Choosing the wrong billing service can give you nightmares and cost you money.
Courtesy of Thinkstock


Published 2/1/2014
Cheryl Toth, MBA

Avoid Billing Service Nightmares

Use business rigor to reduce your risk

Recently, an orthopaedic surgeon remarked that he was thinking about outsourcing his billing so he could avoid learning ICD-10 and make ICD-10 “the billing service’s problem.”

But hastily outsourcing billing and collections without carefully evaluating the company can lead to problems. Choosing the wrong billing service or outsourcing for the wrong reason can quickly become a nightmare of risk and lost revenue. Performing due diligence before signing the contract can mitigate risk and performance issues before they become acute.

Regulatory risks
“We frequently see surgeons select a billing service based solely on low rates, without considering the risks,” said Karen Zupko, president of KarenZupko & Associates, a practice management consulting and training firm based in Chicago.

“Many small companies can process a claim but are unaware of the regulatory environment,” she said. “They have no errors and omissions insurance, no privacy, security, or document destruction policies, and may not even know what a Business Associate Agreement (BAA) is, let alone supply one to the practice.”

The requirements for business associates handling billing recently underwent a major overhaul when the Health Insurance Privacy and Accountability Act (HIPAA) Omnibus Rule took effect Sept. 23, 2013. All business associates are now required to have rigorous privacy, security, and breach procedures, just as medical practices do.

“The HIPAA Omnibus Rule puts the practice on the hook for everyone it does business with,” explained Michael Sacopulos, an attorney and founder of the Medical Risk Institute. “The BAA with a billing service must contain a security policy, a privacy policy, and have a breach notification procedure in place and ready in case a breach occurs. The billing service becomes a legal agent for the practice and the practice may be completely liable for the service’s actions on its behalf.”

For example, if the billing service doesn’t shred accounts receivable reports or paper Explanation of Benefits, and these fall into the wrong hands, the practice may still get fined. The billing service’s security policy should cover the details of protecting both digital and paper personal health information (PHI). It should answer questions such as:

  • Who has access to documents that contain PHI, and how are they destroyed and disposed of?
  • Are data transmissions between the practice and the billing company encrypted?
  • How is data stored? Are temporary storage devices such as flash drives protected?
  • How are temporary storage devices destroyed when no longer needed?

Practices should read and scrutinize the BAA carefully and ask specific questions about the security policy for electronic communication. Secure messaging and encrypted access—rather than casual email—are the baseline requirements for billing services. Secure messaging requires an ID and password and is sent over an encrypted channel.

Practices should also inquire about privacy policy and procedures. Who has access to confidential patient data and for what reason? Do employees use computer privacy screens? Do electronic systems log people off after approximately 10 minutes of inactivity?

The billing service’s breach notification procedure should explain how it will handle the possibility of PHI being stolen, hacked, or improperly accessed.

“Make sure the service has developed written procedures for how it will notify the practice if a breach occurs. The practice is legally responsible for notifying patients, so make sure notification occurs in enough time to meet the notice deadlines,” suggested Mr. Sacopulos.

Finally, billing service employees must receive HIPAA privacy and security training. Verify this by asking for training records. Who did the training? Ask for a copy of the materials used, attendance list, and training date(s).

Many billing service employees are home-based. This is fine, “as long as they maintain home offices that meet the identical security and privacy policies the practice does,” Mr. Sacopulos said. “That means, for example, that their home network is secure and encrypted, and children don’t play video games on the same computer used to access any PHI.”

Who knows what?
Don’t assume that the billing company’s employees have up-to-date knowledge of coding rules or Federal regulations. “Many small billing companies fall short when it comes to training,” Ms. Zupko warned. “Employees don’t attend annual society coding workshops. Ongoing education—if any is provided—is limited. Employees may rely on ‘years of experience’ and advice from online coding discussion boards.”

An uneducated workforce is dangerous, according to Ms. Zupko. “If billing service employees are not receiving ongoing education, they may not know regulatory rules or use best practices for managing accounts.” She cites a recent encounter with a billing service that could have put clients in jeopardy under the False Claims Act.

“The new client contract asked whether the practice wanted the service to make refunds to patients for overpayments. If a physician were to check the ‘no’ box and sign the agreement, a whistleblower would have the documentation needed to turn the physician in under the False Claims Act.”

Ms. Zupko believes that billing service employees should attend coding courses each year. “Practices should also expect the service to be competent with ICD-10 coding and aware of fraud and abuse statutes.”

To determine whether the service uses effective accounts receivable processes, practices should ask how unpaid, underpaid, and denied claims are handled. “Reputable billing services have procedures for each part of the reimbursement process,” Ms. Zupko said. “Request copies of billing and collections procedures, and sample reports. Ask for protocols describing how credit balances, refunds, and adjustments are handled. Clarify that the service will never change a diagnosis or procedure code for any reason without physician approval.”

Get it in writing
“Handshake and hope” arrangements won’t cover the practice when problems arise. Yet, they are all too common—especially when physicians outsource to small companies that are operated by former employees or friends of another physician.

One physician hired his cousin’s next-door neighbor. The inexperienced biller quickly fell behind. To cover her incompetence, the biller limited communications with practice staff, avoided accountability, and blamed denials on new payer protocols.

“By the time the practice caught on, it was down six figures in revenue and facing an audit,” said Mr. Sacopulos. “It had to refund overpayments and borrowed money just to keep the doors open.” Because there was no service contract, the practice had no redress.

“Practices must insist on vendor accountability and responsibility,” said Ms. Zupko, “including the details of how receivables are managed and what protection is provided to the practice against specific liability risks.” She also recommends that an attorney review the service contract and BAA.

Mr. Sacopulos often finds three clauses missing in a billing service’s contract or BAA: indemnification, insurance coverage, and termination details.

“An indemnification clause holds the practice ‘harmless’ if the billing service submits unintended, fraudulent billing, miscodes, or allows PHI to get into the wrong hands,” he explained. Every service contract or BAA should include such a clause.

“Medical records have a value of $50 or more per patient on the black market because they contain social security numbers, dates of birth, and sometimes photo identification,” he explained. Because unsavory characters are attracted to this easy access to data, practices should not use billing services that do not conduct background checks on everyone they hire and contract with.

Insurance coverage
Misconduct is always a possibility, so the billing service must have errors and omission insurance coverage. “The practice is entrusting a billing service with patient records and financial data,” says Ms. Zupko. “It’s not a good idea to do business with one that carries no insurance.”

Liability coverage is also a must-have. “If there is a security breach and patient records are hacked, liability coverage provides the funds for breach disclosure communications, potential lawsuits, and other activities necessary to restore your good name,” Mr. Sacopulos said. “It depends on the volume of business the practice has, but generally speaking, the liability and errors and omission policies should each have coverage of $1 million or more.”

Termination details are the third critical item to get in writing. Knowing how the billing service will return or destroy PHI if the contract is cancelled is vital. Will it be returned over an encrypted channel or delivered on a hard drive or storage media such as flash drives, hard drives, or CD-ROMs? How will the stored images in the vendor’s photocopier hard drive be disposed of? How will paper be destroyed?

Practices should also ask about the plan for informing and servicing patient accounts throughout the transition to the next service. According to Ms. Zupko, “The last thing an orthopaedic surgeon wants is for patients to have a negative experience with the practice due to something the billing service did.”

Cheryl Toth is a consultant with KarenZupko & Associates. She brings more than 20 years of consulting, executive management, training, and technology development to her projects.

Editor’s Note: This article is the first in a two-part series about how to reduce the liability, revenue, and efficiency issues associated with outsourced billing services.

Bottom Line

  • Before outsourcing billing and collection services, orthopaedic practices should carefully evaluate the company to minimize risk and lost revenue.
  • Make sure your billing service provides you with a HIPAA-compliant Business Associate Agreement—and read it carefully.
  • Don’t assume that billing service employees are up-to-date on federal regulations; ask about employee training.
  • Don’t seal the deal with a handshake; make sure you have a contract that spells out the terms of service and includes details on indemnification, insurance, and termination.