Billing Services Not as Liable
By Ken Camilleis, CPC, CPC-I, CMRS
According to the HIPAA Privacy Rule, covered entities (CEs) such as hospitals, physicians, clearinghouses, and insurance payers are obligated to safeguard protected health information (PHI). The HIPAA Security Rule extends liability of CEs to PHI transmitted in an electronic format (ePHI). HIPAA also defines business associates (BAs) as entities working as “trading partners” with CEs. Medical billing services under this definition are classified as BAs; however, unlike CEs, BAs were initially exempt from HIPAA statutes.
One provision of 2009’s American Recovery and Reinvestment Act (ARRA), referred to as Health Information Technology for Economic and Clinical Health (HITECH), contains a stipulation that BAs (e.g., billing companies) are liable for actions under HIPAA, such as breach of PHI/ePHI. This raised a stir among billing agencies as to the scope of their responsibility under HITECH and whether independent billing services can be cited under the False Claims Act if a client commits fraud.
Outsourcing of the medical billing function is a cost-effective method allowing medical practitioners to focus on the clinical side of medicine while the billing company concentrates on a practice’s A/R. The coder is the missing link in the life cycle of the administrative process. Independent billing companies don’t always have coders; neither do they have ready access to their clients’ medical records. The provider usually employs the coders. The billing company merely serves as a pipeline to the payer and isn’t vulnerable to false claim charges. But if the billing company does provide coding services – such as documentation integrity review or code verification – its billers may be liable in the case of an OIG or payer audit.
Under HITECH, if an independent billing company receives PHI, such as on paper registration forms, superbills, and referral forms, it must protect that information, including by destroying it with shredders or by using a certified data destruction company. If the billing service handles ePHI, it must ensure that it has the appropriate safeguards required by the HIPAA Security Rule.