We commonly receive questions from our clients related to Business Associate Agreements (BAA’s). We have found that certain DME providers are refusing to provide BAA’s. claiming that they are Healthcare Providers.
Whenever I have a question about HIPAA I check the published HIPAA regulations
Based upon what is on the HHS website, my opinion is:
Paragraph 1 – specifically is to allow the DME provider to view patient data they need the data to deliver the appropriate range of sizes for a patient. The only information the vendor needs in many cases is the image (either digital or cast) of the patient’s anatomy that will interface with the device and information that relates to the patients use of the device such as weight. You need to determine what clinical information is vital to allow for proper selection of materials and fabrication of the device.
Paragraph 2 – allows the representative to be present when the device is being provided to the patient.
Paragraph 3 - if they are viewing the patient records to provide consultation, advice, or assistance with fabrication of the device
Paragraph 4 - you can share info if you need to do so to facilitate payment
Paragraph 5 - You can share info if you need to report an adverse event.
Under the minimum necessary provision of HIPAA you may only share information necessary for the DME vendor to provide the device to your practice. If you are sending a physical or digital impression of a patients anatomy to a laboratory and some physiologic information that is usually enough information for them to fabricate a device. Protected Health Information such as the Patients Name is not necessary for the DME vendor to fabricate the device. In my opinion these are the two best options when ordering prosthetics and orthotics that you will dispense in your office.
1. Get a BAA with the DME vendor so that you can share the patient name and make it easier for you to track the devices when they are received and dispensed to the proper patient.
2. Send out the information in a de-identified manner so that the manufacturer does not know the identity of the patient.
Some practices do keep a hard copy logbook that has the patients name as well as a ‘code’ that is put on the order for the device and then cross reference the codes when the devices arrive. Others find that process onerous and obtain BAA’s from the DME Vendors. Sharing patient names with a DME manufacturer without a BAA could be considered a HIPAA violation. We strongly recommend that you follow steps 1 or 2 above to remain compliant with the HIPAA regulations.
I have had conversations with DME vendors and asked if they need patient names on the forms, or if they could fabricate the devices with just a 'code' instead of a name. Some vendors have said that a code is fine, others have said that their software requires a first name and a last name. If you want to use a code and the manufacture requires data in both the first name and last name fields of the order form, I would recommend that you put your practice name as the first name and the code as the last name.
Disclaimer - I am not an attorney and this should not be considered legal advice. I am a practicing Podiatrist who is a Certified HIPAA Professional. If you need specific legal advice please seek a qualified healthcare attorney who is knowledgeable in HIPAA.