Transcript – Episode 416: What You Need to Know and Do Under HIPAA if Your Practice Uses an Outside Biller
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech. This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance, all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 416. What You Need to Know and Do Under HIPAA if Your Practice Uses an Outside Biller.
Liath Dalton
This is a really important topic. And one that, like a lot of our podcast episodes, got precipitated by some of the great questions that we get asked in our Group Practice Office Hours, which is our ongoing direct support and consultation service for group practice leaders. But it’s also kind of precipitated by the fact that issues with how things are set up with outside billing services are one of the primary areas where we see HIPAA violations occurring, and a sort of threat landscape scenario that is really inviting a HIPAA breach.
Evan Dumas
Uh huh.
Liath Dalton
So we’re like, let’s talk about this and make sure you kind of get the basic outline of what the considerations are, and how you can be safeguarding your practice and your clients’ info.
Evan Dumas
Mhm.
Liath Dalton
So without any further ado, let’s dive right into the topic. Which is one of the questions that we often get, and maybe it seems so basic that it’s silly that we’re talking about it, but it isn’t actually silly.
Evan Dumas
Mhm.
Liath Dalton
Because you also may find that the answers that various billing services have to it, don’t always have the soundest logic –
Evan Dumas
No.
Liath Dalton
but maybe sound reasonable. Or they’ll say, “Oh, payment operations, you don’t need a BAA with me.” And yes, I just belied what that kind of super basic question is, that we often get when a practice is using or considering using an outside billing service. And that is: Do I need a HIPAA Business Associate Agreement?
Evan Dumas
Yeah.
Liath Dalton
Yes.
Liath Dalton
You absolutely do. If they have access to PHI, which they will need in order to perform billing functions, but they are not workforce of your practice, they’re not working in your organization or under your policies and procedures, including sanction policies, etc. They’re a business associate, and you absolutely do need a BAA.
Evan Dumas
Yeah.
Evan Dumas
Yep.
Liath Dalton
Evan, what’s another question we get about billing services related to BAAs?
Evan Dumas
Oh, yeah, do I give them my BAA if they don’t have a BAA? Because what do I do if they don’t have a BAA?
Liath Dalton
This also is something that comes up more often than you might imagine. And it always is something that raises some red flags for us, right? Because a billing service that really understands their HIPAA responsibilities is going to, as part of fulfilling those HIPAA responsibilities, understand what a Business Associate Agreement is, and they are going to have one for you, and they are going to understand its contents and requirements.
Evan Dumas
Yeah.
Liath Dalton
And be, you know, reasonably materially prepared to meet those responsibilities.
Evan Dumas
Mhm.
Liath Dalton
So why is it an issue if they don’t have their own BAA?
Evan Dumas
Yeah, the BAA functions as their evidence that they know how to handle PHI. That they know it’s not theirs, that it’s yours, but that they’ll be doing everything in their care to prevent things from going wrong, and especially all the HIPAA things that they need to do.
Evan Dumas
So to not have a BAA is a sign that they don’t have any formal assurances that they know what to do and what their responsibilities are. And by asking you for one, it’s even worse, because they’re probably not going to read it. And they’re like, “No, you should know, you tell me what the answers are.” Like, no, no, no, you give me the answers.
Liath Dalton
So then that’s just performative compliance, right?
Evan Dumas
Mhm.
Liath Dalton
And that’s something that comes up often. And there are a few aspects of compliance where the performative components aren’t as problematic as with this.
Evan Dumas
Yeah.
Liath Dalton
But in this instance, the information that billers are handling includes the highest sensitivity PHI, right?
Evan Dumas
Mhm.
Liath Dalton
When we are talking about diagnosis codes, in particular, that is high, high sensitivity PHI.
Evan Dumas
Yeah.
Liath Dalton
It’s not something that we can be cavalier in how we are managing who has access to it, or who is handling it. And that is especially applicable with billing services. So if a billing service says, “I have a BAA, but you know, if you have one that you prefer we use instead,” that is not the same red flag category,
Evan Dumas
No, not at all.
Liath Dalton
That’s more of an orange flag, yellow flag, maybe?
Evan Dumas
Yeah.
Liath Dalton
Because, and the reason for that is that a Business Associate Agreement includes all of these assurances, saying, I am responsible for doing X, Y, and Z, and I am liable in these ways if I don’t meet those requirements. So you want them to really know what the contents of that document are. And not just be like, “Sure, I’ll sign, you know, whatever BAA, just Google a BAA and I’ll sign it.” So it doesn’t necessarily mean that if they’re willing to sign your BAA that that’s HIPAA problematic, but typically, in practice, what we’ve seen is that it means that they’re more cavalier about it.
Evan Dumas
Yeah, it would be kinda like, if, when a client comes to you and you give them their intake paperwork, they’re like, “No, no, I brought my own, we’ll sign that.” You’re like, “Excuse me? No, I just have my own paperwork. But let’s go through these terms and conditions.”
Liath Dalton
Right. Exactly. So that is something to be aware of. And actually, interestingly, we recently had a circumstance where a practice was evaluating a couple of billing services. Right?
Evan Dumas
Yeah.
Liath Dalton
And received BAAs from each of the billing services, but then was wondering, well, do they each contain all of the necessary provisions? Is there anything in the BAA content that should help inform my decision as to which of these services I’m considering I should go with? So they shared the respective BAAs with us and asked for our take.
Evan Dumas
Mhm.
Liath Dalton
Now, Evan? We did our standard review.
Evan Dumas
Yeah, totally.
Liath Dalton
Right. How were the BAA contents themselves?
Evan Dumas
Oh, you know, the contents, except for some of the very specific needed wording, covered a lot of the bases. They looked just like your regular boilerplate, template BAA at quick glance.
Liath Dalton
Yep. Each had all of the necessary provisions and components for what constitutes a HIPAA compliant BAA, which, you know, sidebar, are easily found in the model HIPAA Business Associate Agreement from HHS.
Evan Dumas
Exactly.
Liath Dalton
And that’s our standard process when we’re reviewing a BAA, to kind of cross reference. So they’ll have the necessary provisions. But then there was one huge difference that made us go “Uh, this is a no go!” What was that?
Evan Dumas
Yeah, that was that the biller said that they were the covered entity, which was almost like it’s the biller’s PHI and the other person would handle it. Now, this is the fine point that, you know, actually a lot of people do gloss over, and before I started working at PCT, I wasn’t quite familiar with the fact that the covered entity is you. And it is your stuff. And the Business Associate is the other person. They had it in reverse. They had it that they were the covered entity and the other person was the Business Associate. Which, at quick glance, you’re like, “Oh, does it matter that there’s directionality in there?” It does. It does matter.
Liath Dalton
It matters in really significant ways. But kind of the most important one is that if they don’t understand the difference between what a Business Associate and what a Covered Entity is, they’re not going to understand or be following the other particularities that are contained in there.
Evan Dumas
Sadly, no.
Liath Dalton
So, yeah, if you see something like that in a BAA, whether it be with a biller or not, that should give you significant pause, and is something that, you know, you can, of course, first make sure that it wasn’t just a typo in how they were filling things out, right?
Evan Dumas
Yep, totally.
Liath Dalton
That potentially could be something that arises. But I will say, and not to malign billers in any way, but I’ve seen a lot of just HIPAA confusion and lack of understanding amongst billing services, so it is an area that you want to kind of scrutinize more closely.
Liath Dalton
Okay, that’s the main points about the BAA considerations here. Now, where things get more into the nitty gritty is how, once you have selected a billing service, although actually these points are things that should be questions that get kind of addressed or asked and considered when you’re evaluating a prospective billing service.
Evan Dumas
Yeah.
Liath Dalton
But we’ll just focus on the kind of, in practice, if this is going on, this is an issue. Here’s why and what you need to do about it. So one of the other questions that we recently got was, “Hey, my billing service just uses –
Evan Dumas
Oh yeah, I forgot about this. Yeah, they just use Gmail. And is that okay? They said it was secure. “Let’s just use the free Gmail to communicate, I don’t need a BAA, a protected email service. Gmail is just fine,” is what they said.
Liath Dalton
And again, I want to be clarifying that what we’re talking about here is the distinction between a paid Google Workspace account, where a BAA with Google is obtainable, and that includes Google email, Gmail, versus a free Gmail account with the @gmail.com address designation.
Evan Dumas
Totally.
Liath Dalton
Nice little red flag there.
Evan Dumas
Oh, yeah.
Liath Dalton
You can kind of do some initial sleuthing too that might inform.
Evan Dumas
Oh, super easy, yeah.
Liath Dalton
Hey, should I even go past go with this? Ah, maybe not. So this practice’s billing service provider said, you know, Gmail to Gmail is secure, and so it’s fine to be communicating that way. We don’t need to be using Hushmail or anything else, and it’s just fine.
Liath Dalton
Now, one of the issues there, of course, is that they, as a Business Associate, have to have a Business Associate Agreement with service providers that have access to PHI. Just like you, as a covered entity, do.
Evan Dumas
Yeah.
Liath Dalton
They missed the mark on that.
Evan Dumas
Yeah.
Liath Dalton
I mean, technically speaking, the transmission security standard is being met when email is sent Google to Google email, whether it’s Google Workspace email or a free, personal Gmail. But the transmission security standard is not the only HIPAA standard that has to be managed with email communications that include PHI.
Evan Dumas
Yeah.
Liath Dalton
Um, so that, unfortunately, was a big, nope! That is still not HIPAA consistent, and lets us know that they don’t really get the nitty gritty of how HIPAA works and needs to be applied.
Evan Dumas
Mhm, mhm.
Liath Dalton
So whatever communication mechanisms you are using with your outside billing service, do need to be HIPAA consistent. And so they should be using the same sorts of secure and HIPAA appropriate platforms that you use as a service provider, right?
Evan Dumas
Mhm, yeah.
Evan Dumas
And if they’re not, that’s an issue. If you are giving a biller access to your systems that contain client info, so you’re not just providing them files that contain the info they need, that they are then going to handle and secure in their own systems, but you’re actually giving them access, like a login to your EHR, or giving them sharing access to your practice’s Google Workspace account,
Liath Dalton
For example,
Evan Dumas
Mm, oh my.
Liath Dalton
to be able to look at CSV exports, for example, that have other billing related and client data that’s been pulled from the EHR. Maybe historical data there. If you are giving a biller who’s a Business Associate, not workforce, access to your systems, you need not only a Business Associate Agreement, but you also need a Service Level Agreement.
Evan Dumas
Yep.
Liath Dalton
And this is, again, going to another great discussion that we recently had in Group Practice Office Hours on what we refer to as Eric Day. Eric Day is the session of the month that’s co-facilitated by therapist attorney Eric Strom. And one of the questions we had was, when is a Service Level Agreement necessary, in addition to a Business Associate Agreement?
Liath Dalton
And how do I know the difference?
Evan Dumas
Mhm, yeah.
Evan Dumas
Yeah.
Liath Dalton
This actually comes up a lot with billers.
Evan Dumas
Oh, yeah.
Liath Dalton
Maybe the most frequently. Like, just second on the list would be with VA services, actually.
Evan Dumas
Oh, yep, schedulers, too.
Liath Dalton
But typically, billers are the area where we see this come up the most. Now, what is a Service Level Agreement? And why would you need that in addition to a BAA, Evan?
Evan Dumas
Service Level Agreements are an agreement at the service level. So it makes sense when we parse it out. It’s when they have access to your services. It’s like when you loan the keys to your house to someone and get the verbal, “Hey, you can eat anything in this thing, but don’t eat anything in this thing, don’t mess with this, or here’s how this works.” You are getting their confirmation that they won’t mess with the internals of your system. They won’t share the passwords with other people. They won’t delete things, they won’t go places they shouldn’t, and ideally shouldn’t even be able to, but they sort of agree on how to use it, and how to use it correctly.
Liath Dalton
Exactly. And that is not something that is contained in a Business Associate Agreement. Oh, no, because Business Associate Agreements are looking at how they safeguard Protected Health Information in their systems, right, under their policies and procedures. And they’re responsible and liable for that. As soon as you’re giving them access to your systems that contain PHI, we need to have a mechanism that is providing for the safeguards that you have in place and are required to have in place for those systems, so that those are maintained for this outside user, who isn’t workforce, who isn’t under your direction and control in the same way that workforce is, right? You’re not training them and overseeing every little action that they take, like you can do with workforce.
Liath Dalton
So we need to both provide for making sure that you’re upholding all of your HIPAA responsibilities for how you safeguard these systems that you control and keep PHI in. And then we need to be just having something that explicitly addresses how they’re going to not bring issues into those systems that you give them access to.
Evan Dumas
Mhm.
Liath Dalton
It’s much more straightforward, honestly, than it sounds. And just putting it out there, we have a Service Level Agreement, especially the template Service Level Agreement that we use with our group practice clients in this instance, and the provisions it contains are not so extensive that it’s trying to, like, bullet point every standard, every HIPAA standard, and every policy and procedure that your practice has in place to meet those standards. It’s only looking at the areas of risk exposure related to credential sharing, right?
Evan Dumas
Yeah.
Liath Dalton
So it is simple, short, straightforward, and basically talking about the main areas of risk exposure. Like device security: that if they’re using devices to access systems with login credentials you provided, they need to make sure those devices have the technical security measures in place, according to HIPAA standards. That’s one example of the contents.
Liath Dalton
So whenever a third party is working within your own systems, not just their systems, we want to have a Service Level Agreement in place above and beyond just the BAA.
Evan Dumas
Mhm.
Liath Dalton
So that can often be the case with billers, depending on, I mean, there are so many different ways that working with a biller can be set up. And we’ve seen many, many different iterations of that, right. So some practices will just send out data via a secure method to the billing service, and they’ll work with it purely in their own systems; that comes up sometimes. And in that case, a Service Level Agreement isn’t needed, just a BAA is.
Liath Dalton
But a lot of practices will give their outside billing company a biller login to their EHR, and access to Google Drive.
Evan Dumas
Yeah.
Liath Dalton
And so that’s when we say, oh, they have access to and are going to be working within your systems, not their own? So Service Level Agreement, SLA time.
Evan Dumas
Mhm.
Liath Dalton
So SLA and BAA, which I feel like we should make an even catchier and ridiculous acronym.
Evan Dumas
Oh, no.
Liath Dalton
Like
Evan Dumas
No, veto.
Liath Dalton
SLAAA –
Evan Dumas
SLABAA.
Liath Dalton
Yes, la. Yes. SLABAA time, if you are giving them access in that way. So those are just some of the, like, basic parameters. Beyond that, it doesn’t have to be too convoluted or complicated. But these are just some of the basic parameters that are really important to be aware of, so that you can make sure, if you’re using an outside billing service or evaluating working with an outside billing service, that you’ve covered these bases.
Evan Dumas
Yeah, exactly.
Liath Dalton
So that’s, I guess, one more PSA podcast episode to add to the podcast archive. So we hope you found that helpful. And we look forward to your joining us next time.
Evan Dumas
Yeah, talk to you next time, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click Podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we’re answering a question we frequently get: What are the HIPAA considerations when you have an outside biller for your group practice?
We discuss the threat landscape scenario of outside billing; whether you need a BAA with your biller; who should provide the BAA; what should and shouldn’t be in a BAA; and the difference between a Service Level Agreement and a BAA, and when to use each.
Resources are available for all Group Practice Tech listeners below:
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources & further information
PCT Resources:
- PCT’s Service Level Agreement form
- PCT’s free Group Practice Service Selection Workbook & Worksheets, Step 1 of the PCT Way: support for selecting HIPAA-secure, effective, and economical services to meet your practice’s functionality and operational needs
- Group Practice Care Premium
  - weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
  - assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  - assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.