Sensitive Information Access Levels

HIPAA Development Can be Tough. Let the Experts Help Encrypt and Secure your Data
Protect Sensitive Information from Prying Eyes

Developing Levels of Access for Sensitive Information

Medical billing portals usually store PHI (Protected Health Information), along with other sensitive personal data about a patient and their caregiver. Therefore, medical billing portals have to comply with HIPAA requirements for privacy and security. The rules of HIPAA generally apply to the overall operation of the system. One of the key requirements a site and organization have to satisfy when using HIPAA-compliant medical billing software is the access-restriction requirement within the HIPAA security rule.

HIPAA is broken into different rules, guidelines and requirements that organizations must adhere to. The one that applies most heavily to web applications is the HIPAA security rule. Within it lies a requirement that user access to sets of data (specifically PHI) is limited and that role-based restrictions are in place. Those access rights must be revocable immediately when the need arises. For example, if someone in an administrative or service-related role leaves the organization, they must no longer be able to access PHI.

In addition to that, it is also critical for customer data to be removable upon the user's request. The system needs a defined process that ensures the effective removal of all of that user's PHI stored in the system. From a sensitive-data perspective, the user's information can no longer exist in the system once they have requested its removal.

There are different ways to achieve the above requirements, but the general concept revolves around roles that are handled through a role-based security system. Users are given specific rights within the application based on their respective roles. For example, an administrative user would have certain rights and system access tied to their role. That set of rights may differ from other positions in the organization, such as a customer service representative, who would be assigned another role.

Encryption & Validation Protection

Authentication Considerations for Medical Billing Portals

Depending on the conditions, it may be appropriate to implement multi-factor authentication. A common way is email verification, where a token is generated whenever someone attempts to log in. The recipient then confirms that token value by following the link in their email. Another frequently used way is to send the token via a text message.

There are certainly other forms of multi-factor authentication, but email and text are the most prevalent. It is also possible to set up single sign-on through tools like Okta, or other forms of user authentication. However, internal users would typically require more robust login and authentication methods because of their role.

Stronger authentication for internal users also lets system administrators know when somebody is logging in with an elevated role that has broad access to PHI. As overall administrators, they have the ability to remove access from other users immediately and even eliminate roles.

This is imperative for HIPAA compliance, as one of the big components of the security rule is that information must be limited and restricted on a need-to-know basis. We want to make sure that the content users are able to view is reduced to what is absolutely required for their role.

Within the medical billing portal, it is also possible to set up separate:

  • Segments of users
  • Sets of accounts
  • Groups of regions
  • Distributions of users to customer service reps
  • Structures to manage those groups of users and grant access

Tailor-Made Solution for Your Business

Choosing a Suitable System

Searching for the right medical billing portal involves extensive research, digging in, checking out different vendors and appraising their various options. The most important factor when evaluating solutions is ensuring the system is indeed HIPAA compliant: that it does, in fact, follow the rule of minimal access to information based on roles and strictly as needed.

In addition to that, it is really helpful to use distinct roles and to record who is accessing what information and when. This is another component of HIPAA, which dictates that we must log who accessed what data and keep a history of any changes performed. That is another part of the baseline for HIPAA compliance and assists us with data security. In case of any breach or issue, we will be able to notify the end customer or patient about the status of their data.
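The role-based access, immediate revocation and access logging described above, as an added example (not the article's or any vendor's code). The role names, permission strings and record fields are assumptions; access is denied unless a role explicitly grants it, every attempt is logged, and terminating a user stops all access on the next check.

```python
"""Minimum-necessary access to PHI by role, with revocation and an audit log."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed roles and their permissions; anything not listed is denied.
ROLE_PERMISSIONS = {
    "admin": {"phi:read", "phi:delete", "user:manage", "audit:read"},
    "billing_clerk": {"phi:read", "claim:edit"},
    "customer_service": {"account:read", "claim:status"},
}


@dataclass
class PortalUser:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True


class PhiAccessControl:
    def __init__(self):
        self.audit_log = []  # who tried what, on which record, when, and the outcome

    def authorize(self, user: PortalUser, permission: str, record_id: str) -> bool:
        if not user.active:
            allowed, reason = False, "account disabled"
        elif any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles):
            allowed, reason = True, "granted by role"
        else:
            allowed, reason = False, "not in role permissions"
        # Denied attempts are logged too; they are the interesting ones in a breach review.
        self.audit_log.append({
            "user": user.username, "permission": permission, "record": record_id,
            "allowed": allowed, "reason": reason,
            "at": datetime.now(timezone.utc).isoformat(),
        })
        return allowed

    def revoke_role(self, user: PortalUser, role: str) -> None:
        """Remove one role; the user keeps whatever their other roles grant."""
        user.roles.discard(role)

    def terminate(self, user: PortalUser) -> None:
        """Immediate revocation on departure: no role, no active flag, no access."""
        user.active = False
        user.roles.clear()
```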

To sum up, an important aspect on the patient side of the medical billing portal is the ability to remove their sensitive data from the system at a moment's notice, once the customer requests a deletion. This is typically a simple function, but we want to make sure the capability is there and that proper notifications to that user are set up.

Important Data Handling Considerations

Procedures for Deleting User Data

We definitely do not want to remove anything that is critical to the operation of the business or to the user's account functionality. For example, a user might accidentally click the wrong thing, or believe they are doing something else while they are actually removing their data. An approval process that users have to complete can effectively prevent accidental data loss. Users may typically log in with just their username and password for other account activities, but for something like removing all their data, we may send them an email and require them to click a link that verifies their ownership of the account.
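The emailed or texted verification token used both for the login step described earlier and for confirming a deletion request, as an added example that is not part of the original article. The ten-minute validity window and the purpose names are assumptions; only a hash of the token is stored, a token is bound to one user and one purpose so a login link cannot confirm a deletion, and it works exactly once.

```python
"""Single-use, purpose-bound verification tokens for out-of-band confirmation."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 600  # assumed 10-minute validity


class VerificationTokens:
    def __init__(self):
        # (username, purpose) -> (sha256 of token, expiry timestamp)
        self._pending = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, purpose: str, now: Optional[float] = None) -> str:
        """Create the token to embed in the link; issuing again replaces the old one."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[(username, purpose)] = (self._digest(token), now + TOKEN_TTL_SECONDS)
        return token  # delivered out of band; never logged or stored in clear

    def redeem(self, username: str, purpose: str, token: str,
               now: Optional[float] = None) -> bool:
        """True only for a current, unused token issued to this user for this purpose."""
        now = time.time() if now is None else now
        entry = self._pending.get((username, purpose))
        if entry is None:
            return False  # nothing issued, already used, or wrong purpose
        stored_digest, expires_at = entry
        # Constant-time comparison of hashes; a wrong guess leaves the token usable.
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False
        del self._pending[(username, purpose)]  # single use, expired or not
        return now <= expires_at
```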

In some cases, it might be best to have the user interact with a live contact, just to make sure they understand the outcome. Customers may even be asked to sign off on the consequences of having their data removed from the system. The kind of verification depends on the business model and on what makes the most sense for your business in relation to how you store and handle the data within your medical billing portal.

We certainly encourage you to reach out and join a discussion with our knowledgeable staff. Our friendly team will be happy to provide you with a complimentary consultation on your upcoming HIPAA-compliant portal project. If you'd like, you may also review the articles below, which include additional relevant information about medical billing portals.