Page 23

Billing_JanFeb14

been properly screened will be impossible to verify. Moreover, how can you be sure that the electronic data you have sent to the billing company has been encrypted and is being safely stored? Unfortunately, short of traveling overseas to verify these issues yourself (or hiring a third party to do so), you are forced to rely on the representations, promises, and guarantees that have been made by the overseas contractor.

PATIENT CONSIDERATIONS

Most billing companies interact directly with patients on a daily basis. Patients may need to verify that their payor has covered a procedure, set up a payment plan to cover the cost of non-covered services, or discuss other financial issues related to their care. Will you feel comfortable advising patients that their medical and financial information has been transmitted overseas? If not, you need to think twice about utilizing an overseas billing company.

IS THE OVERSEAS OUTSOURCING OF CODING AND BILLING FUNCTIONS LEGAL?

In light of the risks outlined above, you may wonder if it is even legal to outsource your coding, billing, medical transcription, or other ancillary service to a company operating outside of the United States. While you might expect to find federal statutory restrictions barring the overseas disclosure or transfer of sensitive patient medical and financial information, no such restraints have been implemented at this time.

FEDERAL LEGISLATIVE EFFORTS

Notably, as early as 2004, legislation was introduced in the Senate that would have placed a number of safeguards in place to protect patient health information that has been shared with an overseas subcontractor. Among its various provisions, the “Safe-ID Act” (S. 2312 (108th)) would have required that an individual would have to be notified and given an opportunity to object to the disclosure of his/her financial or health information to an overseas organization prior to the disclosure taking place.
THE JOURNAL OF THE HEALTHCARE BILLING AND MANAGEMENT ASSOCIATION

Moreover, if a breach were to occur, the proposed legislation provided that:

“A business enterprise that knowingly and directly transfers personally identifiable information to a foreign branch, affiliate, subcontractor, or unaffiliated third party shall be liable to any person suffering damages resulting from the improper storage, duplication, sharing, or other misuse of such information by the transferee.” (emphasis added)

The Safe-ID Act was referred to committee but no further action on the legislation was taken. It was reintroduced in 2005 as the “Safeguarding Americans from Exporting Identification Data Act” (S. 10 (109th)), with the same result. In 2009, legislation entitled the “Notify Americans Before Outsourcing Personal Information Act” (H.R. 427 (111th)) was introduced in the House of Representatives. As with prior legislative efforts of this type, it was referred to committee and no action was ultimately taken. Several states have taken action to restrict the unfettered transfer of personal data to companies operating overseas, but measures to restrict the transmission of PHI and patient financial information to overseas billing companies have yet to be enacted.

CMS RESTRICTIONS

While Congress has failed to enact broad, legislative controls to safeguard the utilization, disclosure, or overseas transfer of PHI and patient financial information, the Centers for Medicare & Medicaid Services (CMS) has taken action to restrict Medicare contractors from outsourcing any system function overseas without first obtaining the permission of CMS. As the “Medicare Business Partners Systems Security Manual” states:

“All external information system services shall include specific provisions requiring the service provider to comply with CMS IS policies, standards, and guidelines; and shall be monitored for compliance.
CMS shall define the remedies for any loss, disruption, or damage caused by the service provider’s failure to comply. Service providers shall be prohibited from outsourcing any system function overseas, unless explicitly authorized, in writing, by the CMS CIO or his/her designated representatives with concurrence from CMS’ personnel security department.”1 (emphasis added)

EXPANDED PRIVACY OBLIGATIONS OF HEALTH CARE PROVIDERS AND THIRD-PARTY BILLING COMPANIES

While the federal government has not barred the overseas outsourcing of coding, billing, and other ancillary services, recent regulatory enhancements arising out of the “Omnibus Final Rule”2 have greatly raised the bar to be met by both health care providers (as covered entities) and third-party billing companies (as business associates). The Omnibus Final Rule contains some of the most significant changes to the HIPAA privacy, security, and enforcement rules since their inception. The new rule also strengthens the ability of the Department of Health and Human Services Office for Civil Rights to enforce the rules and levy fines for any violations. Among its many changes, the rule now makes any business associate of a covered entity directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Arguably, these latest restrictions will make it even more difficult for overseas billing companies

