Complying with patient privacy laws

Q I'm concerned that the billing company could fail to protect my patients' information. What does the billing company need to do to be in compliance with HIPAA?

A: Your billing company does, indeed, have to be in conformance with HIPAA. It has the same level of responsibility to safeguard confidential patient data that binds the practice, and it may have additional standards related to computer security and the electronic transmittal of data. Your responsibility is to have the billing company execute what is commonly known as a business associates agreement that assures you that it understands and complies with these regulations. Any healthcare attorney will have a form of this agreement, because it has become a rather standard form of legal assurance. Your local hospital or medical society also might share a form agreement with you for use with billing subcontractors. Beyond that, your responsibility is to make sure that your agreement with the billing company contains language that assures you that it recognizes its responsibilities in this respect and that it agrees to indemnify your practice for any breach of data that is traced to its negligence or omission.