If you’re planning to use an online scheduling tool such as ZocDoc, avoid potential HIPAA disasters by ensuring the vendors understand their patient privacy responsibilities. Online appointment services for patients have gained in popularity with 27% of family doctors using patient portals or “online services” for scheduling appointments in 2013, up from 6% in 2005, according to the American Academy of Family Physicians (AAFP). But you need to protect your practice by having the vendor sign a business associate agreement (BAA) to confirm their HIPAA responsibilities, per the 2013 HIPAA “mega-rule,” experts tell Part B News (PBN 9/2/13).
“Furnishing patient scheduling services under contract with the medical provider would typically create a business associate relationship and therefore require a business associate agreement,” says Rick Hindmand, attorney with McDonald Hopkins in Chicago. He adds that while some may argue that the scheduling service is working for the patient, rather than the provider, that seems to be “a risky approach.”
Jeff Mongelli, CEO of Acentec Inc. in Irvine, Calif., says look at it this way: “Let’s say Kim Kardashian makes an online appointment with a fertility doctor. If that information got into the open as a result of the scheduling company, it would be a breach of PHI [protected health information] involving Ms. Kardashian and the fertility clinic, with the scheduling company at the heart of it.”
If there’s no BAA between the scheduling company and the doctor, then the doctor and the scheduling company are “on the hook,” Mongelli says. With a BAA, the doctor has theoretical insulation from the Office for Civil Rights (OCR). OCR already has gone after a practice for a similar situation, says Jennifer Searfoss, president of SCG Health in Ashburn, Va. She points to a 2012 decision by the agency in which Phoenix Cardiac Surgery in Arizona had to pay $100,000 after OCR found that the practice “was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible,” according to OCR.
“It’s PHI if it includes information about the type of appointment they are having, which is what most systems do,” says Searfoss. Also, the data is stored “at rest” — that is, in the scheduling company’s possession, whether it’s being sent anywhere or not — which makes them a business associate, she says.
Part B News asked large companies offering patient appointment scheduling tools about their policy on BAAs. Kenan Akbas, co-founder of health IT company Unified Practice, signs BAAs with scheduling clients. “It’s not just about the data that is shared with the scheduling software by the patient,” he says, “but also what the scheduling software then does with the data. Does it sync with other calendars, for example?” A spokesman for EHR vendor Practice Fusion confirms that the company completes BAAs with clients using its scheduling tool, Patient Fusion. ZocDoc did not respond to repeated inquiries.
2 more tips for online scheduling

• Check that vendors have HIPAA privacy and security policies, says Amy Fehn, health law attorney with Fehn, Robichaud & Colagiovanni, PLLC, Troy, Mich. You can start by reviewing their privacy policies, which should be available online and may include specific references to HIPAA and PHI, and follow up with a discussion of how they handle patient data.
• Make sure that vendors understand the minimum necessary rule because that can be an issue with scheduling, Fehn says. That rule, she explains, states that uses and disclosures of PHI should be made only to the extent necessary to achieve the intended purpose. “In other words, they should collect only the amount of patient information as necessary to schedule the appointment,” she explains. “Similarly, confirmation communications going back to the patient [from the doctor] should be limited to the information necessary to confirm or remind them of the appointment.” Ideally, Fehn prefers that practices use secure messaging to patients to confirm appointments to make sure no PHI gets loose (PBN 1/13/14).

— Roy Edroso (redroso@decisionhealth.com)