HIPAA > HIPAA
INTERESTING article on Compliance issues from using OFFSHORE companies
PMRNC:
Outsourced Billing and Coding - Compliance Risks
http://www.lilesparker.com/2012/08/16/outsourced-billing-compliance-risks/#respond
August 16, 2012 by Robert Liles
Filed under Compliance, Health Law Articles
Outsourced Billing - What's the Risk?
Thinking of sending your medical coding and billing functions out of the
country? You better think twice. While overseas outsourced billing is
growing in popularity for medical office functions, this practice represents
a unique and growing set of problems for both physician practices and 3rd
party billers. And the news is just getting worse.
HIPAA and HITECH Provisions
As you know, the Health Insurance Portability and Accountability Act of 1996
(HIPAA) protects patients' rights to privacy, and requires that "covered
entities" properly secure and safeguard protected health information (PHI).
While HIPAA has long represented an administrative headache for many small
and medium providers, it has only been more complicated by the rise of
electronic data processing and transmission. In 2009, Congress passed the
HITECH Act as part of the American Recovery and Reinvestment Act (ARRA).
HITECH governs the use and disclosure of e-PHI and related computer systems,
and significantly amends portions of HIPAA. For instance, HITECH calls for
HIPAA audits, which are currently being conducted around the country. It
also created an enhanced penalty structure by which the Office for Civil
Rights (OCR) can fine entities up to 1.5 million dollars per year for
wrongful use or disclosure and/or breaches of PHI. But what do these laws
have to do with outsourced billing?
Plain and simple, a provider cannot relieve themselves of their obligations
under HIPAA or HITECH by sending many of their administrative functions
offsite. Instead, it's just the opposite - providers are responsible not
only for their practice, but also the acts of their business associates and
their respective subcontractors. This is a significant wrinkle in the use of
overseas contractors. While there are many benefits, including cost and
efficiency (i.e. sending records at the close of business and getting
everything back when business starts the next day), these incentives are
overshadowed by the problems presented by HIPAA
Compliance Concerns with Outsourced Billing
First of all, you have no guarantees that a coding and billing business
overseas is HIPAA compliant or even understands the law at all. Is the
outside entity taking proactive steps to establish administrative,
technical, and physical safeguards for your patients' PHI? Even if they say
they are HIPAA compliant, how can you verify that information? To counter
this, many outsourced billing companies, such as those in India or Pakistan,
may argue that they will sign a contract indemnifying you for any HIPAA
breaches and the resultant penalties. But if something goes wrong (as it
inevitably does), obtaining a judgment against the outside entity is next to
impossible, takes a substantial amount of time, and costs a lot of money. We
had previously reported that the backlog for having a case heard in India
was nearly 20 years. But recent estimates by the National Bar Association of
India put that figure closer to "350 to 400 years." That is, if you were to
sue an Indian billing company today, you might not go before a judge until
AD 2362 - and that's a long time for your great grandchildren to wait. Not
to mention that suing the outsourced third-party biller for contribution
(i.e. the portion of your penalties for which they are reasonably
responsible) is extremely difficult and complex.
On top of this, employees of foreign companies have recently been extorting
American providers over the PHI in their medical records. In one instance an
employee of a billing company in Pakistan had had enough. She didn't think
she was being paid enough and contacted the hospital whose records she was
currently working on. She demanded a significant sum of money from the
hospital or she would release the medical records on the Internet and
anonymously contact United States authorities. Essentially holding the
records and the PHI they contained hostage, the worked managed to extort
payment from the hospital. And again, attempting to report her to the local
authorities or sue her in a court would be a difficult and probably
unsuccessful endeavor. When employees from outsourced billing companies have
access to this information and bad intentions, they have many providers by
the proverbial "short hairs."
Additional References:
http://nationalbarindia.org/articles/4/backlog-of-cases-in-indian-courts-the-way-out/
PMRNC:
http://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/downloads/r9ss.pdf
"The Centers for Medicare & Medicaid Services (CMS) strictly prohibits any trading partner from outsourcing system functions overseas, unless explicitly authorized in writing by the CMS chief information officer (CIO). System functions include the transmission of electronic claims, receipt of electronic remittance advice or the access to any system for beneficiary and/or eligibility information. Any request for access by an overseas party will be immediately denied by National Government Services pending authorization from CMS."
asilva03:
Thanks Linda. This is very good information.
It makes you wonder why so many physicians are outsourcing to offshore companies. I guess one would be "cheaper", but at what cost is the question I would ask.
It also makes you wonder why some of the Medical Billing Associations advertise for these offshore billing companies. What are you really saying to the providers, it's ok...there's no risk??? I understand there is a risk even for here but not like having your business handled by one of the offshore companies especially when it comes to HIPAA and HITECH regulations.
Thanks again for the great information.
PMRNC:
--- Quote ---It also makes you wonder why some of the Medical Billing Associations advertise for these offshore billing companies. What are you really saying to the providers, it's ok...there's no risk??? I understand there is a risk even for here but not like having your business handled by one of the offshore companies especially when it comes to HIPAA and HITECH regulations.
--- End quote ---
That has been bothering me for QUITE some time.. I WON't TAKE a dime from any offshore company/biller or even a service I know is utilizing offshore practices. I refuse to contribute to the problem. How can an association claim to be AGAINST it and then have a company listing of their certified billers that are overseas?? <scratches head> maybe others don't care.
RichardP:
Re. the link and quote given by Linda above. Just so readers know that paragraph refers to providers of information systems, not doctors:
http://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/downloads/r9ss.pdf
Page 12
A CMS business partner (contractor) is a corporation or organization that contracts with CMS to process or support the processing of Medicare fee-for-service claims. These business partners include Medicare carriers, Fiscal Intermediaries, Common Working File (CWF) host sites, standard system maintainers, regional laboratory carriers, claims processing data centers, Data Centers, Enterprise Data Centers (EDCs), and Medicare Administrative Contractors (MACs) (including Durable Medical Equipment Medicare Administrative Contractors [DMEMAC] and A/B Medicare Administrative Contractors [ABMAC]).
Linda, I searched the link you provided on the word "trading" (from your quote) and got no match found. Do you have a page number for that quote?
Navigation
[0] Message Index
[#] Next page
Go to full version