RemedySpot.com

Re: HIPAA ,privacy policy, and employee training


Guest guest

I am starting a new IMP, and have read the thread and case below re: appt scheduling. This brings up 2 simple questions for me:

1) How much HIPAA training documentation do I need to have for a part-time receptionist that schedules appointments for me? I have taken these trainings in the past on PHI at other clinics I worked at, but as a solo practitioner I need to know if I have to provide these?

(The case below mentions they "failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules.")

2) Does anyone have a link to how much is required in my privacy policy? I have surveyed many websites and see policies in great variation from 2-7 pages long (7 pages!). The link below is 25 pages and I intend to read that, but these policies are so long...

I appreciate your input,

thanks,

> Regarding the question of whether we should have a Business Associate Agreement with the providers of an online appointment scheduling service, I sent the following inquiry to Family Practice Management, the practice management journal of AAFP:
>
> > I recently read a news article about a medical practice being fined $100,000 by HHS because (among other things) they violated HIPAA and didn't have a Business Associate Agreement with the appointment scheduling service they used. Here is a link to the article:
> > http://www.hhs.gov/news/press/2012pres/04/20120417a.html
> >
> > When I asked the current online appointment scheduling service that I use (AppointmentQuest) if they would be willing to sign a Business Associate Agreement with me in order to comply with HIPAA rules, they said that HIPAA doesn't apply to them and that they do not sign Business Associate Agreements. Their actual reply is below:
> >
> > > "HIPAA regulations do not apply to AppointmentQuest scheduling services since AppointmentQuest does not perform insurance, payment or related transactions (HIPAA transactions), and does not collect any medical history from your patients. We do not advise to store disclosed electronic protected health information (ePHI) in AppointmentQuest databases. Customer contact and appointment information is kept private and shared only with you (service provider)."
> >
> > Naturally, this makes me feel uneasy that the Department of Human Health Services may not agree with their opinion. I would like some clarification on whether or not I can keep using an online appointment scheduler, but I am reluctant to contact HHS directly for fear that they might come after me. Is there a way FPM could find out the answer to this question? I'm sure it affects a lot of small practices who also use an online scheduling service and are unsure if they are putting themselves at risk.
> >
> > Thank you for any assistance you can give in this area.
>
> Here is the reply I got:
>
> > My name is Renae Moch and I am the Practice Management Strategist for the American Academy of Family Physicians (AAFP). I received your question from FPM regarding HIPAA and online scheduling services. I have done some research and came across a document that should be helpful to you in answering the questions that you have.
> >
> > This document can be found on the US Department of Health and Human Services website at:
> > http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
> >
> > I highlighted the areas in the attachment that pertain to your question. Based on this documentation, I would say that the company you are using for online appointment scheduling would be considered a "business associate." They are scheduling appointments for patients and obtaining Protected Health Information (PHI) such as their name, address, birth date and reason for being seen by a provider. They should be willing to sign a Business Associate Contract at your request. Feel free to read through this documentation and proceed as you feel is appropriate.
>
> I sent a follow-up question:
>
> > If they refuse to sign a Business Associate Contract and I continued using their service, would I be protected from violating HIPAA if I included in my Notice of Privacy Practices a clause such as "All electronic communications including our web site, phone, internet, text messaging, fax are provided as a convenience and are considered non secure communication to be used at your discretion." That is, as long as patients are notified that these communications are not secure, and they accept this and continue to use these services, then would this be OK under HIPAA? I understand that you may not be an attorney and therefore may not be able to answer this question, but I appreciate any thoughts you have on this.
>
> Here is her reply:
>
> > Yes you are correct, I am not an attorney and unable to give you legal advice, but I can provide you with my thoughts on this subject. The best practice would be to use a service that understands and complies with HIPAA and will sign a Business Associate Contract. If that is not an option, then a signed contract between the patient and the provider (or practice) which outlines the risks and benefits of non-secure communications to share protected health information would be essential. Hope this helps you to make the best decision for your practice.
>
> Seto
> South Pasadena, CA


Guest guest

OK, so I have the same concerns about appointmentquest, which I am using with great trepidation now. Has anyone found a similar online appointment service that is willing to sign a business associate agreement and clearly comply with HIPAA?


Guest guest

What’s wrong with just saying “As a convenience we offer this appointment service via non secure internet and email. If this does not meet your privacy needs please stop by to make an appointment.” Bet no one ever takes you up on the “stop by the office offer.” Does HIPAA require more than full disclosure? Can’t imagine that it does if you offer full disclosure and a secure alternative? People like the convenience of non secure email, telephones, etc. Unfortunately, many conveniences we like have not quite caught up with the simple security solutions we want. Any HIPAA expert with a different view?

From: [mailto: ] On Behalf Of drdeonne
Sent: Tuesday, June 05, 2012 10:46 AM
To:
Subject: Re: HIPAA ,privacy policy, and employee training

OK, so I have the same concerns about appointmentquest, which I am using with great trepidation now. Has anyone found a similar online appointment service that is willing to sign a business associate agreement and clearly comply with HIPAA?
