Business Associates Gone Bad

5 Tales of Woe and Ways to Prevent Them from Reoccurring

From large hospitals to the one-physician practice, administrators need to not only examine the liabilities their own staff maybe creating, but their Business Associates too. As more healthcare entities look for ways to cut costs by outsourcing work, beware-  because it does not relieve them of potential liabilities.

Fatal Savings: Foreign Transcriptionists

In the United States, the medical transcription business is estimated to be worth up to $25 billion annually and growing 15 percent each year. Due to the increasing demand to document medical records, many providers are outsourcing the transcription. The main reason for outsourcing is the cost advantage of relatively inexpensive labor in developing countries.[1]

Costs, Privacy & Quality

The controversy stands on whether medical transcription should be outsourced, due to cost, privacy and quality.

Many transcription companies are finding it cost effective to hire U.S. based medical transcribers as independent contractors; thus saving on benefits. To save even more, some of these companies are subcontracting the work overseas and keeping the difference as profit.

This raises concerns over privacy. Here in the U.S. we have the Health Insurance Portability and Accountability Act (HIPAA) as well as a host of state privacy rights; whereas transcribers in other countries may not comply with our privacy and patient confidentiality laws.  These transcriptionists may not even know what standards of privacy are required.

Many foreign transcriptionists, who can speak English, are not familiar with American expressions and/or the colloquial sayings doctors often use, and can be unfamiliar with American names and places; or specific medical jargon. For example, “subarachnoid hemorrhage” may be transcribed as “subarachnoid hemorrhoids.”

Fatal Savings

On December 13, 2012, a Baldwin County, Alabama, jury returned a $140 million wrongful death verdict against Thomas Hospital and its outsourced medical transcription companies for a woman’s death resulting from a transcription error. [2]

In a complicated case that took more than four years to prepare for trial, Plaintiff’s attorneys revealed the circumstances that led to the needless death of Sharron Juno, a former patient of Thomas Hospital in Fairhope, Alabama.

On March 18, 2008, Ms. Juno was discharged from Thomas Hospital.  Unbeknownst to her treating physician, the Discharge Summary he dictated was outsourced by the hospital and ultimately transcribed in Mumbaiand New Delhi, India.

“One thing that was astonishing to the case, and I am not sure it is unique to Thomas Hospital, is none of the doctors even knew there was outsourcing going on, much less oversaw the outsourcing. The work was not reviewed by anyone in the U.S. It just came back and was waiting for the Doctor to read,” said Skip Finkbohner, who tried the case with Toby Brown, Brian Duncan and David Wirtes of Cunningham Bounds, LLC. [3]

The transcript contained three critical errors, including the dosage of Levemir insulin, which was written incorrectly as 80 units rather than eight (10 times the prescribed dose).

“One of our experts who runs the in-house transcription service at the University of Arizona said ‘you can outsource the work, but you can’t outsource the responsibility of the work,” Finkbohner said. [4]

The hospital violated its own procedures and multiple national patient safety standards by using the unreviewed, unsigned Discharge Summary to write admission and medication orders for Sharon Juno’s admission to a local rehabilitation facility.  Shortly after her admission to the rehab facility, on March 19, 2008, Ms. Juno was given a fatal dosage of insulin based on the admission paperwork the hospital had sent to the rehab facility.  The medication caused an irreparable brain injury that resulted in cardiopulmonary arrest.  Sharon Juno never regained consciousness and died on March 27, 2008.

Beginning in 2007, Thomas Hospital authorized its U.S. based outsource transcription vendor — Precyse Solutions, LLC — to use overseas transcription in India to save 2 cents per line.  Through a series of subcontracts, the actual transcription services were moved to India and performed by Medusind Solutions, Inc. in Mumbai and Sam Tech Datasys in New Delhi.  Testimony at trial revealed that U.S. based employees of Precyse were highly critical of the poor accuracy of the transcription work performed overseas by Medusind and Samtech.  Instead of instituting better quality control procedures, these employees were replaced with overseas reviewers.

“There were nine to ten separate vendors in India that were using this watered down quality standard. The frightening thing about this is that they are not even doing work for any Indian hospitals or hospital providers. They are only doing work through sub contracts with hospitals in the U.S. I would suspect that many of the hospitals don’t even know who is doing the work,” Finkbohner said. [5]

Consequently, no one in the United States reviewed the transcripts for critical errors before they were provided to Thomas Hospital.  Even after the death of Sharron Juno, Thomas Hospital continued its relationship with the transcription company for two more years.

“At the time we tried the case, the Health Information Manager testified that she still did not tell medical staff that the transcription was outsourced to anyone, much less to India,” said Finkbohner.[6]

There are a lot of lessons to be learned from this case. Below is a list of action items that need to be taken to prevent this type of tragedy from occurring in your health care facility.

Plan of Action:

• Create an outsourcing policy
• Create provision in Business Associate Agreement to prohibit outsourcing without prior written consent
• Conduct random audits of transcription company and its work product
• Investigate if transcription company outsources

Always remember that under agency theory, you are liable for the errors of your agents. Be careful when outsourcing transcription.

Properly Terminated Business Associate Agreement (BAA)

The U.S. District Court for the Southern District of Florida found that a hospital system properly terminated its contract with a business associate staffing company for a violation of HIPAA.

Community Health Systems (CHS) owns and operates hospitals throughout the country. They hired Managed Care Solutions (MCS) to assist them in collecting receivables from third-party payors, such as insurance companies, who fail to pay all or part of a bill. In order to perform these services MCS had to receive protected health information from CHS. In January, 2005, a contractor for MCS was investigated, and subsequently charges and convicted, with misusing protected health information, including patient social security numbers. The contractor, Nichole Scott, worked at CHS’ Salem Hospital through a temporary employment agency employed by MCS. [7]

Although the compromised health information did not belong to patients of CHS, CHS responded to the criminal investigation by terminating its contract with MCS. During the parties business arrangement they signed a HIPAA Business Associate Contract Addendum. In the HIPAA Addendum CHS cited a clause granting them the right to immediate termination of their contract if MCS, or its agents, misuse protected health information. MCS did not dispute the interpretation of the clause; they disputed that the identity theft conviction of its contractor should be classified as “misuse of protected health information” and that therefore CHS did not have the right to immediate termination. Re-read the last sentence. That’s right, they argued identity theft was not misuse of CHS’s protected health information.

MCS argued that the actions of their contractor was not sufficient grounds for immediate termination under that provision. MCS argued that their contractor did not use protected health information from Salem Hospital to commit identity theft, but that she obtained her victims’ information from a street source. MCS cited documentation from their contractor’s police record that confirms that the victims were not patients at Salem and that their information was obtained outside the context of the hospital.

For obvious reasons, CHS was not comforted by this argument. CHS took the responsible position of terminating its Business Associate Agreement with MCS. Unfortunately, this is not the first time we have come across a Business Associate that has a thief as an employee/agent. This case should remind all healthcare providers to have strong Business Associate Agreements in place.

Takeaway messages:

• Know who you hire; look for accreditations and references
• Have written requirements for hiring standards of your BAs.
• Make sure your BAA contract includes the right to immediate termination of the contract if an employee, or an agent of the business associate, misuses protected health information or is in anyway engaged in criminal behavior.

Discussion Groups Risky for Coding Advice

Allowing the billing team to use online coding discussion groups may seem like a cost effective way to get answers and share best practices. But doing so is risky. Anyone can proclaim “expertise” and provide an answer. There are no industry standard guidelines, and all the responses are in the public domain and discoverable. That means anything your employees post could be used against you. Are you willing to take the risk?

Discussion boards are not inherently evil, but if used improperly they can get a practice into real trouble. “First, because these discussions are intentionally ‘open,’ there is no one validating the answers. Readers take them as the gospel truth, yet frequently the online answers are just plain wrong,” says Mary LeGrand, RN, MA, CCS-P, CPC, and consultant with KarenZupko & Associates.[8] The common mantra is that if it’s on the internet , it must be true.

This is because the “answerers” are rarely coding educators or experts. They are billers, managers, and other staff at practices and hospitals across the country, trying to help each other out. At first blush, this collegiality may seem harmless, even admirable. But here’s the problem: Unlike a coding education company, society, or professional consultant, these people carry no errors and omissions insurance. If your practice uses one of their wrong answers and gets audited, who are you going to sue for restitution? You’re on your own.

“The second big issue,” LeGrand continues, “is that people and practices are clearly identified in the emails.” This leaves the practice exposed when staff is posting about physician coding behavior and other sensitive or controversial issues. “A well-known surgeon was recently discussed on one of the boards,” LeGrand explains. “His full name and practice name were listed, along with the details what he does in terms of coding and billing. Now the whole world knows about his billing issues.” [9]

If your practice is using coding boards and listservs without policies and protocols in place, you are flying without a net. A key issue here is disclosure. Staff is publicly disclosing something, and that makes the physician an audit risk. And in most cases, you can’t un-ring the bell. It’s done. It’s up there for everyone to see.”

Remember, every time people ask a question or provide an answer, a permanent digital trail of coding crumbs is created. That trail can easily be followed by the Feds or savvy payors seeking clues and patterns and indeed, the government is watching, according to LeGrand. “Over the past year, we’ve noticed a Noridian Medicare Director responding to multiple posts. And we occasionally see others identify themselves as Medicare representatives.”[10]

So let’s say one of your partners isn’t exactly following E/M coding rules despite your best efforts at training and cajoling. You and your partners know it. Your staff knows it, and if someone on your team talks about it online, the rest of the world knows it, too.

“Staff often publicly discloses their displeasure with something the physician said, or how he wants to code,” says Kim Pollock, RN, MBA, CPC, consultant with KarenZupko & Associates. “They freely use the word “fraud,” but most of them don’t have an understanding of the legal definition of fraud, which includes the burden of proof that is required.” ^[11]

The trouble with this is that your practice can’t get legal protection. There is no attorney client privilege because your issue is ‘out there’. Information posted to listservs and discussion boards is also ripe for picking by disgruntled employees or others who are formulating a whistleblower or qui tam suit.”

Recommendations:

1. Create a list of approved sites and resources.

LeGrand suggests logging the name of each coding board and listserv used, along with the organization name, sponsor, if relevant, and web site address. Then, review each site and evaluate it against criteria to create an “approved” list that’s acceptable for employee use.

• Is the site or list sponsored by a national specialty society or professional organization?
• What are the credentials of those responding to the questions?
• Is the board or list moderated? If so, what are the credentials of the moderator?
• Does the organization that sponsors the board or list carry errors and omissions insurance that protects your practice against inaccurate advice?

Be leery of online responses that come without errors and omissions protection. If you use an inaccurate response and get audited, you’re on your own.

Some boards and listservs have credentialed moderators, who will chime in to correct wrong answers and who can remove inaccurate posts. If the sites on your list have a moderator, that’s a positive sign. So are those sites and boards whose respondents list their degrees and credentials, such as Certified Procedural Coder (CPC) or one three obtained from the American Health Information Management Association (ahima.org).

“Update the list at least annually, or when the practice finds new sites,” she says. “If you get audited, you’ll need to track down the sources of the coding advice used.”

2. Develop usage policies and procedures.

Online boards and listservs bridge both HIPAA and billing compliance. You need policy statements in both your Billing Compliance Plan and your Social Media Policy that address usage. And the latter requires employee sign-off.”

A good policy prohibits employees from posting, for example, sensitive coding issues. This would include any inference of physician coding behavior, or anything that could be perceived as the physician ignoring correct coding rules or guidelines.

Additionally, define acceptable and unacceptable topics. Some employees use these sites to vent that their doctor did this or that. Citing a discussion about a physician who was saying inappropriate things to staff, is extremely inappropriate, as are questions such as, ‘Should we disclose to a patient that we made an error in the surgical procedure?’ ‘Is there an obligation to disclose this?’”

3. Set rules about identifying details.

Instruct staff not to post anything online in a format that could identify the practice. Posting practice identifiable information is risky and should be carefully controlled. Pollock adds that some practice policies instruct employees to use their own personal email, and use the boards and listservs on their own time – off the clock. Regardless of the guidelines you choose, pay close attention to how much time employees spend online, and what they post.

4. Validate, document, and file all answers.

Validate online responses against credible sources such as AAOS, the American Medical Association or Federal transmittals. Only after responses have been verified should the practice use the information in its billing and coding practices. And as with any coding source documentation, put the details into the practice’s Compliance Plan. “Log where and on what date you got the answer, who provided it, their credentials, and the web site address,” LeGrand explains. “If you are audited, you need this trail of information to justify where surgeons and staff received the coding information used on the claim.”

5. Pay for vetted resources from reputable organizations.

Keep your workforce informed and you’ll reduce the number of questions they pose to questionable sources. “[For orthopaedic groups], [p]urchase AAOS’ Code-X correct coding tool and send the billing team to AAOS coding workshops every year,” suggests Pollock. “Subscribe to Medicare’s Part B News.” Other good coding resources are available from the American Medical Association (ama-assn.org), American Health Information and Management Association (ahima.org) and the American Association of Procedural Coders (aapc.com).

And for ongoing questions that need answers, contract with a coding educator or consultant with expertise in orthopaedics, or your respective specialty. Pollock also suggests the American Medical Association’s CPT® Network, a subscription-based resource that provides a searchable knowledgebase of coding questions and answers, as well as the option of getting answers to ad hoc questions from the AMA’s CPT® Coding Department. According to the organization’s web site, AMA members can receive answers for up to 6 questions per year, for free. Additional packages are available and costs range from $80 for the answer to one question, to $1100 for the answers to 25 questions.

While there are indeed useful online resources, we recommend they be used with caution. Be aware of and monitor what billing staff  are discussing online, establish policies that protect the practice from risk, and always validate online coding ‘advice’ against credible sources.

Know where your data lives

Just when you think you have all your t’s crossed and your i’s dotted, you turn on the CBS Evening News and you forgot to think about your copying machine.

Affinity Health Plan Inc. indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity.  CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.[12]

Affinity filed a breach report with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information.  Under a settlement with HHS , Affinity Health Plan, Inc. will settle potential violations HIPAA Privacy and Security Rules for $1,215,780.

Affinity estimated that up to 344,579 individuals may have been affected by this breach. Those were robust copy machines. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez.  “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”[13]

In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

Takeaway messages:

• Learn about safeguarding sensitive data stored in the hard drives of digital copiers: http://business.ftc.gov/documents/bus43-copier-data-security.
• Practice media sanitation: http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf.
• Have an independent security risk analysis conducted at your practice
• Your Business Associate Agreement can mandate the vendor will be responsible for wiping data clean on any hard drives in their machines

 Unsecure Website Exposes Private Patient Information

Even after you terminate a contract with a Business Associate, liabilities still exist. Take ICS Collection Service, Inc., a debt collection agency for example. They specialize in recovering aged debt from individuals on behalf of healthcare and commercial entities. One of their clients formerly included the University of Chicago Physicians Group (UCPG). ICS had previously contracted with UCPG for collection and address verification services.  While the contract had been terminated before the potential breach occurred, ICS had retained data on 1,344 patient claims that were active at the time the contract was terminated.[14]

Last July, ICS received a report that a website user was able to view certain sensitive information relating to other debtors while on the debtor page of its website.  While the investigation is ongoing, it currently appears that the user viewed protected health information including names, addresses, and, in some cases, Social Security numbers, dates of birth, responsible party names, responsible party addresses, insurance payment and dates, insurance company names, insurance policy numbers, procedure and diagnosis codes and descriptions, dates of service, and treating physician names relating to certain UCPG patients.

After being notified, ICS contacted its third-party website and software vendors ICS corrected the security settings and disabled access to the page on our website utilized by debtors to make payments and other account adjustments.  In addition, ICS retained independent, third-party forensic experts to assist with the investigation.  ICS reported this incident to the Federal Bureau of Investigation.  ICS also retained cyber counsel to assist in responding and investigating the incident.

ICS said in their press release that they are unaware of any attempted or actual misuse of the data stored in the database.  Nevertheless, ICS is offering credit monitoring and identity theft consultation services to affected debtors for one year.  Consultation services include information on protecting oneself from identity theft and fraud.

With the 2013 HIPAA Omnibus Final Rule, subcontractors and business associates of HIPAA-covered entities are equally responsible for privacy and security breaches of protected health information. By studying the mistakes of others, we can avoid similar problems in our own future.

Summary:

HIPAA, HITECH, and other Privacy Laws address the obvious. But, they also go deeper. Understanding the risks allow you to pre-emptively plan and stay out of harm’s way.

Michael J. Sacopulos is the CEO of Medical Risk Institute (MRI). Medical Risk Institute  provides proactive counsel to the healthcare community to identify where liability risks originate, and to reduce or remove these risks. Michael won the 2012 Edward B. Stevens Article of the Year Award for MGMA. He has written for Wall Street Journal, Forbes, Bloomberg and many publications for the medical profession. He is a frequent national speaker.  He attended Harvard College, London School of Economics and Indiana University/Purdue University School of Law. He may be reached at msacopulos@medriskinstitute.com.

Jeffrey Segal, MD, JD, FACS is founder and CEO of Medical Justice, eMerit and is a board-certified neurosurgeon. Segal holds a M.D. from Baylor College of Medicine, where he also completed a neurosurgical residency. He received his B.A. from the University of Texas and graduated with a J.D. from Concord Law School with highest honors.