Q&A: Outsourcing coding duties
Q: My organization is considering outsourcing our coding to an offshore company. Does HIPAA apply only to healthcare entities and business associates located within the United States? If so, what would happen if the offshore third party experiences a breach? What are the risks associated with this decision?
A: As a U.S. law, HIPAA applies to three categories of covered entities (CE) operating within the U.S.:
- Healthcare clearinghouses
- Health plans (with the exception of the workers’ compensation program)
- Healthcare providers that transmit health information in electronic form using standard transactions
As a CE, you are required to safeguard protected health information (PHI) you share with business associates. This is done through a written business associate agreement (BAA). Even though the coding company is outside the U.S., you must still have a written BAA with it to safeguard the PHI you share with it.
If the offshore third party experiences a breach, your BAA must require the company to report the breach to you. However, there is a risk that any business associate may experience a data breach and fail to report it to the CE. This risk may be higher with an offshore company.
Coding quality and timeliness should also be considered in your decision-making. It would be reasonable to send a small sample of de-identified patient records to the company for coding before you enter into a contract, so you can judge the quality of their work.
Editor's note: Mary D. Brandt, MBA, RHIA, CHE, CHPS is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to editor Kevin Duffy at kduffy@hcpro.com.