Are You Compliant? Understanding Healthcare Billing Compliance

Even though billing is essential for healthcare practices, it often takes a back burner to patient care and services. However, when it comes to compliance efforts, healthcare billing and claims are subject to strict regulations, including HIPAA, and should not be an afterthought.

If your practice is prioritizing HIPAA compliance, it should also be prioritizing healthcare billing compliance.

Quick Links:

• What is Healthcare Billing Compliance?
• Key Healthcare Billing Regulations and Standards
• Common Compliance Issues in Healthcare Billing
• Consequences of Non-Compliance
• Best Practices for Ensuring Compliance

What is Healthcare Billing Compliance?

Healthcare billing compliance refers to a healthcare practice or organization’s adherence to various laws, regulations, and guidelines that govern the billing and claims processes within the healthcare industry. This includes ensuring that all billing practices are accurate, truthful, and in accordance with federal and state laws. Compliance, in this context, is crucial for maintaining the integrity of healthcare operations and protecting the financial interests of both providers and patients.

Key Healthcare Billing and Compliance Regulations

To fully understand healthcare billing compliance, one must also understand the key regulations and standards which play a significant role in shaping healthcare billing compliance. 

HIPAA

To start, HIPAA, which focuses on the privacy and security of patient health information, requires healthcare providers to implement stringent measures to safeguard sensitive patient data and to ensure it is only shared appropriately.

HIPAA imposes several regulations on healthcare billing to ensure the privacy, security, and accuracy of patient information. These regulations are primarily aimed at safeguarding PHI/ePHI and ensuring healthcare providers and billing entities mitigate vulnerabilities and adhere to standardized practices. Here’s an overview of HIPAA’s key regulations related to billing:

The HIPAA Privacy Rule

The HIPAA Privacy Rule sets standards for the protection of PHI, which, in addition to information about health status and care, also includes personal identifiers and payment data for healthcare services.

More specifically, HIPAA’s Privacy Rule requires:

• Minimum Necessary Standard - Billing departments must make reasonable efforts to ensure that access to and disclosure of PHI is limited to the minimum necessary information needed to accomplish the intended purpose.
• Authorization and Consent - Before using or disclosing PHI for billing purposes, healthcare providers often need to obtain the patient’s written authorization, except for routine disclosures for treatment, payment, and healthcare operations.
• Patient Rights - Patients have the right to access their billing records, request corrections, and obtain an accounting of disclosures of their PHI.

The HIPAA Security Rule

The HIPAA Security Rule requires healthcare providers to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).

In the context of healthcare billing, this includes:

• Administrative Safeguards - Implementing policies and procedures to manage the selection, development, and maintenance of security measures to protect ePHI. This includes conducting risk assessments and training billing staff on security practices.
• Physical Safeguards - Controlling physical access to facilities and equipment where billing information is stored and processed to protect against unauthorized access.
• Technical Safeguards - Using technology to protect ePHI, such as encryption, access controls, and audit controls to monitor access and activity in electronic billing systems.

Transactions and Code Sets Standards

In addition to the Privacy and Security Rules, HIPAA also mandates the use of standardized electronic transactions and code sets for billing to streamline and simplify the healthcare billing process. These standards include:

• Electronic Data Interchange (EDI)- Billing entities must use standard transaction formats (e.g., X12) for electronic claims submission, payment, and remittance advice.
• Code Sets- Billing codes, such as ICD-10 for diagnoses and CPT for procedures, must be used consistently and correctly to ensure accurate billing and reimbursement.

The False Claims Act

The False Claims Act (FCA) is another critical regulation, which targets fraudulent billing practices. Under the FCA, submitting false claims to Medicare or Medicaid can result in severe penalties, including hefty fines and imprisonment. Other important regulations include the Stark Law, which prohibits physician self-referrals, and the Anti-Kickback Statute, which forbids exchanging anything of value to induce referrals for services covered by federal healthcare programs.

Key Provisions of the FCA in Healthcare Billing

• Prohibition of False Claims- It is illegal to knowingly submit, or cause to be submitted, false or fraudulent claims for payment to the federal government. In healthcare billing, this includes billing for services not provided, upcoding (billing for more expensive services than those actually performed), and unbundling (billing separately for services that should be billed together).
• Knowledge Standard-The term "knowingly" under the FCA means that a person or entity either has actual knowledge of the information, acts in deliberate ignorance of the truth or falsity of the information, or acts in reckless disregard of the truth or falsity of the information. This means that even if there is no intent to defraud, failing to ensure billing accuracy can still result in FCA liability.
• Whistleblower Provisions- The FCA includes qui tam provisions that allow private individuals, known as "relators" or whistleblowers, to file lawsuits on behalf of the government. If the lawsuit is successful, the whistleblower may receive a portion of the recovered damages. This incentivizes individuals to report fraudulent billing practices.

Effective compliance measures ensure that patient data is handled with the utmost care, reducing the risk of breaches and unauthorized access. Additionally, by adhering to billing guidelines and accurately documenting services provided, healthcare organizations can prevent fraudulent claims and billing errors. This not only helps avoid legal repercussions but also fosters trust and transparency between healthcare providers and their patients.

Ultimately, robust compliance practices are integral to maintaining a trustworthy and efficient healthcare system.

Common Compliance Issues in Healthcare Billing

Given the importance of compliance, healthcare organizations must not only understand the regulations, but also have some insight into areas where, most often, there are issues and challenges with staying compliant.

• Upcoding and Downcoding - Incorrectly coding a medical service to a higher-paying or lower-paying code than appropriate, leading to fraudulent overbilling or underbilling.
• Unbundling Services - Billing separately for services that are typically billed together as a single procedure to increase reimbursement.
• Billing for Services Not Rendered - Charging for medical services, treatments, or procedures that were not actually provided to the patient.
• Duplicate Billing - Submitting multiple claims for the same service or procedure, resulting in double reimbursement.
• Insufficient Documentation - Failing to provide adequate documentation to support the billed services, leading to discrepancies and potential audits.
• Misuse of Modifier Codes - Incorrectly applying modifier codes to avoid bundling rules or to receive higher reimbursement.
• Inaccurate Patient Information - Errors in patient information, such as incorrect insurance details or demographic data, leading to claim denials or improper payments.
• Non-Compliance with Regulatory Updates - Failing to stay updated with changes in billing regulations, coding standards, and payer policies, which can lead to non-compliance.
• Inadequate Staff Training - Lack of proper training for billing staff on current regulations, coding practices, and compliance protocols.
• Fraudulent Claims Submission - Intentionally submitting false information or fraudulent claims to receive payment for ineligible services or higher amounts.
• Lack of Internal Audits - Failing to conduct regular internal audits to identify and rectify billing errors and ensure compliance with regulations.
• Improper Handling of Overpayments - Not promptly identifying and returning overpayments, which can lead to violations of the False Claims Act.

Implementing comprehensive compliance programs, conducting regular training sessions, and utilizing advanced billing software can help mitigate these common issues in healthcare billing.

Consequences of Non-Compliance with Healthcare Billing Regulations

As with any regulatory non-compliance, oversight and enforcement is handled by the offices responsible for the regulations themselves. Those consequences may be legal or financial, or both, and can have lasting effects. As such, the consequences typically include damages to reputation and business.

To start, HIPAA enforcement is carried out by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). Non-compliance with HIPAA regulations can result in significant penalties, including fines and legal action. The penalties can vary depending on the level of negligence, ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million. In addition to penalties, non-compliance can land you on the OCR’s online breach portal, commonly referred to as the “HIPAA Wall of Shame,” making the details about your business and your breach publicly accessible.

Violations of the FCA can result in significant penalties, including fines ranging from $11,665 to $23,331 per false claim (adjusted annually for inflation), plus three times the amount of damages sustained by the government. This makes non-compliance with the FCA very costly for healthcare providers and billing entities.

In short, the consequences can be significant, especially as HIPAA has a breach notification rule requiring that providers report the breach to the following:

Individual notification must occur without unreasonable delay and no later than 60 days following the discovery of the breach. The notification must include:

• A description of the breach
• The types of information involved
• Steps individuals should take to protect themselves from potential harm
• A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent further breaches
•  Contact information for further inquiries

If a breach affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that area. Covered entities must notify the Secretary of Health and Human Services (HHS) at the same time they notify the affected individuals. For breaches involving fewer than 500 individuals, covered entities can maintain a log of the breaches and submit this information annually to the HHS.

Finally, business associates (entities that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve access to PHI) must notify the covered entity of a breach of unsecured PHI.

Essentially, breaches require full visibility and transparency and, as such, the impact extends far beyond the individuals whose accounts and data were impacted.

Best Practices for Ensuring Healthcare Billing Compliance

Given the importance of ensuring healthcare billing compliance, healthcare practices must employ best practices to safeguard patient data, even and especially when it comes to billing. A few strategies practices should implement:

1. Regularly Train and Educate your Staff

• Conduct ongoing training sessions for billing staff on the latest regulations, coding updates, and compliance protocols.
• Include scenario-based learning to help staff recognize and address potential compliance issues.

2. Implement Robust Internal Audits

•  Perform regular internal audits to identify and correct billing errors.
•  Use audit findings to improve processes and prevent future errors.

3. Maintain Accurate Documentation

• Ensure thorough and accurate documentation of all services provided.
• Verify that billing codes match the documented services to avoid discrepancies.

4. Utilize Compliance Software and Technology

• Invest in advanced billing and compliance software or support to automate and/or streamline processes.
• Use software tools to monitor for potential compliance issues and generate alerts.

5. Develop Clear Billing Policies and Procedures

• Create comprehensive policies and procedures outlining proper billing practices and compliance requirements.
• Regularly review and update these policies to reflect regulatory changes.

6. Foster a Culture of Compliance

• Encourage a culture where compliance is a priority for all staff members.
• Promote open communication and encourage staff to report potential compliance concerns without fear of retaliation.

7. Conduct Risk Assessments

• Regularly assess potential risks related to billing and compliance.
• Implement strategies to mitigate identified risks.

8. Ensure Proper Use of Modifier Codes

• Train staff on the correct use of modifier codes to prevent improper billing.
• Regularly review claims to ensure modifiers are used appropriately.

9. Stay Updated with Regulatory Changes

• Keep abreast of changes in healthcare billing regulations, coding standards, and payer policies.
• Subscribe to industry newsletters and participate in professional organizations.

10. Establish a Compliance Officer and Team

• Appoint a dedicated compliance officer and create a compliance team to oversee and enforce billing compliance.
• Ensure the compliance officer has direct access to senior management and the board of directors.

11. Develop a Corrective Action Plan

• Create a plan to address compliance issues when they arise.
• Implement corrective actions promptly to rectify issues and prevent recurrence.

12. Monitor and Report Compliance Metrics

• Track key compliance metrics and regularly report findings to management.
• Use data to identify trends and areas for improvement.

Implementing these best practices can help healthcare organizations maintain compliance with billing regulations, minimize the risk of violations, and ensure accurate and ethical billing practices.

If you’re like most healthcare practices who are taking compliance seriously, you realize it can be a full-time job, requiring not only training, but knowledge, oversight, prevention, and response.

Ready for help staying compliant?

iCoreConnect’s solutions are designed not only to improve healthcare workflows, making your team more efficient, but they’re also designed to ensure compliance and improve the patient experience. Whether you’re looking for payment and billing support from iCorePay, claims and dental billing support from iCoreClaims, or help with coding to ensure compliance with iCoreCodeGenius, we have solutions designed to help. 

For a full HIPAA Risk Assessment and assistance with continued compliance, check out iCoreHIPAA.

Book a demo or reach out to our team today and let us help you with compliance so you can focus on patients.