HIIPA Business Associate Contract with optical labs?

[icmor]

Our ophthalmology office manager just told us we need to have our labs sign a business associate contract to continue to do business with them. In calling our lab, they said they have accounts with medical clinics throughout the country, and we're the first to bring this up. Anyone else familiar with this issue. Is optical exempt from this? There is no diagnosis information ever sent to the lab; just Rx, pt's name, ph#, and address included on the order sheet we fax to them. Your input would be greatly appreciated.

[Uncle Fester]

My significant other works in a hospital dispensary and had to deal with this about a year ago. It was a multipage questionnaire all vendors supposedly had to fill out for medicare purposes. Some of the smaller vendors basically said they wouldn't do it as the account was too small.

Nothing more came of it and eventually it fell by the wayside and they are happy to be letting sleeping dogs lie.

[wmcdonald]

There is no requirement for this under HIPAA. It sounds as though your office manager is attempting to cover all the bases, but even in the case of diagnostic information, organizations can share related patient information if it is done in the course of treatment of that individual patient. In other words, a traditional doctor's office can fax a request to the medical lab to have blood drwan and that is not a HIPAA violation. Sending the Rx order to the optical lab is not in violation, but if the practive administrator wants them to sign a form, then it will not hurt anyone.

[Diane]

Wouldn't be a problem, except you need to only include the patient's name. Don't let the other information be sent to the lab. There is no reason for it. Delete the address, phone number and any personal information.

Diane

[sharpstick777]

Your Lab, and your accountant, and your computer IT specialists are all "Covered Entities" under HIPAA, your accountant probably knows this, but I wonder why you Office Manager doesn't? A "Covered Entity" is any professional, person or service, that you must interact with to complete patient care. It also cover second opinions. Those people are bound by HIPAA just as if they were employees of you business, even if they are not.

I have serious doubts about your office manager, really? he/she doesn't know about covered entities?

Our ophthalmology office manager just told us we need to have our labs sign a business associate contract to continue to do business with them. In calling our lab, they said they have accounts with medical clinics throughout the country, and we're the first to bring this up. Anyone else familiar with this issue. Is optical exempt from this? There is no diagnosis information ever sent to the lab; just Rx, pt's name, ph#, and address included on the order sheet we fax to them. Your input would be greatly appreciated.

[huskypaul]

Agreed, I've never ordered ophthalmic; spectacle lenses, with any more then a patient name(which you can substitute a tray number in many cases) RX, material, PD (did I say that) all other essential lens info. Having never had the privilege of dispensing medicare/medicaid, I can't speak on their behalf, however, I see no reason why a optical lab would require any personal info from said individual. Although, they may be stalkers. In which case you may be able to sell them binoculars and or telescopes.

[eyechick1969]

I'm really glad to see that so many of you, (the opticians) have eased up on this.! Hippa only applies to docs!

[wmcdonald]

I'm really glad to see that so many of you, (the opticians) have eased up on this.! Hippa only applies to docs!

With all due respect, that is simply incorrect. It applies to any type of provider of health care and/or health-related products or services.

[huskypaul]

I'm having some issues with this, HIPAA was designed to protect the indivduals electronic health information, why would you be sending ABC Optical Laboratory any information derived from their exam chart other than their refractive correction?

With all due respect, that is simply incorrect. It applies to any type of provider of health care and/or health-related products or services.

[eyechick1969]

With all due respect, that is simply incorrect. It applies to any type of provider of health care and/or health-related products or services.

Can you please show me where it is written that this applies to Opticians! Please!

[optical24/7]

Can you please show me where it is written that this applies to Opticians! Please!

A medical device company meets the Privacy Rule’s definition of “health care provider” if it furnishes, bills, or is paid for “health care” in the normal course of business. “Health care” under the Rule means care, services or supplies related to the health of an individual. Thus, a device manufacturer is a health care provider under the Privacy Rule if it needs protected health information to counsel a surgeon on or determine the appropriate size or type of prosthesis for the surgeon to use during a patient’s surgery, or otherwise assists the doctor in adjusting a device for a particular patient. Similarly, when a device company needs protected health information to provide support and guidance to a patient, or to a doctor with respect to a particular patient, regarding the proper use or insertion of the device, it is providing “health care” and, therefore, is a health care provider when engaged in these services. See 65 FR 82569. By contrast, a medical device company is not providing “health care” if it simply sells its appropriately labeled products to another entity for that entity to use or dispense to individuals.

http://www.hhs.gov/hipaafaq/providers/business/490.html

Optician must comply with HIPAA. Labs, frame suppliers are device manufacturers and don't. You are directly supplying a medical device (though low on the totem pole) to a person.

[MikeAurelius]

<snipped for clarity>

Labs, frame suppliers are device manufacturers and don't. You are directly supplying a medical device (though low on the totem pole) to a person.

However, there is always the possibility that at some time in the future they might (labs that is). AND, if you get a patient name attached to a script, then, I would suggest that HIPAA DOES apply.

The simple step we took was to move our internal Rx database - layout processing and history - to a secure server isolated from the internet via a hardware firewall. Access to the data follows HIPAA rules. Hardcopies are shredded when the Rx ships.

[sharpstick777]

The primary purpose of HIPAA was not privacy, 43 states at the time protected health information. The primary purpose was to prevent fraud, with a nightmare of different regulations across states Medicare could not get enough information to ensure against fraud.

Privacy was secondary. Its why insurers are specifically able to access information about patients they need. Its probably cut Medicare fraud about $2 billion a year.

I'm having some issues with this, HIPAA was designed to protect the indivduals electronic health information, why would you be sending ABC Optical Laboratory any information derived from their exam chart other than their refractive correction?

[sharpstick777]

Can you please show me where it is written that this applies to Opticians! Please!

All Health Providers that provide either primary, secondary and even tertiarry care are specifically limited under HIPAA regulation, its very broad definition of "care." If all you sell is non-RX sunwear, frames or non-RX readers, those are not HIPAA. If you sell lenses, that require an RX, then it is. There is no legal differentiation for a spectacle or medical RX, except with DEA controlled substances. Opticians are a pharmacy of sorts, even if your independant you are under HIPAA.
.

[sharpstick777]

Labs, frame suppliers are device manufacturers and don't. You are directly supplying a medical device (though low on the totem pole) to a person.

Labs actually might get around it if we didn't know the patient name, once we have the patient name we are under HIPAA, its now protected health information. One of our owners is an attorney. We have the same document requirements as a direct medical provider in most states.

[sharpstick777]

I'm having some issues with this, HIPAA was designed to protect the indivduals electronic health information, why would you be sending ABC Optical Laboratory any information derived from their exam chart other than their refractive correction?

You are correct, you should only send that minimum information necessary for patient care, however, if there is an under lying pathology that could affect outcome, or, your lab is consulting, any information you share to complete patient care with a Lab is considered an expert consultation, is OK under HIPAA.

Discussing their gall bladder surgery is not OK. The information must be relevant to the care.

However, if a blood lab is doing testing, the fact they had gall bladder surgery, might be relevant to them. It would be OK to share with them.

[huskypaul]

You are correct, you should only send that minimum information necessary for patient care, however, if there is an under lying pathology that could affect outcome, or, your lab is consulting, any information you share to complete patient care with a Lab is considered an expert consultation, is OK under HIPAA.

Discussing their gall bladder surgery is not OK. The information must be relevant to the care.

However, if a blood lab is doing testing, the fact they had gall bladder surgery, might be relevant to them. It would be OK to share with them.

Are you saying that if I consult with my Lab about a specific patients RX, I will also give you a specified pathology connected with that patient, macular degeneration, why would I share any private information, DOB, Address, SSN, Hair Color etc... more importantly why would a whole sale lab require any more info than last name or a tray number. We are sharing info about last name; Jones or tray 1234. I am not faxing nor am I emailing the patients record, personal info, or the doctors findings. How can this be construed as a violation under HIPAA.

[rbaker]

The primary purpose of HIPAA was not privacy, 43 states at the time protected health information. The primary purpose was to prevent fraud, with a nightmare of different regulations across states Medicare could not get enough information to ensure against fraud.

Privacy was secondary. Its why insurers are specifically able to access information about patients they need. Its probably cut Medicare fraud about $2 billion a year.

Another facet of HIPPA is "Portability" so that the patients medical records can be accesed by other health care providers.

[sharpstick777]

Are you saying that if I consult with my Lab about a specific patients RX, I will also give you a specified pathology connected with that patient, macular degeneration, why would I share any private information, DOB, Address, SSN, Hair Color etc... more importantly why would a whole sale lab require any more info than last name or a tray number. We are sharing info about last name; Jones or tray 1234. I am not faxing nor am I emailing the patients record, personal info, or the doctors findings. How can this be construed as a violation under HIPAA.

You can share with your lab ANY pathology that is relevant for completion of care, but ONLY those pathologies that are.

Date of Birth can be relevent, primary member, ID#, authorization number, etc. if the lab is required by insurance to prove that it was truly that patient. But again, only that information the insurance company requires is considered relevant, otherwise not. Only share what you must, nothing that isn't. Using a patients name is not a HIPAA violation with a Covered Entity, or when calling for a patient in the exam room for example.

I am not sure what you are saying, or what you are asking. Please restate if that didn't answer your question.

[jakef]

Whether you need a Business Associate Contract for you lab would really depend on your Hipaa agreement that you have with the patient, assuming you are operating within a medical practice. Most Hipaa agreements would include 'Normal business operations' which would exclude your lab from a BAC. That being said, I like the cover all of your bases approach personally. Reading and understanding the rules in Hipaa is like trying to prove that science and religion work together, and I would never want to have a debate with the Attorney General on who has interpreted Hipaa correctly. We can't even seem to get the abbreviation right!

[shanbaum]

The short answer is, if the lab is providing only "treatment" (that is, you send an Rx for lenses or spectacles to be made, personally identified or not), a BAA is not required. That's because there's an exception to the requirement for a BAA for treatment services. However, if the lab were (for example) going to bill a third party for the treatment, or otherwise engage in some business activity unrelated to treatment, then you would need to have a BAA with the lab, and with any subcontractors of the lab who might reasonably be expected to receive any PHI.

[sabk1973]

opening a optical retail store with no dr , what must i do other then a consent form for hipaa compliant? thanks in advance, looked all over no answers