Scope of Liability for Billing Services
According to the HIPAA Privacy Rule, covered entities (CEs) such as hospitals, physicians, clearinghouses, and certain insurance payers are obligated to safeguard individually identifiable health data, known as protected health information (PHI). The HIPAA Security Rule extends the liability of CEs to PHI transmitted in electronic form (ePHI). HIPAA also defined business associates (BAs) as entities that work as “trading partners” with CEs, and under this definition medical billing services are classified as BAs. Unlike CEs, BAs were initially exempt from HIPAA statutes, but that has changed.
One provision of the American Recovery and Reinvestment Act (ARRA), passed in January 2009, called the Health Information Technology for Economic and Clinical Health (HITECH) Act, stipulates that BAs such as billing companies are now liable under HIPAA for acts such as a breach of PHI/ePHI. This raised a stir among billing agencies as to the scope of their responsibility under HITECH, and also raised the question of whether independent billing services can be cited under the False Claims Act if a client commits fraud.
There’s one missing link in the life cycle of the administrative process, and that’s the coder. Independent billing companies do not always have coders on staff, nor do they have ready access to their clients’ medical records. Coders are usually employed by the provider, and they abstract information from the doctor’s notes to determine the appropriate codes to be designated on the superbill. Billing companies serve as a pipeline to the payer and are not typically vulnerable to false claim charges. However, if the billing company does provide coding services, such as documentation integrity review or code verification, its billers may be liable in an OIG or payer audit should it uncover an act of fraud such as upcoding or unbundling.
Under HITECH, if an independent billing company receives PHI, such as on paper registration forms, superbills, and referral forms, it must protect that information, including proper waste destruction with shredders and/or the use of a certified data destruction company. If the billing service handles ePHI, it must ensure that it has the appropriate safeguards (such as firewalls and encryption/decryption) required by the HIPAA Security Rule, and that it follows proper procedures for the destruction or re-initialization of data-storing media.
By Ken Camilleis, CPC, CPC-I, CMRS