Compliance

The One Big Beautiful Bill Act overhauls federal healthcare funding, coverage and eligibility verification, with major implications for revenue cycle performance. The first webinar in Experian Health’s three-part series focused on the key policy changes and what healthcare organizations should do now to prepare.

Providers must adopt OBBBA preparation strategies and new technologies to brace for the impact of increased self-pay patients, who account for the highest percentage of bad-debt write-offs, as well as additional administrative and documentation requirements, such as stricter eligibility checks and reporting mandates.

Hospitals that treat Medicaid patients should update their eligibility and billing systems now to prepare for the One Big Beautiful Bill Act (OBBBA), which will bring major changes to Medicaid.

To meet evolving price transparency regulations, University of Tennessee Medical Center (UTMC) partnered with Experian Health to implement Patient Estimates. This integrated solution helped UTMC maintain compliance, increase estimate delivery and empower patients with clearer cost breakdowns.

Key takeaways: Changes to Medicaid, Medicare and the Affordable Care Act provisions in H.R. 1 are expected to increase financial pressure across the healthcare system. Hospitals could face higher uncompensated care costs and a growing administrative burden as millions lose coverage and payer rules grow more complex. Revenue cycle leaders should focus on strengthening eligibility checks, improving claims accuracy, and automating operations to remain financially resilient. On July 4, the budget reconciliation bill known as the “One Big Beautiful Bill Act” was signed into law, introducing sweeping changes to Medicaid, Medicare and Affordable Care Act (ACA) marketplace plans. At almost 900 pages, H.R. 1 sets out new eligibility, coverage and funding rules that will reshape how hospitals are reimbursed. This article explains what revenue cycle leaders need to know about the reforms and offers practical strategies for maintaining financial stability. Understanding the healthcare implications of H.R. 1 The healthcare provisions in H.R. 1 reflect a broader push by lawmakers to contain federal spending and return more control to states. While the reforms are framed as efforts to improve fiscal sustainability, they also introduce new financial risks for hospitals, particularly those serving low-income and high-utilization populations. Is your revenue cycle team ready for OBBBA? Join us for an engaging and actionable three-part live webinar series to learn how to protect your financial performance before 2026 reforms take effect. Save your spot > How does the Act affect Medicaid? Enrollment H.R. 1 makes major changes to Medicaid enrollment, with direct implications for hospital revenue and patient coverage. Starting in 2027, states will be required to run automated eligibility checks every six months for Medicaid expansion adults, and cross-check against federal databases to remove ineligible or deceased enrollees. The Act pauses implementation of a federal rule related to streamlining enrollment in Medicaid and the Children’s Health Insurance Program. Eligibility Eligibility rules are also changing. A new community engagement requirement will require some enrollees to demonstrate that they work, volunteer, or are in education for at least 80 hours a month, unless exempted. While aimed at reducing fraud, waste and misuse, changes to eligibility and enrollment could result in more patients losing coverage and increase churn and care gaps – particularly among vulnerable populations. Uncertainty around citizenship status could deter patients from seeking care, and even affect staffing in hospitals that serve immigrant communities. Cost-sharing and funding To ensure beneficiaries have a financial stake in their care, the law introduces cost-sharing requirements for some enrollees. Providers will need to be ready to help patients understand their costs and adjust collections workflows accordingly. There are also new financial penalties for states that fail to recover overpayments, and limits on how provider taxes and supplemental payments can be used to boost federal matching funds. Over time, these provisions could constrain how hospitals are reimbursed for Medicaid services, especially in non-expansion states. How does the Act affect Medicare? For Medicare, the Act offers some short-term financial relief along with longer-term reductions. Outpatient providers will see a 2.5% increase to the Medicare Physician Fee Schedule in 2026, partially offsetting inflation and COVID-related losses. However, spending cuts of 4% per year are projected to reduce Medicare funding by more than $500 billion over eight years, beginning in 2026. In addition, the law brings Medicare eligibility in closer alignment to Medicaid, by restricting access for individuals without verified lawful status or sufficient residency history. It also delays until 2035 a rule that would have made it easier for low-income beneficiaries to enroll in Medicare Savings Programs. The Congressional Budget Office (CBO) estimates that this means 1.38 million fewer beneficiaries  will be covered by MSPs. How does the Act affect the ACA? One of the most immediate concerns for hospitals involves the end of enhanced premium subsidies for low-income ACA marketplace plan enrollees. Unless Congress steps in, these will expire at the end of 2025, making coverage less affordable for many. This comes as insurers prepare to increase premiums by an average of 15% in 2026, the most significant rise since 2018. H.R. 1 also modifies eligibility and repayment rules around subsidies. Subsidies will no longer be available to individuals disenrolled from Medicaid due to immigration status. Starting in 2027, most enrollees in marketplace plans will need to verify their eligibility for premium tax credits each year, effectively ending automatic re-enrollment. Without these subsidies, over 4 million people are likely to be uninsured in 2034. For hospitals, this means more self-pay patients, delayed collections and higher uncompensated care, especially in areas with large working-age populations. Financial risks: Medicaid cuts and rising uncompensated care The CBO projects that over 10 million people could lose health coverage by 2034 due to combined Medicaid and ACA reforms. This is a major financial risk for hospitals, particularly safety-net and rural providers. The Center for American Progress suggests that uncompensated care costs could increase by at least $36 billion by 2034 – a figure that will be especially painful in the context of reduced federal funding. Some newly uninsured patients may not seek alternative coverage, potentially leading to higher emergency department use. Those with ongoing health needs are more likely to find new coverage, but hospitals could still see a smaller insured population overall, and it could well be one that is older, sicker and more expensive to treat. Revenue cycle teams should prepare for an increase in self-pay volumes and greater demand for charity care and financial assistance. Organizations in high-Medicaid regions may need to reassess cost estimation tools, financial assistance screening and collections workflows to manage the effects. See how Patient Financial Clearance is helping Community Health System prepare for a potential rise in uninsured patients in 2026 by automating eligibility verification and coverage screening. Strengthening front-end access and eligibility workflows Jason Considine, President at Experian Health, says that providers can be proactive in ensuring their revenue cycle operations are ready to adapt and scale, if and when the time comes: “It’s an uncertain time. However, as we wait to see how the changes to coverage and reimbursement play out in practice, providers aren’t just looking for predictions. They need actionable strategies. Strengthening front-end eligibility and financial clearance processes is one of the most immediate ways to reduce risk and support patients through coverage transitions. Experian Health helps organizations do that by offering automated tools that uncover hidden coverage, verify eligibility in real time, and provide clear, accurate patient estimates.” Here are a few examples: Getting eligibility right. Patient Access Curator™ uses artificial intelligence to run multiple data checks at once, covering eligibility verification, coordination of benefits, Medicare Beneficiary Identifiers, demographics and coverage discovery. Minimizing the risk of uncompensated care. Patient Financial Clearance uses real-time data to identify patients who may qualify for charity care and recommends suitable payment plan options, while minimizing manual work for staff. Helping patients figure out their financial obligations. Patient Payment Estimates draws on real-time data, including insurance coverage, payer contract terms and provider pricing, to give patients an accurate breakdown of their treatment costs. This improves transparency and reduces the risk of missed payments. Case study: Experian Health and Exact Sciences See how Exact Sciences added $100 million to their bottom line in just two quarters with Patient Access Curator. Optimizing claims and collections in a tighter reimbursement environment In addition to strengthening front-end processes, providers need to ensure their back-end operations are ready to handle the ups and downs. Denied claims are already a major challenge for providers: in Experian Health’s 2024 State of Claims survey, 73% said denials are increasing and 77% report more frequent payer policy changes. More than half have seen a rise in claims errors, highlighting an opportunity for improvement. As automation and AI continue to advance, healthcare providers have a chance to improve claims management and reduce denials. Embracing these solutions can reduce the costly burden of reworking claim denials and improve cash flow. If claims workflows are already struggling, providers can’t afford any extra friction. However, the H.R. 1 reforms will likely increase the administrative burden and make timely reimbursement even harder to secure. This makes digital transformation increasingly urgent. Some priorities to tackle with automation and analytics include: Improving first-pass claim accuracy.  AI Advantage™– Predictive Denials  uses artificial intelligence, machine learning and predictive analytics to scan claims before they are submitted to root out errors and flag high-risk submissions so they can be corrected. It analyzes historical payment data and real-time payer behavior to determine whether a claim is likely to be rejected, so staff can work faster and more efficiently to increase clean claim rates. Streamlining claims management. ClaimSource® helps providers manage the entire claim cycle from a single application. Voted Best in KLAS for Claims Management and Clearinghouse for the last two years, the platform automates claim submission to reduce manual work and support cleaner submissions. It performs customizable edits, formats and submits claims, and allows staff to create custom work queues for greater efficiency. Using data to optimize collections. Collections Optimization Manager uses data-driven insights to help revenue cycle management (RCM) teams focus on the right accounts and collect more, faster. By segmenting patients based on their propensity to pay and screening out accounts unlikely to yield returns (such as deceased, bankrupt or charity accounts) the tool helps reduce the cost to collect and saves valuable staff time. Case study: Experian Health and Weill Cornell See how Weill Cornell increased collections by $15 million with Collections Optimization Manager. Preparing for volatility with scalable technology Revenue cycle teams can’t control policy changes or budget decisions, but they can control the systems that keep their operations running. Experian Health’s end-to-end revenue cycle solutions are designed to support this kind of operational resilience. From coverage discovery to claims analytics, scalable platforms give providers the flexibility to respond quickly to financial disruptions using consistent and familiar technology. “When so much is out of your hands, the smartest move is to focus on what you can control. Scalable tech gives RCM leaders that control, so when payer rules shift or self-pay volumes spike, they’re ready to respond without slowing down,” says Considine. “It also helps them stay ready for compliance shifts and respond faster to regulatory changes without overhauling their workflows.” Blog: Revenue cycle management checklist - improve experience and profits Get a practical checklist to optimize patient access, collections and claims management, while building a resilient and patient-centered revenue cycle. Readiness today protects financial resilience tomorrow The H.R. 1 bill has introduced significant changes across Medicaid, Medicare and the Affordable Care Act. New eligibility requirements, adjustments to reimbursement formulas, reduced subsidies and greater administrative complexity are all expected to influence how patients access coverage and how care is financed moving forward. While the long-term impact will vary by market and patient population, disruption is coming. Hospitals and health systems that rely on outdated workflows or fragmented technology will face growing challenges in managing changing coverage patterns and rising uncompensated care. As the specific effects of the “One Big Beautiful Bill” become clearer, revenue cycle leaders will be tasked with making fast choices under pressure. How will coverage changes affect patient behavior? What happens to reimbursement if eligibility gaps widen? The focus won’t just be on protecting revenue, but also on supporting patients who may be confused or anxious about what the new rules mean for them. The ability to track changes and adapt accordingly will be a competitive advantage for providers looking to stay ahead. Find out how Experian Health can help hospitals prepare for reforms by modernizing revenue cycle operations and reducing exposure to revenue loss. Learn more Contact us

Highlights: Transparent pricing puts the patient in control of their healthcare and financial decisions. However, many providers don't have the right tools to provide accurate, upfront estimates. The February 2025 executive order put added pressure on hospitals to comply with new healthcare regulations and deliver proof of meeting new compliance standards. Price transparency solutions help providers provide solid estimates, reliable delivery and reporting that stands up to scrutiny. While price transparency in healthcare has improved, it still needs some work. According to the latest Experian Health data, 88% of providers say there's an urgency to improve or implement accurate estimates. Along with the Hospital Price Transparency rule (CMS-1717-F2) that took effect in January 2025, providers are also feeling the heat from a newly signed executive order aimed at strengthening regulations around hospital price transparency—and must take swift action to get compliant. While the full impact of the new executive order is still being defined, now is the time for healthcare organizations to double down on meeting existing price transparency requirements—and get audit-ready. Leveraging price transparency solutions can help hospitals meet regulatory mandates, improve the patient financial experience and keep revenue cycles on track. What is healthcare price transparency? Healthcare price transparency is the practice of providing clear, upfront information to patients about the cost of medical care, including services, tests and prescriptions. In February, the U.S. President signed an executive order aimed at strengthening the enforcement of hospital price transparency. By May 26, 2025, three federal departments—Health and Human Services, Labor, and Treasury—must take action to: Require hospitals and health plans to post actual prices for items and services (not estimates) Ensure price data is standardized and easy to compare across providers and plans Improve enforcement and compliance through updated guidance or proposed rules These changes are designed to make healthcare pricing clearer and more accessible for patients and build on two existing regulations, the Hospital Price Transparency Rule and the No Surprises Act. The Hospital Price Transparency Rule aims to provide consumers with easy-to-understand information about hospital pricing, empowering patients to make informed choices about their healthcare. In addition, the No Surprises Act offers patients protection from surprise billing when certain emergency and non-emergency services are received from out-of-network providers at in-network facilities. The CMS Hospital Price Transparency Rule is evolving—and so are the expectations. Find out what’s changing, what’s at stake, and how to prepare your organization for audit-readiness and long-term success. Watch now > Why healthcare cost transparency matters to patients Patients want to understand the true cost of care, with 38% of patients saying that understanding the cost of care in advance of treatment made for a better payment experience. Yet, according to The State of Patient Access 2025, 56% of patients say they struggle to understand what their insurance covers without help from their provider. Patients also want more accurate estimates. However, despite increases in patients receiving estimates, accuracy has unfortunately gone down for the third consecutive year. Without an estimate before treatment, patients are left uncertain about how much they'll owe and are likely to postpone or cancel care. State of Patient Access 2025 report Download The State of Patient Access 2025 report for a full run-down of patient and provider views about access to care. How cost transparency in healthcare improves patient decision-making The patient financial journey can be daunting, especially as healthcare costs continue to rise. Today's patients crave improved access to understand how much care will cost, check their budget and figure out if they can afford the cost. They often also want to know the cost ahead of time to compare costs, have time to save up for the bill or explore payment options. Cost transparency puts patients in the driver's seat. When providers send accurate, transparent patient estimates upfront, patients are empowered to make more informed healthcare and financial decisions. Patients also want to understand their financial responsibility after insurance, with 77% of patients saying it's important that their provider be able to explain what their insurance covers before treatment. Additionally, 81% of patients also report that accurate estimates help them better prepare to pay their medical bills. This can lead to patients getting the care they need instead of putting it off due to unknown costs. Benefits of hospital price transparency for providers Non-compliance with price transparency regulations can lead to penalties and public notices that impact your reputation. With the passing of the new executive order, the Centers for Medicare & Medicaid Services (CMS) is ramping up enforcement of price transparency regulations. In the first two months of 2025 alone, more actions were taken than in all of 2024. Healthcare organizations with price transparency tools in place will be in a strong position to meet current regulations and whatever comes next. Price transparency also comes with financial benefits, like an increased chance for prompt patient payments, which can help keep revenue cycles on track. According to Experian Health data, 38% of patients report that understanding the cost of care before treatment made for a better payment experience. When patients can pay their bills in full or through a payment plan, providers spend less time chasing collections. More on-time collections help providers maximize revenue, avoid revenue leaks and minimize the potential for bad debt. The role of price transparency tools in the healthcare system Regulatory requirements around price transparency are rapidly evolving. Price transparency tools help hospitals stay compliant, improve the patient financial experience and reduce administrative burden for busy staff. Tools like the Patient Estimates from Experian Health and Cleverly + Associates offer the following benefits: More accurate estimates: Experian Health's Patient Estimates solution generates real-time estimates using the most up-to-date payer contracts, fee schedules and historical claim data. Audit protection: Patient Estimates includes four built-in reports to align estimates with actuals, track collections, and prove compliance, so hospitals are always audit-ready. Improved workflows: Efficient solutions that streamline estimate delivery, reduce estimate errors and easily scale to replace time-consuming manual processes and disjointed delivery systems. Improved patient access to estimates: A self-service portal allows patients to conveniently access personalized estimates. Hospitals can also use complementary tools, like Patient Financial Advisor, to text estimates to patients or download an estimate PDF in-office. With this solution, some clients have reported a direct correlation between automated estimate delivery and collections increases by nearly 133%. Moving toward a more transparent healthcare future with Experian Health Experian Health is committed to developing solutions that strengthen price transparency in healthcare. Through a partnership with Cleverley + Associates, Experian Health is making it simpler for hospitals to be in compliance with price transparency regulations and help patients understand the cost of care. Learn how price transparency solutions from Experian Health and Cleverley + Associates can help healthcare organizations stay compliant with current regulations and help patients better understand their costs. Learn more Contact us

Full implementation of the Appropriate Use Criteria program has been indefinitely delayed, giving providers more time to prepare. The Centers for Medicare and Medicaid (CMS) introduced the consultation mandate to ensure that advanced diagnostic imaging services would be provided to Medicare beneficiaries only where medically necessary. Originally slated to commence in January 2022, the penalty phase had already been pushed back until January 1, 2023, at the earliest, due to logistical challenges and concerns about the administrative burden on providers. While penalties for non-compliance won’t kick in just yet, claims submitted before full implementation could still be subject to denial. Providers should take advantage of the extended educational and operations testing period to stress-test their pre-claims infrastructure for any Medicare claims that would fall under the program or that require other forms of pre-authorization. This means implementing alerts to comply with the Appropriate Use Criteria program and prior authorizations requirements To support providers to manage these changes, Experian Health’s Prior Authorizations solution now includes informational alerts for Medicare plans where a patient order needs to comply with AUC or requires prior authorization. Recap: what the Appropriate Use Criteria program means for providers The AUC program requires providers to consult a Clinical Decision Support Mechanism (CDSM) any time they want to order specific advanced diagnostic imaging services for certain Medicare outpatients. The CDSM online portal will check the patient’s record to confirm whether AUC requirements apply. The ordering physician must pass on this information to the imaging services provider. Any physicians whose ordering patterns are considered outliers will need to seek prior authorization. The process for this hasn’t yet been determined. To secure reimbursement for diagnostic imaging services, imaging service providers will need to have the appropriate certificate of compliance. This means that while the administrative responsibility lies with the ordering provider, the financial consequences of non-compliance sit with the service provider. That may or may not be the same facility. Clear communication, robust records management and interoperable data will be essential to avoid claim denials. Pitfalls of manual prior authorizations and pre-claim reviews Many healthcare providers still rely on manual paperwork for prior authorizations and pre-claim reviews. However, these processes are inefficient and prone to error, especially as claims increase in volume and complexity. The Council for Affordable Quality Healthcare (CAQH) estimates that manual status inquiries take up to 30 minutes each, with automated alternatives reducing this by up to a third. The financial impact is compounded by staff time wasted on unnecessary rework, non-compliance penalties and denied claims. Automated compliance checks can help ensure that no pre-claim requirements are missed. With tools such as Experian Health’s online prior authorizations solution, claims are more likely to be complete and compliant, denials will be less likely, and staff will be able to work more efficiently than if they attempt the process manually. This online service automates prior authorization inquiries with auto-filled payer data, only prompting users when their involvement is needed. Inquiries take place behind the scenes, using dynamically updated knowledgebase stores. Now, the knowledgebase will facilitate quick checks to see if a procedure also requires AUC adherence and alert users accordingly. Enhanced automated pre-claim checks for cleaner claims the first time The new informational alerts are the latest enhancement to Experian Health’s pre-claim management solutions to help providers stay compliant. Earlier in 2022, the Medical Necessity application was adapted to include informational alerts when a procedure needs AUC adherence or prior authorization for Medicare patients. Medical Necessity prevents denials and fines by automatically validating medical necessity checks for Medicare claims. Beyond requirement checks for Appropriate Use Criteria and prior authorizations, automation can also be used to improve other aspects of claims management increase claim accuracy and avoid denials. For example, Claim Scrubber reviews each claim line-by-line, verifying that the claim is coded correctly before it’s submitted to the clearinghouse or payer. Claim Scrubber generates general and payer-specific edits, which now also include AUC adherence checks. Users receive alerts with detailed explanations of why a claim was flagged, so modifications can be made before the claim is submitted. These tools integrate seamlessly with electronic medical record systems so claims and patient orders can be checked against payer rules for medical necessity, frequency, duplication and updated modifiers, and to ensure patient information is current. This also facilitates a more reliable exchange of information between all those involved in the provision and reimbursement of healthcare services. Not only does this promote compliance with Medicare rules and reduce the risk of penalties and denials, but it also promotes better communication between healthcare organizations to deliver high-quality care and a better patient experience. Find out more about how Experian Health’s enhanced pre-authorization solutions support better claims management and help healthcare providers comply with Appropriate Use Criteria and other prior authorizations requirements.

The No Surprises Act, effective Jan. 1, 2022, requires that healthcare providers include a “Good Faith Estimate” that covers all relevant codes and charges. This was established to increase price transparency for patients. For a summary of the No Surprises Act, read our previous blog. In our recent webinar, hosted on December 15, 2021, industry expert Stanley Nachimson, principal of Nachimson Advisors*, answered our audience’s most pressing questions about “Good Faith Estimates.”** To read the FAQs from our first webinar, click here. Experian Health can help your healthcare organization navigate the regulatory landscape  and implement solutions ranging from transparent, patient-friendly estimates to our all-new FREE No Surprises Act (NSA) Payer Alerts Portal.  Here’s what Nachimson had to say: Q1: What are the top things to do now to prepare for the No Surprises Act by Jan. 1? SN: Set up processes to avoid out-of-network billing for emergency and in-network facility services Out-of-network providers need to make sure they have the right processes set up to avoid surprise billing patients. Evaluate in-and-out of network status for all providers Implement Good Faith Estimate for Uninsured/Self Pay from a single provider Make sure to have a process in place for self-pay or uninsured patients Prepare patient notice documents Train staff and ensure they’re aware of new rules and changes Q2: What must be included in the Good Faith Estimate starting 1/1/22? SN: Starting Jan 1, 2022, the only Good Faith Estimates required are for “self-pay” or uninsured patients. These are the only ones that will be enforced/mandated on January 1st. CMS has created forms that show what GFEs should include. This includes individual services that will be provided in an encounter, line-item descriptions of services, procedure codes, diagnosis codes, and more. Estimates should be within $400 of the final bill for any provider or facility that was included, assuming there are no extenuating circumstances. Q3: How should providers deliver the Good Faith Estimate to the patient? Payers? SN: For patients, Good Faith Estimates should be delivered in a written document. This can be done through email, USPS, or delivered in person. Currently, providers do not need to worry about sending anything to payers. Regulators put this requirement on indefinite hold until they have more clarity on the technical delivery/transition of this data. CMS expects to provide a ruling clarification on this in 2022. Experian Health is now offering a FREE comprehensive, updated list of No Surprises Act (NSA) payer policy alerts for United States hospitals, medical groups, and specialty healthcare service organizations. Q4: What are the differences between Insured & Self-Pay Good Faith Estimates that providers should consider starting Jan. 1? SN: There will probably be no significant difference in the GFEs for self-pay vs insured individuals. However, the GFEs will be sent to health plans for the insured individuals. At this point, there is no standard electronic delivery method. Individual providers/organizations may come up with their own paper or electronic form, assuming it contains all the required information. At some point in the future, the GFEs will be sent to health plans for insured patients, and that will most likely be a standard transaction. CMS is currently waiting on guidelines for what this transaction will look like. Q5: How does an estimate get calculated when there are multiple providers involved? Who is the “convening provider?” SN: A convening provider is the provider that (1) is responsible for scheduling the primary item or service(defined as “the initial reason for the visit”), or (2) receives a request from an individual shopping for an item or service)—must determine at the time an item or service is scheduled or when a patient is shopping for care whether the patient is a self-pay patient, as defined above. This will not be enforced on Jan. 1, 2022. In 2022, each provider will be expected to provide the GFE for their own services. Because there aren’t any processes in place, the healthcare industry will have at least 1 year to develop a standard guideline for gathering this information. The requirement that the convening provider combines all provider GFEs into one GFE will not be enforced until 2023.This means that over the course of 2022, the convening provider will not be required to include estimates from other providers.  The industry will need to create a standard guideline and establish communication processes first. Until then, patients will need to ask every provider involved for a Good Faith Estimate.  Providers may wish to consider how they will accomplish this during 2022. Q6: Does the Good Faith Estimate apply to all services – even office visits? Labs? Urgent care? Drop-ins? SN: It applies to all types of services. However, depending on when the service is scheduled, the timeframe will vary on when the Good Faith Estimate can be sent out. Q7: If the actual charges are more than $400 greater than the Good Faith Estimate, what consequences will be there for providers starting Jan. 1? SN: The latest rule established an independent dispute resolution process.  The patient must initiate the process within 120 days of receiving the bill, file the required documentation and pay a $25 administrative fee. Webinar Series: Unpacking The No Surprises Act and Q&A with an expert Industry expert Stanley Nachimson, Health IT Implementation Expert, recently hosted a series of webinars to help providers get up to speed on what they need to do to comply with the No Surprises Act. Learn about the Good Faith Estimate, how NSA will apply in different care settings, and more. *Stanley Nachimson is not an employee or representative of Experian Health. **The scope and details of the No Surprises Act are evolving. The information provided here is up to date as of December 23, 2021. This content is intended for information and education purposes only.  Experian Health cannot and does not provide legal and compliance guidance.  It is recommended that all organizations review the regulation thoroughly and seek appropriate legal and compliance guidance to determine an appropriate strategy for compliance. Experian Health offers solutions across the healthcare journey – including patient engagement, revenue cycle management, identity management, care management and analytics – that may contribute to meeting compliance requirements.  

Healthcare data breaches are nothing new, but their size and frequency are increasing: CVS Health lost over a billion search records when a third party accidentally made an online database publicly accessible in March 2021. A ransomware data breach at prescription management vendor CaptureRx affected over a million patients at 17 healthcare providers in February 2021. More than 3.47 million individuals and at least 10 healthcare organizations were affected by a massive data breach at file transfer company Accellion, which spanned multiple global industries in December 2020.   Further illustrating the risks to healthcare organizations, Scripps Health in San Diego was hit with two class-action lawsuits that assert that the organization should have done more to protect patient data. If upheld, it will set a precedent for healthcare organizations to be held legally responsible for failing to protect data – to the tune of $1000 per patient. The direct monetary cost of fines and lawsuits, however, may ultimately be a secondary concern as damaged reputation is often a more difficult setback to overcome. Patients increasingly approach healthcare as “consumers” and a breach – or a poorly managed breach situation – might prompt them to look elsewhere for care. “Incidents happen every day. However, the real threat lies in how quickly and efficiently an organization can respond. This is what customers will remember. You need to be able to make prompt updates to your website, scale up call center capacity, and have answers ready when consumers need them.” The growing frequency and scale of health information breaches means it’s no longer sufficient to say, “we’re careful with our health data – this won’t happen to us.” Medical identities are extremely valuable, which makes them an attractive target to cybercriminals. In addition, the sudden increase in virtual care and remote working during the pandemic has created new vulnerabilities in data security.   A recent FBI alert that a major ransomware group is targeting the healthcare sector with phishing attacks is a cl reminder that healthcare organizations can’t relax when it comes to cybersecurity. It’s a case of “when, not if” a healthcare organization will have to deal with a breach. Prevention is the goal, but preparation is the smart strategy.   Shifting from data breach prevention to preparedness   During the pandemic, the volume of data being shared within and between healthcare organizations sky-rocketed, as providers offered more virtual care services and workforces became more distributed. While these innovations meant access to healthcare and work could continue safely, the shift to cloud-based data sharing and storage, means the data perimeter is much broader and tougher to secure – if there remains a perimeter at all. Data must be secured at the device- and employee-level now.   While prevention is better than cure, the hard truth for healthcare cybersecurity teams is that they’re increasingly likely to have to deal with a breach. Unfortunately, many organizations don’t have the technology, resources, or time to prevent breaches all the time, at every access point.   Chris Wild, vice president at Experian Health, says:   “We’re seeing an increased frequency of cyber threats across the whole industry. Hardly a week goes by that we don’t hear of a health system under attack from hackers or ransomware. The statistics show us there’s a health data breach nearly every single day, so it’s just a matter of time before it impacts any one provider, pharmacy, payer or physician group.”   Instead of focusing solely on prevention, healthcare organizations need a strategy to prepare for what happens when a breach occurs. If they don’t, they risk a long, public struggle to contain the breach, resulting in brand damage, patient loss, and financial consequences in the form of fines and lost revenue.   Building a data breach response plan   Recovering from a data breach requires a speedy and thorough response. With a plan in place, action can be taken as soon as the dreaded call comes in. Knowing exactly what needs to be done to meet HIPAA notification requirements, helps reassure consumers and regulators alike that every effort is being made to contain the breach. Not only will this help minimize fines, but it will also mitigate against the reputational damage caused by the security breach.   A breach is bad enough but compounding the negative impact of exposed data by failing to provide sufficient support to worried consumers is even worse. Wild says: “Incidents happen every day. However, the real threat lies in how quickly and efficiently an organization can respond. This is what customers will remember. You need to be able to make prompt updates to your website, scale up call center capacity, and have answers ready when consumers need them.”   A robust response plan calls for C-suite engagement, clear success metrics, and regular pressure-testing. Above all, it must be flexible to adapt to whatever size and type of breach occurs.   The best support for the worst-case scenario A data breach response plan isn’t going to prevent the breach itself, but it can help a healthcare organization take the right steps in the aftermath. Having serviced thousands of data breaches over the last 17 years, Experian Health’s Reserved Response™ program is based on real world experience and has evolved as the threats and consequences have increased. In a recent survey, clients using Reserved Response reported 15% fewer data security incidents than those who did not. Furthermore, any incidents that did occur tended to be smaller in scale.   Because the risk and impact of data breaches is trending upwards, this year Experian Health has introduced a new Reserved Response Hub. This digital, self-service tool helps to prepare and test a data breach plan, including: the new and improved 2021 Data Breach Response Guide downloadable readiness reading materials tried and tested notification templates a pre-breach incident checklist access to Experian’s full Reserved Response service, which provides support before or after a breach to ensure regulatory compliance and support for those impacted.   Reserved Response can help healthcare organizations put together a data breach preparedness plan in as little as three days.