Trust but Verify: Safeguards in Contracting for Outsourced Coding Services

Vendor Discovery Questions

Due Diligence and Contract Considerations

Demonstration of adherence to HIPAA “minimum necessary” use and disclosure guidance

Intent to store PHI for any purpose beyond initial coding effort

• Require the vendor to complete the coding task directly in the electronic health record (EHR), financial or HIM system, and cloud-hosted portals.
• Require the vendor to certify that they will not store any part of the patient record in any form (PHI, de-identified health information, limited data set) or use information for any purpose other than the scope of the engagement.
• Ensure the vendor’s storage and/or use of all or any part of the patient record in any form does not violate the intent of the federal laws (HIPAA), state laws, the HITECH-HIPAA Omnibus Final Rule’s use and disclosure requirements, and the entities’ own organizational standards relative to their Notice of Privacy Practices. Ensure the current business associate agreements are compliant with Omnibus Rule updates.

By law, CDOs must rely on professional ethics and best judgment in deciding which permissive uses and disclosures of PHI to make. CDOs’ risks are minimized if the vendor codes within their EHR/HIM/encoder systems and does not store or use any part of the patient record, in any form (i.e., PHI, de-identified health information, limited data set). HIM systems include cloud-hosted portals, where the patient record is dropped for processing and then returned to the client’s systems via a HL7 feed.

There is no need for a vendor to store patient information in any form. Vendors can simply access the record via a VPN; the patient record resides on the CDO’s system and should remain there. Coding audits, re-coding to address claim rejections/denials, RAC defense, etc. can be supported by re-accessing the EHR and other information systems and/or scanned images.

CDOs must assess their security risks, which is one of the foundations of HIPAA Security Rule compliance. The following review areas, which pertain to outsourced coding services, are in addition to the CDO’s standard security checklists.

• Information Security Policies and Procedures:
  • Ensure the vendor has established a set of policies and standards that steer the behavior of their remote coding resources toward secure practices, including strong password management, password change and access timeouts, protected health information (PHI) storage/use/destruction, data encryption, PHI exchange procedures, privacy filters, etc. These policies and standards are especially important when remote coding resources are not working from secure production facilities or are working from their own home.
  • Ensure the vendor can demonstrate policies in practice.

• Endpoint/Mobile Security:
  • Ensure the vendor has an adequate mobile security policy.
  • Ensure PHI can be accessed from a device only from a workstation in a secure production facility; ensure all devices have licensed copies of software and receive mandatory updates for virus, spyware, malware, and related protection and software updates; print screen functions are de-activated; and all data storage options are disabled.
  • Ensure the vendor issues fully secure devices to remote coding resources which only allow access to a CDO’s EHR, HIM, and encoding systems for remote coding purposes.
  • Ensure the vendor’s employees sign confidentiality statements that cover privacy expectations, workstation security, and safety as well as a remote workforce agreement.

• Data Network Security:
  • Ensure the vendor’s servers, cloud, and networks are protected when connecting remotely via an electronic device or computer. Encourage remote connection via a VPN that requires two-factor authentication to provide more assurance against the risk of unauthorized access to patient data.
  • Ensure the vendor leverages intrusion detection services and security services like use of firewalls, and is current with antivirus software and patch management to further secure endpoints.
  • Ensure the vendor’s routers, switches, and other devices meet HIPAA compliancy requirements to protect ePHI found on networks.
  • Ensure the vendor meets required standards by establishing policies limiting software program access to only those with authorized access.
  • Ensure the vendor maintains data at rest (i.e., on stored media such as hard drives or USBs) and data in motion as transmitted over wireless, wired networks, or the Internet are encrypted to the required current HIPAA NIST standards or better.

• Breach Response:
  • Review the vendor’s contract and business associate agreement for their breach notification roles and responsibilities, and make sure that the breach notification policies are fully aligned so that a CDO can accurately report to the Department of Health and Human Service’s Office for Civil Rights (OCR) in the event of a breach.

• Third-Party Assurance:
  • Review the vendor’s independent audit reports including financial audit opinions and SOC reports, measuring their security standards and practices against the OCR HIPAA Audit Protocol.
  • Understand the vendor’s disaster recovery/business continuity plan and testing results.

• Access Control:
  • Ensure the vendor restricts PHI system or software access to only those resources authorized to work on the coding engagement through assignment of Unique User IDs to track users. An emergency access procedure in the policies and procedures manual must be established that allows access to ePHI as needed in an emergency. Also, establishment of an automatic logoff to terminate electronic sessions after a predetermined time of inactivity is necessary, as is PHI encryption/decryption.

• Physical Security:
  • Ensure the vendor restricts physical access so only authorized personnel have access to the building where data is stored or processed. Environmental controls can be enhanced with surveillance, monitoring and alarm systems, and policies for visitors.
  • Ensure CDOs or their designees have around the clock access to any of the vendor’s production facilities anywhere in the world to inspect compliance with physical security requirements.

• Ensure the vendor can support engagement for the proposed term, which will likely include a spike in wages for trained ICD-10 coding resources.

Proven track record of service commitment

Skills and experience to service CDO’s needs

• Assess/measure the vendor’s track record of service commitment from multiple perspectives: breadth and depth of outsourced coding services; coding accuracy and turnaround time; effectiveness of their quality assurance process; plan for transition to ICD-10; and demonstration of customer service.
• Measure the quality and capacity of the resources proposed for the engagement: education and experience level of resources; professional certification of resources, etc.
• Evaluate the vendor’s ability to secure professionally certified coding resources if the CDO’s policies dictate that coding shall be performed by certified resources. Assess the vendor’s certification ability if offshore resources are being proposed, keeping in mind AHIMA stopped certification in many countries.
• Require the vendor’s coders to pass a coding test designed by the CDO, then use test scenarios that truly evaluate coding accuracy, query capabilities, and other key parameters.
• Secure assurance in writing from the vendor that the named resources for the engagement (offshore or otherwise) have never been employed as bonded labor, as it may violate CDO’s own principles and create a legal or public relations situation. This practice has long been prohibited under US law by its Spanish name “peonage.” Workers in some foreign countries fall victim to debt bondage when companies exploit an initial debt the worker assumes as part of the terms of employment.
• Ensure the vendor will not allow employees who have been listed in the Department of Health and Human Services’ Office of Inspector General Exclusions Program—and therefore have been banned from participating in Medicare or Medicaid—to perform coding or other related services.
• Establish standards, deadlines, and quality levels that need to be met for each type of coding service. Require that vendors’ SLAs be backed fully by financial guarantees and follow customer service standards and operational metrics.

• Review the vendor’s account management process and interview the proposed account manager and key service delivery people.
• Secure named, dedicated coding and quality assurance resources so that they can be seamlessly integrated with the current coding and revenue cycle processes.

• Develop a joint migration governance process—form a steering group that has clinical and revenue cycle employee representatives, vendor representatives, and an outsourcing expert.
• Ensure the vendor has a comprehensive, tested plan to guarantee a seamless and secure migration of operations and data to their production center.
• Ensure the vendor absorbs and masters valuable experience and knowledge shared by the CDO’s organization, including customer coding policies and preferences in accurate, thorough, and timely coding.
• Require the vendor will fully conform to the CDO’s policies, procedures, and practices at the onset of the engagement and provide regular, timely updates to these practices.

• Understand the vendor’s pricing model—what the CDO is paying for, not paying for, hidden costs, price changes as needs scale up or down over time, and any future ICD-10 surcharges.
• Develop and communicate with the vendor a comprehensive set of qualitative and quantitative SLAs. Require the vendor to provide pricing concessions or waived fees in the event the vendor misses any contracted service level commitment.