DOMESTIC — ALL-AMERICAN MEDICAL CODING
Are You Safe And Secure?
Your Facility Could Be Liable For PHI Compliance Infractions Of Your Outsourced Coding Company.
Without protected health information (PHI) security controls of their own, your business associates and their subcontractors can create liabilities amounting to millions of dollars for the facilities that employ them.
To limit your exposure to your outsourced coding company's PHI compliance failures, execute a compliant Business Associate Agreement (BAA) with them and take the appropriate steps to verify that they actually conform to the HIPAA Privacy Rule, Security Rule and Breach Notification Rule.
A Real Security Threat
HIPAA enforcement actions and settlements for protected health information violations have increased rapidly since 2013, and 2016 was a record year.
Most facilities are themselves compliant, but they don't realize their vendors may not be. With electronic records and charts now routinely exchanged outside your facility, many points along the way are vulnerable to information "leakage."
The problems and your exposure increase dramatically if you're using an offshore coding company. Offshore vendors are often not held to U.S. compliance standards and are seldom transparent about their data security processes. If your offshore coding company proves responsible for a compliance infraction for which your facility is investigated and fined, what are your chances of being compensated for damages?
The Office for Civil Rights (OCR) leads the charge, with the authority to investigate complaints and breaches, conduct compliance reviews and impose civil money penalties for PHI violations under HIPAA and the HITECH Act. If an audit discovers that your outside coding vendor lacks proper compliance procedures and you can't demonstrate that you took reasonable precautions, the consequences can be extremely costly for you. HIPAA and HITECH set up the overall enforcement structure, but the HIPAA Omnibus Rule defines the specific requirements that govern your relationship with your outsourced coding company.
HIPAA Omnibus Rule
- Implements the privacy and security modifications required by the HITECH Act, written for the era of Electronic Health Records (EHR) that the Act promotes, and sets out how OCR enforces them.
- Holds HIPAA business associates, including subcontractors of business associates, directly liable for protecting PHI under the same standards as covered entities.
- Sets tiered penalties for noncompliance based on the level of negligence, with a maximum of $1.5 million per calendar year for all violations of an identical provision.
- Consolidates the earlier HIPAA, HITECH and GINA rulemaking into a single final rule, giving organizations one set of requirements against which to measure their privacy and security policies.
Under HIPAA, Covered Entities are health plans, health care clearinghouses, and health care providers that electronically transmit health information in connection with transactions for which the Department of Health and Human Services has adopted standards. If you're a hospital, clinic, physician group or practice, you're a covered entity.
The Final Omnibus Rule of January 2013 defines a Business Associate as "a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity." This includes "subcontractors that create, receive, maintain or transmit protected health information on behalf of business associates." If you're using an outsourced coding company, it is a business associate.
As a business associate, does your coding company have a comprehensive compliance plan that protects you, the covered entity, from its own potential PHI oversights?
Play It Safe With KIWI-TEK.
We've taken extensive steps to protect ourselves as a business associate, and our clients as covered entities, from compliance oversights. Our information security program combines administrative, physical and technical safeguards covering every component of the healthcare data exchange:
- Workplace privacy standards and forms
- Equipment monitoring
- Business Associate Agreements (BAA)
- Compliance documents
- Incident response plans
- HIPAA compliance training and signed user acknowledgments
Each of these controls addresses a potential point of vulnerability, and provides for prevention or correction, in our handling of the protected health information our clients have entrusted to us.
No other coding company protects you like KIWI-TEK.