Practice Management

  • 1.  E-mailing Patient Receipts

    Posted 09-20-2019 16:43

    We are considering turning on a feature in our billing software that would e-mail receipts to patients if they call and pay for their bill over the phone.  Below is an example of a test receipt.

    A payment to "Provider" in the amount of $15.42 has been submitted on 3/7/2019.

    Provider:
    Account Number: 29610
    Payment Date: 3/7/2019
    Amount Paid: $15.42
    Reference Number: 363776720190307

    Payment Details:

    Method    Description               Amount
    Credit    ****5992 (MASTERCARD)     $15.42

    While I would prefer that less information be included on the e-receipt, we are not able to limit the data or modify the receipt. Additionally, in reviewing the HIPAA requirements and considering the Treatment, Payment and Operations guidelines, it appears that having the account number on the receipt would be allowed. Are any other practices e-mailing patients receipts and, if so, would you be willing to share what is included on your e-receipts?  Any comments and recommendations from a Compliance perspective are welcome as well.

    Thank you,


    ------------------------------
    Betsy Flesh
    Director of Finance
    Radiology, Inc.
    Mishawaka IN
    (574) 258-1100 ext 235
    ------------------------------


  • 2.  RE: E-mailing Patient Receipts

    Posted 09-20-2019 17:42

    Betsy,

     

    We have something that is very similar – and we offer to either give the guarantor/patient the reference #, mail, or email them a receipt. It has the same as what you mentioned, plus the merchant ID as well as a reference to what services were paid.

     

    We questioned this as well, and the general discussion was that because this is at the direction of the guarantor/patient involved, the email is provided at the time of payment (i.e., we do NOT keep these on file, it is only applicable to the payment being processed in front of you), and we have offered alternatives (snail mail or reference # verbally), that this would meet HIPAA requirements.

     

    I have not opted to turn on email for guarantor/patient statements as we do not feel that option is maintained often enough (could be an old email address from how long ago or might now be shared with other family members); however, with regard to obtaining an email address at the time of the payment, it is current and a one-time use only.

     

    Hope that helps, feel free to contact me directly if you have any other questions.

     

    Michelle

     

    Michelle R. Juette, CPC, RCC

    Business Services Manager

    Yakima Valley Radiology

    (509) 895-0402 (direct, voice/mail)

    (509) 248-0733 (secure fax)

    mjuette@yakrad.com

  • 3.  RE: E-mailing Patient Receipts

    Posted 09-20-2019 18:02

    Betsy,

     

    The patient is allowed to choose how their information is transmitted.  We routinely would transmit reports via unsecured email at the request of the patient.  We would advise the patient that transmitting a PDF copy of the report to their email account is not secure and that there is a risk of the information being intercepted, but it is your information and your choice. 

     

    If you do not inform the patient that they are selecting an unsecured method, and the information is intercepted, you may have to report a breach.  However, if you have advised the patient of the risk and they choose to have you transmit via email, the entity is not responsible for the breach.

     

    An account number can uniquely identify the patient, so it is considered PHI (even though I would have to have access to your EMR to use it, don't get me started).

     

    This deals with transmission to a third party, but it is the same idea.

     

    What is a covered entity's obligation under the Breach Notification Rule if it transmits an individual's PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?

    If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was "unsecured PHI" as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D.  However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required.  Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.