March 2023 - Health Edition

Illustration of a female employee working from home.

Tips for Working More Securely from Home

Remote work presents a unique challenge for information security because remote work environments usually lack the safeguards of the office. When an employee is at the office, they are working behind layers of preventive security controls (network filtering, managed updates, monitored endpoints). Those controls are not perfect, but they make a security mistake harder to make, and easier to catch, while at the office.


However, when computers leave the perimeter and people work remotely, new risks arise and additional security measures are essential. Below is a high-level overview of common controls for enhancing security when working remotely (always check with your IT department for current policies and helpful hints). While written with work computers in mind, the same steps can and should be taken on any other device used to access the organization's data, such as a smartphone or tablet.


A simple and important first step is to familiarize yourself with the policies and procedures put in place by your organization’s own IT security experts, typically available on their website.


Keep Work Data on Work Computers

Thinking about taking care of a few work emails at home before bed? It can be tempting to use your personal computer if your work computer is in a different room or you forgot your charger at the office. Organizations typically have dedicated IT personnel installing regular updates, running antivirus scans, blocking malicious sites, and so on, activities that may be invisible to you on a managed work computer. Your personal computer has likely not received the same care, and by connecting it to a work network or signing in to work accounts from it, you may expose the organization's networks and data to whatever that computer has picked up.


Keep Your Devices Safe

Simple steps can go a long way in keeping your devices safe:

  • Create strong, unique passwords for all logins and all devices. Many cyber criminals utilize sophisticated password-cracking tools and techniques, and dictionary words with a capital letter, a year, or a symbol tacked on are among the first guesses those tools try.
  • Enable automatic locking (locks after a certain amount of inactivity) on your device.
  • Enable location tracking, so you may be able to find your device if it is lost or stolen.
  • Make sure devices are current on all software and security updates.

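To show why the "strong passwords" advice matters, the following is an added example (not part of the newsletter): it simulates the offline cracking a criminal runs against a leaked table of password hashes. The wordlist, the mangling rules, and the three "leaked" accounts are all constructed for the illustration; real tools use multi-million-entry wordlists and far more rules, so anything this tiny script guesses would fall in a fraction of a second in practice.

```python
"""Added example: pattern-based passwords fall to a handful of guesses.

Constructed scenario: an attacker has obtained unsalted SHA-256 hashes of
three users' passwords and runs a wordlist plus common "mangling" rules
against them. Nothing here is from the original newsletter.
"""
import hashlib

# Constructed stand-in for the huge wordlists cracking tools ship with.
WORDLIST = ["password", "summer", "welcome", "qwerty", "hospital", "letmein"]
YEARS = ["2022", "2023"]
SUFFIXES = ["", "!", "1", "123"]
# Common character substitutions ("leetspeak") that crackers apply as a rule.
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "s": "$"})


def candidates(words=WORDLIST):
    """Yield guesses in roughly the order a cracking rule set would try them."""
    for word in words:
        bases = (word, word.capitalize(),
                 word.translate(LEET), word.capitalize().translate(LEET))
        for base in bases:
            for suffix in SUFFIXES:
                yield base + suffix
            for year in YEARS:
                yield base + year
                yield base + year + "!"


def guess_count():
    """Total number of guesses the rule set above produces."""
    return sum(1 for _ in candidates())


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack(hashes):
    """Return {hash: password} for every hash matched by some guess.

    Because the hashes are unsalted, one guess is checked against every
    target at once, so the cost does not grow with the number of victims.
    """
    targets = set(hashes)
    found = {}
    for guess in candidates():
        digest = sha256_hex(guess)
        if digest in targets:
            found[digest] = guess
            if len(found) == len(targets):
                break
    return found


# Constructed "leaked" hashes: two pattern passwords and one random passphrase.
LEAKED = {
    "alice": sha256_hex("Summer2023!"),
    "bob": sha256_hex("p@$$w0rd123"),
    "carol": sha256_hex("tundra-violet-anchor-92-kettle"),
}


def demo():
    """Map each user to the recovered password, or None if it survived."""
    found = crack(LEAKED.values())
    return {user: found.get(digest) for user, digest in LEAKED.items()}


if __name__ == "__main__":
    print(f"{guess_count()} guesses tried")
    for user, recovered in demo().items():
        print(f"{user}: {recovered or 'not cracked'}")
```

Alice's and Bob's passwords look "complex" to a human (capital letter, digits, symbols) yet are recovered within the first 192 guesses, while Carol's long random passphrase is never touched; length and unpredictability, not symbol substitution, are what defeat cracking tools.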

Protect Sensitive Data in Emails and on Your Device

Sending emails with sensitive data is always going to be a risk. Encrypting an attachment before you send it prevents an unintended recipient from viewing the information, provided the password travels separately (by phone or text, never in the same email as the attachment). You can easily encrypt a document with a password in basic applications like Microsoft Office and Adobe Acrobat. Additionally, you may be able to share confidential work files via an encrypted file-sharing application approved by your organization. Utilize multifactor authentication for your accounts, and be sure your device has full-disk encryption turned on (for example, BitLocker on Windows or FileVault on macOS) so that stored data is unreadable if the device is stolen.


Make Sure Your Wi-Fi is Secure

Making sure your Wi-Fi is secure is an important cybersecurity control. Here are some measures you can take:

  • Change the default password for your Wi-Fi router to a new, unique password.
  • Change the wireless network name to something that excludes personal information (like name or address).
  • Use your organization's virtual private network (VPN). It encrypts traffic between your device and the organization's network, so anyone watching the Wi-Fi you are connected to sees only encrypted data.
  • Avoid public Wi-Fi! Public Wi-Fi networks are common targets for cybercriminals because they are often poorly encrypted or not encrypted at all, and anyone on the same network may be able to see or tamper with your traffic. This introduces significant security risks and should be avoided if at all possible; if you must use one, connect through the VPN first.


Physical Protection

Physical security should not go out the window when you are working remotely. Just as you would protect your workspace and devices in the office, do the same when working out of the office:

  • Lock up or secure your remote office or workspace when you are not actively working.
  • Never allow family members or friends to use your work devices.
  • If working in a public location, choose somewhere private and block sight lines to your screen. Try not to sit with your back to windows or doors, where "shoulder surfers" can read over your shoulder, or use a privacy screen.
  • Do not leave work devices in a car; keep devices on your person at all times.
  • Never plug in a thumb drive if you do not know where it came from or whether it can be trusted.


Small steps can make a big difference in improving security and protecting organization data while working remotely.

Illustration of a person that is frustrated with what they see on their laptop screen.

Complying with the No Surprises Act

The No Surprises Act (NSA) was signed into law as Title I of Division BB of the Consolidated Appropriations Act of 2021. The purpose of the NSA is to protect patients from surprise medical bills and improve transparency in healthcare costs [1]. Since its enactment, the NSA has faced a multitude of challenges surrounding its enforcement. Read this article to see where we are today.


What’s required?

Balance Billing Protections

Balance billing is the practice of billing a patient for the difference between a provider's charge and the amount the patient's health plan allows, which typically arises with out-of-network care [2]. Under the NSA, providers and facilities can no longer balance bill patients for:

  • Emergency medical services
  • Non-emergent service without issuance of a notice & consent form
  • Out-of-network ancillary providers and services at an in-network facility
  • Out-of-network air ambulance providers


Good Faith Estimates

A good faith estimate (GFE) is a notification of expected charges for scheduled or requested items or services. Any discussion or inquiry of potential costs of items or services must be taken as a GFE request. GFEs must be issued:

  • Directly to uninsured and self-pay individuals
  • In any written format requested by the patient
  • At least every 12 months for recurrent services
  • For estimate requests and services scheduled to be performed in 10 or more business days, GFEs must be issued within 3 business days after scheduling (or request)
  • For services scheduled to be performed in 3-9 business days, GFEs must be issued within 1 business day after scheduling


Provider Directory Information

The NSA requires that health insurance plans verify and update their provider directories every 90 days. Each payor has a different process in place to verify and update provider information. Because providers and healthcare facilities are required to send the information upon request of the payor, many payors have shifted responsibility to health care providers and facilities.

  • What to send: Name, Addresses, Specialty, Telephone numbers, Digital contact information
  • When to send: At the beginning or end of a network agreement, upon request of the payor, or "any other time determined appropriate by the provider, facility, or HHS Secretary" [3].


Provider Directory Requirements by Insurance Plan:


Continuity of Care

If a contract between a health insurance plan and a healthcare provider or facility is terminated, or if benefits are terminated because the terms of provider participation change, then continuing care patients have the option to keep receiving care from that provider for up to 90 days after the termination. A continuing care patient is one that is "undergoing treatment for a serious and complex condition, receiving institutional or inpatient care, is scheduled to undergo a non-elective surgery, or is terminally ill and is receiving care for such illness" [4].


Penalties and Enforcement

  • Surprise Medical Billing: up to $10,000 for each violation
  • Good Faith Estimates: patients have the right to dispute any charges over $400
  • Continuity of Care: Monetary penalties are pending future rulemaking. Providers are currently expected to comply “using a good faith, reasonable interpretation of the statute.”
  • Provider Directory Information: If a patient relies on this information to find an in-network provider, and the information is incorrect, then the patient may only be billed as though the provider were in-network.


For regulatory updates pertaining to the NSA, please visit the link below:

https://www.cms.gov/cciio/resources/regulations-and-guidance#No_Surprises_Act


Additional resources for NSA Compliance:

The Department of Billing Compliance

USA Health Office Park, 3rd floor

Office: 251-434-3500

cholland@health.southalabama.edu


CMS: NSA Provider Requirements and Resources

AMA: NSA Toolkit for Physicians

HHS: Guidance on Good Faith Estimates and Patient-Provider Dispute Resolutions

CMS: Examples of Disputable Good Faith Estimates


[1] CMS, Consolidated Appropriations Act, 2021 (CAA): https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/caa

[2] 45 CFR Part 149, Surprise Billing and Transparency

[3] 42 U.S.C. § 300gg-139, Provider requirements to protect patients and improve the accuracy of provider directory information

[4] 26 U.S.C. § 9818, Continuity of care

We're Hiring!

Are you (or someone you know) looking to grow professionally, help direct and enrich an internal audit function, and positively impact the lives of students and patients? If so, we're looking for you in the Office of Internal Audit!


We are seeking an Internal Audit Supervisor to join our team. See the job posting here.

The South Compass is a joint newsletter from the Offices of
Internal Audit and Compliance at the University of South Alabama.

HELPFUL RESOURCES

Ethics & Compliance Hotline or Direct Dial 1-844-666-3569