Know Who Your BAs Are
By Ken Camilleis, CPC, CPC-I, CMRS
According to HIPAA’s Privacy Rule, covered entities (CEs) such as hospitals, physicians, clearinghouses, and certain insurance payers are obligated to safeguard individually identifiable health data, or protected health information (PHI). The HIPAA Security Rule extends the liability of CEs to PHI transmitted in an electronic format (ePHI). HIPAA also defined business associates (BAs) as entities that work as “trading partners” with CEs; under this definition, medical billing services are classified as BAs.
Outsourcing the medical billing function is a proven, cost-effective way to let medical practitioners focus on the clinical side of medicine while the billing company concentrates on effectively managing the practice’s accounts receivable.
Unlike CEs, BAs were initially exempt from HIPAA statutes, but that has changed.
One provision of the American Recovery and Reinvestment Act (ARRA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, stipulates that BAs such as billing companies are now liable under HIPAA for acts such as a breach of PHI/ePHI. This raised a stir among billing agencies as to the scope of their responsibility under HITECH, and also raised the question of whether independent billing services can be cited under the False Claims Act if a client commits fraud.
The “missing link” in the life cycle of the administrative process is the coder. Independent billing companies do not always have coders on staff, nor do they have ready access to their clients’ medical records. Coders are usually employed by a provider, and they abstract information from the provider’s notes to determine the appropriate codes.
Billing companies serve as a pipeline to the payer and are not especially vulnerable to false claim charges. However, if the billing company does provide coding services, such as documentation integrity review or code verification, its billers may be liable in the case of an OIG or payer audit if that audit uncovers an act of fraud such as upcoding or unbundling.
Under HITECH, if an independent billing company receives PHI, such as on paper registration forms, superbills, and referral forms, it must protect that information, including proper waste destruction with shredders and/or the use of a certified data destruction company. If the billing service handles ePHI, it must ensure that it has the appropriate safeguards (such as firewalls and encryption/decryption) required by the HIPAA Security Rule, and that it follows proper procedures for the verified destruction or re-initialization of data-storage media.