July 2, 2008
KSL team coverage | ksl.com

A tip led authorities to stolen medical billing records and to the arrest of the men behind it. That’s reassuring news for the million and a half patients affected by the theft, but is their personal information safe?

Authorities are confident the suspects did not access confidential information, even though they knew early on, from media coverage, what was in those stolen tapes. A $1,000 reward was just too much for one of their friends to keep quiet about it.

Sheriff Jim Winder said, “The criminal element in this case is a circle, and within that circle, fortunately, there was someone willing to contact us.”

A phone call Monday night led authorities to the missing records and to the suspects. Sheriff’s deputies arrested 37-year-old Shadd Hartman on one count of possession of stolen property and one count of unlawful possession of another’s ID.

Fifty-two-year-old Thomas Howard Anderson was arrested on one count of theft by receiving and one count of identity fraud. A third suspect is in jail on unrelated charges.

“These were individuals with substantial criminal histories that found an opportunity and did take these tapes,” Winder said.

Investigators say last month one of the suspects randomly broke into the SUV with the records inside. The vehicle belongs to a courier for an offsite storage company. That courier broke policy by taking the records to his Kearns home.

The records contained information for 1.5 million University of Utah Hospitals and Clinics patients, including Jenni Todd. She said, “I’m glad they found it. I’m glad that they found the records and arrested some people.”

But Todd says she’s still a little concerned. “It almost scares me more because if there’s a ring of people, maybe they were really trying to steal our identities,” she said.

But authorities don’t believe any patient information was compromised. They say the suspects didn’t have the means or the knowledge to access them. “They definitely are not techies. There’s no question about that. I don’t know if they could find their rear ends with both hands,” Winder said.

But the U isn’t taking any chances. IT plans to work with the FBI to determine if any patients’ records are at risk. The U is still offering free credit monitoring for a year.

Jenni Todd plans to take advantage of it. She said, “Just to make sure, and it’s also just good to have credit monitoring anyway.”

The U has spent $2 million to notify affected patients and offer services. University Health Care says until the FBI verifies through forensic testing that the personal information was not accessed, the hospital will keep current safety measures in place.

“We take our patient confidentiality information very seriously, and so that’s currently in place. And we’ll continue to work with law enforcement officials to determine whether there’s any risk of that information having been accessed,” said David Entwistle, CEO of University Hospitals and Clinics.

University Health Care has also released a statement on the recovery of the records. Two class-action lawsuits have been filed in this case.

The KSL Team:

E-mail: syi@ksl.com
E-mail: corton@ksl.com
E-mail: mgiauque@ksl.com

Friday, May 16, 2008. Sun.Star Cebu

ACCENTURE delivery centers in the Philippines have been awarded the British Standards Institute (BSI) Management Systems ISO 27001 certification for information security.

The only international standard that provides a truly independent assessment of an organization’s information security, ISO 27001 aims to protect the confidentiality, integrity and availability of information assets of an organization.

BSI has also recommended the certification as compliant with the requirements of the Health Insurance Portability and Accountability Act (HIPAA), covering Accenture’s health operations services in the Philippines.

HIPAA certification is a US law enacted in 1996 to protect healthcare customers’ privacy, integrity and availability of information such as health, demographic and other personal data, especially those containing electronic protected health information (ePHI). HIPAA compliance is mandatory for the healthcare industry, including its service providers, to protect participants and beneficiaries in group health plans.

Accenture is one of the first companies in the world to have complied with the information security management systems requirements of HIPAA. “These joint certifications reinforce Accenture’s commitment to safeguarding the protected information that our clients have entrusted us with,” said Mitch Gross, global delivery lead for Accenture’s Health Administration BPO (business process out-sourcing) Services business.

“We’re pleased to be the first delivery center in Accenture’s Global Delivery Network to be awarded (an) ISO 27001 and HIPAA Certification,” said Beth G. Lui, country managing director for Accenture in the Philippines. “Such recognition further strengthens Accenture’s industry leadership and helps validate the Philippine delivery centers as a preferred partner by our trusted clients as it helps provide a safe and secure information security environment.”

Accenture was recently named Philippines’ Business Process Outsourcing Employer of the Year at the Information and Communications Technology Awards 2008, following its 2007 win as BPO Company of the Year.

Accenture employs 178,000 people in 49 countries. (PR)

Article Date: April 4, 2008

Medical billing services assist physician practices in billing, coding, accounts receivables and management activities. By outsourcing to a medical billing service, a physician practice may realize increased profitability by decreasing the administrative time and expense involved in the billing process. The relationship between the physician practice and a billing service is an important and complex one. The issues are not limited to the billing service’s effectiveness in collecting payments. Both the physician practice and the billing service will benefit from a clear agreement, appropriately documented, as to all aspects of their relationship, including matters relating to data ownership of medical records and termination of the relationship.

Information technology systems are making it easier to rapidly transmit medical records and associated claims data while also reconfiguring and manipulating the data to exchange. To protect patients’ privacy and security, the American Medical Association (AMA) and the Healthcare Billing Management Association (HBMA) encourage physician practices and medical billing services to consider discussing, agreeing upon and including provisions in their contracts regarding software and proprietary information, claims data-ownership with respect to both original and copies of physician practice records and termination procedures. Physician practices are encouraged to consider the value the relationship will bring to the practice before entering into an agreement.

Typically, the physician practice will provide a medical billing service with a variety of records required for various billing, coding, accounts receivable, and management activities. A medical billing service may incorporate the records into proprietary forms, templates and other tools to prepare reports for the physician practice. This document will list topics for physician practices to consider addressing with prospective medical billing services prior to entering into an agreement.

Definition of Physician Practice Records

Typically, three categories of records belong to the physician practice: (1) patient records, claims, Explanation of Benefits (EOB)/Remittance Advice (RA) and other documents containing patient information, (2) managed care contracts, fee schedules and other proprietary information of the physician practice itself, and (3) final reports, such as accounts receivable (A/R) registers, prepared by the billing service for the physician practice.

Definition of Medical Billing Service Records

Typically, three categories of records belong to the billing service: (1) internal notes and work papers prepared by its employees, such as records of conversations with third party payers relevant to documentation needed for appeals, (2) papers relating to the billing service’s software and other proprietary or licensed tools, and (3) other proprietary information of the billing service, such as the forms and templates used to prepare reports furnished to the physician practice. The billing service may also have proprietary or confidential information regarding its operations.

Transfer of Documents and Electronic Records When Relationship Terminates

Prior to entering into an agreement, the medical billing service and the physician practice should agree on how to handle any termination of the relationship. Questions to consider include:

  • What materials should be returned by the billing service to the physician practice or a successor billing service, subject to any transition agreement, for the practice or successor billing service to: (1) enter patient and charge data into its computer system, or (2) seek to collect pending billings on health plan claims for the physician practice?

  • Who has custody of the documents relating to health care claims filed, which generally fall into three categories: (1) source documents, usually in the form of copies of visit or operative notes, (2) payer generated data, such as EOBs, and (3) reports that the billing service generates on billing and management activities for its clients? Occasionally, when discussing these questions, both the physician practice and billing service should realize that a billing service may have a legitimate need to retain copies of, or at least a right of access to, any records, even documents owned by the physician practice as discussed above, in order to document its services, particularly if the billing service codes physician claims.

  • What should the format and media for the return of the physician practice’s records be?

  • When and how will electronic records be returned to the physician practice?

    (1) What information will be provided in file layout?

    (2) What file codes and programming will be given?

    (3) Which patient account data on the billing service’s computer system or software will be returned to the physician practice or sent to a successor billing service?

  • Who will own documents that do not contain protected health information, such as the coding notes, and other work products of the billing service? Will it be the original or copies?

  • Who keeps original records and who pays for any copies?

  • Who pays the cost of locating or transferring hard copy or electronic records to the physician practice or to a successor billing service?

  • Under what circumstance will the physician practice (or a successor billing service) have access to billing and claim denial notes and records made by the billing service as it provided services to the physician practice?

Record Retention and Access – Points to consider and discuss

At a certain point in time, retained records cease to be of any value, typically upon the lapse of the longest applicable statute of limitations for a third party payer audit or legal actions as to which the records would be relevant. In the case of patient records in the custody of a billing service, the patient records will be copies only, with the originals of the patient’s records at the physician practice or facility at which the underlying care was rendered. Some of the considerations in this section apply principally to original records.

  • When the applicable time frame for retention of records in the custody of the billing service expires, will the records be destroyed or returned to the physician practice?

    • What are the state and federal laws pertaining to the period of time records are to be retained?

    • To the extent that the billing service is a business associate of the physician practice, a written HIPAA business associate agreement should be in place documenting among other things how protected health information (either in paper or electronic forms) must be either destroyed or returned to the physician upon termination of the agreement with the billing service. This language can also provide for other equally secure methods of protected health information management upon termination. Additionally, physician practices should ensure that the underlying agreement with their billing services provides for safeguards to the confidentiality, integrity and availability of the protected health information disclosed to the billing service and any other confidential information. These provisions should comply with any state law that is more stringent than HIPAA, and be consistent with guidance from the physician’s professional liability carrier.

  • Due to the cost of storage of voluminous paper records, a billing service may scan original paper documents and store them electronically.

    • Will electronic copies of paper records be accepted as the original document?

    • Does the state the physician practices in accept a scanned medical record or other business record as an original as long as the accuracy of the scanned document can be reasonably substantiated?

    • Will the original paper records be destroyed after such records are scanned?

    • If, for some reason, electronic scanning is not permitted due to cost or availability, will the paper records be stored on the billing service’s premises or, especially after the termination of the agreement, in an offsite storage facility?

    • Will there be any costs charged to the physician practice for storage of paper records by the billing service during or after the termination of the agreement?

  • Selection of offsite facilities. A storage facility off the premises of the billing service needs to be secure both for the integrity and availability of the stored records and for compliance with HIPAA and state medical records laws. Ultimately, this is the physician practice’s responsibility, although the selection may be delegated to the billing service.

    • Who will pay the cost of storage at offsite facilities during the term of the relationship?

    • After termination, will the physician practice be responsible for the costs of storage or scanning of records retained on behalf of the physician practice (as opposed to for the billing service’s own purposes)?

Audit and Litigation Assistance and Record Searches

Certain records searches and data assembly may be time consuming if the search requires manual review of stored records. This may be the case where, for example, a records search is conducted by date of service rather than by patient name. Physician practices should expect a reasonable level of support from their billing services during the term of the relationship as “part of the service”, but may also anticipate incurring additional costs for assistance which goes beyond that level.

  • During the term of the relationship, the billing service and the practice need to determine if there is a component included in the basic service for searching records and otherwise assembling information for litigation or third party payer audits.

  • For more extensive work, discussions should include the fee the billing company will charge for personnel and reimbursement for associated costs.

  • For services during and after the termination of the relationship, discussions should include the fee and other costs that are the responsibility of the physician practice, such as whether the billing service will be reimbursed for copies of records it provides to the physician practice.

For more information on medical billing services, as well as further questions that should be asked before contracting with a medical billing service, AMA members can visit the Private Sector Advocacy (PSA) Website at http://www.ama-assn.org/go/psatools and download the complimentary flyer “What is a medical billing service?”

Prepared by the American Medical Association, Practice Management Center, along with the Healthcare Billing and Management Association, December 2007.

Questions or concerns about practice management issues? AMA members and their practice staff can email the AMA Practice Management Center at practicemanagementcenter@ama-assn.org for assistance.

This educational flyer was developed through a cooperative effort between the Healthcare Billing and Management Association and the American Medical Association. © Copyright 2007 American Medical Association. All rights reserved.