Recent changes (again) have beefed up what healthcare providers must do to protect patients’ information in the office, and have many providers scratching their heads and worrying about one more compliance issue. While HIPAA Privacy addresses the protection and disclosure of all protected health information (PHI) created or received by a practice (oral, written, and electronic), HIPAA Security addresses, more narrowly, the protection of electronic protected health information (ePHI): PHI that is created, stored, accessed, maintained, or transmitted electronically.

One of the most important requirements of your HIPAA Security Program is the Business Associate Agreement (BAA). You will often use the services of a variety of other people or businesses to carry out your chiropractic business functions. The HIPAA rules allow you to disclose and transmit patients’ ePHI to these “business associates” only if you first obtain satisfactory assurances, in writing, that the business associate will use the information only for the purposes for which your office engaged it, will safeguard the information from misuse, and will help you comply with some of your duties under the Security Rule.
- Do you have contracts in place with outside entities entrusted with ePHI generated by your office?
- If so, do the contracts provide assurances that the ePHI will be properly safeguarded and used only for the intended purpose?
- For the software vendor you use for practice management, do you have assurances that the products are HIPAA compliant?
- Is your massage therapist an independent contractor? Do you have a BAA with him/her with proper assurances in place?
- When you contact consultants for assistance, do you ensure you have a BAA in place before sending ePHI?
Dr. Parker: “Hi Mary, I know we’ve been working together for years, and you’ve always done such a great job handling my billing. I am updating my compliance policies and procedures in my office to the HIPAA rules and regulations. I’ve learned a lot about my responsibilities for protecting my patients’ health information, and yours as well as a business associate.”
Mary: “Oh, no problem. E-mail it to me and I’ll get it back to you later today.”
Mary: “What is this agreement all about? I’m not sure I want to sign any agreement.”
Dr. Parker: “Oh, the agreement simply says that you won’t use my patients’ information in any way other than for the agreement we have for you to do my billing. It says you’ll protect that information and make sure it doesn’t get mishandled in any way. You’ll see in the contract. But no worries, Mary, it’s all the stuff I’m sure you’ve been doing the whole time. I am simply required to have this contract on file here in the office since you are an independent contractor.”
Mary: “Well, I’m just not big on contracts. I’d have to hire an attorney to review it, and that’s expensive. I’ll read it but I have to tell you, I don’t think I’ll be signing it.”
Dr. Parker: “It’s really straightforward. I’ll send it for you to read. I want to continue working with you because you do an awesome job for us, but I’m responsible for this requirement. Whoever is doing my billing has to agree to protect my patients’ ePHI, and that person has to agree in writing. I’m bound by these rules and regulations or could face a hefty fine. I’m sure you understand. I’ll send it over. You take a look and we’ll decide if we can move forward working together once you’ve made a decision about signing.”
Because you are responsible for having these documents on file, you cannot allow a business associate to function on your behalf, using your patients’ ePHI, until that associate has signed the BAA and agreed to the assurances it contains. Once you have received a signed BAA from each person or business that works with your practice, log and date its receipt and keep this log in your HIPAA Security Compliance Manual. Under the HIPAA Security documentation standards, your record of the signed agreement is as important as the agreement itself: if an auditor asks, you must be able to show both the BAA and when it was executed.
There are circumstances when a BAA is not required, such as:
- Sending ePHI to another healthcare provider when it concerns the treatment of a patient.
- A person requesting a copy of his or her own ePHI.
- For those who work as W2 employees in your practice.
- When an independent contractor has no access to, or authorization for, PHI of any kind (keep in mind that HIPAA Privacy covers PHI in all forms, so the contractor must have access to no PHI at all, not merely no ePHI; otherwise HIPAA Privacy requires a BAA).
Remember, your patients’ PHI is your responsibility. Don’t miss this crucial piece of your compliance program. Start now with the business associates you currently use for services, and each time you retain a new associate, be sure the BAA is signed before he or she ever receives or has access to your patients’ ePHI. Having your compliance in place and active in your practice allows for fearless care of patients and ease in daily business functions!