RemedySpot.com

Re: BAA, HIPAA and online appointment services


Guest guest

Egads. I run my scheduler on my own website and, presumably, only I have access to the database. However, the website is hosted by another company, and I suppose they could find a way to get into the database. There is no way they would agree to a BAA. And I don't use a secure HTTP session. So now I don't know if my setup would meet code, either. This IMP thing doesn't get any easier, does it?!

Haresch

>
> Regarding the question of whether we should have a Business Associate Agreement with the providers of an online appointment scheduling service, I sent the following inquiry to Family Practice Management, the practice management journal of AAFP:
>
> > I recently read a news article about a medical practice being fined $100,000 by HHS because (among other things) they violated HIPAA and didn't have a Business Associate Agreement with the appointment scheduling service they used. Here is a link to the article:
> > http://www.hhs.gov/news/press/2012pres/04/20120417a.html
> >
> > When I asked the current online appointment scheduling service that I use (AppointmentQuest) if they would be willing to sign a Business Associate Agreement with me in order to comply with HIPAA rules, they said that HIPAA doesn't apply to them and that they do not sign Business Associate Agreements. Their actual reply is below:
> >
> > > "HIPAA regulations do not apply to AppointmentQuest scheduling services since AppointmentQuest does not perform insurance, payment or related transactions (HIPAA transactions), and does not collect any medical history from your patients. We do not advise storing disclosed electronic protected health information (ePHI) in AppointmentQuest databases. Customer contact and appointment information is kept private and shared only with you (service provider)."
> >
> > Naturally, this makes me feel uneasy that the Department of Human Health Services may not agree with their opinion. I would like some clarification on whether or not I can keep using an online appointment scheduler, but I am reluctant to contact HHS directly for fear that they might come after me. Is there a way FPM could find out the answer to this question? I'm sure it affects a lot of small practices who also use an online scheduling service and are unsure if they are putting themselves at risk.
> >
> > Thank you for any assistance you can give in this area.
>
> Here is the reply I got:
>
> > My name is Renae Moch and I am the Practice Management Strategist for the American Academy of Family Physicians (AAFP). I received your question from FPM regarding HIPAA and online scheduling services. I have done some research and came across a document that should be helpful to you in answering the questions that you have.
> >
> > This document can be found on the US Department of Health and Human Services website at:
> > http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
> >
> > I highlighted the areas in the attachment that pertain to your question. Based on this documentation, I would say that the company you are using for online appointment scheduling would be considered a "business associate." They are scheduling appointments for patients and obtaining Protected Health Information (PHI) such as their name, address, birth date and reason for being seen by a provider. They should be willing to sign a Business Associate Contract at your request. Feel free to read through this documentation and proceed as you feel is appropriate.
>
> I sent a follow-up question:
>
> > If they refuse to sign a Business Associate Contract and I continued using their service, would I be protected from violating HIPAA if I included in my Notice of Privacy Practices a clause such as "All electronic communications including our web site, phone, internet, text messaging, fax are provided as a convenience and are considered non-secure communication to be used at your discretion." That is, as long as patients are notified that these communications are not secure, and they accept this and continue to use these services, then would this be OK under HIPAA? I understand that you may not be an attorney and therefore may not be able to answer this question, but I appreciate any thoughts you have on this.
>
> Here is her reply:
>
> > Yes, you are correct, I am not an attorney and unable to give you legal advice, but I can provide you with my thoughts on this subject. The best practice would be to use a service that understands and complies with HIPAA and will sign a Business Associate Contract. If that is not an option, then a signed contract between the patient and the provider (or practice) which outlines the risks and benefits of non-secure communications to share protected health information would be essential. Hope this helps you to make the best decision for your practice.
>
> Seto
> South Pasadena, CA
>
