Will Schmidt
January 2, 2025

Who Pays for PHI, HIPAA, and Cyber Attacks in 2025?


Healthcare may be Broken, but Security should never be!

Ask any US Taxpayer, and they will tell you that the US Healthcare System is broken. The problems range from the double-digit premium increases members face every year while the Big Health Plans score profits in the Billions, to the growing denial rates for authorizations and claims that have a legitimate medical necessity, to the increasing prevalence of fraud that both providers and payers either knowingly or indirectly participate in. With mergers and acquisitions soaring from private equity and the Big National Health Plans, affordable healthcare will only worsen for patients. Providers will continue to see their margins decrease, forcing them to downsize, merge, or sell their independent practices.


But the #1 thing that should never be broken is Healthcare Technology Security!


$9 Billion in Healthcare Losses due to Cyber Security Failures

Providers lost $21.9 billion in 2024 due to security breaches from payers, payment processors, and EHRs combined. Folks, that’s Billions with a “B.” Since 2022, there have been 55 reported Ransomware and Healthcare Technology cyber attacks that have left providers and payers unable to pay or receive payments for 17-27 days on average!


Change Healthcare Breach

Change Healthcare is a subsidiary of UnitedHealth Group (UHG) and, before the cyber attack, processed about 50% of all US Healthcare claims as a payment processor. This means that Change Healthcare was responsible for paying hospitals and providers for the work they had already been authorized to conduct and for authorizing medical services yet to be rendered. Reports vary, but 60-80% of providers who relied on Change Healthcare reported losses, and many stated they had to downsize personnel and restrict hours. That means fewer patients helped and more hospital admissions. It was a catastrophic event and a complete system failure on behalf of UHG.


Why downsize?


We love providers here at PCG, but providers and hospitals across America are notorious for being great at providing care but historically negligent about producing short- and long-term capital.


More Governmental Regulations for Providers is not the Answer

The U.S. Deputy National Security Advisor (Anne Neuberger) and the Department of Health and Human Services (HHS) have banded together to solve HIPAA breaches, or have they?


By instituting new regulations on hospitals and providers to encrypt every message and deploy new tactics to safeguard patient information (PHI), we are asking an already strained healthcare workforce to do the work that a payment processing company and Billing software should already do!


The price of this new implementation and enhanced security for hospitals and clinics is estimated to be $6-$9 billion every year. The blame is being pushed on providers, hospitals, and small health plans when, in reality, big health plans and software companies are dropping the ball. 


No cyber attacker will risk life in a federal prison targeting a small health plan when the big plans use the same software and can afford to pay $2 million to $20 million to restore their data and security. 


When will we as a nation place the security burden on the Software companies that build this so-called HIPAA-compliant software?


A provider or medical staff should be able to include as much confidential past and present patient information as possible in an authorization so that it passes medical necessity. This reduces the initial authorization denial and future reductions and denials of claim payments. 


What Every Billing Software Should Do…

Every EMR, EHR, or Billing Software should have HIPAA privacy settings that cross-reference four things before a claim leaves the system: the domain of the sender, the user permissions of the sender, the receiving party’s domain, and the individual receiving participants. Based on that check, the software should take one of three actions: accept the claim as-is and send it encrypted; send it only to those with clearance and a need to view it per HIPAA; or not send the claim or information to any party at all, because one or more parties is restricted.
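The check described above, written out as a small policy evaluator. This is an added example and not PCG’s or any billing vendor’s code; the domains, role names and policy contents are constructed for illustration, and the interpretation that a restricted or untrusted recipient domain blocks the whole release while an individual recipient without need to know is merely dropped from the recipient list is this example’s own.

```python
"""
Recipient-level PHI release check (added example, not PCG code).
Domains, roles and policy contents below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    SEND_ENCRYPTED = "accept as-is and send encrypted to every recipient"
    SEND_RESTRICTED = "send only to recipients with clearance and need to know"
    BLOCK = "do not send to any party"


@dataclass(frozen=True)
class Party:
    address: str
    role: str  # constructed role names such as "biller", "claims_examiner"

    @property
    def domain(self) -> str:
        return self.address.rsplit("@", 1)[-1].lower()


@dataclass(frozen=True)
class Policy:
    trusted_domains: frozenset     # organizations permitted to exchange PHI
    restricted_domains: frozenset  # organizations currently barred (e.g. breach hold)
    sender_roles: frozenset        # sender roles allowed to release PHI
    need_to_know_roles: frozenset  # recipient roles cleared to view claim PHI


def evaluate_release(sender: Party, recipients: list, policy: Policy):
    """Return (Decision, recipients that may receive the claim, reason)."""
    # 1. Sender domain and sender permissions.
    if sender.domain not in policy.trusted_domains:
        return Decision.BLOCK, [], f"sender domain {sender.domain} is not trusted"
    if sender.role not in policy.sender_roles:
        return Decision.BLOCK, [], f"sender role {sender.role} may not release PHI"
    # 2. Receiving party domains: one restricted or untrusted domain blocks the
    #    whole release, since the claim would otherwise reach that party.
    for r in recipients:
        if r.domain in policy.restricted_domains or r.domain not in policy.trusted_domains:
            return Decision.BLOCK, [], f"recipient domain {r.domain} is restricted"
    # 3. Receiving participants: keep only those with clearance and need to know.
    cleared = [r for r in recipients if r.role in policy.need_to_know_roles]
    if not cleared:
        return Decision.BLOCK, [], "no recipient has a need to know"
    if len(cleared) == len(recipients):
        return Decision.SEND_ENCRYPTED, cleared, "all recipients cleared"
    dropped = sorted(r.address for r in recipients if r not in cleared)
    return Decision.SEND_RESTRICTED, cleared, "dropped: " + ", ".join(dropped)


# Constructed sample policy and parties.
POLICY = Policy(
    trusted_domains=frozenset({"clinic.example", "payer.example"}),
    restricted_domains=frozenset({"vendor-under-hold.example"}),
    sender_roles=frozenset({"biller", "physician"}),
    need_to_know_roles=frozenset({"claims_examiner", "medical_director"}),
)
SENDER = Party("biller@clinic.example", "biller")
EXAMINER = Party("examiner@payer.example", "claims_examiner")
FRONT_DESK = Party("frontdesk@payer.example", "front_desk")
HELD_VENDOR = Party("ops@vendor-under-hold.example", "claims_examiner")

if __name__ == "__main__":
    for recips in ([EXAMINER], [EXAMINER, FRONT_DESK], [EXAMINER, HELD_VENDOR]):
        decision, cleared, why = evaluate_release(SENDER, recips, POLICY)
        print(decision.value, [p.address for p in cleared], why)
```

The evaluator returns the narrowed recipient list rather than a bare yes/no, so the sending layer can encrypt to exactly the cleared participants, and the reason string gives the audit log something to record when a release is narrowed or blocked.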





How do we know?


Our software solutions can be integrated with Payer Claims Software, EMR, EHR, Billing Software, and Payment Processing software. We have built our HIPAA standards so that our software never stores, identifies, or receives patient information. Software that submits authorizations and claims to a payer or assists with payment needs more security and scrutiny, and it is the responsibility of that software company to implement those measures. PCG followed the rules, and companies like Change Healthcare did not.


SFTP Security Breaches History

SFTP (Secure File Transfer Protocol), as a reminder, is a secure version of the File Transfer Protocol (FTP), which is used for transferring files over the internet. It is a secure protocol that provides strong encryption for data transferred over the network and user authentication. It uses Secure Shell (SSH) to encrypt the data and session information so that the data is not exposed while transferring. Additionally, it allows the server to authenticate the client and the client to authenticate the server before any data is exchanged. This ensures only authorized users have access to sensitive data. Finally, users can also employ digital signatures to verify the integrity of their data.


SFTP is more secure than FTP, as it encrypts all data transferred between the client and server, including usernames and passwords. Additionally, SFTP requires user authentication, meaning only authorized users can access the data. Moreover, SFTP allows the server to authenticate the client and the client to authenticate the server before any data is exchanged, providing an extra layer of security. All these features make SFTP safer than FTP.


IT departments prefer using SFTP, as it offers a high level of security for data transferred over the network. It allows users to configure access control quickly, so only authorized users can access sensitive data. Furthermore, with SFTP, they can also use digital signatures to verify the integrity of their data. All these features make SFTP the preferred choice for IT departments.


In PCG’s 30 years of doing business, we’ve never had a HIPAA violation or security breach on our record.


Virtual Examiner® as a Case Study in HIPAA Compliance

Our software Virtual Examiner® (VE) is a code and claim auditor for Payers. VE is installed on the Payer’s dedicated server. Linked to the Payer’s adjudication software, it reviews today’s claims against three years of claims (the episode of care), never identifying who the patient or provider is (just the member ID number and billing ID). It then quarantines those claims for human review and decision-making. You can only access those claims if your Payer organization has allowed you to download the report. Again, the report can never identify a patient or provider.


With vast changes in medical coding affecting both authorizations and claim payments, claims adjudication software must be kept current through Virtual Examiner code updates so that daily audits remain compliant and accurate. This requires code updates via a secured SFTP transfer twice a quarter. This is how VE keeps patient data, provider data, and payer data not just safe but under the Payer’s own responsibility, because the Payer buys our software and runs it on its own server. The risk and liability of HIPAA breaches are left solely to the adjudication software company and the payer’s IT security.
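The SFTP section above lists two properties that matter for a transfer like these quarterly code updates: the client authenticates the server before any data moves, and the receiver can verify the integrity of what arrived. The following added example (not PCG code, and not how VE’s update mechanism is implemented) shows both checks on the client side in Python’s standard library. Server authentication is done by pinning the server’s host key fingerprint, which is the role OpenSSH’s known_hosts file plays when strict host key checking is on; integrity is checked against a sha256sum-style manifest line. The host name, key bytes, update bytes and manifest are constructed. A bare digest is a stand-in for the digital signature the text mentions: it only proves integrity if the manifest itself came over an authenticated channel, whereas a signature additionally binds the file to the publisher.

```python
"""
Client-side checks around an SFTP update download (added example, not PCG code):
host key pinning (server authentication) and a digest check on the file (integrity).
Host name, key material, update bytes and manifest below are constructed.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def ssh_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_pubkey_line(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH 'type base64 [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type prefix does not match blob")
    return blob


def host_key_pinned(host: str, presented_line: str, pins: dict) -> bool:
    """Accept only if the presented key's fingerprint equals the pin for this host.
    An unknown host is refused rather than trusted on first use."""
    expected = pins.get(host)
    if expected is None:
        return False
    actual = ssh_fingerprint(parse_pubkey_line(presented_line))
    return hmac.compare_digest(actual, expected)


def file_matches_digest(data: bytes, manifest_line: str) -> bool:
    """Check a 'hexdigest  filename' line (sha256sum format) against the file bytes."""
    expected_hex = manifest_line.split()[0].lower()
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)


def verify_update(host, presented_line, pins, data, manifest_line) -> str:
    """Combined decision for one download: 'ok', 'bad host key' or 'bad digest'."""
    if not host_key_pinned(host, presented_line, pins):
        return "bad host key"
    if not file_matches_digest(data, manifest_line):
        return "bad digest"
    return "ok"


# Constructed sample material (not real keys; an ed25519 public key is 32 bytes).
GOOD_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
OTHER_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
GOOD_LINE = "ssh-ed25519 " + base64.b64encode(GOOD_BLOB).decode() + " constructed"
OTHER_LINE = "ssh-ed25519 " + base64.b64encode(OTHER_BLOB).decode() + " constructed"
HOST = "sftp.updates.example"
PINS = {HOST: ssh_fingerprint(GOOD_BLOB)}  # provisioned out of band, never learned on first connect
UPDATE = b"code-table-update: constructed bytes\n"
MANIFEST = hashlib.sha256(UPDATE).hexdigest() + "  update.dat"

if __name__ == "__main__":
    print(verify_update(HOST, GOOD_LINE, PINS, UPDATE, MANIFEST))
    print(verify_update(HOST, OTHER_LINE, PINS, UPDATE, MANIFEST))
    print(verify_update(HOST, GOOD_LINE, PINS, UPDATE + b"x", MANIFEST))
```

The order of the checks is deliberate: the host key is verified before the file is trusted at all, so a mismatched key rejects the session without ever consulting the manifest, and comparisons use constant-time equality so the check does not leak how many characters of a fingerprint or digest matched.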



VEWS™ as a Case Study in HIPAA Compliance

The same AI engine that powers Virtual Examiner® (VE) for Payers can help Providers and Hospitals. Our Virtual Examiner Web Services™ (VEWS) can be installed in a Billing Software that you own and operate to give pre-claim code auditing warnings. If you are about to bill the wrong code within a claim, are missing a modifier, etc., you are notified and can correct the claim, reducing denials, or incorrect approvals followed by a later denial from the payer claims team. Again, no patient information is viewed, stored, or reported by VEWS; it just looks at codes. This process places HIPAA compliance on the EMR, EHR, or billing software used and on the payment processors that send the actual claim to the payer.



iVECoder® as a Case Study in HIPAA Compliance

iVECoder® (iVE) is a manual code auditor that helps review claims from a portal accessed with a username and login. iVE does not integrate into the Billing Software and cannot take in a patient or provider name, or any data other than sex and birth date. With no names, you can never tell who is receiving or providing the care. Just input the details of a claim and see what the Medicare and Medicaid guidelines will tell you about the compliance and likelihood of this claim getting paid.



Looking for Increased HIPAA Compliance and Savings?

PCG Software helps payers reduce overpayments, fraud, and waste with VE. PCG also helps hospitals and clinics through claims auditing pre-submission with VEWS. If your organization is looking to save time and money but is also concerned about PHI, then contact us today to learn more about our HIPAA-compliant coding solutions. 


Contact our Chief Strategy Officer, Will Schmidt, at
wschmidt@pcgsoftware.com 
