This article explores the vital role of HIPAA regulations and refocuses attention on the importance of PHI for a medical billing company. Under HIPAA, we are to: first, show an intention to comply; second, respect and understand the law; and third, implement protective measures. With the COVID-19 Public Health Emergency (PHE) in play, we felt this topic has become all the more crucial to discuss.
People, whether they are healthcare professionals or private business owners, must know what they can or can’t do to safeguard protected health information (PHI). We can only expect formidable results if there is clarity on the subject.
HIPAA comprises three rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Under the Privacy Rule, medical billing services must protect PHI at all costs. We must train our staff and ensure they have ample knowledge of HIPAA rules and regulations. Take note of any first-hand information that comes from providers about how the rules are implemented, as it helps maintain strict discipline in terms of compliance.
Regular audits also strengthen compliance and keep staff members motivated to take the business to the next level.
As a general rule, value personal health information (PHI) and recognize how important HIPAA compliance is at a time when electronic health records are replacing paper-based records. Going forward, the shift to electronic records will only accelerate.
If we keep ePHI secure, we adhere to HIPAA; if we are reckless, we may be fined up to $1.5 million and may spend up to 10 years in prison, according to the American Medical Association (AMA).
HHS and Medical Billing Services
Since medical billing services in the US handle a great deal of PHI to execute the billing process, they carry a great responsibility to protect it. Whether our systems are vulnerable to viruses or intruders can find a way in, we have to fix them so that they meet HIPAA requirements.
How far do we have to go to comply with HIPAA as a medical billing company?
This is a good question to raise. As business associates, we are required by law to know the extent of HIPAA regulations. The Department of Health and Human Services (HHS) upholds the rules and regulations of HIPAA in letter and spirit.
You can read them here:
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
HHS documents the HIPAA Privacy and Security Rule policies in full and, whenever the law is amended, updates them accordingly.
Hence, nothing is unfair as long as we have the right resources to consult.
HIPAA’s Definitive Role
HIPAA (the Health Insurance Portability and Accountability Act) exists to protect the health of Americans and keep their sensitive information locked away and inaccessible to the general public. PHI must be kept private and made available only to the relevant health stakeholders.
The Act establishes a thorough plan to safeguard patient health information to respect the right to privacy. In some cases, we also read PHI as Personal Health Information.
As a medical billing company, we are legally bound to protect the privacy of citizens so that sensitive information like Social Security numbers or patient history does not go public. It must be protected against any unauthorized access that could cause emotional or financial harm to patients or providers.
Ordinarily, HIPAA enforces the law on business associates and covered entities. A medical records company comes under the category of business associates.
Covered Entities Are Subject to HIPAA as Well
The rule book clearly states that the HIPAA Privacy Rule applies only to covered entities.
According to HIPAA rules, health plans (insurance companies), clearinghouses, and healthcare providers come under the umbrella of covered entities. The phrase "healthcare provider" is a generic term for hospitals, university medical centers, physicians, and anyone who submits claims (containing PHI) directly or through a third party for monetary compensation.
The payments acquired as a result come under collections and depend on how well we execute the medical billing outsourcing process on behalf of our clients.
Every individual has the right to set their service fee at whatever they think is best, as long as they stay within the limits.
Similarly, we believe medical billing services can charge as per their will, what they think is the right fee, as long as it doesn’t hurt the provider.
Business Associates
Business associates are individuals or companies who have access to PHI; examples include:
• Data transmission managers
• Data processing companies
• Data saving firms or document shredders
• Medical tools manufacturers
• Auditing consultants
• Medical billing companies
• Medical transcription services
• External auditors & accountants
As long as medical billing companies comply with the Final Rule, they are safe from penalties for HIPAA violations. Billers or subcontractors are subject to strict action if they fail to preserve PHI.
What did we learn?
Health IT consultants who offer services to providers in exchange for a reasonable fee are permitted under the law to charge as much as they want. Since the law exists to keep individually identifiable health information from falling into the wrong hands, remote billers must show compliance with the HIPAA Security and Privacy Rule provisions at all times.
People who are currently in a similar line of work and who assist or volunteer for the US healthcare industry must keep themselves informed about HIPAA rules and regulations and watch for any updates. The Office for Civil Rights (OCR) works under HHS to perform audits; it screens companies to see whether they are breach-proof.
Conclusion
No medical practice or medical billing company can ignore HIPAA compliance if it deals with PHI (Protected Health Information). There is no middle ground: a company must implement security measures or face serious repercussions.
Thus, in order to understand the dynamics of how HIPAA regulates our industry, healthcare organizations must observe the HIPAA Security Rule, the (revised) HIPAA Privacy Rule, and the HIPAA Breach Notification Rule to ensure patients’ privacy and seamless workflow.
Note: Before signing up with new providers, medical billers could prepare a document that shows that they are HIPAA compliant and share it with the client as part of their agreement.
Follow QPP MIPS for healthcare updates on subjects like this and more. It is our goal to find topics that benefit our readers.