Redefined Business Associate Agreements Create Concern
Guard against liability when someone else mishandles your practice’s patient records.
True story: A journalist reported finding patient medical records at a trash transfer station. An investigation revealed that a Massachusetts physician group’s billing company improperly disposed of the private health information (PHI). Although there was no direct evidence of patient harm, a court ruled this event a security breach under the new Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule. The physician group was fined $140,000.
Rule Changes Require Quick Action
According to John Brewer, president of Med Tech USA, LLC, a firm that provides HIPAA compliance consulting and solutions, “The HIPAA Omnibus Rule has altered business associate agreement (BAA) requirements pretty drastically. Before, having a BAA basically allowed you to wash your hands of liability if the business associate had a breach of your data. Now, a practice has to put any business associate under more scrutiny.”
The rule was enacted in January. Practices have until Sept. 1 to comply if the BAA is with a new associate, or until Sept. 23 if an updated version of a BAA is being put in place with a current associate.
“The big change is the same rules that apply to your practice, now apply to your business associates,” explained Michael Sacopulos, attorney and founder of Medical Risk Institute, Terre Haute, Ind., and general counsel for Medical Justice, a firm protecting physicians who have been frivolously sued. “One example is that a billing service—no matter how big or small—must have privacy and security policies, just like a practice does,” he said.
Yet, many billing services, as well as other vendors, don’t have such policies. Government studies show that almost half of all breaches come from business associates. With fines now being calculated per incident (i.e., per patient’s data breach), you can’t afford not to scrutinize every associate’s privacy and security procedures.
The Massachusetts physician group dropped the ball. “There was no BAA in place when they shared PHI with the billing service, and the billing service had failed to train its workforce about HIPAA guidelines,” Sacopulos said. His message to practices: Be prepared and pay attention. “If the practice had policies and procedures in place, the breach may still have occurred, but the fine would likely have been a fraction of the $140,000,” he said.
Karen Zupko, president of KarenZupko & Associates, Inc., a practice management consulting and training firm based in Chicago, said she encounters this sort of negligence all the time. “We commonly see clients hire small billing companies that can get a claim out the door, but that are unaware of the extraordinary regulatory environment in which we all live,” she said. “Practices that engage in these relationships carelessly put their business at great risk.”
For example, Zupko asked a recent client to provide a copy of his billing company’s service contract. “The only person who had signed it was the doctor,” she said. “The vendor never co-signed and executed the agreement.”
Three other clients Zupko recently visited used billing companies that could produce neither a service contract nor a BAA. Digging deeper, she discovered some of the same concerns Sacopulos has for his physician clients. “These companies had no policies about what to do during a breach, no internal security audit procedures, and no HIPAA training for employees,” Zupko said. “I was very distraught to find casual email communication between the practice and the billing service.”
What’s more, Zupko added, “Practices must insist on vendor accountability and responsibility.”
Initiate a Frank Discussion
“I tell doctors and practice managers that if the billing company can’t answer a few basic questions, they probably don’t understand HIPAA,” said Brewer. He recommends asking the basics, such as:
- What is your computer password policy?
- How often is electronic data backed up?
- Is this data ever taken off site and if so, is it encrypted when this occurs?
- How often does HIPAA training occur?
This line of questioning engages a frank discussion that practices must have with billing companies, as well as any other business associates with whom they share PHI.
“You entrust a billing company with your patient records and financial data, do you really want to do business with a company if it carries no liability insurance? Do you want to give access to a company that hires without conducting background checks and doesn’t require HIPAA training for employees?” Zupko asked. “A proper BAA ensures these requirements are met.”
Most of the time, the right business infrastructure in small billing companies does not exist, experts say. And there may not be good accountability systems in place as a result. That doesn’t mean you shouldn’t work with them. But it does mean your practice must take the lead when it comes to the privacy and security of your patients’ PHI.
Who Has Access to Your Accounts?
As part of your assessment of a billing company, verify that it performs background checks on all of its employees.
“I’ve got five cases where people have embezzled money from the billing company or the practice,” Sacopulos said. “You are turning over your entire revenue cycle to this company. If they don’t conduct employee background checks, you risk having unscrupulous individuals make off with your PHI.”
According to Sacopulos, billing, collection, and medical record departments and companies are ripe for infiltration by unsavory characters. This is because they have easy access to valuable identity theft information: date of birth, Social Security number, and photo identification. “Bank records are sold for $3 per person on the black market and medical records sell for $50,” Sacopulos said.
A billing clerk at Louisiana State University (LSU) Health System in Baton Rouge, La., copied and sold PHI for years before anyone caught wind of it. The Secret Service called LSU after the local sheriff’s wife’s identity was stolen. Investigators traced the theft back to the health system and found she was one of many victims. The crime ring reached into more than a dozen states, all fueled by a billing clerk in Baton Rouge.
“If a billing company employee mishandles your PHI, they are liable. But, so are you,” Sacopulos said. HIPAA business associate training should be a requirement; ask to see the billing company’s employee training records and policies.
If a company uses subcontractors (individuals or companies), verify that each has signed a BAA with the billing company and is held to the same standard as employees. “It can make sense from a business perspective for a subcontractor to outsource part of the work load,” Sacopulos explained. “Ask to be notified when outsourced deals are made, so you can make sure their practices are up to your company’s standards.” One way to do this is to check if a BAA has been signed with the subcontractor.
It’s OK for billing companies and practices to allow telecommuting, as long as the home office environment follows the identical security and privacy policies your practice does.
“All home-based workers must understand security and privacy requirements,” Brewer said. “We find that staff and physicians in our client offices often access PHI from the same home computers that they allow their kids to play games on. Or, they access the practice’s network via an unencrypted wireless network.” Both put PHI at risk.
Brewer uses a checklist with his clients’ home-based employees and subcontractors (see the “HIPAA Checklist Audit” for information and training material). “They mark off all the measures they’ve taken in the home office, and sign off that they are operating in a way the practice requires,” Brewer said. Although HIPAA does not yet require this level of scrutiny, it’s good business practice.
Stop Using Email, Start Encrypting Access
“If a billing company tells you they communicate with clients by email, that’s a red flag,” warned Brewer.
In years past, email communication may have been acceptable, with the right policies and caveats, but with meaningful use stage II looming, secure messaging will be required soon. Practices should quickly move toward it. Bottom line: “No emailing of PHI. Ever,” said Brewer.
“Secure messaging requires an ID and password and is sent over an encrypted channel. Email is sent over the public Internet,” Brewer explained. “The service contract or BAA should clarify how the company will securely transmit and handle data when it is accessed from the billing location.” He also suggests changing expectations by changing terminology. For example, Brewer said, “Never say, ‘we’ll email you.’ ‘We’ll secure message you’ is better.”
The best way to access, share, and transmit data is through an encrypted, protected electronic health record (EHR) portal. That way, all information is transmitted from a single repository. It’s the most practical way to minimize manual steps and cutting and pasting, both of which can be risky. Every step that someone can “forget” to complete is a chance for critical data never to reach the patient’s record.
If the EHR is cloud-based, the billing company should be issued a unique account for each employee and subcontractor who will access data. If not, “set up a virtual private network (VPN) for them to access your network securely,” advised Brewer.
These are the only two acceptable options for access, according to Brewer and Sacopulos. If you don’t use encrypted sign-on or a VPN, the only other option is to go analog. “Or, you could have someone from the billing company come to your practice once or twice a week and enter data on-site,” said Brewer. “But that’s not very efficient.”
Move from Tacit to Explicit
Sacopulos finds two clauses frequently missing in a billing company’s BAA: indemnification and insurance coverage. The HIPAA Omnibus Rule also requires business associates to have a breach policy and procedure.
Sacopulos explained, “If the billing company submits unintended, fraudulent billing, if they miscode or perform poor work on your behalf, your practice needs to be ‘indemnified’ of the wrongdoing.” An indemnification clause holds the practice “harmless” from these types of mistakes.
Insurance coverage is another must-have for any billing company. If the company has a security breach and all your patient records have been hacked, where will the money come from to pay for the breach communications, potential lawsuits, and other restitution activities? Sacopulos recommends that “practices must insist on both general liability and errors and omissions coverage.” As for policy limits, it depends on the practice’s business volume. But generally speaking, Sacopulos recommends coverage of $1 million or more for each policy.
A breach policy and procedure must also now be included in your billing company’s BAA. Make sure it includes specific details about internal and external documentation, notification, and timelines, the investigation process, and ongoing risk assessments to decrease future breach risk.
Be Prepared for a Potential Breakup
Finally, the BAA must address what happens when the relationship with the billing company ends.
“In the old paper days, physicians didn’t think too much about these issues,” said Sacopulos. “But because everything is now ‘out there’ forever, you must insist on termination policies and procedures that protect sensitive digital data.”
An obstetric/gynecology group of two in the Midwest turned over their billing to the practice administrator’s relative’s neighbor, who had just started a billing company. “The person was very responsible, very likeable—a real go-getter,” Sacopulos said. The problem was, she had no experience with physician billing, and she became overwhelmed by the claim volume. Claims were rejected. Accounts receivable climbed. “By the time the practice caught on, she had made a total mess.”
In any case, you must have clear procedures that outline how you get your data back; how all instances of your PHI will be returned and/or destroyed; and that access to your systems will be disabled.
“The procedure should include activities such as disabling accounts, passwords, and any access the vendor has with your systems,” advised Brewer.
“Make sure there are clear details about how the vendor will deal with PHI,” Sacopulos added. “How will it be returned to the practice? Encrypted transmission? Digital media storage devices such as flash drives, hard drives, or CD-ROMs? How will the billing company destroy all incidences of your PHI: on paper, electronic media, and removable media? All this must be clarified in the BAA.” There also should be a clear plan for informing patients and a process for transferring the revenue cycle process to a subsequent vendor.
The new BAA may seem burdensome, but it’s really an excellent risk reduction and business management tool. Instead of resisting the rigor of reviewing existing BAA terms with your billing company, use the HIPAA Omnibus Rule as a golden opportunity to evaluate them and other vendors at a more granular level to ensure your patient and financial information are in good hands.
Business Associate Evaluation Checklist
Use this checklist to ensure your billing company and other business associates with whom you share PHI meet the new BAA requirements in the HIPAA Omnibus Rule. Do not sign the agreement or share PHI until all issues on this checklist have been resolved.
Employees and Subcontractors
- Do you conduct (or use a service to conduct) a background check on every new employee?
- Have all employees completed initial HIPAA business associate training?
- Have all employees of more than one year completed annual refresher training?
- Does your company use subcontractors? If yes:
  - Has each subcontractor signed a BAA that complies with the same requirements?
  - Has each subcontractor completed initial HIPAA business associate training and refresher training after one year?
- Do you have either employees or subcontractors who telecommute? If yes:
  - Has each telecommuting employee’s or subcontractor’s home environment and network been audited to ensure privacy and security standards are met?
- Do you use a secure messaging system? If yes, which software is used? If no, how do you communicate with and transmit PHI to clients?
- If you download information from the practice’s system, is it encrypted during data transmission? If it’s stored on removable or temporary storage devices, how are these accessed, stored, protected, and destroyed when no longer needed?
- How often is electronic data backed up? Is it taken off site and, if so, is it encrypted when this occurs?
- How is printed PHI stored, transferred, maintained, and disposed of? Who has access?
- In the event our relationship is terminated, what is the process for returning our data and then destroying all instances of it within your company? Provide the process for data on paper, Internet, all types of removable storage media, and digital copies.
- Have all employees and contractors been supplied with screensavers/privacy screens?
- Does your system automatically log people off after approximately 10 minutes, and require a password to regain access?
Make Sure the BAA Contains These Essential Clauses
- Indemnification clause
- General liability and errors and omissions insurance coverage, each with a coverage limit of at least $1 million
- Breach notification procedure
- Data security policy
- Secure messaging policy and procedure, including specifics of how the vendor will communicate digitally with the practice
- Procedure for returning PHI to the practice at the termination of the agreement, and destroying all instances of digital and paper records; procedure for disabling billing company employee access to your system
Cheryl Toth, MBA, is a consultant and writer with Chicago-based KarenZupko & Associates. She brings 20 years of consulting, management, training, software product, and executive management experience to her projects.