Practice Management Alert

HIPAA Question of the Month:

E-Mail Provider Won't Sign a BAA?

Question: The company that hosts our e-mail accounts refuses to sign a business associate agreement (BAA). Should we push the issue further? Are we putting our HIPAA compliance at risk by not protecting our e-mails with a BAA?

Answer: "Yes, you should push the issue further," says Raj Patel, manager of Plante & Moran's Security Assurance and Consulting Practice in Southfield, Mich. Because e-mail communications are "like sending a postcard," a BAA will force the provider to take extra steps to ensure its privacy and security.

If you're still unsure whether your e-mail provider is a business associate, find out whether "the provider has access to personal health information (PHI). Can they actually go into the e-mails and see the content?" says Beth Rubin, an attorney with Dechert in Philadelphia.

The Bottom Line: You must be thoroughly convinced a provider cannot access PHI before you let it off the hook, Rubin says. Remember that the provider does have "administrative capabilities," which allow it to access e-mail content even if it does not exercise that ability, Patel says.