by Melanie
(Oregon)
I am going to start a home based billing service and want to make sure everything is Hipaa Compliant. I know it has to be a separate office that only I have access and all the other precautions I would use in the Clinic setting. I would like to find more information to make sure I cover everything in my business associate agreement. Where can I get all the info I need to make sure my email is compliant, my PC is compliant, my web connection is compliant? HIPAA compliant officer information if it is just me. I can’t seem to find the resources I need to get all my ducks in a row.
Response:
Honestly everyone seems to have a different interpretation of the HIPAA privacy and security requirements and what constitutes reasonable attempts to be compliant. I really haven’t seen a good definitive guide for medical office personnel regarding HIPAA practices – there is one on Amazon but I haven’t heard any review of it yet. I think some of the HIPAA rules – especially the security rule contains so much technical stuff that the average providers and their business associates are at a loss to understand it.
I understand the intent of HIPAA is to protect patient privacy. So our business practices should be geared towards that. A lot of HIPAA is also good business practices – such as the requirement to backup data systems off site. And having processes in place for the protection of patient information is also good defence for civil litigation.
I think as long as we are making a reasonable and good faith effort – and documenting those efforts – than the home based billing service is fine. The HIPAA act uses the word “reasonable” several times. I have never heard of any type of “HIPAA Police” from the Department of Health & Human Services that go around inspecting billing services and providers offices for compliance. Its only if someone files a complaint that any investigation would be conducted.
The HIPAA Survival Guide is a good resource for explaining a lot of the requirements of HIPAA and boiling them down so the rest of us can understand them.
Walk around your office and look for any potential privacy and security risks or violations. Look for patient information that is in full view of any visitors. Is there anything that can be seen through a window?
It’s a good idea to have written policies of your services privacy practices like removing files from the office, emailing or faxing patient information, how to handle complaints from patients, etc. Unless you have employees of course you would be the Privacy Officer. Some things to consider when developing policies:
- Location of the fax machine. Is it located where only those working in your office can access it? What happens to faxes when unattended (is the office locked?).
- When sending patient information via email, consider using encryption in case the email goes to the wrong recipient they cannot view it.
- Do you have a cover sheet with a confidentiality statement which explains the fax contains personal medical information and if it is received by anyone other than the intended recipient it should be destroyed and the sender notified.
- If you have anyone else who accesses your office when you aren’t there can they access patient information? If so they should sign a confidentiality statement. This could be a landlord, IT/Computer technician, cleaning crew, etc. When you have them sign a confidentiality agreement you are making a reasonable attempt to protect patient information. If these people violate the agreement, you are not held responsible.
- Phone conversations where patient information is discussed should not be in a setting that can be overheard. You could be on the phone with the insurance company discussing claim information – treatments, diagnosis, medication, address, etc.
- When files containing patient information are removed from the office there should be a log showing what information was removed, who removed it, date removed and returned, etc. These records should be carried in a case marked “Confidential Medical Records” or similar markings. Again another reasonable measure taken to protect this information if something were to happen in transit.
- Computer monitors should be located so if you have visitors to your office, they cannot view information displayed. There are also screen covers that limit the field of view for this type of situation.
- If someone requests patient information, the patient’s written consent must be provided prior to release.
- Computers and servers running the practice management software should have STRONG passwords both to log onto the machine and to log into the application. The software should also be configured to log who accessed the application, what they did, and when – most of them already have this capability.
I hope this helps some. The best advice I can offer is to do everything you can to reasonably protect patient information that is in your care.