Overseas Outsourced Billing and Coding – Compliance Risks

(August 16, 2012): Thinking of sending your medical coding and billing functions out of the country? You better think twice. While overseas outsourced billing is growing in popularity for medical office functions, this practice represents a unique and growing set of problems for both physician practices and 3rd party billers. And the news is just getting worse.

I. HIPAA and HITECH Provisions:

As you know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patients’ rights to privacy, and requires that "covered entities" properly secure and safeguard protected health information (PHI). While HIPAA has long represented an administrative headache for many small and medium providers, it has only been more complicated by the rise of electronic data processing and transmission. In 2009, Congress passed the HITECH Act as part of the American Recovery and Reinvestment Act (ARRA). HITECH governs the use and disclosure of e-PHI and related computer systems, and significantly amends portions of HIPAA. For instance, HITECH calls for HIPAA audits, which are currently being conducted around the country. It also created an enhanced penalty structure by which the Office for Civil Rights (OCR) can fine entities up to 1.5 million dollars per year for wrongful use or disclosure and/or breaches of PHI. But what do these laws have to do with outsourced billing?

Plain and simple, a provider cannot relieve themselves of their obligations under HIPAA or HITECH by sending many of their administrative functions offsite. Instead, it’s just the opposite – providers are responsible not only for their practice, but also the acts of their business associates and their respective subcontractors. This is a significant wrinkle in the use of overseas contractors. While there are many benefits, including cost and efficiency (i.e. sending records at the close of business and getting everything back when business starts the next day), these incentives are overshadowed by the problems presented by HIPAA.

II. Compliance Concerns with Outsourced Billing:

First of all, you have no guarantees that a coding and billing business overseas is HIPAA compliant or even understands the law at all. Is the outside entity taking proactive steps to establish administrative, technical, and physical safeguards for your patients’ PHI? Even if they say they are HIPAA compliant, how can you verify that information? To counter this, many outsourced billing companies, such as those in India or Pakistan, may argue that they will sign a contract indemnifying you for any HIPAA breaches and the resultant penalties. But if something goes wrong (as it inevitably does), obtaining a judgment against the outside entity is next to impossible, takes a substantial amount of time, and costs a lot of money. We had previously reported that the backlog for having a case heard in India was nearly 20 years. But recent estimates by the National Bar Association of India put that figure closer to "350 to 400 years." That is, if you were to sue an Indian billing company today, you might not go before a judge until AD 2362 – and that’s a long time for your great-grandchildren to wait. Not to mention that suing the outsourced third-party biller for contribution (i.e. the portion of your penalties for which they are reasonably responsible) is extremely difficult and complex.

On top of this, employees of foreign companies have recently been extorting American providers over the PHI in their medical records. In one instance, an employee of a billing company in Pakistan had enough. She didn’t think she was being paid enough and contacted the hospital whose records she was currently working on. She demanded a significant sum of money from the hospital or she would release the medical records on the Internet and anonymously contact United States authorities. Essentially holding the records and the PHI they contained hostage, the worked managed to extort payment from the hospital. And again, attempting to report her to the local authorities or sue her in a court would be a difficult and probably unsuccessful endeavor. When employees from outsourced billing companies have access to this information and bad intentions, they have many providers by the proverbial "short hairs."

III. Conclusion:

This is why we recommend that healthcare providers "buy American." The protections of United States law, and the relative ease with which you can resolve any conflicts between your practice and a billing company, more than make up for the additional cost. You should consider retaining an experienced, local 3rd party biller for assistance with medical billing. For more information on coders and billers in your area, we recommend contacting the American Medical Billing Association.

Robert W. Liles - Managing Partner - Senior Health care attorneys - Liles Parker

Robert W. Liles counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1 (800) 475-1906.