Transcript – Episode 416: What You Need to Know and Do Under HIPAA if Your Practice Uses an Outside Biller

Evan Dumas

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co host Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered Tech. This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, Meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 416. What You Need to Know and Do Under HIPAA if Your Practice Uses an Outside Biller.

 

Liath Dalton 

This is a really important topic. And one that, like a lot of our podcast episodes, got precipitated by some of the great questions that we get asked in our Group Practice Office Hours, which is our ongoing direct support and consultation service for group practice leaders. But it’s also kind of precipitated by the fact that issues with how things are set up with outside billing services is one of the primary areas where we see HIPAA violations occurring and a sort of threat landscape scenario that is really inviting a HIPAA breach.

 

Evan Dumas 

Uh huh.

 

Liath Dalton 

So we’re like, let’s talk about this and make sure you kind of get the basic outline of what the considerations are, and how you can be safeguarding your practice and your clients info.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So without any further ado, let’s dive right into the topic. Which is one of one of the questions that we often get, and maybe it seems so basic, that it’s silly that we’re talking about it, but it isn’t actually silly.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Because you also may find that the answers that various billing services have to it, don’t always have the soundest logic –

 

Evan Dumas 

No.

 

Liath Dalton 

but maybe sound reasonable. Or they’ll say, oh, payment operations, you don’t need a BAA with me. And yes, I just belied what with that kind of super basic question is that that we often get when a practice is using or considering using an outside billing service. And that is: Do I need a HIPAA Business Associate Agreement?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Yes.

 

Liath Dalton 

You absolutely do. If they have access to PHI, which they will need in order to perform billing functions, but they are not workforce of your practice. They’re not working in your organization or under your policies and procedures, including sanction policies, etc. They’re a business associate and you absolutely do need a BAA.

 

Evan Dumas 

Yeah.

 

Evan Dumas 

Yep.

 

Liath Dalton 

Evan, what’s another question we get about billing services related to BAAs?

 

Evan Dumas 

Oh, yeah, do I give them my BAA if they don’t have a BAA? Because what do I do if they don’t have a BAA?

 

Liath Dalton 

This also is something that comes up more often than you might imagine. And it always is something that raises some some red flags for us, right? Because a billing service that really understands their HIPAA responsibilities is going to as part of fulfilling those HIPAA responsibilities, understand what a Business Associate Agreement is, and they are going to have one for you, and they are going to understand its contents and requirements.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And be you know, reasonably materially prepared to meet those responsibilities.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So why is it an issue if they don’t have their own BAA?

 

Evan Dumas 

Yeah, the BAA functions as their evidence that they know how to handle PHI. That they know it’s not theirs, that it’s yours, but that there’ll be doing everything in their care to uh prevent things from doing it, and especially all the HIPAA things that they need to do.

 

Evan Dumas 

So to not have a BAA is a sign that they don’t have any formal assurances that they know what to do and what their responsibilities are. And by asking you, for one, it’s even worse, because they’re probably not going to read it. And they’re like, No, you should know you tell me what the answers are like, no, no, no, you you give me the answers.

 

Liath Dalton 

So then that’s just performative compliance, right?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

And that’s something that comes up often. And there are a few aspects of compliance where the performative components aren’t as problematic as with this.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

But in this instance, the information that billers are handling includes the highest sensitivity PHI, right?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

When we are talking about diagnosis codes, in particular, that is high, high sensitivity PHI.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

It’s not something that we can be cavalier in how we are managing who has access to it, or who is handling it. And that is especially applicable with billing services. So if a billing service says, I have a BAA, but you know, if you have one that you prefer we use, instead, I that is not the same red flag category,

 

Evan Dumas 

No, not at all.

 

Liath Dalton 

That’s more, or it’s orange flag, yellow flag, maybe?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Because, and the reason for that being is that a Business Associate Agreement includes all of these assurances and saying, I am responsible for doing X, Y, and Z. And I am liable in these ways if I don’t meet those requirements. So you want them to really know what the contents of that document are. And not just being like, sure I’ll sign you know, whatever, BAA, just Google a BAA and all sign it. So it doesn’t necessarily mean that if they’re willing to sign your BAA that that’s HIPAA problematic, but typically, in practice, what we’ve seen is that it means that they’re more cavalier about it.

 

Evan Dumas 

Yeah, it would be kinda like, if, when a client comes to you, and you give them their intake paperwork, they’re like, no, no, I brought my own, we’ll sign that. You’re like, Excuse me? Like, No, I just have my own paperwork. But let’s go through these terms and conditions.

 

Liath Dalton 

Right. Exactly. So that’s, that is something to to be aware of. And actually, interestingly, we recently had a circumstance where a practice was evaluating a couple of billing services. Right?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And received BAAs from each of the billing services, but then was wondering, well, do they each contain all of the necessary provisions? Is there anything in the BAA content that should help inform my decision as to which of these services I’m considering I should go with? So they shared the the respective BAAs with us and asked for our take.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

 Now, Evan? We did our standard review.

 

Liath Dalton 

Yeah, totally.

 

Liath Dalton 

Right. How were the BAA contents themselves?

 

Evan Dumas 

Oh, you know, the contents, except for some of the very specific needed wording, contents covered a lot of the bases. They look just like your regular boilerplate, template BAA at quick glance.

 

Liath Dalton 

Yep. Each had all of the necessary provisions and components for what constitutes a HIPAA compliant BAA, which, you know, sidebar are easily found in the model HIPAA Business Associate Agreement from HHS.

 

Evan Dumas 

Exactly.

 

Liath Dalton 

And that’s our standard process when we’re reviewing a BAA is to kind of cross reference. So they’ll have the necessary provisions. But then, but then, there was one huge difference that made us go “Uh, this is a no go!” What was that?

 

Evan Dumas 

Yeah, that was that the the biller said that they were the covered entity, which was almost like it’s the billers, PHI and the other person would handle it. Now, this is the fine point that you know, actually a lot of people do gloss over, and before I started working at PCT, I wasn’t quite familiar with that the covered entity is you. And it is your stuff. And the Business Associate is the other person. They had it in reverse. They had it that they were the covered entity and the other person was the Business Associate. Which, at quick glance, you’re like, Oh, does it matter that there’s directionality in there? It does. It does matter.

 

Liath Dalton 

It matters in really significant ways. But kind of the most important one is that if they don’t understand the difference between what a Business Associate and with what a Covered Entity is, they’re not going to understand or be following the other particularities that are contained in there.

 

Evan Dumas 

Sadly, no.

 

Liath Dalton 

So, yeah, if you see something like that in a BAA, whether it be with a biller or not, that should give you significant pause, and is something that you know, you you can, of course, first make sure that it wasn’t just a typo in how they were filling things out, right?

 

Evan Dumas 

Yep, totally.

 

Liath Dalton 

That potentially could be something that arises. But I will say, and not to malign billers in any way, but I’ve seen a lot of just HIPAA confusion and lack of understanding amongst billing services, so it is an area that you want to kind of scrutinize more more closely.

 

Liath Dalton 

Okay, that’s, that’s the main points about the BAA considerations here. Now, where things get more into the nitty gritty of how, once you have selected a billing service, although actually these these points are things that should be questions that get kind of addressed or asked and considered when you’re evaluating a prospective billing service.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

But we’ll just focus on the kind of, in practice, if this is going on, this is an issue. Here’s why and what you need to do about it. So one of the other questions that we recently got was, “Hey, my billing service just uses –

 

Evan Dumas 

Oh yeah, I forgot about this. Yeah, they just use Gmail. And is that okay? They said, it was secure. Let’s just use the free Gmail to communicate, I don’t need a, I don’t need a BAA, a protected email service. Gmail is just fine, is what they said.

 

Liath Dalton 

And again, I want to be clarifying that what we’re talking about here is the distinction between a paid Google Workspace account where a BAA with Google is obtainable. And that includes Google email, Gmail, versus a free gmail account with the @gmail.com address designation.

 

Evan Dumas 

Totally.

 

Liath Dalton 

Nice little red flag there.

 

Evan Dumas 

Oh, yeah.

 

Liath Dalton 

You can kind of do some initial sleuthing too that might inform.

 

Evan Dumas 

Oh, super easy, yeah.

 

Liath Dalton 

Hey, should should I even go past go with this? Ah, maybe not. So this practice’s, billing service provider said, you know, Gmail to Gmail is secure, and so it’s fine to be communicating that way. We don’t need to be using Hushmail or anything else, and it’s just fine.

 

Liath Dalton 

Now, one of the issues there, of course, is that they, as a Business Associate, have to have a Business Associate Agreement with service providers that have access to PHI. Just like you as a covered entity do.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

They missed missed the mark on that.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

I mean, technically speaking, the transmission security standard is being met when email is sent Google to Google email, whether it’s Google workspace email or a free, personal Gmail. But that is not, the transmission security standard is not the only HIPAA standard that has to be managed with email communications that include PHI.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Um, so that, unfortunately, was a big, nope! That is still not HIPAA consistent, and lets us know that they don’t really get the nitty gritty of how HIPAA works and needs to be applied.

 

Evan Dumas 

Mhm, mhm.

 

Liath Dalton 

So whatever communication mechanisms you are using with your outside billing service, do need to be HIPAA consistent. And so they should be using the same sorts of secure and HIPAA appropriate platforms that you use as a service provider, right?

 

Evan Dumas 

Mhm, yeah.

 

Evan Dumas 

And if if they’re not, that’s an issue. If you are giving a biller access to your systems that contain client info, so you’re not just providing them files that contain the info they need, that they are then going to handle and secure in their own systems. But you’re actually giving them access like a login to your EHR, or giving them sharing access to your practices Google Workspace account,

 

Liath Dalton 

For example,

 

Evan Dumas 

Mm, oh my.

 

Liath Dalton 

to able to look at CSV exports, for example, have other billing related and client data that’s been pulled from the EHR. Maybe historical data there. If you are giving a biller who’s a Business Associate, not workforce, access to your systems, you need not only a Business Associate Agreement, but you also need a Service Level Agreement.

 

Evan Dumas 

Yep.

 

Liath Dalton 

And this is, again, going to another great discussion that we recently had, in Group Practice Office Hours on what we refer to as Eric Day. Eric Day is the this session of the month where it’s co facilitated by therapist attorney Eric Strom. And one of the questions we had was, when is a Service Level Agreement necessary, in addition to a Business Associate Agreement?

 

Liath Dalton 

And how do I how do I know the difference?

 

Evan Dumas 

Mhm, yeah.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

This actually comes up a lot with billers.

 

Evan Dumas 

Oh, yeah.

 

Liath Dalton 

Maybe the most frequently. Like, just second on the list would be with VA services, actually.

 

Evan Dumas 

Oh, yep, schedulers, too.

 

Liath Dalton 

But typically, billers are the area where these we see this come up the most. Now, what is a Service Level Agreement? And why would you want need that in addition to a BAA Evan?

 

Evan Dumas 

Service Level Agreements are an agreement at the service level. So this, it makes sense when you when we parse it out. So it’s when they have access to your services. When you say, like, you know, loan the keys to someone to your house and get the verbal, hey, you can eat anything in this thing, but don’t eat anything in this thing, don’t mess with this, or here’s how this works. You are getting their confirmation that they won’t mess with the internals of your system. They won’t share the passwords with other people. They won’t delete things, they won’t go places they shouldn’t, and ideally, shouldn’t even be able to, but they sort of agree on how to use it, and how to use it correctly.

 

Liath Dalton 

Exactly. And that is not something that is contained in a Business Associate Agreement. Oh, no, because Business Associate Agreements are looking at how they safeguard Protected Health Information in their systems, right, under their policies and procedures. And they’re responsible and liable for that. As soon as you’re giving them access to your systems that contain PHI, we need to have a mechanism that is providing for the safeguards that you have in place and are required to have in place for those systems, that those are maintained for this outside user, who isn’t workforce, who isn’t under your direction and control in the same way that workforce is, right? You’re not training them and overseeing every little action that they take, like you can do with with workforce.

 

Liath Dalton 

So we need to both provide for making sure that you’re upholding all of your HIPAA responsibilities for how you safeguard these systems that you control and keep PHI in. And then we need to be just having something that explicitly addresses how they’re going to not bring issues into those systems that you give them access to.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

It’s much more straightforward, honestly, then, than it sounds. And just putting out, we have a Service Level Agreement, especially the template Service Agreement that we use with our group practice clients in this instance, the provisions it contains are not so extensive that it’s trying to like bullet point, every standard, every HIPAA standard, and every policy and procedure that your practice has in place to meet those standards. It’s only looking at the areas of risk exposure related to credential sharing, right?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So it’s it is simple, short, straightforward, and basically talking about the the main areas of risk exposure. Like device security, that if they’re using devices to access systems with login credentials you provided, they need to make sure those devices have the technical security measures in place, according to HIPAA standards. That’s one example of the contents.

 

Liath Dalton 

So whenever a third party is working within your own systems, not just their systems, we want to have a Service Level Agreement in in place above and beyond just the BAA.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So that can often be the case with billers, depending on, I mean, there are so many different ways that working with a biller can be set up. And we’ve seen many, many different iterations of that, right. So some practices will just send out data via a secure method to the billing service. And they’ll work with it purely in their own systems, that that comes up sometimes. And in that case, a Service Level Agreement isn’t needed just a BAA is.

 

Liath Dalton 

But a lot of practices will give their outside billing company a biller login to their EHR, and access to Google Drive.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And so that’s when we say oh, they have access to and are going to be working within your systems not their own? So Service Level Agreement, SLA time.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So SLA and BAA, which I feel like we should make an even catchier and ridiculous acronym.

 

Evan Dumas 

Oh, no.

 

Liath Dalton 

Like

 

Evan Dumas 

No, veto.

 

Liath Dalton 

SLAAA –

 

Evan Dumas 

SLABAA.

 

Liath Dalton 

Yes, la. Yes. SLABAA time. If you are giving them access in that way. So those are just some of the like, basic parameters. Beyond that it doesn’t have to be too convoluted, or complicated. But these are just some of the basic parameters that are really important to be aware of, so that you can can make sure if you’re using an outside billing service, or evaluating working with an outside billing service, that you’ve covered these bases.

 

Evan Dumas 

Yeah, exactly.

 

Liath Dalton 

So that’s, I guess, one more PSA podcast episode to add to the the podcast archive. So we hope you found that helpful. And we look forward to your joining us next time.

 

Evan Dumas 

Yeah, talk to you next time, everybody.

 

Liath Dalton 

This has been Group Practice Tech, you can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.