Dodge Third-Party Biller Compliance Conundrums
Proper vetting of these companies, before you trust them with your claims data, will save you a bundle.
Even though your practice understands how to handle sensitive patient data, your business partners may not. That’s why it’s important to revisit compliance protocols with your billing associates annually, and to investigate the protocols of any third-party biller you’d like to hire before you go into business with it.
Know Who Is Responsible for Billing Snafus
Hiring a third party may look like a smart business move: you lighten the practice’s load and take pressure off your in-house billers. It remains your responsibility, though, to ensure that the company you hire is compliant, which is why you must investigate the biller before hiring it.
Practices that use third-party billers should meet with the company before enlisting its services to go over how it codes and submits claims. This matters because many providers don’t realize that claims submitted on their behalf remain their responsibility: the practice, not the biller, answers for them.
Federal Update Highlights Importance of Biller Check-Ups
It’s vital to vet every vendor and check its background and affiliations before you enter into business with it. Why? Last year, the Centers for Medicare & Medicaid Services (CMS) issued a final rule under which CMS screens providers’ affiliations with bad actors as part of Medicare enrollment, before a provider is even enrolled. The agency expects this focus on integrity to cut fraud and abuse while raising compliance across the federal healthcare programs.
A clinician might say, “I’ll have our billing company handle that, so I don’t have to worry about a lot of compliance issues.” This attitude is fraught with risk, because there are just as many bad billing companies as good ones, and the liability stays with the practice either way.
Now that the feds are specifically investigating your business relationships, it’s critical to do the necessary research before engaging a billing firm.
It’s essential to check references from practices in the same specialty as yours. Coding is very specialty-oriented, particularly in the use of modifiers. A biller that’s very adept at pathology billing may be far less effective for a family practice, for instance, because it may not be familiar with evaluation and management (E/M) coding.
If the biller’s office is close enough to visit, vetting can include an in-person visit to judge the company’s professionalism and competence. Touring the facility will give you quick answers, especially if the visit is unannounced and you ask to speak with the compliance officer.
During the visit, check whether the staff have the most recent HCPCS Level II, CPT®, and ICD-10 editions, and find out how often the coding software is updated. Ask to see a copy of the compliance manual, along with recent training schedules, memos, or emails; these will show how seriously the company takes training. Review the code of conduct and the data security policy as well.
Don’t Forget About HIPAA Compliance
Over the last year, many of the largest HIPAA breaches have stemmed from risk management failures at third-party business associates (BAs). More often than not, BAs don’t fully understand the nuances of HIPAA compliance. Some don’t even realize that, as part of their arrangements with covered entities (CEs), they are required to abide by the rules and to safeguard patients’ protected health information themselves.
In fact, because so much confusion exists over the role vendors and BAs play in care delivery and HIPAA compliance, the Office for Civil Rights (OCR) released an updated fact sheet reminding these partners exactly where their liability lies. It lists 10 provisions for which a BA is directly liable, and ignoring them invites OCR enforcement.
HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont, explains that the new guidance outlines and clarifies which party is ultimately responsible for the satisfaction of various responsibilities and patient rights. “Where the BA is not responsible, the hiring entity is,” he says.
“The guidance doesn’t reduce the BA responsibilities so much as define the legal liability boundaries between entities,” Sheldon-Dean adds. “It is overall a useful document, even though in many cases now it clearly puts the covered entities on the hook for making sure their business associates are providing services on their behalf according to the rules.”
5 Steps for Investigating Third-Party Billers
Thoroughly researching your practice’s billing associates is imperative to not only ensure compliance but to safeguard the practice and its patients.
Take these five steps when researching a third-party biller:
1. Request references. Then, ask for a second set of references. The best references will be on the first list; a more accurate picture will emerge from the second.
2. Review the compliance plan. A primary question should be whether the biller has a compliance program in effect and how they’re implementing and auditing the plan.
3. Check training protocols. It’s critical that the billing company keeps on top of staff education. They should be continuously training their staff on compliance, state and federal mandates, data security, and more.
4. Assess coding and billing knowledge. A reliable and competent billing firm must know, at the very least, the basics of coding and billing. Plus, they should be able to respond to questions on modifiers, appeals, denials, secondary payer arrangements, and overpayments.
5. Scrutinize IT processes. Because billers handle and transmit patients’ protected health information daily, they must have clear-cut data protection policies and procedures. They should also have dedicated IT staff who conduct risk assessments, maintain contingency plans for outages, manage devices and software updates, and enforce password controls and encryption.
BAs Need to Know the Logistics on Breach Notifications, Too
OCR guidance cautions that both CEs and BAs “have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.”
Remember that the HIPAA Breach Notification Rule applies to BAs too and requires them to carry out the required notification procedures. CEs, however, have the additional duty of fulfilling other administrative requirements under OCR guidance and HIPAA after a breach.
According to OCR, CEs are held to a higher standard: after a breach they must also satisfy certain administrative requirements, including maintaining written breach notification policies and procedures, training staff on those protocols, and sanctioning employees who don’t comply with the rules.
You might be tempted to overlook BA violations, but you need to address these issues head-on. Don’t ignore a breach; accept it and follow the policies and procedures, cautions attorney Lauren M. Ramos of McGuireWoods LLP in Richmond, Virginia. “Collect all the facts as quickly as possible, mitigate the damages to [the] greatest extent possible, and loop in legal counsel as early as possible,” she advises.
Ramos says OCR looks favorably on those who comply with the HIPAA breach requirements. “Providers should remember that OCR does not investigate every breach, especially small ones,” she says. “In fact, OCR likely investigates only a small percentage of all reported breaches. Following the correct procedures and reporting a breach does not mean that an OCR investigation is inevitable.”
4 Questions to Check Third-Party Billers’ Compliance
Whether you’re changing billing companies or vetting your current one, it helps to write up a biller checklist to confirm compliance practices. Consider asking the third-party biller these four questions:
1. Is an active compliance program in place at your company?
2. Do you have written coding policies and procedures?
3. Is there a denial review procedure in place?
4. How do you safeguard patients’ privacy and security?
OCR direct liability guidance: www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html
OCR breach notification guidance: www.hhs.gov/hipaa/for-professionals/breach-notification/index.html