropriate party before being sent to its supplier, this limits its availability and ability to perform its intended function under HIPAA.
3. Processing integrity
This category evaluates whether or not the system is achieving its purpose of delivering the right data to the right place at the right time.
In regard to AP automation, this means that any information inputted into your solution, like an invoice number or amount due, is done with accuracy. One way to ensure processing integrity is to choose an automated AP solution that eliminates the need for manual, error-prone invoice capturing. Many solutions will automatically input all information without the need for human intervention. This data can then be retrieved at any time by authorized parties, ensuring complete visibility into invoice status.
Evaluating this category ensures the entity’s ability to protect information deemed confidential through its entire life cycle—collection or creation through its final destination and removal from the organization’s control.
For healthcare organizations using AP automation, there needs to be safeguards in place through the entire end-to-end invoice approval process that ensure confidentiality as defined by HIPAA. Not all AP automation solutions are created equal, so be sure to do your due diligence and check whether or not your solution of choice is able to protect confidential data before you make your decision.
This principle refers to how a company’s system collects, uses, retains, discloses, and disposes of personal information. It ensures that any personally identifiable information (PII), or data related to health, race, religion, or sexuality is given an extra level of protection. The entity should be providing the following privacy protocols:
- Provides notice to data subjects about its objectives related to privacy (i.e., a privacy statement).
- Communicates choices available regarding the use, collection, retention, disclosure, or disposal of personal information to data subjects. For example, opt-in/opt-out statements.
- Only collects personal information that is necessary to fulfill a specific function. For example, collecting credit card information in order to process an invoice.
- Limits the use, retention, and disposal of personal information to meet its objectives.
- Provides data subjects with access to their personal information for review or correction.
- Discloses personal information with the consent of the data subjects. Notification of a potential breach or incident is provided to affected data subjects, regulators, and others as soon as possible.
- Collects and maintains accurate, up-to-date, complete, and relevant personal information.
- Monitors HIPAA compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes.
Lastly, it’s important to realize that all HIPAA regulations not only pertain to covered entities but to the third parties they work with as well. Know that you are responsible for ensuring your third- and fourth-party vendors are compliant and making them aware of HIPAA guidelines. This is typically achieved through a business associate agreement and a written commitment to provide and extend security to subcontractors and fourth parties.
HIPAA-Compliant Automated AP Solutions are the Future of Healthcare
Despite the concerns healthcare organizations have about privacy in regard to telehealth and automated AP, accounts payable teams and consumers alike can agree that digital is here to stay. Through the use of digital tools, consumers and healthcare providers have certainly become accustomed to the ease and flexibility that comes with taking doctor’s appointments online and paying suppliers electronically. With accounts payable automation, healthcare organizations can ditch manual, paper-based processes for increased efficiency and improved ROI. The best AP solutions pride themselves in having internal controls like segregation of duties, access, dual approvals, and signaling of potential fraud worked right into the platform to ensure customers are protected on all fronts. For health systems, the right AP automation solution provides a solution you can trust when it comes to safeguarding PII and maintaining HIPAA compliance in accounts payable.
Kevin Eberman is the senior director of information at MineralTree.