
Possible HIPAA violation question.



wmf333

Guest
What is the name of your state? A former client of my computer company (Dec 2002 to Jan 2004) is a healthcare billing office. We set up a VPN for him. He gave us his billing software (personally delivered to my office and picked up by one of his employees) so we could test remote access to his database. This allowed us access to all protected health information. He never had us sign a business associate agreement, never mentioned anything about HIPAA to us. He or an associate of his company asked us to connect to his database and troubleshoot their connectivity problems from Jan 2003 to Jan 2004. Is this company in violation of HIPAA? Is my company in any violation of HIPAA? Thank you.
 


I AM ALWAYS LIABLE

Senior Member
wmf333 said:
What is the name of your state? A former client of my computer company (Dec 2002 to Jan 2004) is a healthcare billing office. We set up a VPN for him. He gave us his billing software (personally delivered to my office and picked up by one of his employees) so we could test remote access to his database. This allowed us access to all protected health information. He never had us sign a business associate agreement, never mentioned anything about HIPAA to us. He or an associate of his company asked us to connect to his database and troubleshoot their connectivity problems from Jan 2003 to Jan 2004. Is this company in violation of HIPAA? Is my company in any violation of HIPAA? Thank you.

My response:

You bet you are, and so is the company! Just ask the people whose records you looked at to fix his system!

IAAL
 

wmf333

Guest
Would my company (the computer company) be in violation of HIPAA even though we did not disclose the PHI to anyone and we are not the covered entity, the healthcare billing company was? Only the covered entity here disclosed PHI and would be in violation here, right? Or am I also in violation? Thank you.
 

ellencee

Senior Member
Computer consultants for covered entities are considered "Business Associates" of the covered entity for whom they are consulting. As such, the computer consultants are required to protect the PHI the same as the covered entity. It may be that the physician/medical practice was not in violation of HIPAA.

Here's a good reference site for HIPAA rules/regulations on this issue:
http://www.hhs.gov/ocr/hipaa/contractprov.html

EC
 

wmf333

Guest
Would I (the computer company) be considered a "business associate" if the covered entity never had us sign a business associate agreement? The billing office did not take any measures to protect PHI, written or verbal.

I want to file a complaint with HHS about this if in fact he is in violation of HIPAA and we were not. The next computer company he deals with may have staff who would disclose and use this PHI where we did not disclose any PHI. What should I do? Thanks.
 

ellencee

Senior Member
Go to the site I provided; close to the end of the document, it states that an exception is made for PHI that is provided to the computer consultant(s) for use in setting up programs and assessing data retrieval, etc. Your company is a Business Associate of the MD or medical practice and as an employee of your company, you are required to honor the privacy of the PHI and to not disclose any of the information except within your job function/duties.

The referenced document also states that a contract, which is the basis for the document I referenced, is not required for the HIPAA regulations to apply.

I don't think the MD or medical practice violated the HIPAA regulations for several reasons, but most specific is the exception near the end of the document.

If you can not work with medical providers and protect their information (PHI) without seeking to destroy those who create your income by hiring you, get the hell out of the business. Healthcare can not support the ridiculous costs of HIPAA, which was meant to protect electronic billing information, and healthcare providers certainly can not afford the legal expenses of defending against all these ridiculous complaints. Good doctors are refusing to treat Medicare patients so they do not have to carry the additional expenses of managing HIPAA electronic billing. People like you are responsible for the loss of good physicians.

Should the MD be found to have violated HIPAA and fined, you won't receive one red cent.

EC
 

wmf333

Guest
Dear ellencee, thank you for your replies, but I think you are misunderstanding my intentions here. I do not wish to seek any financial gain here. This particular covered entity is not a medical practice; it's a clearinghouse. The owner of this clearinghouse is one of those individuals you mentioned who likes to file lawsuits and threaten lawsuits for financial gain. My employees and I would never misuse anyone's PHI for personal or financial gain. I did not feel it was right for this clearinghouse not to take proper measures to protect his clients' patients' PHI. Perhaps others he does business with will not be as respectful of PHI as we were.

I'll be honest here: he is threatening me with a lawsuit because he feels we should be maintaining his systems for free when there was no contract in place for this and no money paid to us for these services. He enriches himself by pushing around small companies like mine. He states, "It will cost you more to defend this case than to do what I am demanding here."

Do you think I would be filing a complaint without reason, or should I file one with HHS?

Thank you for your help.
 

ellencee

Senior Member
Until your last post, I understood you (now and hereafter, to mean "you or your company") as providing computer consulting, developing a program to manage data, transmit billing, and prevent unauthorized access of PHI for an MD and, or his practice via a clearing house for billing. My mistake; I must be getting old! I now understand you to be a computer consulting provider with a (former) client who owns/operates a clearing house for medical billing. In that capacity, you were/are a Business Associate of the clearing house and as such, HIPAA allows you to view, receive, and "use" all of the clearing house's information, including PHI, in order to develop a program or assess the security of the clearing house's system. You can even share the information with others, for example to test the system's ability to transmit properly and to prevent unauthorized access to PHI. HIPAA requires that you protect the PHI and do not use it in an authorized manner.

If you did not accept the information and use it, then the clearing house owner did not share the information; he attempted to share it for the purpose of meeting the HIPAA requirements for security analysis and compliance.

One of my daughters is a software developer and computer consultant; she performs the very services described above for healthcare providers and for class action attorneys handling medical products and pharmaceutical class action suits. I don't believe she has developed a program for a clearing house or reviewed a clearing house, but some of the healthcare providers for whom she has consulted use a clearing house for billing. It is possible that accessing the clearing house's data base would be needed in order to develop the appropriate program and train the staff in its use. I'll have to ask her. Anyway, in addition to the reference site that I provided, that's why I believe your former client has not violated HIPAA.

I do not understand why he is threatening to sue you for refusing to provide a service for which you have no agreement or contract to provide; however, you state "you were" protective of his clients' information. If you did not agree to provide the service, then you had no right to access the data by reading the information and should have no idea what information is on the disc. If you did "look at" the disc and did not accept the job, YOU violated HIPAA by accessing PHI not necessary for the job at hand. It's the same as reading your own medical records or your friend's medical records when neither of your records have anything to do with your current assignment.

EC
 

wmf333

Guest
Dear ellencee, thank you for your info.

I really need some guidance here. To be completely honest, the reason I am asking is to see if I have a bargaining chip with this individual. He is filing a civil suit against my company for $7500.00 for failure to maintain computer systems.

Some background: We (my company) are a small company with 5 total employees. He (the clearinghouse owner) purchased a Windows 2000 server from us which we set up for him so his satellite office could access the database remotely instead of his previous method of backing up data, emailing it to the satellite office where it was worked on for 2 days and emailed back. Our intended involvement was only to sell the hardware and set the system up for the client. His employees had a lot of trouble using the new setup because they either refused to follow instructions or were unable to understand the procedures. He accused us of incompetence and threatened litigation. He brought his billing software to us, where we proved the system works when the simple procedure is followed. Well, many, many more of these situations arose over the next year from him and his satellite office, with the same results. Finally we sent him a letter terminating our professional relationship after he verbally attacked me and my staff with profanity and other personally degrading remarks, even calling my family members and saying these remarks (they are listed in the telephone directory). He was accusing us of selling him a defective product when the problem was that his broadband internet provider was having problems.

He never had us sign a business associate agreement, never requested any accounting of any PHI accessed by us during testing, or addressed the fact that we had a copy of his software. We, of course, did not keep any records of PHI accessed because we were unaware of the regulations. We only accessed his database upon request of him or a member of his staff and have not accessed it after the date of the letter where we terminated the relationship. He also does not have a signed computer service agreement because there was never one issued.

Do I have a bargaining chip here, or is he free of any violations? I hope I presented my problem clearly, and I really appreciate any input. Thank you.
 

ellencee

Senior Member
Oh, gee, what a freakin' mess. Let this be a lesson to you. A contract should have a beginning and an end point. You did not have to sign a Business Associate contract with him (see the referenced HIPAA site's information). You still functioned as a Business Associate for his business.

With the last information you provided, I don't think either of you violated HIPAA. The problem is a contract issue. If you provided your services as agreed upon for X amount of dollars and you followed up when he complained of problems, I don't see where he has reason to sue you. You can not be responsible for whether or not his employees and contracted proofers (the 2 day service people) can use his program.

I know exactly what type of services he provides and the interaction between him and the 2 day proofers. If you created a program that allows him to transmit his data to the proofers and to receive their return information and you taught his employees how to use the program, then I think you met your contract.

I suggest that you make an appointment with a contract attorney and get this man off of your back.

In the future, always have a written contract with specific terms for what you will provide, the amount of money, and the end point. If you can't create a contract that you trust, have an attorney prepare one for you. The only problem with having an attorney prepare a contract is the lengthy verbiage that no one but another contract attorney can understand. In contracts, the KISS rule applies: keep it simple, stupid!

Best wishes,
EC
 
