New rules, responsibilities

Revenue-cycle management companies face new headaches as they assume more responsibility for the privacy and data security of the protected health information they handle.

New HHS rules extend direct civil and criminal liability to vendors and contractors who have access to such information. The regulations, issued under the Health Insurance Portability and Accountability Act, come amid generally heightened scrutiny of the treatment of patients' health information.

Revenue-cycle companies grabbed headlines last year when Chicago-based Accretive Health came under fire in Minnesota for allegedly hounding patients for money before they were treated. But the state's probe actually started as an inquiry into patient privacy violations, which surfaced when a laptop containing information on more than 23,000 patients was stolen from a car being rented by an Accretive employee.

Accretive has since settled with the state in a deal that bans the company from operating in Minnesota for at least two years and as long as six.

The Minnesota attorney general's public shaming of the company for its debt-collection practices, however, garnered “almost zero” reaction from revenue-cycle management companies, absent a “quick look” to make sure their own practices are compliant, said Richard Williams, managing director and head of the Dallas healthcare practice at Protiviti, a consulting and internal audit firm.

But “in terms of patient privacy, there was a huge response to that,” Williams said. Accretive's troubles, he said, dovetailed with HHS' new privacy and security rules—effective March 26 with a Sept. 23 compliance deadline—as well as a $9.2 million contract that HHS' Office for Civil Rights awarded KPMG in June 2011 to organize audits of healthcare companies and their business associates.

The new attention to business associates has been “creating a tremendous amount of buzz,” Williams said. Protiviti's services include HIPAA security gap assessments and risk analyses. “We are probably receiving more requests for this than we've been receiving for any other function this calendar year, bar none,” Williams said.

Williams estimated that more than two-thirds of vendors don't have “very seasoned or mature” security programs that are aligned with HIPAA guidelines. “Costs will go up; new policies and procedures will need to be developed,” he said.

That's true even at Conifer Health Solutions, which, as a revenue-cycle subsidiary of hospital chain Tenet Healthcare Corp., was already subject to most HIPAA regulations. The new rules mean that Conifer will have to establish additional policies with its subcontractors and allow patients to ask that certain pieces of information not be disclosed to health insurers.

“There's sort of a drumbeat of enforcement around it,” said Ken Schwartz, senior counsel, regulatory operations at Conifer, based in Frisco, Texas. “We're watching daily for new information that's out there. Whenever there's a new requirement, we're looking at man-hours to change processes, man-hours around training.”

Passport Health Communications, Franklin, Tenn., has similarly conducted a “full risk assessment” and engaged an outside contractor to make sure it is compliant with the new regulations, said Crista Harwood, vice president and general counsel.

The company has invested resources in creating more “robust” audit-logging procedures and in adding software, Harwood said. And as companies such as Passport now can be directly liable for a data breach, it also has looked at adding insurance coverage to lower its risk.

Schwartz said the Accretive lawsuit has opened up discussion about compliance. “Accretive is certainly an example of one that we're watching very carefully because we're in the same space.”

Accretive, which this month replaced CEO Mary Tolan with former Dell Services President Stephen Schuckenbrock, blamed the Minnesota settlement as one of the drivers that pushed down its third-quarter 2012 profit—its latest earnings report while it restates its financial results—to $2.8 million, from the $7.3 million earned during the prior-year period.

The company's troubles, though, have not created significant fallout or a chilling effect on the revenue-cycle management industry, at least when it comes to debt collection practices, said Adam Shewmaker, associate director of healthcare consulting services at accounting firm Dean Dorton Allen Ford.

Shewmaker noted, however, that an increasing number of providers are trying to move at least some pieces of the revenue-cycle management process in-house by hiring more billing specialists.

What's happening in the business, Shewmaker said, is “a heightened sense of data security and customer service and customer satisfaction.”

Follow Beth Kutscher on Twitter: @MHbkutscher