HIPAA Q&A: Working with multiple providers
HIPAA Weekly Advisor, October 18, 2010
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q. Our billing company provides services to multiple providers. The billing company requires the original charge sheets and explanation of benefits forms for billing and posting. When we requested copies of the original documents for healthcare operations purposes, the billing company indicated it could not provide copies because they were commingled with other clients’ documents. Is this a HIPAA violation?
Also, the billing company indicated it would send all its clients’ documents for us to sort through to find our practice’s documentation. Is this a HIPAA violation? What are the specific regulatory citations?
A. Commingling different practices’ documentation is most likely a violation of the HIPAA privacy rule because it violates the minimum necessary standard. Any individual at the billing company has access to PHI from multiple practices, and unless all employees conduct billing for all of the practices, access to more than the documents required for their particular job violates the minimum necessary standard. Also, business associates (BAs) are required to make each of the practices’ documentation available to satisfy an OCR audit. If the billing company is unable to produce that documentation, that represents another violation of HIPAA and a violation of the BA contract.
Finally, sending a single practice all of the documentation for all practices is also a violation of the minimum necessary provisions of the HIPAA privacy rule. A single practice should not have access to other practices’ documentation; the additional documentation is unnecessary for its healthcare operations. The billing company should only provide the practice with its own documentation.
The specific regulatory citations are 45 CFR 164.502(b) for minimum necessary requirements and 45 CFR 160.310 for OCR compliance investigations.
Practices really should retain original documentation and send the billing company copies. In many states, the practices “own” those documents, and for many legal reasons, it is not wise to give away original patient-related documentation. The billing company is the BA and has no legal standing to require the practice to supply it with original patient documents.
Editor’s note: Chris Apgar, CISSP, answered this question. He is president of Apgar & Associates, LLC, in Portland, OR. He has more than 17 years’ experience in IT and specializes in security compliance, assessments, training, and strategic planning.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- HIPAA Q&A: Level of encryption needed for email
- Identify potential Medicaid RAC target areas
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- QA:Coding multiple initial infusions
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched