Outsourced Billing and Coding - Compliance Risks
http://www.lilesparker.com/2012/08/16/outsourced-billing-compliance-risks/#respond August 16, 2012 by Robert Liles
Outsourced Billing - What's the Risk?
Thinking of sending your medical coding and billing functions out of the
country? You'd better think twice. While overseas outsourced billing is
growing in popularity for medical office functions, this practice represents
a unique and growing set of problems for both physician practices and
third-party billers. And the news is just getting worse.
HIPAA and HITECH Provisions
As you know, the Health Insurance Portability and Accountability Act of 1996
(HIPAA) protects patients' rights to privacy, and requires that "covered
entities" properly secure and safeguard protected health information (PHI).
While HIPAA has long represented an administrative headache for many small
and medium providers, it has only been more complicated by the rise of
electronic data processing and transmission. In 2009, Congress passed the
HITECH Act as part of the American Recovery and Reinvestment Act (ARRA).
HITECH governs the use and disclosure of e-PHI and related computer systems,
and significantly amends portions of HIPAA. For instance, HITECH calls for
HIPAA audits, which are currently being conducted around the country. It
also created an enhanced penalty structure by which the Office for Civil
Rights (OCR) can fine entities up to 1.5 million dollars per year for
wrongful use or disclosure and/or breaches of PHI. But what do these laws
have to do with outsourced billing?
Plain and simple, a provider cannot relieve themselves of their obligations
under HIPAA or HITECH by sending many of their administrative functions
offsite. Instead, it's just the opposite - providers are responsible not
only for their practice, but also the acts of their business associates and
their respective subcontractors. This is a significant wrinkle in the use of
overseas contractors. While there are many benefits, including cost and
efficiency (i.e. sending records at the close of business and getting
everything back when business starts the next day), these incentives are
overshadowed by the problems presented by HIPAA.
Compliance Concerns with Outsourced Billing
First of all, you have no guarantees that a coding and billing business
overseas is HIPAA compliant or even understands the law at all. Is the
outside entity taking proactive steps to establish administrative,
technical, and physical safeguards for your patients' PHI? Even if they say
they are HIPAA compliant, how can you verify that information? To counter
this, many outsourced billing companies, such as those in India or Pakistan,
may argue that they will sign a contract indemnifying you for any HIPAA
breaches and the resultant penalties. But if something goes wrong (as it
inevitably does), obtaining a judgment against the outside entity is next to
impossible, takes a substantial amount of time, and costs a lot of money. We
had previously reported that the backlog for having a case heard in India
was nearly 20 years. But recent estimates by the National Bar Association of
India put that figure closer to "350 to 400 years." That is, if you were to
sue an Indian billing company today, you might not go before a judge until
AD 2362 - and that's a long time for your great-grandchildren to wait. Not
to mention that suing the outsourced third-party biller for contribution
(i.e. the portion of your penalties for which they are reasonably
responsible) is extremely difficult and complex.
On top of this, employees of foreign companies have recently been extorting
American providers over the PHI in their medical records. In one instance an
employee of a billing company in Pakistan had had enough. She didn't think
she was being paid enough and contacted the hospital whose records she was
currently working on. She demanded a significant sum of money from the
hospital or she would release the medical records on the Internet and
anonymously contact United States authorities. Essentially holding the
records and the PHI they contained hostage, the worker managed to extort
payment from the hospital. And again, attempting to report her to the local
authorities or sue her in a court would be a difficult and probably
unsuccessful endeavor. When employees from outsourced billing companies have
access to this information and bad intentions, they have many providers by
the proverbial "short hairs."
Additional References:
http://nationalbarindia.org/articles/4/backlog-of-cases-in-indian-courts-the-way-out/