Written by Orlee Berlove, Director of Marketing at OnPage
OnPage has many answering services as clients.
They are often hired by doctors' offices to take messages after hours or during office breaks. When these answering services use OnPage or Paubox, they can send important patient messages in an encrypted, HIPAA-compliant manner.
Last week however, one of our customers – let’s call him Joe – mentioned that some of the hospitals and clinics his answering service works with requested that he send text messages or emails with the names and phone numbers of patients who have called in.
Despite Joe’s argument that their request was forcing him to violate HIPAA regulations, Joe’s clients were not persuaded.
HIPAA compliance and the Business Associate
You might wonder why Joe is required to comply with the exigencies of HIPAA-compliant messaging, since his business is an answering service, not a doctor's office. However, because Joe's company was hired by a hospital, it is considered a "business associate" (BA).
According to HIPAA, a “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
But what happens when a BA is asked by the clinic or hospital that hired it to send plain, unencrypted messages to doctors or nurses that contain patient names, phone numbers and ailments?
In this case, both the doctor's office and the BA would be liable for a HIPAA violation. Since answering services are granted access to patient information when patients disclose the medical concerns that prompted them to call, the answering services are required to follow HIPAA statutes.
The HITECH Act, signed in 2009, requires HIPAA covered entities and business associates to provide notification of breaches of "unsecured protected health information". They cannot send unencrypted emails containing PHI, nor can they send unencrypted text messages containing PHI such as a patient's name and phone number to a doctor's office.
Keeping it legal
There are significant reasons for the doctor's office to be concerned about the activities of its business associate. Since answering services are business associates of a physician's office, a number of federal obligations under the Omnibus Final Rule and other HIPAA regulations apply. There is clear potential for civil and criminal penalties if there is a violation, such as sending unencrypted emails or text messages.
Keeping all the requirements of HIPAA straight can be confusing at times, so I thought I would clarify the requirements of HIPAA through the following 10 commandments:
- In exchanging patient information, you will remember HIPAA and maintain the importance of protecting your patients’ privacy
- Thou shall not put a patient’s name in communications that are not HIPAA compliant
- Thou shall not put a patient’s phone number in communications that are not HIPAA compliant
- Thou shall not exchange patient information through emails which are not HIPAA compliant
- Thou shall not exchange patient information through text messages which are not HIPAA compliant
- Thou shall only use encrypted forms of communication for exchanging patient information
- Nor shall you ask a business associate to send unencrypted patient information on your behalf
- Thou will educate your employees on the requirements of HIPAA regulations and what HIPAA requires of them
- Thou will ask questions if you have concerns or are unclear on implementation
- Thou shall stay abreast of HIPAA updates and requirements
Keep it clean
Covered entities and the business associates that work for them are clearly liable if either is found to exchange patient information in an unsecured manner. However, by learning and following the ten commandments of HIPAA, both BAs and the offices they work for will be in better standing.