The most constant aspect of life is that it’s always changing, and when things change, you have to adapt right along with it. Ironic, isn’t it? Most of the time, change happens for the better, but it does come with some stipulations. If you’re a medical professional, then you’re well aware of HIPAA and how it changed the entire medical industry. If you’re not aware of HIPAA, then pull up a chair and allow us to explain.
What is HIPAA?
The Health Insurance Portability and Accountability Act, better known as HIPAA, is a law that was created in 1996 to help regulate and protect the personal health information of patients. The Health Information Technology for Economic and Clinical Health Act, better known as HITECH, has its roots in HIPAA. Some other offshoots of HIPAA include PHI (Protected Health Information) and BAAs (Business Associate Agreements). Essentially, these laws and requirements make it so that doctors or other medical professionals cannot pass your information through unprotected systems, leaving the data vulnerable to prying eyes. With Specialty Answering Service, we understand how important it is for our clients to maintain HIPAA compliance, so we’ve changed our method of doing things as well.
Since the start of HIPAA, medical professionals all over the country have had to completely change how they run their practice to make sure they are adhering to the appropriate guidelines. Tasks that seemed so routine before, like inputting data or filing records, now have to be handled delicately to ensure the patient information stays protected. This means that if you’re using any companies to help with your day-to-day tasks, like answering your calls or shredding your documents, these companies also have to follow the same rules to ensure they are not leaking any private data. HIPAA defines these companies you use as “business associates”, and all of these 3rd party business associates need to enter into a Business Associates Agreement in order for your practice to maintain compliance.
Business Associates Agreement
A Business Associates Agreement is another offshoot of HIPAA, and is another protection mechanism in place making sure your patients’ health information stays protected. Whenever you do business with a 3rd party, that party needs to adhere to HIPAA even if they themselves are not in the medical industry. A business associate could include any person or company that produces, receives, communicates or maintains protected health information (PHI) on behalf of a covered entity, like a health care provider.
Once this agreement, or contract, is signed (by both parties), you are able to disclose private information without any violation. However, if your 3rd party associate breaks the contract, you could also be held liable for their actions. For example, if you sign a BAA with a medical lab, and they happen to disclose information to an outside party that’s not on the agreement, you could be held accountable. Before you enter into an agreement, you should always consult with a lawyer so you know exactly what you’re agreeing to. If both parties aren’t on the same page, it may lead to fines (which can cost over a million dollars per violation), loss of business, damage to your reputation, and/or lawsuits.
Running any office is complicated, but running a medical office comes with its own set of hoops that you have to jump through on a daily basis. To try and make your job a little easier, we’ve compiled a list of vendors below that a medical professional may partner with, and why you need to make sure you’re covered with a BAA:
- Cloud/IT Database: No matter what system or software you use, all of your patient data is stored somewhere in cyberspace. You’ll want to enter into a BAA with whatever party you’ve chosen to do business with to ensure that this information stays protected from hackers, or any other outside source looking to steal information. Data breaches are more common than you would think, so it’s important that you keep this information protected at all costs.
- CRM Providers: If you use a CRM (Customer Relationship Management) platform to manage all of your patient data, you’ll need to enter into a BAA with the CRM vendor to ensure that information stays protected. There are many medical-focused CRMs, like Veeva and Evariant, so they already know the deal when it comes to HIPAA. Still, it never hurts to cross your t’s and dot your i’s.
- Answering Services: If you outsource your calls to an answering service, you’ll want to make sure that the answering service is HIPAA compliant. This means that the messages they send to you cannot contain any patient information. For example, Specialty Answering Service complies with HIPAA by sending standard messages that alert you that you have a new message and to log into your secure online portal for more details. We can also sign a BAA to ensure that we are staying compliant under HIPAA. Other answering services may comply with HIPAA by sending messages via fax. However, not all answering services are HIPAA compliant, so if you’re in the market for an answering service or on-call service, make sure you do your research before partnering with one.
- Billing: If you do not process or send out invoices in your own office, then you’ll want to sign a BAA with your medical billing company because they’ll have access to patient information. Any and all patient data needs to stay protected, and this would include billing records.
- Lawyers/Legal Firm: An important aspect of running a medical office is making sure you have proper legal representation just in case things don’t go according to plan. Even if you’re not in any sort of predicament, it’s always smart to have backup just in case. When you do hire a lawyer, you should also enter into a BAA with them, as they would need to have access to patient records. If you do not, you might find yourself getting hit with a double whammy.
- Insurance Providers: Due to the high costs of the medical industry, most medical practices partner with various insurance providers. Since the insurance provider would have access to patient health records, you would need to sign a BAA with them to keep that information protected.
- Medical Labs: If you’re in the medical industry, then chances are you partner with some sort of lab to analyze any blood or culture samples you take from your patients. They are essentially an extension of your practice, so entering into a BAA with any labs you work with is crucial.
- Medical Transportation Services: If you partner with a medical lab, then you most likely also partner with a medical transportation service. These services would be used to transport any blood or culture samples to a lab for further testing. Included with these samples are the patient records, which the transportation service would have access to. So, you would want to sign a BAA with them as well to protect those items.
- Appointment Reminder Notifications: Usually, medical offices will send out some sort of reminder when a patient is due for their annual check-up, or if they have an upcoming appointment. If you use a 3rd party company to send out texts, emails, phone calls and/or postcards, you’ll want to make sure they are adhering to HIPAA in addition to signing a BAA.
- Shredding Services: If you run a larger practice, then you may need to hire a 3rd party to shred documents/records that are no longer needed. Since they’ll have access to all of the information you give them, you’ll need to enter into a BAA with the company to ensure that information gets destroyed correctly and nothing gets left behind.
Not Every Company You Work With is Considered a Business Associate
Sometimes you may work with vendors that might not need to be regulated under HIPAA, and therefore would not need to sign a BAA. The vendors listed below may not need to enter into a BAA with you, however, please check with your lawyer to make sure:
- Janitorial/Medical Waste Services: Typically, janitors or companies that dispose of medical waste do not need to adhere to HIPAA since they aren’t handling any patient information. However, they do still have to come into your practice, so they will have indirect access to medical records.
- Website Hosting/Developers: If you pay an outside source to create and/or manage your website, you probably don’t need to sign a BAA with them. Generally speaking, your website shouldn’t have any patient information on the surface. However, if your website also serves as an online portal for your patients to log into, or a repository to gather patient email addresses for newsletter mailings, then you’ll want to make sure your 3rd party associate is HIPAA compliant and you may want to enter into a BAA with them as well.
- Business Consultants: If you have a business consultant, you may want them to enter into a BAA depending on how involved they are. If they don’t have access to your patient records, then you’re probably fine. However, you should consult with a lawyer before making any decisions.
- Direct Mail Companies: Direct mail refers to a marketing effort used by all types of industries to try and target a larger audience. For example, these promotional efforts could include brochures or pamphlets regarding your medical practice. Since these companies can realistically send mail to anyone, you may not need to enter into a BAA if you’re not giving out your own patients’ addresses.
These examples are just a few of the many types of business associates a medical professional may partner with. No matter how many or how few business associates you have, it’s always important to make sure everybody’s up to code. When you stay current on HIPAA regulations, you can ensure that all of your patients’ health information stays protected. Happy patients equal more business, and more business equals happy medical professionals. Everybody wins!