Possibilities and pitfalls of outsourcing

Outsourcing has become a $4 trillion-a-year business, according to Dun and Bradstreet. Outsourcing potentially enables businesses to reduce costs and concentrate on core competencies while transferring noncore business processes, thereby providing more effective goods and services elsewhere. But is it a boon or a boondoggle?

Many healthcare organizations are finding that diverse functions can be outsourced without affecting the core competency of health care. Although outsourcing was once primarily used to provide noncore services such as dietary, housekeeping, and security, it has extended to top executive jobs, clinical areas (e.g., nurse and physician staffing), and a growing number of business functions, including coding and billing. Functional outsourcing involves a single function that solves one problem in a facility, such as outsourcing transcription or coding. Departmental outsourcing is much broader in scope and may include reengineering of a department, such as the health information management department or the payroll department. Strategic outsourcing involves more than one department, such as the human resources division (including payroll, benefits, hiring, and firing) or the business office (including chargemaster, insurance, admissions, and collections). There is no general consensus on the optimal mix of in-house and outsourced functions. Each organization should assess its own needs and determine for which functions benefits outweigh the concerns discussed below.

Benefits of Outsourcing

Continue article
Advertisement

Outsourcing offers many potential benefits to healthcare organizations. One major benefit is providing enough staff to operate the facility. Altoona Hospital in Altoona, Pa., for example, successfully outsourced some of its radiology readings to India. Outsourcing routine X-rays and scans helped to stabilize the heavy workload for the hospital's in-house physicians. The number of nighttime radiology calls was swamping the seven on-call radiologists at the hospital. In addition, transferring routine paperwork off-site allowed in-house staff to concentrate on core competencies, such as improved patient care, and to spend more time practicing medicine.

Another major benefit is the cost savings resulting from reducing the in-house full-time and/or temporary staff and the training associated with that staff. In addition, healthcare organizations can invest capital in new medical equipment and supplies rather than in staff and/or technology to complete core business processes such as billing and coding. For example, an Evanston Northeastern Healthcare executive in Highland Park, III., estimates that the organization's outsourcing contract will save it about $400,000 annually. By outsourcing coding, Hennepin County Medical Center in Minneapolis reduced its discharged not final billed due to uncoded records from $13 million to $4 million. Its outpatient unbilled encounters also improved from more than $2 million to less than $800,000.

Concerns Regarding Outsourcing

Outsourcing does carry risks. Several hospitals have been stripped of their tax-exempt status due to the extensive use of outsourcing, that is, having for-profit entities operating inside a tax-exempt facility. Provena Covenant Medical Center in Urbana, Ill., received a $1.1 million property tax bill after its status changed. Another concern is potential declining employee morale and the loss of community support due to layoffs associated with outsourcing, especially when unemployment is high in the United States.

A healthcare organization considering outsourcing must be assured that the vendor can provide credentialed, knowledgeable, properly trained staff. Liability must also be addressed. No one knows if liability is going to fall on the healthcare organization that is doing the outsourcing, the referred physician, or the third-party provider. Other factors at issue include cultural barriers, differing management styles, potential political instability, time zone differences, and labor pool quality that may add real costs through resulting management inefficiencies.

A key ethical consideration is whether a healthcare organization should inform its patients that their information is being outsourced. Most healthcare organizations do not tell their patients that some services are outsourced. Other professions have dealt with this issue by requiring such notification. In late 2004, the American Institute of Certified Public Accountants issued several ethics rulings, one of which requires its members to inform clients, preferably in writing, of the transfer of personal information to a third-party supplier before the transfer takes place (see www.aicpa.org/download/ethics/ 2004_1028_outsourcing.pdf). However, the rule does not require a member to inform a client when he or she uses a third-party service provider to provide administrative support services, such as record storage or software application hosting services, to the member.

Confidentiality and security of the information being transferred to the outsourcing firm is of great significance. Even with strong security measures, risks such as identity theft can occur. The information transferred is highly private, including name, address, and Social Security number. Many argue that the risk of potential mishandling of a client's personal information is far too great even though the benefits of cost savings and turnaround time are substantial.

The Health Insurance Portability and Accountability Act of 1996 was enacted to improve the productivity of the American healthcare system and to provide federal regulations for the security and confidentiality of health information. HIPAA requires entities that provide services to healthcare organizations, such as outsourcing vendors, to keep confidential the information they receive. These entities, which are considered business associates, include vendors who process insurance claims, service copier machines, transcribe medical dictation as contract work, repair biometric devices, or provide equipment or supplies. HIPAA's privacy regulation requires that contracts with business associates contain specific provisions, such as what disclosures of information and permitted uses of the information the business associate may make. Contracts must also require that the business associate does not further disclose the information unless permitted by law. If a business associate uses a subcontractor, the subcontractor must abide by the same provisions as the original business associate. The contract should also specify that if a breach occurs, the contract will be terminated.

In addition to meeting HIPAA requirements, contracts with vendors should address indemnification, which can protect providers from lawsuits by third parties who allege injury from the misuse of the information. Providers should also insist upon some internal oversight so that they can monitor the work of the vendor.

Despite precautions, breaches can occur. In 2003, the University of California-San Francisco Medical Center forwarded a portion of its transcription to its vendor, which has 15 subcontractors nationwide. UCSF had been working with the vendor for more than two decades without any problems. In this case, however, the work allegedly was subcontracted twice more, finally going out of the country. A payment dispute among the subcontractors led to a threat--never carried out--to expose patient records. No breach of patient privacy occurred, although the situation illustrates the major risks related to contracting out work without diligence in determining who has access to the information.

Eager to satisfy security fears, foreign outsourcers are turning to their governments to provide some assurance to potential customers. The Ministry of Information Technology and National Association of Software and Service Companies in India are drafting a data protection law to respond to privacy concerns of offshore clients. Pakistan has drafted the Foreign Data Security and Protection Act of 2004, aimed at providing protection and safety of foreign data that are processed in Pakistan.

Outsourcing the Coding Function

Remote coding (either employing home-based coders or contracting with an off-site vendor) has gained popularity in the past five years with many hospitals reporting tremendous success. The approach used depends on the types of records and capabilities of the providers.

In one scenario, the client (e.g., hospital or physician's office) sends transcribed medical or surgical reports to the vendor via overnight carrier or online. The coder reads the reports, assigns codes, and transmits the codes back to the facility's billing office by a predetermined deadline for billing of claims. In another scenario, the client faxes or sends overnight complete records, not just a few pages. Facilities with scanning capabilities may use scanning as an option for transmitting the records. In that case, the client has provided an electronic health record, and coders can access the EHR from their home-based computer. Obviously, in all of these scenarios, security and confidentiality are critical.

Again, HIPAA security regulations apply. Basically, HIPAA requires vendors to ensure the security of electronic patients' personal health information. The security regulations delineate recommendations in three categories-administrative procedures, physical safeguards, and technical security services and mechanisms. HIPAA requires administrative procedures that protect data and regulate the conduct of individuals using personal health information. Business associates need to train their employees concerning confidentiality and security of the information they will use to code. Healthcare organizations should investigate the adequacy of a vendor's training before deciding whether to outsource.

HIPAA also requires that computer systems be protected from events such as fire or other hazards as well as from access by unauthorized persons. The safeguards will differ, of course, depending on where outsourced coders are located. For example, if a vendor's coders wore in its office, protections are needed concerning access to the computers, perhaps with a badge card or other scanning mechanism, as well as issues related to backing up the information, passwords, backup power, and failed drives. If a vendor's coders work at home, other protections should be addressed and may include:

* Using home-based computers exclusively for coding with no access to other Internet usage and exposure to viruses

* Regulating Internet connections through routers that have built-in, effective firewall protection

* Restricting employees from downloading any personal software onto the computer

* Providing software that does not allow coders to print, screen capture, or transmit any electronic data from their computers to any other users other than back to the hospital or vendor's server

* Using the software that does not allow any information to be stored on the computer's hard drive either in files or as cookies after coding is completed

Technical security mechanisms are needed to prevent unauthorized use of data transmitted to coders. The vendor should tell the hospital who has access to the information, such as coding supervisors or technicians working on the computers. Access to the information should occur only after the authorized coder has logged into the system using a series of passwords. Also, audit trails are needed to verify that information was accessed only as appropriate. At a minimum, remote coding vendors should be evaluated on:

* How data are captured, transferred, stored, and accessed

* Type of encryption methods used

* Firewall controls

* Bandwidth requirements

* Audit controls and reporting

* Physical security of hardware

* Maintenance of data

* Disaster recovery methods

* Workflow management

Outsourcing the Billing Function

Because processing a single healthcare claim costs as much as $25, healthcare organizations are challenged to improve payment while complying with federal guidelines for billing. Outsourcing may be the answer.

The billing function ideally is a combination of in-house and outsourced collaboration. Routine claims can easily be completed by in-house staff, and more complex tasks can be sent to outsourcing vendors. The healthcare organization should make all decisions regarding collection and write-offs. The healthcare organization can submit codes to the vendor. The vendor can then prepare billing forms for the third-party payer, recheck the bills for accuracy and compliance with payer rules, and transmit the bills. Another function that can be outsourced is review of the explanation of benefits. The vendor can analyze EOBs, follow up on denials and unpaid claims, and file appeals on the organization's behalf as necessary.

Outsourcing the billing function can be problematic. Patients have to deal with a third party when problems arise and do not understand why they cannot discuss the bill with someone at the hospital. In essence, healthcare organizations give up some control over their business function because their staff are removed from the process. The important thing to remember is that using an external billing service does not mean that the organization is no longer responsible for coding and billing. Third-party payers, including the federal government, hold the provider responsible for all billing issues.

The Trend Continues

The growth of outsourcing in the healthcare environment is expected to continue. As such, it is imperative that healthcare facilities be diligent in choosing functions to outsource as well as outsourcing vendors.

**** AT A GLANCE

* Outsourcing can save healthcare organizations costs related to staffing and training.

* Organizations should ensure that a vendor's staff is credentialed, knowledgeable, and properly trained.

* Outsourcing firms should ensure the confidentiality and security of the information they will handle.

* Outsourcing carries risks for providers, including potentially negative impact on tax-exempt status and loss of control over business processes.

WHAT IS OUTSOURCING?

Outsourcing, the contracting of traditionally internally provided goods and services to outside third-party contractors, has existed on the American canvas, and internationally, for decades. Referred to as "off-shoring" or "offshore staff leasing" when the work is done overseas and "nearshoring" if done in Canada or Mexico, the practice exists in various sectors of the economy, including manufacturing, technology, accounting, business services, and health care.

QUESTIONS TO ASK PROSPECTIVE OUTSOURCING VENDORS

* How and where will the work be done, and will any portion of the work be subcontracted?

* Who will be performing the work and at what pay?

* What policies, procedures, and training programs are in place at all of the contractor's sites, and are they compliant with industry standards for privacy and security?

* What laws govern the protection of personal health information in the countries where services are being performed?

* How will the information be securely transported to and from the healthcare facility?

* How and when will physician and patient demographic information be provided to the contractor?

* How long will information reside on the contractor's database?

* How will information retained on the contractors' database be destroyed?

* How will the service ensure and measure quality?

* What language exists in your contracts to assign responsibility for breaches of privacy and security?

Source: Globalization of Medical Transcription Industry Requires Proper Risk Analysis, American Health Information Management Association, Oct. 30, 2003.

BOOMING BUSINESS

Outsourcing is a $4 trillion-a-year business with approximately 25 percent of a typical corporation's budget going to outsourcing of supplies or services, according to Dun and Bradstreet. Forrester Research reports that 830,000 American jobs in the service sector will move offshore by 200.5, with the number of jobs relocated to India, Korea, and China expected to reach 3.4 million by 201.5.

DID YOU KNOW?

Outsourcing is expected to gain momentum in health care as hospitals seek creative ways to cut costs while maintaining high-quality patient care. A survey of VHA hospitals indicated that outsourcing accounted for approximately 16 percent of operational budgets in 2003, up 2 percent from 2002.

Sarah E. Hazelwood is a healthcare management consultant, Lafayette, La. (SarahEH711@yahoo.com).

Anita C. Hazelwood, RHIA, FAHIMA, is a professor of health information management, University of Louisiana at Lafayette, Lafayette, La. (hazelwd@louisiana.edu).

Ellen D. Cook, CPA, is a professor of accounting, University of Louisiana at Lafayette, Lafayette, La. (edcook@louisiana.edu).

COPYRIGHT 2005 Healthcare Financial Management Association
COPYRIGHT 2005 Gale Group