Healthcare Finance News
Medical records in a public dump: HIPAA responsibilities of billing companies

September 01, 2010 | Holly J. Louie


In recent Boston Globe and New York Times articles, billing companies were named in connection with a medical records data breach, one of which apparently involved medical records found in a public dump.

The billing companies named in these media reports were not members of the Healthcare Billing & Management Association. While the full facts are not publicly known, and the HBMA does not comment on individual cases, the mere publication of these articles captured the attention of the organization.

The HBMA determined that this would be an appropriate time to review the general issue of the proper disposal of records containing Protected Health Information under HIPAA and the steps that the HBMA has advised its member companies to take if there is a breach of HIPAA requirements.

The association’s Ethics and Compliance Committee is advising healthcare organizations and medical billers alike that this is an ideal opportunity to re-evaluate procedures, policies, safeguards, contracts and business relationships.

A Compliance Officer’s Worst Nightmare

This recent medical records data breach represents a billing company’s compliance/privacy officer’s worst nightmare – apparently paper medical records involving multiple facilities, with potentially thousands of patients affected, were found in a public dump. Bad publicity, irate patients and advocates, and loss of trust and reputation may be harsher punishments than the legal and financial costs of a breach such as this.

While there can never be a 100 percent guarantee that something like this will not happen to your organization, there are some basic steps you can take when considering a business agreement with any entity that will have access to patient records and other sensitive information.

For organizations that already have arrangements in place, the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements provide an opportunity to carefully revisit your contracts, policies, procedures, operations, risks and safeguards.

Provider Due Diligence is Crucial

The OIG has published compliance guidance for virtually every facet of the healthcare industry, including third-party medical billing companies, physicians, hospitals and laboratories. These best practices included security and protection of data long before the current HITECH requirements were enacted.

More importantly, a failure in one critical area of compliance may be asserted to be indicative of systemic problems and lack of effective compliance processes throughout the organization. Some basic questions providers should consider when choosing a vendor and/or re-evaluating vendors are:

  • Is the entity you contract with knowledgeable regarding the relevant compliance guidance? Do they have a real, living, breathing Compliance Program? Is there a strong culture of compliance or is compliance viewed as government hassles? Does everyone assigned to your account – i.e. sales, CEO, managers, employees – understand and remain committed to compliance?
  • What is the company doing now to prepare for proposed rule changes that will affect their business operations?
  • Has the company conducted a thorough risk assessment for billing compliance and HIPAA/HITECH?
  • Site visits can tell you a lot about a company. Are the employees professional? How secure does the location seem? Can anyone walk in and out? Are you escorted to any area outside of a public lobby? Where are system back-ups stored? How and where are paper documents stored? What are the document storage, transportation and destruction policies?
  • Does the company outsource work to subcontractors or agents? Do those entities meet the same level of compliance? Who did that analysis? Is it credible?
  • Have you ever sent the company electronic health information that was not encrypted to the current standard? Did you receive any notification that what you did was improper? Does the company give you electronic data that is not encrypted? If paper records are necessary, are the records routinely transported using unlocked or visible methods?
  • Do you have or will you have regular compliance meetings or communications with the company? 
  • Does the contract you will have with the company include appropriate provisions for compliance responsibility?
  • Does your compliance program mesh with the billing company, contractor or agent’s? (Note: a third party’s Compliance Program – even an excellent one – is not a proxy or substitute for a practice’s own Compliance Program.)

Compliance officers in billing companies and healthcare organizations across the country are taking this opportunity to reinforce the message of patient privacy and security with their own workforce as well as business associates, subcontractors and vendors.

Strict legal and regulatory compliance is essential in today’s complex healthcare environment, and, as always in applying the law, there is no substitute for common sense and good judgment.

Holly J. Louie is chair of the HBMA Ethics and Compliance Committee. Two additional members of the committee contributed to this article: Robert B. Burleigh, President of Brandywine Healthcare Services, and Karen L. Collier, Chief Compliance Officer at Intermedix.
 

©2012 MedTech Media Healthcare Finance News is a publication of MedTech Media