Q: Do you need to have a business associate agreement with your online appointment scheduling service?
A: Yes. In a recent case, a physician group in Arizona reached a $100,000 settlement agreement with the U.S. Department of Health and Human Services (HHS). In addition, the group had to take corrective action to implement policies and procedures to safeguard the protected health information of its patients. The case arose from an investigation into the practice's use of an internet-based calendar to post its patients' clinical and surgical appointments. Further investigation revealed additional areas of non-compliance, including the following:
- Lack of policies and procedures to appropriately safeguard patient information;
- Failure to document training of employees on its policies and procedures under HIPAA's Privacy and Security Rules;
- Failure to identify a security officer and conduct a risk analysis;
- Failure to obtain business associate agreements with internet-based email and calendar services where the provision of the service included storage of and access to its electronic patient records.
Are you in compliance with the HIPAA Privacy and Security Rules? Do you have adequate safeguards in place to protect patients’ electronic protected health information (ePHI)? We can help! Contact us today for an evaluation.