Written by Orlee Berlove, Director of Marketing at OnPage

OnPage has many answering services as clients. They are often hired by doctors’ offices to take messages after hours or during office breaks. When these answering services use OnPage or Paubox, they can send important patient messages in an encrypted and HIPAA compliant manner. Last week, however, one of our customers – let’s call him Joe – mentioned that some of the hospitals and clinics his answering service works with requested that he send text messages or emails with the names and phone numbers of patients who have called in. Despite Joe’s argument that their request was forcing him to violate HIPAA regulations, Joe’s clients were not persuaded.
You might wonder why Joe is required to comply with the requirements of HIPAA compliant messaging, since his business is an answering service, not a doctor’s office. However, since Joe’s company was hired by a hospital, it is considered a “business associate” (BA). According to HIPAA, a “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. But what happens when a BA is asked by the clinic or hospital that hires it to send plain, unencrypted messages to doctors or nurses that contain patient names, phone numbers and ailments? In this case, both the doctor’s office and the BA would be liable for a HIPAA violation. Since answering services are granted access to patient information when patients disclose medical concerns that prompt them to call, the answering services are required to follow HIPAA statutes. The HITECH Act, signed in 2009, requires HIPAA covered entities and business associates to provide notification of breaches of “unsecured protected health information”. They cannot send unencrypted emails containing PHI, nor can they send unencrypted text messages containing PHI such as a patient’s name and phone number to a doctor’s office.
There are significant reasons for the doctor’s office to be concerned about the activities of its business associate. Since answering services are business associates of a physician’s office, a number of federal obligations under the Omnibus Final Rule and other HIPAA regulations apply. There is clear potential for civil and criminal penalties if there is a violation, such as sending unencrypted emails or text messages.
Keeping all the requirements of HIPAA straight can be confusing at times, so I thought I would clarify the requirements of HIPAA through the following ten commandments:
Covered entities and the entities they work for are clearly liable if either is found to exchange patient information in an unsecured manner. However, by learning and following the ten commandments of HIPAA, both BAs and the offices they work for will be in better standing.