Outsourcing Your Billing
“Yes or No – It’s That Simple”
by Sean Weiss, Partner & VP of Compliance
I start by saying I love my job and my clients – I spend every day advocating on behalf of providers who are working hard to keep patients healthy or return them to an optimal state of being. However, my job and that of my colleagues within DoctorsManagement becomes more difficult when competing forces are at play. So, before I get into this blog post any further, I want to say up front this is not meant to call out billing companies or to paint them in any sort of negative light. There are some outstanding third-party billing companies out there and they do a great job for their clients. However, there are those that take on clients for which they have no business taking them, on either because they do not have the human or financial capital to support them or they do not have the requisite skills regarding the specialty to ensure proper coding and claim submission has taken place.
The Many Outsourcing Options
When it comes to outsourcing, there is no shortage of options including companies in the United States, India, and what I refer to as a hybrid model – meaning there is an office here in the US but the actual coding and billing operations take place in India. There are very vocal groups here in the US opposed to healthcare companies sending Protect Health Information overseas and for good reason. If there’s a data breach involving one of those vendors, under HIPAA Omnibus, the ability for the Department of Health and Human Services to take enforcement action against offshore organizations falls into a gray area. A foreign Business Associate would be subject to a breach of contract if there was a violation of their business associate agreement with a covered entity in terms of protecting patient data. However, the question becomes does HHS have jurisdiction to bring an enforcement action? HIPAA does not have explicit extra-territorial reach and that poses significant challenges. As it relates to outsourced billing, a provider receives no relief of their obligations under HIPAA or HITECH when they outsource their administrative functions offshore. The truth is, it’s just the opposite – providers are responsible for the acts of their business associates and their respective subcontractors. The reality is, when your 3rd party billing/coding company is permitted to perform these type of functions and they are based outside of the US, the incentives (i.e. cost, sending records at the end of a business day and getting everything back the next day) might not be worth the risk created by the problems presented by HIPAA (i.e. no guarantee overseas coding or billing companies are HIPAA compliant or even understands the nuances of the law. Even if an offshore company claims to be HIPAA compliant, how can you actually verify it? What I have found comical is that in the contracts clients provide me for review, many outsourced billing companies based in India will sign a contract indemnifying the client for any HIPAA breaches and the resultant penalties. The fact is, things go wrong and when they do your ability to obtain a judgment against that company is almost impossible. The average pendency of any case in the 21 high courts in India for which data exists is about three years and one month (approximately 1,128 days). If a case is filed in any of the subordinate courts in India, the average time is nearly six years (approximately 2,184 days). Here is where things get even more interesting: if a case does not go to the Supreme Court in India, which the majority do not, the average litigant who appeals to a one higher court faces more than 10 years in court. If a case goes to the Supreme Court, the average time increases by a minimum of three more years. Thing about this; there are still cases from the 1940s and 1950s pending in India courts.
One of the biggest arguments surrounding outsourcing is breaches of PHI (I think there are bigger obstacles); however, the likelihood of a breach in the US is just as likely. In 2018, about 43 percent of breaches were reported as hacking/IT incidents of which those incidents affected nearly 9 million individuals. The largest breach was reported in November by Atrium Health involving third-party billing vendor AccuDoc based in North Carolina which notified 2.65 million individuals of a cyberattack on databases hosted by the vendor (Attack on Billing Vendor Results in Massive Breach). There are so many more that I can list in this area to drive the point home but at the end of the day, breaches that happen with U.S. based companies are subject to penalties and fines as well as criminal prosecution for malicious intent. And the likelihood of justice being achieved is almost 100% because of the authority our Justice System has against US based companies.
For me, the biggest risk isn’t a breach with offshore companies; it’s the communication issues (language barriers), time zones, access to the actual coders/billers performing the work, familiarity with Local Coverage Determinations and state specific guidelines, etc. While I am sure arguments can be made by offshore companies that the same risks exist with U.S. based companies, I would counter that they are far less and the ability to drive or fly to a vendor within a matter of a few hours vs. flying 20+ hours to a foreign country is more palatable. Here is one other critical piece of information to keep in the forefront of your thoughts, “The Centers for Medicare & Medicaid Services (CMS) strictly prohibits any trading partner from outsourcing system functions overseas, unless explicitly authorized in writing by the CMS chief information officer (CIO). System functions include the transmission of electronic claims, receipt of electronic remittance advice or the access to any system for beneficiary and/or eligibility information. Any request for access by an overseas party will be immediately denied by National Government Services pending authorization from CMS.” (https://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/downloads/r9ss.pdf) If your decision is to offshore your coding/billing functions and the company has a US operation, make sure your contract is with that entity only and not the India based operation so you have a better likelihood of recovery of damages and the OCR or DOJ has a better opportunity to go after those who violate the law.
I will end this post with some pros and cons of outsourcing whether it is with a US based company or one that is offshore:
- Outsourcing saves money (i.e., salaries, benefits, employment taxes, etc.)
- Efficiency with getting claims out the door
- Accuracy of CPT, ICD, HCPCS II, and Modifier selection
- Loss of revenue due to mistakes in code selection or lack of familiarity with state or regional specific coding and documentation guidelines leading to increased denials
- Lack of control over employees (biggest issue I find is lack of follow-up on claim denials since the cost to appeal outweighs cost of claim submission)
- Risk of patient satisfaction (Language barriers is the biggest complaint I hear from clients and their patients)
- HIPAA Breaches
- Hidden Costs
- Lack of Flexibility
- Contractual misunderstanding
At the end of the day, if your choice is to outsource your coding and billing, ensure you vet the company carefully. Insist on visiting their facility and speak with those who will be specifically working on your account:
- Ensure you will have a direct line to them at all times,
- Request a copy of their OIG Third-Party Billing Company Compliance Plan and ensure they are complying with it,
- Request a copy of their HIPAA and HITECH compliance manual and policies,
- Request references for groups of your size and specialty and call these references and ask the right questions,
- Request proof of Exclusion Screening of all employees within the company to ensure none are excluded (Debarred),
- Question them and request it in your contract that all services will be performed within the US and if they are sent overseas ensure your contract is with only the US entity,
- Establish weekly status update calls, and
- Finally, request a copy of their internal quality assurance (QA) process and question the Senior assigned to the account
As I said when I began this post, there are some outstanding third-party billing companies out there. Make sure you do your diligence so you are not choosing the wrong one. Remember, you get what you pay for!
What to do next…
- If you need help with an audit appeal or regulatory compliance concern, contact us at (800) 635-4040 or via email at email@example.com.
- Read more about our: Total Compliance Solution
Why do thousands of providers trust DoctorsManagement to help improve their compliance programs and the health of their business?
Experienced compliance professionals. Our compliance services are structured by a chief compliance officer and supported by a team that includes physicians, attorneys and a team of experienced auditors. The team has many decades of combined experience helping protect the interests of physicians and the organizations they serve.
Quality of coders and auditors. Our US-based auditors receive ongoing training and support from our education division, NAMAS (National Alliance of Medical Auditing Specialists). All team members possess over 15 years of experience and hold both the Certified Professional Coder (CPC®) as well as the Certified Professional Medical Auditor (CPMA®) credentials.
Proprietary risk-assessment technology – our auditing team uses ComplianceRiskAnalyzer(CRA)®, a sophisticated analytics solution that assesses critical risk areas. It enables our auditors to precisely select encounters that pose the greatest risk of triggering an audit so that they can be reviewed and the risk can be mitigated.
Synergy – DoctorsManagement is a full-service healthcare consultancy firm. The many departments within our firm work together to help clients rise above the complexities faced by today’s healthcare professionals. As a result, you receive quality solutions from a team of individuals who are current on every aspect of the business of medicine.