
Hiring out Billing? Ensure PHI is Protected

By Ken Camilleis, CPC, CPC-I, CMRS
Just because you have outsourced your practice’s billing doesn’t mean you aren’t responsible for protecting protected health information (PHI). Here are some tips to help protect your practice.
According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, covered entities (CEs) such as hospitals, physicians, clearinghouses, and insurance payers are obligated to safeguard PHI. The HIPAA Security Rule extends liability of CEs to PHI transmitted in an electronic format (ePHI). HIPAA also defines business associates (BAs) as entities working as “trading partners” with CEs. Medical billing services under this definition are classified as BAs; however, unlike CEs, BAs were initially exempt from HIPAA statutes.
One provision of the American Recovery and Reinvestment Act of 2009 (ARRA), referred to as Health Information Technology for Economic and Clinical Health (HITECH), contains a stipulation that BAs (e.g., billing companies) are liable for actions under HIPAA, such as breach of PHI and ePHI.
Since the 1980s, outsourcing of the medical billing function has proven a cost-effective method, allowing medical practitioners to focus on the clinical side of medicine while the billing company concentrates on a practice’s accounts receivable. The billing company serves as a pipeline to the payer and isn’t vulnerable to false claim charges. But if the billing company provides coding services, such as documentation integrity review or code verification, its billers may be liable in the case of an Office of Inspector General (OIG) or payer audit.
Under HITECH, if an independent billing company receives PHI, such as on paper registration forms, superbills, and referral forms, it must protect that information, including destroying it with shredders and/or through a certified data destruction company. If the billing service handles ePHI, it must ensure it has appropriate safeguards as required by the HIPAA Security Rule.
