Revenue-cycle management companies face new headaches as they assume more responsibility for the privacy and data security of the protected health information they handle.
New HHS rules extend direct civil and criminal liability to vendors and contractors who have access to such information. The regulations, issued under the Health Insurance Portability and Accountability Act, come amid generally heightened scrutiny of the treatment of patients' health information.
Revenue-cycle companies grabbed headlines last year when Chicago-based Accretive Health came under fire in Minnesota for allegedly hounding patients for money before they were treated. But the state's probe actually started as an inquiry into patient privacy violations, which surfaced when a laptop containing information on more than 23,000 patients was stolen from a car being rented by an Accretive employee.
Accretive has since settled with the state in a deal that bans the company from operating in Minnesota for at least two years and as long as six.
The Minnesota attorney general's public shaming of the company for its debt-collection practices, however, garnered “almost zero” reaction from revenue-cycle management companies, absent a “quick look” to make sure their own practices are compliant, said Richard Williams, managing director and head of the Dallas healthcare practice at Protiviti, a consulting and internal audit firm.
But “in terms of patient privacy, there was a huge response to that,” Williams said. Accretive's troubles, he said, dovetailed with HHS' new privacy and security rules—effective March 26 with a Sept. 23 compliance deadline—as well as a $9.2 million contract that HHS' Office for Civil Rights awarded KPMG in June 2011 to organize audits of healthcare companies and their business associates.