to fully comply with their obligations as a business associate. Like the covered entities that they serve, overseas billing companies that are functioning as business associates are required by law to fully assess their security risks. a business associate must perform its own security risk analysis to determine what the organization must do to address its security policies, procedures, and workforce training under HIPaa. even if an overseas billing company were to diligently work to adhere to these requirements, the simple fact is that there is very little, if anything, that either the government or a covered entity can do if a breach occurs. In light of the fact that most overseas billing companies are effectively judgment-proof, the government will have little option other than to hold the covered entity liable. ultimately, a provider or billing company cannot relieve itself of its obligations under HIPaa or HITeCH by sending one or more of its ancillary functions overseas. Instead, we believe that the opposite is true: health care providers will remain responsible not only for their own acts, but also the acts of their business associates and any respective subcontractors that may be brought into the picture, with or without their knowledge. This is a significant wrinkle in the use of overseas contractors. While there are many benefits, including cost and efficiency, these incentives may be overshadowed by the privacy and security risks outlined above. Final Thoughts Whether or not to engage in overseas outsourcing is currently an issue of significant debate among healthcare providers, domestic coders, billing companies, transcriptionists, and the various organizations that represent their interests. The american Transcription association (aTa) is one of the few organizations that has taken a clear position of the issue on overseas outsourcing. In its article titled “Off-shoring should be Off Limits,”3 the aTa notes that there is really no way to hold overseas transcriptionists liable for a breach. according to the article: “unlike us medical transcriptionists, foreign transcriptionists are not held to the Health Insurance Portability and accountability act (HIPaa), which is meant to protect a person’s medical records in terms of transporting and storage. That being said, foreign transcriptionists are not liable or penalized for the improper use of the information they receive and can, consequently, do as they please. In fact, there was a case where a foreign transcriptionist threatened to post personal patient information on the Internet if they did not receive their pay within a certain time frame.” Notably, the aTa has been much more vocal regarding their opposition to offshore outsourcing than have many other similarly 24 HBma BILLINg • JaNuaRY.FeBRuaRY.2014 affected coding and billing associations. While many american coding and billing associations oppose offshore outsourcing, few, if any, have restricted membership in their organization to only american-based and operated third-party billing companies. This is understandable when you consider the fact that both Current Procedural Terminology (CPT) and International Classification of Diseases (ICD) coding and classification systems are used and applied in many countries around the world. as you are well aware, the CPT coding classification scheme was developed (and is maintained) by the american medical association (ama). as a result, coders and billers around the world rely on the advice, guidance and training of the american coding and billing associations that work with these coding practices and systems on a daily basis. Nevertheless, there is a distinct difference between encouraging offshore outsourcing and recognizing that overseas coders and billers assisting health care providers in their own countries can greatly benefit from belonging to an american coding or billing association where they can gain knowledge and experience from their american counterparts. ultimately, absent a legislative or regulatory fix, it will remain within the discretion of american billing companies to decide whether overseas outsourcing is really in their best interests and the best interests of their clients and patients. american coders and billing companies need to take the lead in educating providers of the many risks they face (and the risks to their patients) if they transmit PHI or patient financial information overseas. Robert W. Liles, JD, MBA, MS, is managing partner at the health law firm Liles Parker. Mr. Liles represents third-party billing companies and health care providers around the country in health care regulatory and transactional matters He can be reached at: rliles@lilesparker.com or at (202) 298-8750. Resources 1 www.cms.gov/Regulations-and-guidance/guidance/ Transmittals/downloads/r9ss.pdf 2 “modifications to the HIPaa Privacy, security, enforcement, and Breach Notification Rules under the Health Information Technology for economic and Clinical Health act and the genetic Information Nondiscrimination act; Other modifications to the HIPaa Rules; Final Rule.” Federal Register/ Vol. 78, No. 17 / Friday, January 25, 2013. www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/ 2013-01073.pdf 3 www.ataus.org/2010/05/off-shoring-should-be-off-limits (Be Aware of the Risks continued)
Billing_JanFeb14
To see the actual publication please follow the link above