By REBECCA MOREHEAD
The answer is... YES! The Omnibus Final Rule of 2013 expands the definition of a business associate. In short, a business associate is a person or entity that creates, receives, maintains, or transmits Protected Health Information (PHI) for or on behalf of a covered entity. Under that definition, if your answering service sends you text messages or emails with patient names and contact information along with the symptoms or conditions they are experiencing, then it qualifies as a business associate.
How the service relays that information to the provider can itself create liability. Some issues you want to pay close attention to include:
- Does your service text messages containing PHI to the provider's or other staff member's smartphone without using a secure texting application?
- Do they communicate using unencrypted emails containing PHI?
HIPAA-compliant messaging is something your answering service should be doing to protect your patient information. In addition to secure texting or encrypted emails, the service may consider a secure web portal where providers or their staff may retrieve messages containing PHI.
Business associates must comply with the administrative, physical and technical safeguards required by the Security Rule. Confirm the following with your service:
- Do you have a completed business associate agreement with your answering service?
- Does your answering service have a signed business associate agreement on file with every software vendor it uses that has access to your PHI?
- Does your answering service have a designated HIPAA Compliance Officer with proper credentials and training?
In addition to having a HIPAA Compliance Officer, employees of the answering service must receive periodic HIPAA regulation training. The service must conduct regular risk assessments to ensure the privacy and security of protected patient information and take appropriate steps to mitigate the risks it identifies.
Many answering services are aware of their responsibilities as a business associate, but many are not. As the covered entity, it is your responsibility to ensure you are working with business associates who understand HIPAA regulations and take the appropriate steps to be compliant. Breaches that can be traced back to your answering service will result in fines to the answering service, as well as to you as the covered entity.
Is your service HIPAA compliant?
When evaluating potential answering services, here is a list of 10 questions to use in your investigation:
- Are they using any insecure methods for transmitting messages to covered entities?
- What security measures and encryption are in place for transmitting messages via text and via email?
- Do they have an assigned HIPAA Compliance Officer who has been properly trained in HIPAA Security and Privacy?
- When was the last time they conducted a HIPAA Security and Privacy Risk Assessment? When is their next assessment scheduled?
- What steps are they taking to mitigate any risks identified during their risk assessment?
- Have they ever been fined for a breach of PHI?
- Do they require their employees to undergo periodic HIPAA regulation training?
- If employees are allowed to take equipment used to transmit PHI out of the office, what safeguards are in place to prevent intentional or unintentional risks to that data?
- Do they have business associate agreements with their vendors handling PHI?
- Are they willing to sign a business associate agreement with you?
If a potential answering service cannot or is unwilling to provide you with satisfactory answers to all of these questions, then the risk is too great to do business with them. Move on and find an answering service that takes HIPAA compliance as seriously as you do.
Rebecca Morehead is a Practice Manager Strategist with over 20 years of experience. She is a certified HIPAA Security expert. She is also a certified Nutrametrix consultant working with Health Professionals in revenue generation. To learn more, please visit www.PracticeManagerSolutions.com.