Billing Service BAA?
Question: We are moving to electronic billing, but currently submit paper claims. Do we need to establish a BAA with our billing service? Does it matter if our billing service converts those paper claims to electronic ones?
New Mexico subscriber
Answer: "If they use an entirely paper process, then they do not need a business associate agreement as of today," says Gwen Hughes, Director of e-HIM Consulting Services at Chicago's Care Communications.
However, "once you put your toe in the electronic stream, HIPAA applies," asserts Clark Stanton, an attorney in the San Francisco office of Davis Wright Tremaine. Remember: This conversion doesn't have to take place in your office.
In the Centers for Medicare & Medicaid Services's FAQs, CMS states that a billing service that converts paper claims into electronic claims is, in fact, a clearinghouse. Because the billing service is "acting on behalf of a covered entity," it is a business associate, says CMS.
The Bottom Line: You need a business associate agreement with a billing service if you are submitting any electronic claims, experts agree. However, you also need it if your billing service is doing the electronic work for you.
Tip: "If all you're doing is paper" at all levels, then you aren't a covered entity, explains Jason Levine, a consultant with Murer Consultants in Joliet, IL. However, "if you're doing any electronic claims, then you absolutely need a business associate agreement," he clarifies.
Conversational HIPAA
Question: Many of our physicians speak with patients or other treating physicians over the phone. Is their conversation protected by the HIPAA privacy or security rules?
Texas subscriber
Answer: "You don't have to worry about the security rule, but the conversation is subject to the privacy rule," Levine affirms. The conversation would only fall under the HIPAA security rule if it were somehow computerized before transmission, he adds.
Your physicians need to take appropriate measures to ensure that they are adhering to your HIPAA privacy policy and procedures to avoid a violation, experts say.
Tip: "Make sure you aren't using your cell phone where people can overhear you and know whose information you are discussing," Stanton reminds.
The Bottom Line: You should always look to state guidelines in these situations, but overall, you have to think about patient privacy when transmitting any PHI over the telephone, Levine reminds. "All communications with or about patients are covered by the privacy regulation," adds Stanton.
Remember: The behavior, not the conversation, is regulated by the privacy rule, Hughes says. If the behavior follows solid policies and procedures, your organization will remain HIPAA compliant, she maintains.