College of American Pathologists






November 2010

Raymond D. Aller, MD
Hal Weiner

Assessing the security practices of third-party billing firms Assessing the security practices of third-party billing firms

It was the stuff of nightmares for hospitals and pathology practices: In July, a Marblehead, Mass.-based billing company dumped three years’ worth of unshredded paper pathology records at a public landfill. The purge compromised thousands of social security numbers, medical diagnoses, and other sensitive information from patients of four community hospitals and their associated pathology practices. By mid-August, news of the breach had spread nationwide, leading some pathology practices to question the security of patient information given to third-party billing companies.

The reality is most patient privacy breaches occur on a much smaller scale—a fax sent to the wrong number, patient information misfiled, or a box of paper records misplaced. While preventing all such breaches is impossible, health care providers should analyze the ability of their third-party billing firm to protect patient information.

Whether you’re shopping for a billing company or confirming the qualifications of your current biller, ask to review an outline of the company’s compliance plan, says Jeanne A. Gilreath, CHBME, senior vice president and compliance officer at AdvantEdge Healthcare Solutions, a medical billing firm in Warren, NJ. Ideally, she says, the compliance plan should reflect the federal Office of the Inspector General’s seven fundamental elements for an effective compliance program for third-party medical billing companies, available at

AdvantEdge maintains an 80-page compliance plan, as well as an eight-page document that outlines its standards of ethical and legal conduct. The standards cover how staff should handle privacy and confidentiality issues at every step—from data transmission to coding, billing, payment posting, and accounts receivable followup.

Providers should request to see a billing firm’s operational policies that cover billing workflow, coding, and electronic data transmission, Gilreath says. Such policies, she adds, specifically should address:

  • the company’s process for encrypting protected health information.
  • physical safeguards, such as placing locks on doors or drawers, providing instructions for turning off computers, and issuing passwords.
  • source-document creation, retention, and disposition policies.
  • the steps for securing data in the event of an emergency or disaster.
  • the identification of subcontractors used in the billing process.
  • If the written policies don’t provide clear answers, laboratory staff should interview the billing vendor. “Ask the company to walk you through its typical electronic and paper workflows,” Gilreath suggests. Pose such questions as:
  • Are all paper documents destroyed by a HIPAA-compliant document-removal program?
  • Have you had any privacy breaches? If so, what type of breaches, and what corrective actions were taken? What is the contingency plan if a breach occurs?
  • How often do you conduct compliance meetings with your clients?

For practices selecting a new billing company, visiting a prospective vendor on site can provide valuable insight. “You have to do a site visit,” says Mick Raich, president and CEO of Vachette Pathology, a Blissfield, Mich.-based pathology practice management firm that specializes in revenue management. “Ask the biller to walk you through every step of the [billing] process.”

The chain of custody for protected health information should also be outlined in the vendor’s contract with clients, which health care providers should review carefully with an attorney. “Some contracts limit the damages that can be assumed by a billing entity if they make a mistake. Or they limit the look-back period,” Raich says.

Health care providers can also protect themselves by inquiring about the billing company’s errors and omissions insurance, says Brad Lund, executive director of the Healthcare Billing and Management Association, Laguna Beach, Calif. The nonprofit trade group represents one-third of medical billing companies in the United States.

“HBMA has had insurance policies designed for third-party billing companies that allow the company to name the practice as an additional insured,” Lund says. “If the OIG [Office of the Inspector General] takes action against a practice for a problem caused by the billing company, the insurance policy extends legal defense to the provider.”

It’s important as well for providers to ask about a vendor’s compliance with upcoming Identity Theft Red Flag Rules, Lund adds. The rules, part of the Federal Trade Commission’s Fair and Accurate Credit Transactions Act of 2003, require most medical providers, and the billing companies with which they contract, to have an identity theft prevention program in place beginning Jan. 1. HBMA offers a sample Red Flag policy for billing entities at

Billing companies must also focus on the new breach notification guidelines established under the Department of Health and Human Services’ Health Information Technology for Economic and Clinical Health, or HITECH, Act.

“In the post-HITECH world, business associates, like billing companies, are held to the same HIPAA standards as covered entities, like laboratories and hospitals,” says John Outlaw, chief compliance officer for Pathology Service Associates, a billing and collections services firm in Florence, SC.

A provider should ask its billing company if it has conducted a risk assessment for billing compliance under the new HITECH rules, Outlaw continues. According to those rules, billing companies and other business associates must notify patients, HHS, and the media of breaches of unsecured protected health information affecting more than 500 patients. The breaches are then published on the Office of Civil Rights Web site at Less extensive breaches must be reported to HHS every year.

While researching a billing company’s privacy and security practices is valuable, pathology practices and hospitals must take responsibility for keeping protected health information secure on their end, Outlaw says. “A good billing company wants to make sure its clients are compliant as well.”

bullet Sunquest releases diagnostic business intelligence solution

Sunquest Information Systems has introduced its Diagnostic Intelligence business analytics solution. The product delivers actionable, real-time information via easy-to-interpret dashboards.

Diagnostic Intelligence provides features for:

  • monitoring key performance indicators.
  • measuring lab result turnaround time in real time.
  • proactively monitoring hospital-acquired infection rates.
  • measuring critical test volumes in real time.
  • measuring lab productivity, profitability, and value on a minute-by-minute basis.
  • monitoring the profitability of the laboratory’s service lines.

“The innovative, adaptive technology provides analytic capabilities that are scalable to a single user or a larger enterprise,” says J. Mark Tuthill, MD, division head of pathology informatics at Henry Ford Health System, Detroit, which served as a beta test site for the product. “This technology,” Dr. Tuthill adds, “will redefine the infrastructure, workflow implications, and implementation barriers in clinical operations and truly transform the future practice of clinical pathology.”

bullet Elekta debuts latest version of AP system

Elekta is marketing an updated version of its PowerPath anatomic pathology system, which features advanced materials processing capability to enhance histology and cytology workflow.

The integrated case materials tracking and management feature uses bar-code technology to track case materials from the point of accession through processing and diagnosis to filing or discard. Each time a specimen, block, slide, or vial is scanned, PowerPath displays identifying information, such as patient name or case number. At any time, a user can view an event log to quickly locate available, shipped, or overdue loaned materials.

The advanced materials processing feature is compatible with many commonly used bar-code scanners and supports several one- and two-dimensional bar-code formats.

The conundrum of shortcut keys for the Web-based LIS The conundrum of shortcut keys for the Web-based LIS

Keep your fingers on the keyboard, without reaching for a mouse, and you’ll type faster and more efficiently. That’s common sense.

User interaction with earlier versions of laboratory information systems relied entirely on the keyboard. Using a well-designed, efficient LIS, cases could be entered with a few keystrokes, without a person’s hands ever leaving the keys.

Through the years, these efficient LISs gradually have been replaced with graphic user interface-based LISs, which gained popularity because they had a shorter training curve and were more intuitive. However, some GUI-based LISs required many mouse movements and clicks to complete a task. Not only did this slow the data-entry process, but it increased the user’s risk of repetitive motion injuries.

Fortunately, vendors of GUI-oriented LISs came to realize the value of providing “hot keys”—keystroke combinations that replace the actions of a mouse or alleviate the need to use a long sequence of keystrokes to perform a command.

Using hot keys, or shortcut keys, LIS users could regain some of the efficiency and ergonomic benefit of earlier generation character-based interfaces. One-, two-, or three-key hot key combinations—such as F11, ctrl-A and ctrl-shift-B—work well with client/server applications, such as those using Visual Basic, where the keyboard and application are in direct communication.

Unfortunately, LISs that operate as a fully Web-based application use browsers that trap many hot key combinations for use by the browser, rendering them inaccessible to the LIS application. Furthermore, different brow-sers use different keystroke combinations and function keys to carry out the same tasks. For example, if you use a Chrome brand of browser and hit ctrl-H, Chrome will show you a browsing history and will not pass the ctrl-H command to the LIS application. Therefore, by using such Web-based LISs, users may be forced to revert to “mousing” around, slowing down data entry.

So why can’t LIS developers figure out which keystroke combinations are not used by the browser and use those for commands to the LIS application? Theoretically, they can, but a problem arises when they try to use multiple browsers or when a new version of their primary browser grabs a key combination that it views as open.

In order for LIS developers to make hot keys work for their purposes, they must link their LIS to a single version of one brand of browser, such as Firefox. So, for example, if an LIS company links its systems to Firefox but then signs up a new client, and that client uses only Internet Explorer on its workstations, then the client cannot use most of the hot keys of its LIS because the LIS relies on the hot keys permitted by a specific version of Firefox.

A colleague in the LIS industry pooled the key-combination exclusion lists from Internet Explorer 8, Firefox, Safari, Opera, and Chrome. He found that if a company permitted its customers to use any of these browsers with its LIS, very few hot keys would be passed through to that system.

A few browsers can use JavaScript to intercept the hot keys so the browsers cannot block those keys (but again, the LIS developer and its clients must use the same browser for this to work). And certain browsers may pass the hot keys to the LIS application but still invoke the browser action corresponding to the hot key. Some browsers, such as Safari and Opera, won’t let the LIS application see the hot keys at all. Firefox, on the other hand, is more accommodating, allowing hot keys to pass to the LIS and not invoking browser actions.

LIS vendors likely would prefer that their applications support a variety of browsers. Yet these companies generally can’t afford to support different versions of LIS software for each browser.

It is regrettable that browser manufacturers have not standardized their co-option of shortcut keys for browser purposes. Because of this, Web-based LIS developers have to limit the Web browser being used in order to meet the needs of customers that want to use hot keys. Otherwise, LIS users will have to keep mousing around. Neither is an ideal option.

Cerner expands revenue cycle management business Cerner expands revenue cycle management business

Cerner Corp. has entered three partnerships to strengthen its revenue cycle management product line.

Cerner will resell the entire suite of Web-based revenue cycle applications from MedAssets, as well as the health care financial services of SearchAmerica and the medical coding and prospective payment system applications of Ingenix.

The applications of all three companies will be integrated into Cerner’s Millennium platform.

Hyland Software acquires Computer Systems Company Hyland Software acquires Computer Systems Company

The document-imaging and process-management software firm Hyland Software has purchased Computer Systems Company, a provider of health care data and document conversion services and revenue cycle management solutions.

Hyland announced that it will support CSC’s product lines.

Ingenix to purchase A-Life Medical Ingenix to purchase A-Life Medical

Ingenix announced that it will acquire A-Life Medical. The companies had established a strategic alliance last year to develop advanced coding solutions for the health care marketplace.

A-Life Medical has produced a natural language processing technology to read clinical documentation, decipher the meaning and context of words, identify diagnoses and procedures, and recommend ICD-9 and CPT-4 codes.

“Ingenix has unparalleled expertise in medical coding, and, together, we can advance the science of coding technology to create a single, advanced CAC [computer-assisted coding] platform that supports coding across all venues of care,” says Jaye Connolly, president and CEO of A-Life Medical.

Dr. Aller is director of informatics in the Department of Pathology, University of Southern California, Los Angeles. He can be reached at Hal Weiner is president of Weiner Consulting Services, LLC, Florence, Ore. He can be reached at

LOINC workshop and meeting open to public Related Links