Guest guest
Posted May 3, 2012

Regarding the question of whether we should have a Business Associate Agreement with the providers of an online appointment scheduling service, I sent the following inquiry to Family Practice Management, the practice management journal of AAFP:

I recently read a news article about a medical practice being fined $100,000 by HHS because (among other things) they violated HIPAA and didn't have a Business Associate Agreement with the appointment scheduling service they used. Here is a link to the article: http://www.hhs.gov/news/press/2012pres/04/20120417a.html

When I asked the current online appointment scheduling service that I use (AppointmentQuest) if they would be willing to sign a Business Associate Agreement with me in order to comply with HIPAA rules, they said that HIPAA doesn't apply to them and that they do not sign Business Associate Agreements. Their actual reply is below:

"HIPAA regulations do not apply to AppointmentQuest scheduling services since AppointmentQuest does not perform insurance, payment or related transactions (HIPAA transactions), and does not collect any medical history from your patients. We do not advise to store disclosed electronic protected health information (ePHI) in AppointmentQuest databases. Customer contact and appointment information is kept private and shared only with you (service provider)."

Naturally, this makes me feel uneasy that the Department of Human Health Services may not agree with their opinion. I would like some clarification on whether or not I can keep using an online appointment scheduler, but I am reluctant to contact HHS directly for fear that they might come after me. Is there a way FPM could find out the answer to this question?
I'm sure it affects a lot of small practices who also use an online scheduling service and are unsure if they are putting themselves at risk.

Thank you for any assistance you can give in this area.

Here is the reply I got:

My name is Renae Moch and I am the Practice Management Strategist for the American Academy of Family Physicians (AAFP). I received your question from FPM regarding HIPAA and online scheduling services. I have done some research and came across a document that should be helpful to you in answering the questions that you have. This document can be found on the US Department of Health and Human Services website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf

I highlighted the areas in the attachment that pertain to your question. Based on this documentation, I would say that the company you are using for online appointment scheduling would be considered a "business associate." They are scheduling appointments for patients and obtaining Protected Health Information (PHI) such as their name, address, birth date and reason for being seen by a provider. They should be willing to sign a Business Associate Contract at your request. Feel free to read through this documentation and proceed as you feel is appropriate.

I sent a follow-up question:

If they refuse to sign a Business Associate Contract and I continued using their service, would I be protected from violating HIPAA if I included in my Notice of Privacy Practices a clause such as "All electronic communications including our web site, phone, internet, text messaging, fax are provided as a convenience and are considered non secure communication to be used at your discretion." That is, as long as patients are notified that these communications are not secure, and they accept this and continue to use these services, then would this be OK under HIPAA?
I understand that you may not be an attorney and therefore may not be able to answer this question, but I appreciate any thoughts you have on this.

Here is her reply:

Yes you are correct, I am not an attorney and unable to give you legal advice, but I can provide you with my thoughts on this subject. The best practice would be to use a service that understands and complies with HIPAA and will sign a Business Associate Contract. If that is not an option, then a signed contract between the patient and the provider (or practice) which outlines the risks and benefits of non-secure communications to share protected health information would be essential. Hope this helps you to make the best decision for your practice.

Seto
South Pasadena, CA