AMA letter to CMS: Repeal ICD-10

Written by Jill Raykovicz

On Wednesday, the American Medical Association wrote a letter to the US Department of Health and Human Services calling for a repeal of the ICD-10 implementation, slated to be required of all covered entities by October 1st, 2014. AMA Executive Vice President and CEO Dr. James L. Madara reasoned that ICD-10 “is not expected to improve the care physicians provide their patients and, in fact, could disrupt efforts to transition to new delivery models.”

Financial Burdens and Vendor Readiness

Dr. Madara voiced particular concern for smaller practices, where some estimates of the ICD-10 price tag could reach over $225,000. This, he writes, merely compounds other financial hardships such as the costs to comply with Stage 2 Meaningful Use, overcoming any impending ePrescribe and PQRS penalties, and mitigating the 2 percent across-the-board sequestration cuts now extended into 2023.

The letter released the results of a report by Nachimson Advisors, which revealed that fewer than half (47 percent) of physicians say their practice management system vendor plans on delivering an ICD-10 software upgrade. Of those who are expecting an upgrade, 26 percent expect to receive it before April, 24 percent before July, 13 percent before October, and 1 percent after the October 1st deadline. These timelines, the AMA argues, are insufficient to perform the testing needed to ensure the software works as intended.

Dr. Madara also implored Medicare to conduct true end-to-end testing with at least 100 different physician practices of varying sizes and specialties. Dr. Madara writes, “We believe end-to-end testing is essential for ensuring the health industry will not suffer massive disruptions in claims and payment processing and ultimately risk physicians’ ability to care for their patients.”

Advance Payment

Dr. Madara also appeals for an “Advance Payment” policy for the more serious cases in which non-payment of services would jeopardize a provider’s ability to treat Medicare patients. This would apply to services with dates of service after October 1st, 2014 that have been submitted but not yet paid, where the provider has already tried unsuccessfully to recoup payment from its contractor but is still weeks or months away from receiving reimbursement. Dr. Madara reminds CMS that a similar policy went into effect after the implementation of the National Provider Identifier (NPI) in 2008, and proposes the following parameters under which advance payment would be afforded to providers:

1. When a physician has submitted claims but is having problems getting them paid because the claims cannot reach the contractor due to problems on the contractor’s end;
2. When a physician has not been paid for at least 90 days;
3. When they attest that at least 25 percent of their patients are Medicare; and
4. When they attest that at least 25 percent of their reimbursements are from Medicare.

Two-Year Implementation Grace Period

To address the learning curve physicians and coders will experience as they gain a better understanding of the specificity required for ICD-10, Dr. Madara proposes a two-year “implementation period” during which Medicare would not be allowed to deny payment based on the specificity of the ICD-10 code and would instead provide feedback to the physician on any coding concerns. Medicare would also agree not to recoup payment due to lack of ICD-10 specificity during this grace period.

While the AMA confirms its commitment to the successful transition to new payment and delivery models, and to the adoption of technology to promote care coordination, the letter concludes that ICD-10 is “unlikely to improve the care physicians provide to their patients and takes valuable resources away from implementing delivery reforms and health information technology.”

42,000 Impacted by Insurance Hard Drive Breach

A Wisconsin health insurance group has notified nearly 42,000 of its members that their protected health information may have been compromised following a HIPAA privacy breach.

Back in December, Unity Health Plans Insurance Corporation, which serves some 140,000 members, discovered that an unencrypted portable computer hard drive containing the health records of 41,437 individuals was missing from the University of Wisconsin-Madison School of Pharmacy. Officials say the school had this information as part of a benefits program evaluation.

Member names, dates of birth, name of prescription drugs and dates of service were contained on the device.

“(We’re) reviewing all our policies and trying to reeducate employees,” Jennifer Woomer Dinehart, spokesperson for Unity Health, told Healthcare IT News. Woomer Dinehart would not confirm or clarify what the company-wide encryption policy was.

“We are sorry this happened and want to provide pertinent information concerning the occurrence along with the steps we are taking to minimize any potential impact,” read a Jan. 30 company notice.

To date, out of the more than 80,000 HIPAA breach cases OCR has received since 2003, only 17 have resulted in fines.

Just this past December, the five-hospital Riverside Health System in southeast Virginia announced that the PHI of nearly 1,000 patients had been compromised in a privacy breach that continued for four years. From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. The breach wasn’t discovered until Nov. 1 following a random company audit.


Skype With Patients? HIPAA Says “No Go”

An Oklahoma medical board sanction against Thomas Trow, MD, sparked concern over the practices of telemedicine and telepsychiatry. Using Skype, Trow conducted online video appointments and prescribed controlled substances to a patient who ultimately succumbed to an overdose. Trow never saw the patient in person before prescribing the drugs. As a result, the Oklahoma medical board published a ruling on January 16 of this year, stating that for telemedicine, “Technology must be HIPAA compliant.”

With growing excitement, doctors and patients are “seeing” each other online through a range of video chat technology platforms. In fact, healthcare innovation like telemedicine is vital to the changing landscape of patient demands and government-driven insurance. For many, the Oklahoma telemedicine ruling brings welcome clarification and an opportunity to educate providers about this new way of practicing HIPAA-compliant telemedicine.

“The last thing the U.S. healthcare system needs is to abandon the idea of telemedicine,” said Daniel Gilbert, president and CEO of CloudVisit Telemedicine. “The technology has tremendously positive implications for providers and patients. To lose out because of one platform — a platform that was never designed as a medical tool — would be a real detriment.”

Since the Oklahoma ruling does not specifically cite any brand names, many physicians are left wondering, “Is Skype HIPAA compliant?” Skype’s privacy policy simply states that it “will take appropriate organizational and technical measures to protect the personal data…”, and the Business Associate Agreement (BAA) offered by its owner, Microsoft Corp., explicitly omits Skype. To better understand Skype’s security, one must turn to the Health Insurance Portability and Accountability Act (HIPAA).

  • Telemedicine is a HIPAA-compliant method for patient appointments
  • Online video appointments must be conducted via a HIPAA-compliant telemedicine platform
  • Business Associate Agreement (BAA) must exist between the healthcare provider and the company responsible for the telemedicine technology
  • The BAA must guarantee the HIPAA compliance of all measures for security practices and data encryption
  • Providers must obtain informed patient consent prior to conducting online video appointments
  • In the absence of a BAA and informed consent, Skype is not HIPAA compliant

“It’s important to keep in mind that Microsoft never intended Skype to be a medical tool,” reminds Gilbert. “Beyond significant HIPAA issues, Skype has many operational shortcomings. CloudVisit provides tools for scheduling and billing, plus treatment notes and more. Skype has none of these features.”

In fact, a search of the word “telemedicine” on the Skype website comes up empty. They do not claim to be HIPAA compliant, nor do they position themselves as a resource for the medical community.

As stated, healthcare practices and patients have a lot to gain from online video appointments. The right technology can be highly effective and appropriate for follow-up care, routine appointments, and mental health consultations once a provider-patient relationship is established in person.

CloudVisit Telemedicine provides a HIPAA-compliant telemedicine and telepsychiatry platform for scheduling, conducting, tracking, and billing online video appointments with patients. CloudVisit enters into a BAA with every client.


Coming to a Medical Practice Near You: HIPAA and Hi-Tech Audits

On December 26, 2013, the U.S. Health and Human Services Office of Civil Rights (“OCR”) announced its first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Adult & Pediatric Dermatology, P.C., (“the Practice”) of Concord, Massachusetts agreed to settle potential violations with a $150,000 penalty and corrective action plan.

In 2011, the Practice notified OCR that an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of approximately 2,200 individuals had been stolen from a staff member’s vehicle. OCR launched an investigation and found that the Practice had failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to confidential ePHI as part of its security management process. Further, the Practice did not fully comply with the Breach Notification Rule’s requirements to have written policies and procedures in place and to train workforce members.

The Final Omnibus Rule has been discussed at length on this blog, and compliance was mandated by September 23, 2013. Providers should already have policies and procedures implemented that correspond with the Final Rule, reflect current technology, and address ePHI. The OCR’s December settlement, however, serves as a startling reminder that providers of every size are being audited. No entity is too small, and medical practitioners are gravely mistaken if they think they are off OCR’s radar.

The importance of HIPAA risk analysis cannot be stressed enough. The Practice failed to have a risk analysis and paid the costly consequences. Not only is an analysis required as the first step in HIPAA Security Rule compliance, but it is also a Core Measure of Stage 1 and 2 “Meaningful Use.”

The Practice’s troubles began over a lost thumb drive. Does your practice use thumb drives? How about laptops? Mobile phones? Have you accounted for the use and misuse of these devices in your HIPAA risk analysis?

This 5-Minute Video Could Save Your Practice

Almost every business uses a multi-function copy machine that copies, scans, prints and possibly faxes information. What most people don’t realize is that many of these machines have hard drives that store all the information the machine has access to. Think of these machines as computers that keep a digital record of every copy they make, every document they scan and every page they print.

Copying patient information

If your organization copies insurance explanations of benefits (EOBs) or patient insurance cards, or uses a multi-function printer to print letters to patients, all of that information could be sitting on the hard drive of your copier. If this information is not properly destroyed before you return the machine to a leasing company, recycle it, sell it or throw it out, all of that patient information could cause a HIPAA data breach.

Watch this video!

The below video from CBS news gives valuable information about the risks of copy machines.

Note: Affinity Health Plan, which is featured in the video, received a $1,215,780 HIPAA fine (that’s right… $1.2 MILLION) because of one copy machine that contained 344,579 records with protected health information (PHI).

[youtube id="TCKr5WgVVN8" width="600" height="350"]

A Cloud Based EMR Does Not A Compliant Entity Make

Recently, a question came up involving entities that said they are perfectly fine with HIPAA compliance because they use a cloud based EMR (or EHR) that takes care of all their HIPAA compliance for them.

A discussion ensued, ending with the question: This can’t really be true, can it?

I suppose someone could dream up some condition and try to argue it is true. I, however, tend to follow the statistics. The chances any group is able to have all the HIPAA compliance requirements handled by their cloud based software provider are so very tiny I will say it cannot actually be true. Yes, some vendors may tell you just that, but the term snake oil salesman comes to mind…

Here is your check list of things your vendor must provide to take care of all your compliance for you.  If you actually do have a vendor with all this covered and documented, please let me know.  I am eager to get to know them and work with them.

Does your vendor…

  • Provide a complete and thorough Risk Analysis looking at everything you store in your office that could include PHI?
  • Know every record that comes in and out of your office and how it is managed?
  • Configure your network security and firewall?
  • Monitor your computer systems to confirm they have all their security updates and an active antivirus/malware system?
  • Provide documentation and reports that compliance activity is taking place, and review the results?
  • Confirm data you exchange with every single business associate you work with is secured and protected properly?
  • Confirm your Business Associate Agreements are properly in place with every entity with which you have a BA relationship?
  • Perform due diligence with all your Business Associates?
  • Update your Notice of Privacy Practices (NPP) to make sure all cases your office should cover are included properly?
  • Confirm you post your updated NPP properly to meet the new requirements?
  • Create a complete disaster recovery and business continuity plan that covers all aspects of keeping your operation functional?
  • Complete a physical site security checklist and determine that all your physical safeguards are adequate and properly documented?
  • Review your administrative safeguards to confirm they are adequate and meet the required and addressable elements properly, with documentation of same?
  • Create and monitor a plan for disposal of all media and equipment that may contain PHI – like printers and copiers?
  • Create and document a breach response plan?
  • Create, monitor and execute a training plan for every member of your staff regarding HIPAA terms, requirements, acceptable uses and disclosures, how to identify a breach, what your own internal policies and procedures require for HIPAA and more?

Should I go on, because there is more?  For now, I will just leave it at that.

Don’t get me wrong. There are a lot of HIPAA things, in the Security Rule especially, that you can outsource to your cloud software provider. But even those things don’t relieve you of responsibility. It is up to you to make sure you document completely and audit regularly to confirm that functions like backup and recovery of the data they maintain, up-time guarantees, encryption at rest and in transit, password and user access controls, etc. are actually working as required.

The wall of shame is full of CEs and BAs that thought someone else was taking care of their compliance.  You can’t just say someone else is doing it for me.  If you do, you probably need more training before making your final HIPAA decisions and, of course, detailed documentation of those decisions.   It really takes time and effort on every entity’s part to create their culture of compliance that is really required to make an honest stab at HIPAA compliance in your office.

All this is really a question any CE or BA should be asking themselves no matter who their vendor may be.  Do we have all these things covered?  If you don’t then you definitely need to consider getting some help.  There is a lot to do and you can’t just “mail in” your compliance requirements.


Re-posted with permission. Original post located here.

What is Reasonable and Appropriate for Your Specific Environment

These days we deal with resistance and denial towards HIPAA compliance. There are many reasons given for incomplete or ineffective compliance programs. We have heard everything from long rambling rants against the government, claims of not applicable to me and plenty of “we don’t have the _____” (fill in: time, money, resources) to explain away the compliance gaps.

There is, however, one case that concerns me when we find it. A practice or business is given a standard list of HIPAA Security implementation recommendations. The problem is that the list of recommendations doesn’t always include a review of what is reasonable and appropriate for the specific environment. The result is a group frozen by fear or sticker shock, or, worse, paying for services and equipment that may be overkill for them. The Security Rule explains in the General Rules section just what should be considered in determining what is reasonable and appropriate for a specific environment (emphasis added):

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

  • Its size, complexity, and capabilities,
  • Its technical, hardware, and software infrastructure,
  • The costs of security measures, and
  • The likelihood and possible impact of potential risks to e-PHI.

No, this doesn’t mean you can decide you are so small and the rules are too complex that you need not follow them at all. That is definitely not what reasonable and appropriate means in this context. What it does mean is that you can determine how to implement the standards, both required and addressable, but you must apply these considerations to your implementation plans.

Our approach is to always define the environment before defining the plan. The Security Risk Analysis is first in the list of requirements for a reason. But keep in mind that even the tasks performed in the Risk Analysis should be confirmed as reasonable and appropriate for your specific environment.


Reposted with permission from:

Microsoft Aims To Take On iPad In Health Care


When internist Nitin Patel called up Microsoft in May to rave about its Surface Pro tablet, Dennis Schmuland, the company’s head of health strategy for U.S. Health & Life Sciences, was taken aback. “I was surprised, because he was so excited,” says Schmuland. “We didn’t solicit this.”

Microsoft is elated by Patel’s call. Physicians’ use of tablets is widespread: 72% according to Manhattan Research, and more than half of the nearly 3,000 physicians it surveyed used the Apple iPad in the first quarter of 2013. Microsoft released Surface RT last year, and Surface Pro this past February. According to IDC, shipments of Surface amounted to 900,000 units in this year’s first quarter. It has a long way to go to catch up with the iPad, which commands nearly 40% of the tablet market. “We’re not getting any requests from doctors to build on it [Surface],” says Daniel Kivatinos, a founder of drchrono, which provides an electronic health record specifically for the iPad. Also, a 128 GB Surface Pro retails for $999, versus $799 for an iPad.

Patel, who doubles as geek-in-chief at Palmetto Health, one of the largest hospital systems in South Carolina, tried the iPad. He disliked the wait to log into a patient’s chart, the small screen, and the lack of a keyboard, among other things. On a Friday afternoon, he drove over to a Best Buy in Columbia and bought a Surface Pro, keeping the receipt. He didn’t return it. Patel was immediately impressed by its speed in accessing a patient’s chart, and its compatibility with the Cerner electronic health record, which Palmetto uses throughout its hospitals and clinics. Patel says he now sees two more patients per day as a result.

William Jennings, Palmetto’s medical informatics officer, was initially skeptical, but Surface won over other doctors. “We’re providing an environment where physicians pick what they want. We want technology to work for us, not the other way around,” says Jennings. Palmetto just started a three- to six-month pilot with 30 physicians, including obstetricians and surgeons, who will use Surface on loan from Microsoft in their everyday practice. The goal is to measure patient and physician satisfaction, as well as the impact on productivity, which typically drops when medical providers go digital.

“What Palmetto has proven is that you can run Windows 8 or 7, and have the full features of an electronic health record,” says Schmuland, rather than the lighter version usually offered on an iPad. If so, that would address major complaints by untethering doctors from their desktops and allowing them to interact more freely with their patients. He says Microsoft is talking to several electronic health record vendors, including Cerner, Epic, and Allscripts, about developing applications.

Schmuland doesn’t know how many doctors are using Surface, but he’s starting to hear more anecdotes, such as Palmetto’s. “This is an early wave indicator that Windows 8 is resonating with the industry,” he says.

Microsoft sent a crew to Columbia, South Carolina, to film doctors at Palmetto using Surface Pro. Check it out.


Originally published at:

Do Your BA Due Diligence

Long gone are the days when you could pull down a template Business Associate Agreement and everyone just signed it. BAs may not understand the extent of their obligations under HIPAA. You need to confirm your agreements and check what they are really doing to comply.

I really don’t recommend blindly using a template agreement to anyone.  Make sure you know what the agreement is committing for both parties.  There are optional things in those templates that can cause problems for some businesses.  Many folks just rolled them all in there and never looked at the implications closely.

Once you have the agreement worked out, get at least a general understanding of what each BA is doing for their own compliance including BAs they use to provide services.  We use a due diligence checklist to help with the process.  Here are a few things we have learned while doing them.

IT Support Companies. If you are trying to manage HIPAA Security requirements without some sort of IT company involved (or your own IT staff), you probably aren’t doing everything that is required. Someone has to understand firewall logs, encryption key management, network scanning, etc. BUT, make sure the one you do use is HIPAA compliant. If they have admin access to all your servers, they have access to everything; and they can’t do their job well without that level of access.

We find that most IT companies have the security part of the rules covered, maybe not documented fully but mostly in place.  The real problem comes when you ask about anything outside the Security Rule.  They should have a training program, understand minimum uses and disclosure requirements, breach notification policies and procedures and a few more things that have nothing to do with the Security Rule.  Make sure they understand there is more to HIPAA than the Security Rule.

Collections Services. Collections services vary widely in the data they gather. Many of these services may not specialize in medical but make it a segment of their business. Be very thorough with any service that doesn’t offer specific secure connections or instructions for data exchange. When checking these guys you have to ask about Security first. You may never even get to the things outside of the security requirements before you know you have a problem. Make sure to determine how much medical work they are doing first, then ask about the rest of compliance, especially how they handle encryption at all stages of the process.

Accounting/CPAs. Sometimes these are also collection or billing services, which may make things easier. Otherwise, think through what you do with them and make sure you understand exactly what they are doing with the patient information they may be privy to for their services. In cases where they are simply doing accounting, they may only see patient data when dealing with large balance accounts or writing refund checks. It is still PHI. Make sure they have a plan to protect PHI. Also, make sure they train employees on HIPAA, even if they think they are discreet enough already because they have to be discreet for every client.

Billing Services. These guys deal in high volumes of data moving through their offices all the time. They usually have a decent understanding of the uses and disclosure rules but may be lax in security within their office. Also, in most cases they have a lot of downline BAs and subcontractors just in processing services. Make sure they have security plans in place and understand clearly what their BA and subcontractor obligations include.

Transcription. A wide array of situations arise when we ask about transcription. You need to be sure you know if they are signing your BAA but using subcontractors that may not be signing one with them. This area can get very messy just working out who is storing data and who is accessing data. Review every part of their set up to be sure they are covering their bases. Make sure you check a lot of details with this BA, both for a service as well as for individual contractors.

Many of the compliance management tools include BA management features. These are very valuable for helping you keep up with all this information and documentation. It is hard enough to keep up with our own stuff, but you have to get some info about all their stuff too. It is important, though.

By checking on your BAs to make sure they truly understand their obligations, you better protect your patients and your business from compliance problems that aren’t under your roof.  If you have a BA that you know is a BA but they don’t want to become compliant, you have very specific steps you need to follow in order to protect your compliance status.

  • Take reasonable steps to cure the problem with the BA and get compliance in line.
  • If a BA still does not comply, you must terminate the business contract on HIPAA compliance grounds.
  • If there is no other entity that can provide the service the non-compliant BA provides, you must report them to HHS.

One more thing… BA management isn’t just for CEs anymore. All you BAs need to follow the same process for your BAs.

Original article authored by Donna Grindle, used here by permission.

How Do You Know Who is a HIPAA Business Associate?

One of the first processes we go through for HIPAA Compliance is to identify all Business Associates (BAs). That has to be done for CEs and BAs alike. The Final Rule has changed the status and viewpoints for many CEs and BAs. We have addressed a lot of questions on the topic lately. Now seemed like a good time to go through some of the examples and tips we have discussed with a variety of clients.

The new rule makes it clear. Signing an agreement doesn’t make you a BA; doing work that gives you access to PHI makes you a BA. People have claimed exemptions for various reasons for years, and that can’t be done any longer. There are many BAs struggling with the process right now. Last week, a BA responded to a readiness survey from one of the CEs in our compliance program with a single question: “Do we have to fill this out?” I am certain that business qualifies as a BA, and they obviously have no idea what is going on. Checking on your BAs should be a top priority based on what we are seeing and hearing.

A great way to make sure you have all BAs on a list is to use your accounts payable as well as the 1099s you generated. Take a minute to think about every one of them, because some may need attention for HIPAA reasons other than being a BA. We expect at least 5 or 6 BAs for most groups we work with on compliance. Depending on their structure, size and activities there can be many more. Small CEs and BAs have a different environment than large entities. It is worth going through the whole list.

Here is a list of similar businesses you may find on your AP/1099 list.

  1. Scrubs That Are Best – Scrubs Service – We will call them STAB
  2. Clean and Pretty – Cleaning Service – CaP
  3. People Ask You, Inc – Collections Service – PAY
  4. Patterson, Salvatori, Bitterman and Enis – Attorneys – PSBE
  5. Zimmerman and Pierce – Heating and Air Service – ZaP
  6. Melissa Odum-Madison – Contracted bookkeeper – MOM
  7. Shred, Haul, Install and Track – Document management – We will just call them the shredding company
  8. Hippert, Ikemoto, Paine, Abruzzo and Alvarez – CPA Firm – HIPAA
  9. Advanced Concepts for Your Information Technology – IT support – What everyone calls them: the computer guy
  10. Medical Equipment Devices – Provide medical devices for tests – MED

Now, let’s go through the list and discuss how they may be classified and evaluated.

1- STAB only supplies scrubs for the office, so that shouldn’t be a big deal and no HIPAA is involved, right? But in our conversation about BAs we learned that the STAB delivery staff has keys to the back door to drop off the clean scrubs and pick up the dirty ones each week. That leads to more questions and decisions that must be made about your physical access controls. While they aren’t a BA for the work they do, they have access that does involve HIPAA regulations and may have been missed without this exercise. Don’t put them on your BA list, but put them on your “gotta deal with that one” list.

2- CaP only comes in to clean, so they should be fine. We have had them for years and it is a family business. No HIPAA problems, right? That depends. Do you lock up all your charts and computers every night? Do they only clean when someone is at the office who watches over their work? In March, the Atlanta Journal reported a case of identity theft that involved office cleaning companies. People would work for a cleaning company for just a week, filling in for someone, and stick a USB device in a couple of computers the first night, then pick it up the last night of their temp job. The whole time it is logging keystrokes on each computer. They end up with all the information typed on that computer for the week. Personally, I find it hard to give cleaning companies the benefit of the doubt in offices any longer. I think they need to be BAs to be cleaning offices for CEs and BAs now. There are some cases where they aren’t, but it requires laying out very specific guidelines on how the service will be managed in your office. Most small businesses don’t have that ability.

3- PAY gets a list of patients and all their contact information in order to do the collections. I have heard some collection companies claim they don’t get treatment information, so they aren’t BAs. What do you give them to contact your patients? To do your collections they know the patients saw your practice, and they have to have some reference, like date of service maybe. Then you have to give the date of birth, address, phone. Well, you see what I mean. I recommend you treat them as a BA or get a HIPAA attorney involved for an opinion.

4- PSBE handles malpractice claims, among other duties, for your practice.  There are plenty of references pointing out that they are BAs.  Don’t be surprised if they aren’t eager to admit it, though.  Denials aren’t unheard of, but they should be less likely under the new rules.

5- ZaP doesn’t need access to any PHI in order to do their job for you.  But, just as with STAB, the discussion does bring up another issue.  When they come in to work on things in your office, does anyone notice what they are doing or where they are while they are doing it?  Incidental disclosures may happen through the vents they are working on, but what about the story of the USB drive and the cleaning crew?  Should you really just let them roam around the office without a thought?  Add another one to the “gotta deal with that one” list.

6- Good ol’ MOM comes in and helps do the bookkeeping.  She works for us on a 1099 basis, but only for us and no other practices or businesses.  Part of the bookkeeping work does make it necessary for her to have access to PHI, so what do we do?  Is MOM a BA?  Oh no!  That will just not work – what are we going to do?  Who is going to tell Dr. Madison that MOM is a BA?  Wait, calm down.  No one needs to upset MOM or Dr. Madison.  A 1099 does not make anyone a BA.  In this case, MOM is a member of your workforce under HIPAA definitions.  Include her in the same training and rules you use for all your other employees.  Add it to your “gotta deal with that one” list to make sure she is included in all the training programs.

7- The shredding company.  We have them covered: they know they are a BA and we have a BAA with them.  But we still need to check the status of the BAA and update it with the latest requirements.  They also need to provide some assurance that they actually are following compliance requirements.  Another thing, though.  As you were pointing out your shredding bins, they are just large garbage containers with a lid on them.  There are no locks or anything.  Anyone can open them up and take things out at will.  They sit off out of the way, so no one notices them.  When you contact your shredding company you should probably ask for a more secure container, one that isn’t likely to spill documents on the street or let anyone grab a handful of them.

8- HIPAA knows they have to deal with HIPAA.  It is in their name!  They write refund checks and have all the details of each patient on hand to account for the refund checks.  BA.

9- “The computer guy” is what everyone calls IT companies in their office.  We are used to it.  We are also used to having access to everything.  There are some “computer guys” who make a case for not being a BA because they never look at the patient data.  Having access to everything means access to everything, including ePHI.  You really must have an IT company that is a BA and understands the HIPAA Security Rule requirements.  They have to help you implement, monitor, and manage your compliance.  BA, big time, because you need them to be one unless you have your own in-house IT skills to manage it.

10- MED is like most device companies trying to figure out exactly how they will handle HIPAA.  They have to do it.  How much data those devices hold now is being discussed all over the place.  They should be more prepared than any of the others on this list for your BA readiness survey.

Hopefully, this helps answer some questions concerning BAs for all those involved.  It may open up more questions, but at least we are talking about it differently than before.

Reposted with permission from