OpenEMR is free, open source, and ONC certified. But how does that work? Learn the GPL model, what certification costs, and what it means for your practice.
Multi-Factor Authentication for Medical Billing: What HHS Requires and How to Set It Up
Medical billing accounts are among the most targeted credentials in healthcare. They sit at the intersection of financial data and protected health information, giving attackers two reasons to pursue them. According to HHS, the number of reported healthcare data breaches doubled between 2018 and 2024, affecting approximately 459 million people. Multi-factor authentication for medical billing is no longer a security best practice reserved for large health systems. HHS has classified it as an Essential Goal in its 2024 Cybersecurity Performance Goals, and proposed updates to the HIPAA Security Rule published in January 2025 would make it mandatory for covered entities and business associates. Billing managers, practice administrators, and RCM staff who have been treating MFA as optional need to recalibrate.

This guide covers what HHS requires today, what is changing, which MFA methods actually provide protection, and how to roll out MFA across a billing operation without disrupting your team.

Why MFA Has Become Non-Negotiable in Healthcare Billing

Credential theft is the primary attack vector against billing staff. Phishing emails that mimic payer portals, clearinghouse login pages, and EHR systems are common enough that they no longer require sophisticated targeting. A billing coordinator who enters credentials into a convincing fake login page hands attackers everything they need to access claims data, patient records, and payer accounts.

Healthcare records carry high value on criminal markets. A stolen healthcare record contains far more actionable data than a stolen credit card number: names, dates of birth, Social Security numbers, insurance IDs, diagnosis codes, and provider information. That combination enables identity theft, fraudulent billing, and insurance fraud in ways a financial record alone cannot.

The scale of this problem is documented by HHS. Reported healthcare data breaches have doubled in a six-year period, with roughly 459 million individuals affected. Billing operations, payer portals, and clearinghouse accounts are consistently among the targeted systems because they are accessible from the internet and often secured only with a username and password. A password alone does not provide adequate protection against phishing, credential stuffing, or brute-force attacks. Multi-factor authentication adds a second verification requirement that still has to be met even after a password has been compromised.

What HHS Currently Requires: HIPAA and the 2024 Cybersecurity Performance Goals

The current HIPAA Security Rule requires covered entities to implement procedures to verify the identity of persons or entities seeking access to electronic protected health information. However, the rule does not specify the verification method. A practice that verifies identity through a password alone is technically compliant with the current rule’s identity verification standard, even though a password-only approach is widely recognized as inadequate.

That gap has not gone unaddressed. In January 2024, HHS released its Cybersecurity Performance Goals, a structured framework for healthcare organizations to assess and improve their cybersecurity posture. MFA is classified as an Essential Goal within this framework, not an enhanced or optional one. The framework language is specific: the objective is to “add a critical, additional layer of security, where safe and technically capable, to protect assets and accounts directly accessible from the Internet.” MFA appears across multiple sub-goals, including Email Security and Unique Credentials. The designation as “Essential” carries a clear message: HHS treats MFA as foundational, not aspirational.

The HHS 405(d) Program, which provides the Health Industry Cybersecurity Practices (HICP) framework used by healthcare organizations for voluntary compliance, further specifies what this looks like in practice. The HICP framework includes “Enable Multi-Factor Authentication (MFA) for all Remote Access” and structures MFA under Identity and Access Management practices: 3.M.A (Identity), 3.M.C (Authentication), and 3.M.D (Multi-factor Authentication for Remote Access). For billing operations where staff access payer portals, clearinghouse accounts, and EHR systems from outside the office, these controls apply directly.

What Is Changing: The Proposed HIPAA Security Rule Update

The current HIPAA Security Rule’s flexibility around identity verification is on track to change. HHS published a Notice of Proposed Rulemaking for updates to the HIPAA Security Rule in January 2025, with a 60-day public comment period that closed in March 2025. The proposed rule would make MFA mandatory for HIPAA-covered entities and business associates. This is a material shift from the current rule, which requires identity verification but leaves the method to the organization’s discretion. Under the proposed changes, using a password alone to access systems containing ePHI would not satisfy the requirement.

The rule has not been finalized as of this writing, and the timeline for finalization depends on the regulatory process. But the direction is unambiguous. HHS has signaled through both the proposed rule and the 2024 Cybersecurity Performance Goals that MFA is expected. Organizations that wait for final rulemaking to begin implementation will be behind the compliance curve when the rule takes effect. Practices and billing companies that implement MFA now are meeting the current Essential Goal standard and positioning themselves ahead of the mandatory requirement. Those that do not are carrying documented risk.

Not All MFA Is Equal: Why Authenticator Apps Are the Right Choice

“Multi-factor authentication” describes a category of security controls, not a single technology. The three most common methods used in healthcare billing contexts differ significantly in their actual protection levels.

SMS Text Codes

SMS-based authentication sends a one-time code to a registered phone number. It is better than a password alone, but it is the weakest form of MFA available. Attackers can intercept SMS codes through SIM-swapping, a technique where a criminal convinces a mobile carrier to transfer a victim’s phone number to an attacker-controlled SIM card. Once the number is transferred, the attacker receives all verification codes. SIM-swapping attacks have been used specifically against healthcare targets. Billing staff who use SMS codes as their sole MFA factor should understand that this method is being phased out across regulated industries precisely because of this vulnerability.

Email-Based Codes

Some systems send a one-time code to an email address as a second factor. This approach is vulnerable to phishing: if an attacker has already compromised the email account, they receive the code alongside the legitimate user. Email codes also require access
OpenEMR 7.0.3 Release: What It Means for Your Workflow, Revenue Cycle, and Patient Experience
OpenEMR has officially released version 7.0.3, and it’s one of the most significant updates yet. As the world’s leading open-source electronic medical record (EMR) platform, OpenEMR continues to evolve to meet the growing demands of modern healthcare. This release delivers enhanced interoperability, smarter clinical tools, and new functionality across billing, telehealth, and patient engagement.

At ClaimRev, we work closely with healthcare organizations that use OpenEMR. We’re excited about this release—not just for what it brings to the table, but for how it can improve revenue cycle management, billing workflows, and overall efficiency for providers.

What’s New in OpenEMR 7.0.3?

Here’s a breakdown of the key new features and improvements that come with this release:

ONC Decision Support Interventions (DSI)

OpenEMR now supports B11 Decision Support Interventions, a critical component of the ONC Health IT Certification. This feature helps providers deliver safer, evidence-based care by surfacing actionable alerts and recommendations during patient encounters.

✅ Why it matters: Better clinical support leads to fewer errors and improved documentation—two key drivers in reducing claim denials.

WENO Exchange ePrescribing Module

This release introduces integration with WENO Exchange, an ePrescribing network that simplifies the prescription process for small and rural practices without traditional access to major networks.

✅ Why it matters: ePrescribing streamlines medication orders, reduces phone calls to pharmacies, and minimizes delays in patient treatment plans—all while staying compliant with eRx mandates.

Expanded Module Support: Telehealth, Fax, SMS, and More

Version 7.0.3 brings enhancements to a range of functional modules that are critical to day-to-day operations:

- Telehealth: Smoother video visit capabilities
- Fax & SMS: Better patient and provider communication
- Claims Clearinghouse: Improved integration for electronic claims submission
- Payment Processing: Easier collection of patient co-pays and balances
- Prior Authorization: Workflow support for securing payer approvals

✅ Why it matters: These tools are directly tied to revenue cycle efficiency. Missed authorizations or clunky communication workflows lead to denials and delays in reimbursement.

Enhanced Patient Portal

Patient engagement gets a boost with design and usability upgrades to the patient portal. Expect a more intuitive layout, easier access to documents, and better support for mobile users.

✅ Why it matters: Patients who engage with their health data are more likely to show up for appointments, pay bills on time, and respond to follow-up care—which keeps your revenue cycle healthy.

FHIR & API Enhancements

OpenEMR 7.0.3 strengthens support for FHIR (Fast Healthcare Interoperability Resources) and expands existing API capabilities. This makes it easier for providers to connect OpenEMR to other tools—like clearinghouses, analytics platforms, and billing software.

✅ Why it matters: For ClaimRev clients, this means smoother integrations, better data syncing, and opportunities to automate claim tracking, eligibility checks, and more.

What It Means for ClaimRev Users

If your practice runs on OpenEMR and uses ClaimRev to manage insurance claims, eligibility, or denials, this update is a step forward. These improvements set the stage for:

- Faster reimbursements
- Fewer denials from missing auths or coding gaps
- Cleaner integrations between clinical and billing tools
- Improved communication with patients and payers

In short: fewer bottlenecks, more automation, and better outcomes for your bottom line.

Planning to Upgrade?

We encourage all OpenEMR users to review the installation and upgrade guides before moving to 7.0.3. If you’re unsure how this update may affect your current ClaimRev setup, we’re here to support you every step of the way. Need help optimizing your claims process with OpenEMR 7.0.3? Contact our team.

Learn more: OpenEMR 7.0.3 Full Release Notes, Release Features Overview.

ClaimRev proudly supports healthcare practices using open-source tools like OpenEMR. We believe in empowering providers with secure, scalable, and affordable RCM solutions—so you can focus on delivering care.
Maximize Your Revenue with Customized Analytics: 8 Essential Reports for Healthcare Providers
In the competitive landscape of healthcare, maintaining financial stability is crucial. One of the most effective tools for achieving this
7 Steps to Reduce Medical Claim Rejections and Get Paid Faster
A claim rejection and a claim denial are not the same thing. Rejections happen before the claim reaches the payer.
How to Switch Medical Claims Clearinghouses Without Disrupting Your Revenue Cycle
Transitioning to a new clearinghouse can be a pivotal move for any healthcare practice. With over 20 years in healthcare
Cybersecurity for Medical Billing: How to Protect Patient Data and Claims Systems
Medical billing offices are not a secondary target for cybercriminals. They are a primary one. Billing teams handle a combination of data that attackers find uniquely valuable: protected health information (PHI), insurance policy numbers, payer credentials, and financial account details, all in one place. A single compromised billing workstation can expose thousands of patient records, lock a practice out of its clearinghouse accounts, and trigger federal breach reporting obligations.

Cybersecurity for medical billing is not an IT problem passed off to a tech vendor. It is a revenue cycle problem that billing managers, practice administrators, and RCM staff need to own. This guide explains what the risks look like, what HIPAA requires, and what steps billing teams can take right now to protect claims systems and patient data.

Why Billing Data Is a High-Value Target

Healthcare records have long commanded a premium on the black market compared to credit card numbers. The reason is straightforward: a stolen credit card gets canceled within hours, but a patient’s insurance information, Social Security number, and diagnosis codes can be used for fraudulent billing and identity theft for years.

Billing offices concentrate exactly this kind of data. A practice management (PM) system or EHR typically holds:

- Patient demographics, Social Security numbers, and dates of birth
- Insurance policy and group numbers across multiple payers
- Authorization codes and prior approval records
- Explanation of Benefits (EOB) documents
- Payer portal login credentials
- Clearinghouse account credentials

Ransomware attacks targeting healthcare billing have surged. Attackers know that locking a billing team out of their PM system or clearinghouse connection creates immediate revenue pressure: practices cannot submit claims, cannot receive ERA files, and cannot follow up on denials. That pressure increases the likelihood of paying a ransom quickly.

Credential theft is equally common. Payer portal logins give attackers the ability to redirect payments, submit fraudulent claims using the provider’s NPI and Tax ID, and access sensitive patient data without ever triggering a ransomware alert. Billing staff credentials are valuable enough that phishing campaigns target them specifically.

Understanding that billing data is a high-value target is the starting point. From there, the response has to be deliberate.

What the HIPAA Security Rule Requires for Billing Teams

The HIPAA Security Rule applies to any covered entity or business associate that creates, receives, maintains, or transmits electronic protected health information (ePHI). For billing offices, that covers nearly everything: claims files, ERA documents, patient records accessed in the PM system, and data transmitted to or from a clearinghouse.

What the Rule Requires

The Security Rule establishes three categories of safeguards:

- Administrative safeguards: Risk analysis, workforce training, access management, and security incident procedures. Most smaller practices underinvest here: they have the technical tools but lack the documented policies.
- Physical safeguards: Controlling physical access to workstations, servers, and devices that store or access ePHI. This includes screen locks, workstation placement, and policies around who can access billing computers.
- Technical safeguards: Encryption, access controls, audit logs, and automatic logoff. Clearinghouse-connected systems must encrypt data in transit. ePHI at rest should be encrypted on local drives and servers.

Business Associates Are Covered

Clearinghouses and billing software vendors that handle ePHI are considered business associates under HIPAA. They are required to sign a Business Associate Agreement (BAA) and comply with the Security Rule. Practices should verify that any clearinghouse, billing platform, or RCM vendor they work with has a current BAA in place. If a vendor resists signing one, that is a compliance problem and a red flag.

What Non-Compliance Costs

The HHS Office for Civil Rights (OCR) enforces HIPAA and investigates both reported breaches and complaints. Penalties vary based on the level of negligence, ranging from cases where the entity did not know of the violation to cases of willful neglect that are not corrected. The HHS enforcement page documents resolved investigations and the penalties assessed.

The financial exposure is significant, but the operational and reputational damage from a billing breach often exceeds the penalty itself. Patients whose data is compromised must be notified. Payers may suspend billing privileges during an investigation. Practices can spend months recovering from an incident that could have been prevented.

Access Controls for Billing Systems

Most billing data breaches trace back to one of two causes: someone had more access than they needed, or credentials were shared in ways that made tracking impossible.

Role-Based Access and Least Privilege

Every billing system, whether a PM platform, EHR, or clearinghouse portal, should be configured so that users can only access the data they need to do their specific job. This is called role-based access control (RBAC), and it applies the principle of least privilege. A front desk scheduler does not need access to claim status reports. A biller processing Medicare claims does not necessarily need access to Medicaid account settings. A coding team member reviewing charts does not need access to payment posting. Most PM systems support user roles with configurable permissions; they just require someone to set them up deliberately rather than defaulting everyone to admin access.

Multi-Factor Authentication on Billing Portals

Multi-factor authentication (MFA) is one of the most effective controls available for protecting billing accounts, and it is not optional. If a biller’s password is stolen through phishing, MFA requires a second verification step before the attacker can log in, even with valid credentials. For billing systems that handle ePHI, MFA is a baseline requirement, not a feature to consider later.

Not all MFA methods are equal, and the industry is moving away from codes sent via email or text message. SMS and email codes can be intercepted or redirected through SIM-swapping and phishing attacks. The preferred method today is an authenticator app such as Microsoft Authenticator, Google Authenticator, or Duo. These apps generate time-based one-time codes that are tied to the device itself, making them significantly harder to intercept than codes delivered through email or text.

When setting up MFA on billing portals, payer systems, and clearinghouse accounts, configure authenticator app verification wherever the option exists. If a system only offers SMS or email codes, use
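The time-based one-time codes that both MFA discussions on this page attribute to authenticator apps (the “Not All MFA Is Equal” section and “Multi-Factor Authentication on Billing Portals”) are RFC 6238 TOTP. The block below is an added example, not code from ClaimRev, OpenEMR, or any portal named here: it derives a code the way an enrolled app does and checks it on the server side with a one-step clock-drift window and replay rejection. The enrollment secret is a constructed value (the RFC 6238 test seed), not a real credential.

```python
# Added example (not from the page): RFC 6238 TOTP as authenticator apps implement it.
# The shared secret stays on the enrolled device; the server recomputes the same HMAC,
# so no code travels over SMS or email for an attacker to intercept.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length used by most billing and payer portals
WINDOW = 1     # tolerate one step of clock drift on either side


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """Code the authenticator app displays at Unix time `at` (now if omitted)."""
    key = base64.b32decode(secret_b32.upper())
    at = int(time.time()) if at is None else at
    return hotp(key, at // STEP)


def verify_totp(secret_b32: str, code: str, at: int,
                last_used: Optional[int]) -> Tuple[bool, Optional[int]]:
    """Server-side check. Returns (accepted, counter_to_store_with_the_account).

    A code is accepted only if it matches a step within WINDOW of `at` and that
    step is newer than the last step already accepted, so a code that has been
    used once cannot be replayed during the rest of its 30-second window.
    """
    key = base64.b32decode(secret_b32.upper())
    current = at // STEP
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if last_used is not None and counter <= last_used:
            continue                          # already consumed: treat as replay
        if hmac.compare_digest(hotp(key, counter), code):
            return True, counter              # persist `counter` for this account
    return False, last_used


if __name__ == "__main__":
    # Constructed enrollment secret: RFC 6238 test seed "12345678901234567890" in base32.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(SECRET, 59))                                   # 287082 (RFC 6238 vector)
    ok, ctr = verify_totp(SECRET, "287082", 59, None)
    print(ok, verify_totp(SECRET, "287082", 59, ctr)[0])      # True False
```

Storing the accepted counter per account is what turns a correct code check into a replay-resistant one; a portal that only compares the code can accept the same code twice within the same step.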