Professional Risk Associates recently presented on government regulatory and cyber liability risks surrounding billers and coders to the Northern Virginia chapter of the American Academy of Professional Coders (AAPC). Billers and coders perform a major function of the medical practice: they can impact a practice’s revenue stream if they are out of compliance, and they have access to sensitive patient information. In our talk, we also explored the errors and omissions (E&O) liability facing billers and coders, as well as how it might relate to a physician’s medical professional liability.
Government Regulatory Exposures
CMS is concerned EMRs may be contributing to billions of dollars in higher healthcare costs. In 2010, just 1,700 physicians of more than 440,000 physicians in the U.S. cost Medicare $100 million. This is one of the reasons driving billing audits for physicians, which could in turn spark an E&O claim against a biller and/or coder. While NAS Insurance is seeing the severity of these RAC audits decrease, the frequency continues to increase.
Typically a RAC audit costs a practice $80K–$100K to defend one appeal, as seen by NAS Insurance claims, and the fines and penalties average $300K–$600K. The specialties being hit the hardest by these claims are Orthopaedic, Urology, Allergy, and Surgery. Standard physician med mal policies often include $25K–$50K in coverage, but with claims averaging these figures, it may not be enough if a claim arises. Some physicians’ carriers offer a buy-up policy which would increase coverage for government regulatory-related exposures at a lower cost than a stand-alone policy.
Some regulatory exposures overlap billers and coders with the physician’s practice. The Office of Inspector General (OIG) is on the lookout for potential fraud in vulnerable areas, such as:
• Unbundling codes
• Upcoding
• Undercoding
• Falsifying medical records
• Inappropriate financial relationships
Billing E&O is not just an exposure affecting billers and coders. Coders rely on the medical chart to code, and many times the charts (including EMR) may have typos, illegible handwriting, or an incomplete history, which requires additional follow-up to the healthcare provider to code and bill correctly. If the documentation is not available, there could be inaccuracies. With the implementation of ICD-10 in October 2015, there will be increased necessity for documentation in the chart from physicians to help coders choose the most accurate codes.
Network Security and Privacy Breach Exposures
Hacking makes big news, but statistically the top reason for network security and privacy breaches is employee-related. Whether it’s negligence, lost or stolen equipment, outsourcing, or disgruntled rogue employees, the biggest risk is not in some foreign country hacking into your system; it’s in your office. The HIPAA Omnibus Rule, which went into effect in 2013, puts the practice on the hook for everyone it does business with, including medical coders and billers, in the event of HIPAA violations. This means coders become legal agents for the practice, and the practice may be completely liable for the coders’ services on its behalf.
Billers and coders have unique risks when it comes to cyber liability. The documents they handle are connected with patients and practices, making them extremely vulnerable to identity theft and HIPAA violations. If you are an independent contractor or third-party biller, you should have a termination plan in your business associate agreement (BAA) to manage patient information should the contract be canceled. Additionally, your BAA should define how you return or destroy Protected Health Information (PHI), including information you might not realize is being stored on devices, such as photocopiers, fax machines, and portable devices.
Are you insured for these risks and do you have enough coverage?
Standard physician med mal policies often include about $50K for Network Security and Privacy Breach claims. How many patient records do you have? When you figure the average cost to notify clients in the event of a breach is about $20 per patient record, you may discover you do not have enough insurance. You should ask your insurance agent about buy-up options or stand-alone policies, especially if you don’t already have this coverage.
How are billers & coders covered?
If a biller/coder is an employee of a practice, they would be considered first-party and should be covered under the practice’s corporate medical professional liability policy, if corporate coverage is in place. Be sure to review the policy definition of an “insured” and the limits of coverage in place. However, if you are a third-party biller or coder, you also have the responsibility for protecting patient data, and you should have your own E&O policy to include coverage for government regulatory violations, network security, and privacy breaches.
Have Questions? Looking for coverage options?
We barely scratched the surface when it comes to exposures and insurance options associated with billers and coders. Whether a biller/coder is working for a private practice physician, or as an independent consultant, it’s important to know the exposures and make sure you have enough insurance coverage to meet these risks. You can check with your insurance agent to confirm and understand the coverages on the policy.
If you are interested in looking into coverage options for medical billers and coders, please contact Joan Kassel at Professional Risk Associates online or call 800-318-9930.
Jennifer Richard, ARM has been with Professional Risk Associates since 2001. Her area of focus is medical professional liability for private practice physicians, surgeons, and podiatrists in the Mid-Atlantic region.
Joan Kassel, MLIS focuses her expertise on Billing E&O, Privacy & Data Breach coverage options for healthcare professionals. She has been with Professional Risk Associates since 2000, and also writes and instructs insurance continuing education courses for PIA of Virginia and DC.