Paperless systems are fast becoming the standard across different industries in the U.S., and healthcare is no exception. Even the U.S. government is moving in this direction, as the U.S. Department of Treasury adopted a fully electronic invoicing system in 2012 — a change that it estimates saves the federal government up to $450 million per year.[1]
In the healthcare industry today, much of the third-party payer system is already conducted by electronic means. Yet, medical costs that are the patient's responsibility are still often transacted through paper billing and check payment. There are, however, several macro-level trends that are rapidly driving adoption of electronic payment tools for patient co-pays and deductibles. The growth of high deductible health plans is requiring more providers to collect $1,000, $5,000 or more from patients at the point of care. Almost all of these transactions are occurring through some form of electronic payment. Further, consumers are increasingly paying bills for many home and personal services electronically and are holding healthcare providers to a similar standard. Finally, according to the American Medical Association, the cost for a provider to send a paper bill to a patient can range from $5 to $14 per patient.[2] As such, text-to-pay and email-to-pay strategies offer significantly cheaper alternatives to paper billing.
As healthcare providers prepare to convert their patient-responsible billing and collections to an electronic form,[3] there are (at least) three important regulatory items to keep in mind.
- HIPAA. Most healthcare providers realize they are subject to privacy and security regulations under HIPAA. What they may not realize is that those same privacy and security regulations extend to electronic billing activities.

Generally, HIPAA requirements apply to (1) health plans, (2) healthcare clearinghouses and (3) healthcare providers who transmit any healthcare information in electronic form in connection with transactions[4] covered under the HIPAA regulations, collectively known as "covered entities."[5] Providers who already submit claims to Medicare, Medicaid or private third-party payers are covered entities and subject to the HIPAA requirements, whether or not they send bills to their patients electronically. As such, these "covered entity" providers must consider the implications of sending healthcare information to a patient electronically for purposes of collecting patient-responsible balances, particularly as it relates to the privacy and security of that transmitted information under HIPAA.

For example, e-bills should contain the minimum necessary information to enable the patient to identify the context of the patient's payment obligation for his or her medical care. Because transmitting sensitive patient information electronically exposes the provider to certain security issues, it is good practice to include minimal information in the actual transmission of the e-bill while also enabling the patient to access additional information in person, by phone or on a secure website, if such additional information is needed. This minimizes the risk of unauthorized access to protected health information that could constitute a breach under HIPAA and potentially trigger HIPAA's breach notification provisions.[6]

Prior to sending any information to a patient in an electronic form, it is good practice to obtain the patient's signed authorization.[7] Although the regulations under HIPAA do not specifically address patient e-billing, providing the patient with an explanation about e-billing and giving the patient an opportunity to authorize or decline an e-billing format is in line with the intent and protections of HIPAA. Moreover, the practice of obtaining patient authorization affords healthcare providers an opportunity to ensure that the email address on file for each patient is correct — an additional safeguard against unauthorized disclosure of PHI. In the case of shared email accounts, for example, prior patient authorization protects the healthcare provider from unknowingly disclosing PHI to a party other than the intended patient.

Also, the HIPAA regulations protect an individual's right to restrict use or disclosure of his or her PHI, including for purposes of treatment, payment or healthcare operations.[8] As such, the patient has the right to restrict e-billing formats that would involve the use or disclosure of his or her PHI.

In addition to electronic transmission of health information through an e-bill, HIPAA may also govern the receipt of electronic payments. For example, if a healthcare provider contracts with a financial institution to handle all patient e-payments and, in so doing, provides that financial institution with access to certain PHI, the financial institution might be considered a business associate under HIPAA.[9] If so, the healthcare provider and the financial institution would be required to have a business associate agreement in place that meets the requirements of HIPAA.

Healthcare providers should also be cognizant of state privacy laws that may affect health information that is transmitted electronically. As it pertains to PHI, the more stringent law (when state law is compared to the standards under HIPAA) generally controls.[10] This means that, subject to certain exceptions, a state law with more stringent requirements will govern over the requirements under HIPAA.

- Security of electronic payment information. In addition to the security of PHI through e-billing, healthcare providers must consider the security requirements associated with receipt of patient payment information. Maintaining the security of e-payments means complying with a number of consumer protection laws and standards, including the Electronic Funds Transfer Act[11] and the Payment Card Industry Data Security Standard.[12] These requirements include, but are not limited to, (1) building and maintaining a secure network (e.g., maintaining a firewall configuration to protect data), (2) protecting cardholder data (including encryption of transmitted data), (3) maintaining a vulnerability management program, (4) implementing access control measures, (5) regularly monitoring and testing networks and (6) maintaining an information security policy. If a healthcare provider relies on a third party to conduct the e-payment transactions on its behalf, the provider should ensure the third party is compliant with all applicable consumer protection laws. For example, providers should know whether the processors and gateways they use to facilitate electronic payments are HIPAA- and PCI-compliant. In the healthcare sector, a common risk factor that should be analyzed is the location of stored credit card information. For example, providers often store credit card information in the patient's electronic medical record. If the EMR is compromised, not only is there a risk that the patient's PHI will be harmfully misused, but the theft of credit card information also creates the potential for additional harm (and additional liability for the provider).

- Flexibility. Healthcare providers should be prepared to accommodate patients who prefer a paper-based system. According to a report from the U.S. Census Bureau, in 2011, approximately 25 percent of Americans did not have access to a computer at home, and slightly fewer had access to the Internet at home (about 30 percent did not).[13] In addition to access issues, some patients may simply mistrust electronic means of transacting. Older patients tend to prefer paper records, and some cultures simply prefer the opportunity to conduct business in person. While text-to-pay and email-to-pay strategies are important tools for patient convenience and lowering costs, healthcare providers likely do not want to alienate those patients who prefer to continue with the paper-based system of billing and payment. Therefore, it is important to build flexibility into the transition to e-billing and e-payment, retaining the means to also send patient bills and receive patient payments in paper form.
The structural changes ongoing in the healthcare provider area are significant. Changes in insurance plans that require greater patient responsibility are causing all providers to develop electronic payment strategies to collect funds at the point of care. Further, these tools that allow patients to pay bills electronically give patients greater flexibility while lowering the costs of collections. As providers transition to these e-billing and e-payment formats, it is important that they ensure compliance with appropriate federal and state requirements for the protection of patient and financial data.
[1] U.S. Dep't of Treasury, Resource Center, "Electronic Invoicing," available at http://www.treasury.gov/resource-center/fin-mkts/fit/Pages/FIT-Electronic-Invoicing.aspx.
[2] American Medical Association, Point of Care Pricing Toolkit: How much can your practice save by collecting from patients at the time of service?, available at http://www.ama-assn.org/ama/pub/advocacy/topics/administrative-simplification-initiatives/electronic-transactions-toolkit/point-of-care-toolkit.page (last visited April 6, 2014).
[3] "Electronic form" includes, but is not limited to, electronic mailing and text messaging (i.e., patient billing done by email or text notifications).
[4] "Transaction" means the transmission of information for administrative or financial activities related to healthcare. 45 C.F.R. § 160.103. For example, any healthcare provider who transmits PHI electronically to Medicare, Medicaid or private insurance for the purpose of receiving payment is considered a "covered entity" under HIPAA and subject to its requirements.
[5] 45 C.F.R. § 160.102.
[6] 45 C.F.R. § 164.400 et seq.
[7] This authorization may be obtained in the initial patient encounter as part of the "new patient paperwork." For patient paperwork that is completed remotely, electronic signatures can be obtained for the authorization.
[8] 45 C.F.R. § 164.522.
[9] 45 C.F.R. § 160.103.
[10] 45 C.F.R. § 160.203.
[11] Originally enacted in 1978, this law protects consumers engaging in electronic fund transfers from errors and fraud. More information on the EFT Act can be found at http://www.fdic.gov/regulations/laws/rules/6000-1350.html#fdic6000titlexeft.
[12] PCI DSS is a set of requirements for enhancing the security of payment card account data and was developed by the founders of the PCI Security Standards Council. For more information on PCI DSS compliance, visit https://www.pcisecuritystandards.org/merchants/.
[13] U.S. Census Bureau, Computer and Internet Use in the United States: Population Characteristics, May 2013, available at http://www.census.gov/prod/2013pubs/p20-569.pdf.