Outsourcing certain practice operations is nothing new. Remote billing services have been around for a long time. Novel companies are offering programs where remote individuals, typically outside the US borders, can assist with a variety of practice operations – scheduling, insurance verification, and even live medical records scribing. This is another example of technology moving forward.
In this case, technology options can create issues with compliance with other laws – notably HIPAA. In most cases, these remote individuals have access to and are managing patient’s protected health care information (PHI). This is legal, but only under the regulations imposed by HIPAA. PCS, in consultation with our board-certified HIPAA counsel, recommends you check off the following before entering into a remote relationship, whether that relationship is inside or outside the US.
- Ensure that the remote workers have training and experience in the tasks you are asking them to be involved with.
- Ensure that the remote individuals are knowledgeable of HIPAA laws.
- Ensure that the remote worker’s technology (computers, software, routers, virus, and malware protection) is protected.
- Ensure that all communication channels are secure. HIPAA has made it clear the only acceptable security in patient data transmission is based on encryption.
- Most importantly, ensure that you have a business associate agreement with the appropriate entity involved in the remote process.
Item #5 is the area of concern we have encountered. Some virtual companies state they are not a business associate as they are not involved in managing patient data, instead stating the virtual assistant is the proper business associate. Legal counsel has stated this may be problematic if the virtual company is involved in the process of data exchange and voices concern if the virtual company is “endorsing” and even paying the virtual assistant but them claiming no interaction with the virtual assistant or liability for their actions. In most cases, it appears the virtual COMPANY would be considered the business associate and the virtual assistant a sub-contractor and the responsibility of the virtual company. We have also seen situations where the virtual company agrees to sign a business associate agreement while the contract for services states they are not a business associate and not liable under HIPAA laws, a potentially problematic contradiction.
Bottom line. Outsourcing some of your workforce responsibilities can be very helpful and embracing new technology is great. Read these agreements very carefully – legal counsel is a very good recommendation. With the sophistication of cybercriminals, breaches involving remote work are inevitable. Make sure you are protected.