Without protected health information (PHI) security controls of their own, second- and third-party vendors can expose the facilities that employ them to violation penalties amounting to millions of dollars.
To limit your liability for an outsourced coding company's PHI compliance failures, take the steps needed to confirm that it meets the requirements of the HIPAA Privacy Rule and Security Rule, not merely that it says it does.
Enforcement actions for protected health information violations have increased rapidly since 2013, and 2016 was a record year.
Most facilities are themselves compliant, but they often do not realize that their vendors may not be. With electronic records and charts now exchanged outside your facility continuously, every step in that chain (transmission, storage, access and onward disclosure) is a potential point of information leakage.
The problems, and your exposure, increase dramatically if you use an offshore coding company. Offshore vendors often do not abide by U.S. compliance standards and are seldom transparent about their data security processes. If your offshore coding company is responsible for a violation for which your facility is investigated and fined, what are the chances that you would be compensated for the damages?
The Office for Civil Rights (OCR) leads enforcement, with the authority to audit, investigate and impose civil money penalties for misuse and breaches of PHI under HIPAA and HITECH. If an audit finds that your outside coding vendor lacks proper compliance procedures and you cannot demonstrate that you applied reasonable safeguards of your own, the consequences can be extremely costly for you. HIPAA and HITECH establish the overall enforcement structure, but the HIPAA Omnibus Rule defines the specific criteria that govern your relationship with your outsourced coding company.
Under HIPAA, covered entities are health plans, health care clearinghouses, and health care providers that electronically transmit any health information in connection with transactions for which the Department of Health and Human Services has adopted standards. If you are a hospital, clinic, physician group or practice, you are a covered entity.
The Final Omnibus Rule of January 2013 defines a business associate as "a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity." This includes "subcontractors that create, receive, maintain or transmit protected health information on behalf of business associates." If you use an outsourced coding company, it is a business associate, and under the Omnibus Rule it is directly liable for its own compliance; that does not, however, relieve you of your obligation to have a business associate agreement (BAA) in place with it and to act on any noncompliance you become aware of.
As a business associate, does your coding company have a comprehensive compliance program that protects you, the covered entity, from the consequences of its own potential PHI failures?
We’ve taken extreme steps to protect ourselves as a business associate and our clients (covered entities) from compliance oversights. Our industry-leading information security process combines an all-inclusive array of human and digital protocols to cover all components impacting digital healthcare data exchange:
Each of these controls addresses a point of potential vulnerability, prevention or correction in our handling of the protected health information our clients have entrusted to us.
No other coding company protects you like KIWI-TEK.