Topics
Reimbursement
Elevance, UnitedHealth among insurers accused of alleged price fixing
Elevance, UnitedHealth among insurers accused of alleged price fixing
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
Two CFOs see promise of AI, but have yet to build a dedicated budget
Two CFOs see promise of AI, but have yet to build a dedicated budget
Capital Finance
Cigna nixes speculation of a Humana merger
Cigna nixes speculation of a Humana merger
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Labor expenses continue to challenge hospitals
Labor expenses continue to challenge hospitals
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
US healthcare system ranks last in equity, access
US healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Denials top reason for eroding provider-payer relationship
Denials top reason for eroding provider-payer relationship
Workforce
Elevance laying off 123 California employees
Elevance laying off 123 California employees
Operations
UAB, Press Ganey launch certificate program for healthcare leaders
UAB, Press Ganey launch certificate program for healthcare leaders
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
University Hospitals expanding with $3.2 million donation
University Hospitals expanding with $3.2M donation
Compliance & Legal
Johnson and Johnson sues HRSA for blocking 340B plan
J&J sues HRSA for blocking 340B plan
Policy and Legislation
Planned Parenthood, other groups decry executive power in House bill
Planned Parenthood, other groups decry House bill
Community Benefit
AMA pushes for stricter standards for hospital charity care policies
AMA pushes for stricter standards for hospital charity care policies
Accountable Care
NAACOS pushes ACO REACH extension after $1.54B in savings
NAACOS pushes ACO REACH extension
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Cleveland Clinic and Amazon One Medical collaborate on primary care clinics
Cleveland Clinic and Amazon One Medical collaborate
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Almost a quarter of Americans underinsured, survey finds
Survey: Almost a quarter of Americans underinsured
Patient Engagement
HHS, Illinois reach agreement on disability rights laws
HHS, Illinois reach agreement on disability rights
Pharmacy
CerpassRx, Waltz team on AI platform to manage specialty drug spend
CerpassRx, Waltz team on AI to manage specialty drug spend
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth prescribing of controlled drugs extended through 2025
Telehealth prescribing of controlled drugs extended
Mergers & Acquisitions
Cardinal Health set to acquire two companies for combined $3.9B
Cardinal Health set to acquire two companies for combined $3.9B
View more
Sep 01, 2010 More on Quality and Safety

Medical records in a public dump: HIPAA responsibilities of billing companies

Holly J. Louie

In recent Boston Globe and New York Times articles, billing companies were named in connection with a medical records data breach, one of which apparently involved medical records found in a public dump.

The billing companies named in these media reports were not members of the Healthcare Billing & Management Association. While the full facts are not publicly known, and the HBMA does not comment on individual cases, the mere publication of these articles captured the attention of the organization.

It was determined by the HBMA that this would be an appropriate time to review the general issue of the proper disposal of records containing Protected Health Information under HIPAA and the steps that the HBMA has advised its member companies to take if there is a breach of HIPAA requirements.

The association’s Ethics and Compliance Committee is advising healthcare organizations and medical billers alike that this is an ideal opportunity to re-evaluate procedures, policies, safeguards, contracts and business relationships.

A Compliance Officer’s Worst Nightmare
This recent medical records data breach represents a billing company’s compliance/privacy officer’s worst nightmare – apparently paper medical records involving multiple facilities, with potentially thousands of patients affected were found in a public dump. Bad publicity, irate patients and advocates, loss of trust and reputation may be harsher punishments than the legal and financial costs of a breach such as this.

While there can never be a 100 percent guarantee that something like this will not happen to your organization, there are some basic steps you can take when considering a business agreement with any entity that will have access to patient records and other sensitive information.

For organizations that already have arrangements in place, the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements provide an opportunity to carefully revisit your contracts, policies, procedures, operations, risks and safeguards.

Provider Due Diligence is Crucial
The OIG has published compliance guidance for virtually every facet of the healthcare industry, including third-party medical billing companies, physicians, hospitals and laboratories. These best practices included security and protection of data long before the current HITECH requirements were enacted.

More importantly, a failure in one critical area of compliance may be asserted to be indicative of systemic problems and lack of effective compliance processes throughout the organization. Some basic questions providers should consider when choosing a vendor and/or re-evaluating vendors are:

  • Is the entity you contract with knowledgeable regarding the relevant compliance guidance?  Do they have a real living, breathing Compliance Program? Is there a strong culture of compliance or is compliance viewed as government hassles? Does everyone assigned to your account – i.e. sales, CEO, managers, employees – understand and remain committed to compliance?
  • What is the company doing now to prepare for proposed rule changes that will affect their business operations?
  • Has the company conducted a thorough risk assessment for billing compliance and HIPAA/ HITECH?
  • Site visits can tell you a lot about a company. Are the employees professional? How secure does the location seem? Can anyone walk in and out? Are you escorted to any area outside of a public lobby? Where are system back-ups stored? How and where are paper documents stored? What are the document storage, transportation and destruction policies?
  • Does the company outsource work to subcontractors or agents? Do those entities meet the same level of compliance? Who did that analysis? Is it credible?
  • Have you ever sent the company electronic health information that was not encrypted to the current standard? Did you receive any notification that what you did was improper? Does the company give you electronic data that is not encrypted? If paper records are necessary, are the records routinely transported using unlocked or visible methods?
  • Do you have or will you have regular compliance meetings or communications with the company? 
  • Does the contract you will have with the company include appropriate provisions for compliance responsibility?
  • Does your compliance program mesh with the billing company, contractor or agent’s? (Note: a third party’s Compliance Program – even an excellent one – is not a proxy or substitute for a practice’s own Compliance Program.)

Compliance officers in billing companies and healthcare organizations across the country are taking this opportunity to reinforce the message of patient privacy and security with their own workforce as well as business associates, subcontractors and vendors.

Strict legal and regulatory compliance is essential in today’s complex healthcare environment, and, as always in applying the law, there is no substitute for common sense and good judgment.

Holly J. Louie is chair of the HBMA Ethics and Compliance Committee. Two additional members of the committee contributed to this article: Robert B. Burleigh, President of Brandywine Healthcare Services, and Karen L. Collier, Chief Compliance Officer at Intermedix.
 

News
Ending racism in healthcare often begins with medical education - and is the target of a new national project Ending racism in healthcare often begins with medical education - and is the target of a new national project Inequities can be found in every facet of the industry, but targeting medical students and residents can help stem the tide.