Health Information Compliance Alert

HIPAA:

Inspect Your Vendors' Policies and Protocols Before

Choose the best associate for your practice needs.

For a medical practice to run smoothly, all the pieces of the puzzle must fit. From designing waiting rooms to executing payroll to installing software systems to overseeing billing, you have to do a lot and know about doing even more.

It’s tempting — and, sometimes, necessary — to get help in completing some of these tasks by hiring a vendor. But it’s tough to anticipate when a vendor will actually alleviate your stress and boost your bottom line.

“You need to hire what you need, not what you think you can get,” says Terry Fletcher, BS, CPC, CCC, CEMC, CCS, CCS-P, CMC, CMCSC, CMCS, ACS-CA, SCP-CA, owner of Terry Fletcher Consulting Inc. and consultant, auditor, educator, author, and podcaster at CodeCast, in Laguna Niguel, California.

Make Your Schedule a Priority

While hiring out for a service can be complicated, what with compliance with HIPAA and other privacy and security concerns, you need to make sure that whichever vendors you deem necessary also make good business sense.

For example, if you want to invest in a waiting room that is comfortable for patients and meets your office’s needs and budget, you’ll need to find someone who can consult and execute the work while your office isn’t open. Patients are pretty accommodating with construction work or other necessary nuisances, but you don’t want to have to ask patients to please evacuate their seats so you can switch out your waiting room furniture during business hours. Don’t put off updates that will benefit everyone, but find someone who can work with your schedule.

“Make sure you know who your vendors are, make sure you get references, make sure they’re available off-hours if you need them,” she says.

Important: Similarly, if you’re hiring out for assistance with billing or coding, you need the help to be available around your schedule. You don’t want to get behind in the paperwork necessary to bring in the dollars you depend upon because the vendor you hire — who is working for you — has an inflexible schedule.

“I see a lot of billing companies that say ‘we’re not open Saturday, we’re open 9-5 Pacific Standard Time.’ That helps nobody. Never go with a billing company that has that kind of lack of flexibility,” Fletcher says.

Beware of Compliance

Personal and small-business accounting programs have revolutionized the way many people keep track of expenses, debts, payroll, income, and taxes. At first glance, utilizing a commercially available program like QuickBooks for your medical office may seem brilliant — it’s working for all the other independent businesses in town, right? And that way, you can keep everything in-house!

However, while such programs may be secure, they are probably not compliant.

“Currently, QuickBooks Online meets industry standards for online security, but is not compliant with the HIPAA standards for privacy. If you are a healthcare professional, it is not recommended that you enter ‘individually identifiable health information’ into the QuickBooks Online program,” says Intuit’s QuickBooks website. Other iterations of this or other similar programs may not be compliant either.

One hint: If you’re having trouble processing a health savings account (HSA), a flexible spending account (FSA), or a health reimbursement account (HRA) — or payments made with cards for any of these accounts — the software you’re using may not be designed for use in a healthcare setting.

Be careful not to let the convenience of programs like this lull you into noncompliance.

Know the Basics on Liability

Covered entities (CEs) can share protected health information (PHI) with business associates (BAs) only when “the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule,” says the HHS Office for Civil Rights (OCR).

Remember: Recently, the OCR updated its guidance on the direct liability of BAs. The truth is that CEs need to be doubly careful of what they share with their partners and vendors (see Health Information Compliance Alert, Vol. 19, No. 6).

The new guidance outlines and clarifies which “party is ultimately responsible for satisfaction of various responsibilities and patient rights,” explains HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Where the BA is not responsible, the hiring entity is.” 

Sheldon-Dean continues, “The guidance doesn’t reduce the BA responsibilities so much as define the legal liability boundaries between entities. It is overall a useful document, even though in many cases now it clearly puts the covered entities on the hook for making sure their business associates are providing services on their behalf according to the rules.” 

Best bet: Make sure you utilize a watertight business associate agreement (BAA) to protect your business when hiring and using vendors.

Resource: See the most updated advice on vendor and BA liability at www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.