HIPAA Q&A
BAAs, fax logs, and cell phone use
by Mary D. Brandt, MBA, RHIA, CHE, CHPS
Q: Are we required to have a business associate agreement (BAA) with an overseas vendor? We may begin working with a billing company based in India. I don’t believe HIPAA would apply to an overseas company but I’m not clear on our responsibilities in this situation.
A: As a covered entity under HIPAA, your organization is required to have BAAs with all vendors who have access to your PHI to perform a service on your behalf. This includes companies outside the U.S., like the billing company in India.
Q: Are we required to keep a log of all faxes sent that contain PHI?
A: There is no requirement to log all fax transmissions of PHI, but your staff must take steps to protect the information transmitted. Appropriate steps include using a cover sheet with a confidentiality statement, using pre-programmed fax numbers for frequent recipients, carefully checking numbers manually entered before transmission, and placing fax machines in secure locations.
Q: I recently took a position with a home health agency. The agency does not provide staff with company-owned cell phones to use to communicate with patients. Staff must use their personal cell phones and frequently receive voicemails and text messages from patients. Nurses are provided with laptops and all staff have a company email address and are encouraged to inform patients that if they must contact them after hours they should do so via email except in cases of emergency. However, most patients prefer to attempt to call.
I believe having staff use their personal cell phones for work is an unnecessary risk and I would like to find a solution. Are we required to inform patients that our staff do not have company-owned cell phones and they should be careful what information they leave in a voicemail or text message? Would it be best to instead ask patients to call our main number with questions and their doctor’s office in emergencies?
A: Requiring staff to use their personal cell phones for patient communications is a concern. It is intrusive for staff members to receive calls from patients even when they are not on duty, and patients may communicate sensitive information on unsecured devices. A better solution, as you suggested, would be to ask patients to call the agency’s main number for questions and their doctor’s office in emergencies. Using the agency’s number would allow questions to be directed to the staff member currently assigned to the patient.
Q: We recently received a request for a patient’s records. The patient transferred to another provider several years ago and we subsequently transferred all the patient’s records to the new provider. Should I direct the request to the provider the patient transferred to? I’m unsure that we should be responsible for retrieving and releasing information for this patient since we transferred the patient’s entire record to the new provider.
A: If you sent a copy of the patient’s records to the new provider and still have the original records, it would be appropriate for you to respond to the request. If you transferred all records to the new provider and no longer have the patient’s information, refer the request to the new provider.
Editor’s note: Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at [email protected].