RemedySpot.com

Re: AppointmentQuest response to Business Associate Agreements and HIPAA


Guest guest

Thanks.

Sharon

Sharon McCoy MD
Renaissance Family Medicine
10 McClintock Court; Irvine, CA 92617
PH: (949)387-5504 Fax: (949)281-2197 Toll free phone/fax:
www.SharonMD.com

 

For those using AppointmentQuest, here is the reply I got from them about HIPAA and Business Associate Agreements.

Seto
South Pasadena, CA

Begin forwarded message:

Subject: Re: Support Request (1040175059): Business Associate Agreement and HIPAA

Date: April 24, 2012 4:05:56 PM PDT
To: Seto

Dear Seto,

The article you have referenced is referring to "physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible". This indeed appears to be a serious privacy breach.

HIPAA regulations do not apply to AppointmentQuest scheduling services since AppointmentQuest does not perform insurance, payment or related transactions (HIPAA transactions), and does not collect any medical history from your patients. We do not advise storing disclosed electronic protected health information (ePHI) in AppointmentQuest databases. Customer contact and appointment information is kept private and shared only with you (service provider).

For more information on healthcare scheduling and HIPAA, please visit: http://www.appointmentquest.com/scheduling/healthcare

Specifically, please read "Medical Scheduling, Privacy and HIPAA" on the page referenced above. HIPAA regulations do not apply to software, as HIPAA is an organizational/operational set of requirements.

More than 20% of AppointmentQuest customers are doctors and small medical offices. We understand specific healthcare requirements and enforce very strict security measures in our systems.

Nevertheless, we would like to advise you against storing patient sensitive information (such as SSN, DOB, and insurance information) in AppointmentQuest Online Appointment Manager. The main concern here is not a hacker attack or an online security incident (which has never happened successfully in the entire history of AppointmentQuest operations), but an insider breach, such as, hypothetically, one of your fired employees having access to your AppointmentQuest account externally. This general rule applies to all online systems, and not just AppointmentQuest in particular.

We take customer and service provider privacy and security very seriously by enforcing high standards of electronic and physical security on our premises and data center space. AppointmentQuest does not collect, sell, share, disclose or provide customer, appointment and service provider information to any third parties unless required by law. For more information, please see AppointmentQuest Privacy Policy:

http://www.appointmentquest.com/privacy

AppointmentQuest does not sign BA Agreements. If you intend to store patient privacy sensitive information in your online scheduling system you may consider choosing another scheduling provider that offers signed BA Agreements.

Sincerely,

AppointmentQuest Customer Service
support@...
www.appointmentquest.com

On Apr 23, 2012, at 6:45 PM, you wrote:

I just read a news article about a medical practice being fined $100,000 because they didn't have a Business Associate Agreement with the appointment scheduling service they used. How would I go about getting AppointmentQuest to sign a Business Associate Agreement with me so that it meets the HIPAA Federal Privacy rules? Here is a link to the article: http://www.hhs.gov/news/press/2012pres/04/20120417a.html

If you are not able to sign a Business Associate Agreement, then I think I would need to find another online appointment service that could sign an agreement. Thank you for your prompt response.

Seto, MD


Guest guest

Thanks.

Seeing the original article about the fine on the HHS website definitely was alarming, but this seems to have reassured any IMP concerns for potential exposure when using AppointmentQuest. I'm currently working on my future practice website and am looking into integrating AQ into my online presence.

Frederick Elliott MD
IMP Practice in 2013
Buffalo, NY



Guest guest

Carla,

I am with you on this.....was rather put off by their response and not reassured at all.

Dannielle
Connected by DROID on Verizon Wireless


Guest guest

Over the years, sign-in logs at the front desk have been replaced with more private sign-in procedures. How does that differ from privacy concerns for an online sign-in like Appointment Quest? If you agree this is a comparable situation then a BAA would be required by HIPAA. On the other hand, non-secure text messages, robo voice messages and emailed appointment reminders seem to pass muster with HIPAA. It would seem HIPAA gives a pass to those usual activities that would be difficult to do otherwise while raising the anxiety level over newer technologies. If a bureaucracy gets onerous enough the public will demand cutting its funding. The HIPAA bureaucracy walks a fine line as it attempts to serve the conflicting needs for convenience and security.

Beginning the online sign-in process with something like the following disclosure would seem to be a good start. "Our online appointment schedule is offered to you for your convenience using non-secure internet services. If this does not meet your privacy needs then please call our office at ."

Think about it. How many patients have a problem using a non-secure internet for hundreds of needs a year? I have yet to meet a patient that has a problem with a non-secure internet service for anything other than charge cards. Perhaps it's time to disclose we use non-secure internet services to everyone. The Wall Street article below should give pause to anyone believing they have a secure portal or secure anything.

Hackers-for-Hire Are Easy to Find … "One such site, hiretohack.net, advertises online services including being able to "crack" passwords for major email services in less than 48 hours. It says it charges a minimum of $150, depending on … complexity and the urgency of the job."

Perhaps, Appointment Quest should accommodate a full disclosure before patients sign in?

Neighbors, MD
Huntsville, Alabama
Solo using FlexMedical EMR/Billing since 2/2009
Attested MU in 2011

From: [mailto: ] On Behalf Of Carla Gibson
Sent: Wednesday, April 25, 2012 1:50 AM
To:
Subject: Re: AppointmentQuest response to Business Associate Agreements and HIPAA

,

They don't advise storing any ePHI in the AQ databases but then reassure us that the databases are private and "shared" only with us as the purchaser of their service? Yet, I'm sure that most of us collect demographic data... like NAME... and scheduling an appointment is about the provision of health care to that individual (see excerpts from HHS below). It appears we should not collect address, insurance plan name, DOB, or reason for appointment if we are to use AQ. AQ is offering a service, their cloud-based scheduler, which is an administrative function for us. That makes them a Business Associate from my read. It seems they don't want to take on the liability of a BAA, but if they are protecting our databases the way they say they are, then it should not be an issue. What is your gut feeling on their response?

Carla Gibson

From: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."12 "Individually identifiable health information" is information, including demographic data, that relates to:

- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.9 Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

To:
Sent: Tuesday, April 24, 2012 5:24 PM
Subject: AppointmentQuest response to Business Associate Agreements and HIPAA

For those using AppointmentQuest, here is the reply I got from them about HIPAA and Business Associate Agreements.

Seto
South Pasadena, CA


Guest guest

To my read, it does appear that I am breaking the law by using Appointment Quest to collect name, DOB, reason for visit. However, I am going to continue for now because clearly they are not making my patient schedule available for all to access online. Maybe I will add 's disclaimer to the section on my web page where one can go to make an appointment. Interesting times to be alive in.

Lynn



Guest guest

and I think that is the point, no matter how secure a service appears to be, lack of a BAA makes it all moot?

Sangeetha



Guest guest

I love paper!!!

I love America!!!


> > could sign an agreement. Thank you for your prompt response.

> >

> > Seto, MD

> >

> >

> >

> >

> >

> >

> >

> >

> >

>

>

> ------------------------------------

>

>


Guest guest

Lynn, :) Glad to hear you are a patriot.

It is a *!#*! shame that any doctor spends time thinking about some of this stuff.  Go do your healing!

Sharon 

I love paper!!!

I love America!!!

________________________________

> To:
> From: sangeethamurthy@...
> Date: Wed, 25 Apr 2012 08:49:35 -0700
> Subject: Re: AppointmentQuest response to Business Associate Agreements and HIPAA
>
> and I think that is the point, no matter how secure a service appears
> to be, lack of a BAA makes it all moot?
>
> Sangeetha
>
> On Wed, Apr 25, 2012 at 8:20 AM, Lynn Ho wrote:
>
> To my read, it does appear that I am breaking the law by using
> Appointment Quest to collect name, DOB, reason for visit. However, I am
> going to continue for now because clearly they are not making my
> patient schedule available for all to access online. Maybe I will add
> 's disclaimer to the section on my web page where one can go to
> make an appointment. Interesting times to be alive in.
> Lynn


Guest guest

I, uh, live where we, ah, MAKE paper. My paper mill employees give me grief about paperless offices... it is pathetic that we cannot all communicate, everyone is afraid and no one has any idea what's up.

I have a better word for these times than Lynn's sweet "interesting":

I love paper!!!

I love America!!!


Guest guest

I use web appointments, I also looked at appointment plus? All of them say pretty much the same thing, reluctant to sign a BAA but insist it should be fine... so who DOES use a SERVICE that WILL sign a BAA?

Sangeetha

 

,

They don't advise storing any ePHI in the AQ databases but then reassure us that the databases are private and "shared" only with us as the purchaser of their service? Yet, I'm sure that most of us collect demographic data... like NAME ... and scheduling an appointment is about the provision of health care to that individual (see excerpts from HHS below). It appears we should not collect address, insurance plan name, DOB, or reason for appointment if we are to use AQ. AQ is offering a service, their cloud-based scheduler, which is an administrative function for us. That makes them a Business Associate from my read. It seems they don't want to take on the liability of a BAA, but if they are protecting our databases the way they say they are, then it should not be an issue.

What is your gut feeling on their response?

Carla Gibson

From: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." "Individually identifiable health information" is information, including demographic data, that relates to:

- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.


Guest guest

Carla,

My gut feeling is, this makes me nervous. On the one hand, if the patient is the one entering their own information and chief complaint and demographic information and hitting "Send", then I think this should not be a HIPAA violation because the patient is the one initiating the sending of this information. Just like there is a presumption that patients are giving permission to communicate by e-mail if they initiate the e-mail to a healthcare provider.

On the other hand, this is definitely protected health information (PHI) and it is being sent through regular e-mail as part of the notification to me, so it makes sense to me that a Business Associate Agreement (BAA) would apply and cover all parties concerned. Also this is the Federal government we are talking about and if they want to interpret this as a HIPAA violation, then they have the power to prosecute and add our names to the next news headline, regardless of how AQ or anyone else interprets this.

So I think these are our options:

1. Don't use any online appointment scheduling service at all.
2. Find an online appointment scheduling service that agrees to sign a BAA.
3. Contact HHS and ask for a clarification on whether they agree with AppointmentQuest's interpretation of HIPAA.
4. Keep using an online appointment scheduling service and hope no one notices.

Seto
South Pasadena, CA


Guest guest

So I sent an e-mail to a site called DocMeIn.com which looked promising. They call themselves a "free online scheduling for private healthcare providers". Their response to BAA was better but not ideal:

"We hold no position on HIPAA's applicability to our services. However, we are confident that we satisfy the provisions we would be required to as a BA of a HIPAA covered entity. This being the case, we are not averse to executing a BA agreement with you. However we would not be able to do so on our usual commercial terms. For a single-provider BAA-covered practice, the monthly service fee would be $50."

So they will sign a BAA but charge $50/month, or you can use their service for free without a BAA.

When I searched further, I eventually found a website (www.lattiss.com) offering free online appointment scheduling that not only says it is HIPAA-compliant, but they also include a HIPAA Business Associate Agreement as an addendum to their Terms of Use:

http://www.lattiss.com/corp/hippa.jsf

I had never heard of them before. Apparently they have been around since at least 2008, and are based in Santa Clara, and have a bunch of testimonials on their site. It might be worth checking out.

Seto
South Pasadena, CA


Guest guest

Thanks for posting that. I've been thinking about adding Appointment Quest to my practice but, given what's been discussed here, I may need to look at other alternatives such as these.

Pierce

 


Guest guest

E-MDs. Patients can schedule via portal.

Pratt

 

I use web appointments, I also looked at appointment plus?. All of them say pretty much the same thing, reluctant to sign BAA but insist it should be fine..so who DOES use a SERVICE that WILL sign a BAA?

Sangeetha

 

They don't advise storing any ePHI in the AQ databases but then reassure us that the databases are private and "shared" only with us as the purchaser of their service? Yet, I'm sure that most of us collect demographic data... like NAME... and scheduling an appointment is about the provision of health care to that individual (see excerpts from HHS below). It appears we should not collect address, insurance plan name, DOB, or reason for appointment if we are to use AQ. AQ is offering a service, their cloud based scheduler, which is an administrative function for us. That makes them a Business Associate from my read. It seems they don't want to take on the liability of a BAA, but if they are protecting our databases the way they say they are, then it should not be an issue.

What is your gut feeling on their response?

Carla Gibson

From: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." "Individually identifiable health information" is information, including demographic data, that relates to:

- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

To:

Sent: Tuesday, April 24, 2012 5:24 PM
Subject: AppointmentQuest response to Business Associate Agreements and HIPAA

For those using AppointmentQuest, here is the reply I got from them about HIPAA and Business Associate Agreements.

Seto
South Pasadena, CA

Begin forwarded message:

Subject: Re: Support Request (1040175059): Business Associate Agreement and HIPAA
Date: April 24, 2012 4:05:56 PM PDT
To: Seto

Dear Seto,

The article you have referenced is referring to "physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible". This indeed appears to be a serious privacy breach.

HIPAA regulations do not apply to AppointmentQuest scheduling services since AppointmentQuest does not perform insurance, payment or related transactions (HIPAA transactions), and does not collect any medical history from your patients. We do not advise storing disclosed electronic protected health information (ePHI) in AppointmentQuest databases. Customer contact and appointment information is kept private and shared only with you (service provider).

For more information on healthcare scheduling and HIPAA, please visit:
http://www.appointmentquest.com/scheduling/healthcare

Specifically, please read "Medical Scheduling, Privacy and HIPAA" on the page referenced above. HIPAA regulations do not apply to software, as HIPAA is an organizational/operational set of requirements.

More than 20% of AppointmentQuest customers are doctors and small medical offices. We understand specific healthcare requirements and enforce very strict security measures in our systems. Nevertheless, we would like to advise you against storing patient sensitive information (such as SSN, DOB, and insurance information) in AppointmentQuest Online Appointment Manager. The main concern here is not a hacker attack or an online security incident (which has never happened successfully in the entire history of AppointmentQuest operations), but an insider breach, such as, hypothetically, one of your fired employees having access to your AppointmentQuest account externally. This general rule applies to all online systems, and not just AppointmentQuest in particular.

We take customer and service provider privacy and security very seriously by enforcing high standards of electronic and physical security on our premises and data center space. AppointmentQuest does not collect, sell, share, disclose or provide customer, appointment and service provider information to any third parties unless required by law. For more information, please see AppointmentQuest Privacy Policy:
http://www.appointmentquest.com/privacy

AppointmentQuest does not sign BA Agreements. If you intend to store patient privacy sensitive information in your online scheduling system you may consider choosing another scheduling provider that offers signed BA Agreements.

Sincerely,
AppointmentQuest Customer Service
support@...
www.appointmentquest.com

On Apr 23, 2012, at 6:45 PM, you wrote:

I just read a news article about a medical practice being fined $100,000 because they didn't have a Business Associate Agreement with the appointment scheduling service they used. How would I go about getting AppointmentQuest to sign a Business Associate Agreement with me so that it meets the HIPAA Federal Privacy rules? Here is a link to the article:
http://www.hhs.gov/news/press/2012pres/04/20120417a.html

If you are not able to sign a Business Associate Agreement, then I think I would need to find another online appointment service that could sign an agreement. Thank you for your prompt response.

Seto, MD


  • 1 month later...
Guest guest

Fullslate is a nice option. Don't think they have BAs.
http://www.fullslate.com/hipaa

Best,
Paras

 

On a slightly different scheduling program topic:

I was using AppointmentQuest, generally quite happily, except for a few things:

1. A few people lose their passwords or log-ins and get frustrated.
2. If I put an appointment on my calendar (I use Google calendar) NOT through appointmentquest and forget to reenter on appointmentquest (as an appt. or block), patients can still schedule during that time.... i.e. double entry is required.

So, I tried Time Trade. It solved those problems, no log-in and it syncs both ways with my calendar so I have fewer problems that need to be rescheduled.

But, it doesn't offer the option to have lead-in or lead-out time (in appointmentquest I have 15 minutes after each appt.) which I like.

Anyone know of a program that does all this?

Sharon

Sharon McCoy MD
Renaissance Family Medicine
10 McClintock Court; Irvine, CA 92617
PH: (949)387-5504   Fax: (949)281-2197   Toll free phone/fax:
www.SharonMD.com

 

  " this is the Federal government we are talking about and if they want to interpret this as a HIPAA violation, then they have the power to prosecute and add our names to the next news headline, regardless of how AQ or anyone else interprets this. "

That is the reason we are paranoid, of course.  I

don't want to be paranoid and I don't want to limit the advantages of using services like AQ and others  by reducing the information I collect

" just to be sure " . 

I looked at several other online scheduler options and at least two others had almost the exact same text as AQ on their site in regards to HIPAA. Focusing on the fact they are software, they don't send or collect ePHI or payment related info... thus they are not a BA.  I can basically buy that... if they specifically say that no one on their end has access AT ALL to the data in our database on their server and they provide all the encryption etc... then one could argue it is as safe as software on your own computer- which if one were PARANOID, one could imagine a software developer entering code in their software that connects to the internet when the program is used to collect information from the program... like how sensitive do we want to be. For example, I have not signed a BAA with Amazing Charts and yet I know that when I use their software, it connects to their servers to check my version.... what else might it be

checking for???!!   The line has to be drawn somewhere.

The more concerning aspect is what info goes through email.  I looked at Lattiss (great find !)... it is very easy and intuitive but not as robust as AQ. From my quick demo of it with a fake practice it looks like it collects name, email address and phone. Patients don't have to register with the program but if they do, then they have the ability to cancel their appointment or reschedule.  The email sent to the patient is from Lattiss.... not good.  You can add up to 5 fields of additional input like mailing address or reason for appointment. They email you with all that info... so technically, if you add in useful fields with ePHI, and it is sent via regular email- that is 'trouble'.

It would be helpful if AQ or others would allow customization of what is sent by email.  Lattiss does not but they appear very responsive to user input and invite it. Their blog lists several modifications/upgrades they have made based on user

input.  If anyone wants to test Lattis from the client side you can use my fake practice:

testing1.lattiss.comFor now, I will do as Lynn suggested- post more privacy info on my link to AQ and possibly create an opt-in/accept the risk field in AQ.

Carla

To:

Sent: Wednesday, April 25, 2012 12:33 PM
Subject: Re: AppointmentQuest response to Business Associate Agreements and HIPAA

Carla,

My gut feeling is, this makes me nervous. On the one hand, if the patient is the one entering their own information and chief complaint and demographic information and hitting "Send", then I think this should not be a HIPAA violation because the patient is the one initiating the sending of this information. Just like there is a presumption that patients are giving permission to communicate by e-mail if they initiate the e-mail to a healthcare provider.

On the other hand, this is definitely protected health information (PHI) and it is being sent through regular e-mail as part of the notification to me, so it makes sense to me that a Business Associate Agreement (BAA) would apply and cover all parties concerned. Also this is the Federal government we are talking about and if they want to interpret this as a HIPAA violation, then they have the power to prosecute and add our names to the next news headline, regardless of how AQ or anyone else interprets this.

So I think these are our options:
1. Don't use any online appointment scheduling service at all.
2. Find an online appointment scheduling service that agrees to sign a BAA.
3. Contact HHS and ask for a clarification on whether they agree with AppointmentQuest's interpretation of HIPAA.
4. Keep using an online appointment scheduling service and hope no one notices.

Seto
South Pasadena, CA

 


--
_____________________
Paras Mehta, MD PGY-4
President | CMC [House Staff]
Board of Directors | Mecklenburg County Medical Society
Board of Directors | American Academy of Medical Acupuncture
paras.mehta@...
