More and more people are sending us great practical questions about HIPAA. In the real world, compliance managers, healthcare professionals and business owners face lots of common problems where the answer may not be obvious. If you have a question not answered here, send it to us!
HIPAA and Invoicing
Question: We are starting a new physical therapy service with four full time PTs. As the business manager, I’m familiar with Quickbooks and would like to use it for billing patients and maintaining financial records. Is Quickbooks HIPAA compliant? Does our accounting software even need to be HIPAA compliant?
Answer: According to Intuit, the maker of Quickbooks, Quickbooks is not HIPAA compliant. Intuit states: “Currently, QuickBooks Online meets industry standards for online security, but is not compliant with the HIPAA standards for privacy. If you are a health care professional, it is not recommended that you enter “individually identifiable health information” into the QuickBooks Online program.”
Any billing or invoicing system used by a covered entity or a business associate needs to be HIPAA compliant if any protected health information (PHI) is entered on the invoice. PHI includes a name, a medical record number, an address, or any other unique individual identifier. See link in this paragraph for more information about PHI.
An internet search for HIPAA compliant accounting software reveals a number of options. Remember that a vendor like an accounting software provider is a HIPAA business associate, so you need to conduct due diligence, and enter a business associate agreement with them.
HIPAA Training
Question: What kind of training do I need to provide our staff? How often do they need training?
Answer: Your workforce needs HIPAA training when they are hired, and you should repeat their training at least once a year. All members of the workforce who handle protected health information (PHI) or see patients need two kinds of training:
- general HIPAA training about privacy, security and patients’ rights; and
- cybersecurity awareness training.
Beyond that, training needs to be tailored to the staff persons’ responsibilities so not everyone will receive identical training. The IT staff may receive more specialized training in cybersecurity practices and a physician’s assistant may receive more training about communicating with patients. Make it relevant and useful in their job.
Communicating with Friends and Family
Question: I am a floor supervisor at an assisted living center and I’m not sure whether I can share information about one of our residents with a non-family member. A resident of ours had only one person who regularly came to visit, and it was a friend, not a family member. As the resident was nearing the end of her life I wanted to share information with her friend that may have benefitted both of them: information about the resident’s condition, treatment and medications, but since the friend was not a family member and was not named in the resident’s file as an authorized person, I hesitated to speak with them because I thought it might be a HIPAA violation.
Answer: The fundamental rule is that the person in your care has the right to choose who may receive information about them. If a resident is able to answer a question, you should simply ask her whether you may talk about her condition or treatment with a particular person, whether it’s a family member or a friend. If you can get the resident’s consent in writing, that’s helpful, but it’s not absolutely necessary. Once the resident answers your question, simply document in their patient file that you asked and they answered, and record the date it occurred.
If the patient is unconscious or is otherwise unable to answer your question, HIPAA permits you to use your professional judgment to decide whether to disclose information to family and friends. There may be occasions where talking with a friend or family member is entirely appropriate, and if in your judgment the resident or patient would likely consent, you may discuss their condition with others. Be sure to keep the discussion limited to the minimum necessary for the circumstances.
Communicating with Patients
Question: May I communicate with patients using email and text messaging?
Answer: Yes, but the communication needs to be encrypted unless you obtain their consent to use unencrypted email and text.
There is a simple “safe harbor” rule that protects health care providers who want to communicate via email and text, but you must follow the steps.
The three-step safeguard for obtaining consent:
- first, a “light warning” is required – inform the patient there is some level of risk that an unencrypted text or email can be read by someone else;
- if, after the light warning, the patient still wants standard email and text messages (as almost all do) you must follow their direction;
- document the light warning and the patient’s preference in writing.
The HIPAA E-Tool® Answers All Your Questions
We have solutions to all of your HIPAA challenges. Policies, forms, training and education at your fingertips. It’s practical and easy-to-use. If you want to learn more, give us a call.