Guest guest
Posted April 25, 2012

For those using AppointmentQuest, here is the reply I got from them about HIPAA and Business Associate Agreements.

Seto
South Pasadena, CA

Begin forwarded message:

Subject: Re: Support Request (1040175059): Business Associate Agreement and HIPAA
Date: April 24, 2012 4:05:56 PM PDT
To: Seto

Dear Seto,

The article you have referenced is referring to "physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible". This indeed appears to be a serious privacy breach.

HIPAA regulations do not apply to AppointmentQuest scheduling services since AppointmentQuest does not perform insurance, payment or related transactions (HIPAA transactions), and does not collect any medical history from your patients. We do not advise storing disclosed electronic protected health information (ePHI) in AppointmentQuest databases. Customer contact and appointment information is kept private and shared only with you (service provider).

For more information on healthcare scheduling and HIPAA, please visit:
http://www.appointmentquest.com/scheduling/healthcare

Specifically, please read "Medical Scheduling, Privacy and HIPAA" on the page referenced above. HIPAA regulations do not apply to software, as HIPAA is an organizational/operational set of requirements.

More than 20% of AppointmentQuest customers are doctors and small medical offices. We understand specific healthcare requirements and enforce very strict security measures in our systems.

Nevertheless, we would like to advise you against storing patient sensitive information (such as SSN, DOB, and insurance information) in AppointmentQuest Online Appointment Manager. The main concern here is not a hacker attack or an online security incident (which has never happened successfully in the entire history of AppointmentQuest operations), but an insider breach, such as, hypothetically, one of your fired employees having access to your AppointmentQuest account externally. This general rule applies to all online systems, and not just AppointmentQuest in particular.

We take customer and service provider privacy and security very seriously by enforcing high standards of electronic and physical security on our premises and data center space. AppointmentQuest does not collect, sell, share, disclose or provide customer, appointment and service provider information to any third parties unless required by law. For more information, please see AppointmentQuest Privacy Policy:
http://www.appointmentquest.com/privacy

AppointmentQuest does not sign BA Agreements. If you intend to store patient privacy sensitive information in your online scheduling system you may consider choosing another scheduling provider that offers signed BA Agreements.

Sincerely,
AppointmentQuest Customer Service
support@...
www.appointmentquest.com

On Apr 23, 2012, at 6:45 PM, you wrote:

I just read a news article about a medical practice being fined $100,000 because they didn't have a Business Associate Agreement with the appointment scheduling service they used. How would I go about getting AppointmentQuest to sign a Business Associate Agreement with me so that it meets the HIPAA Federal Privacy rules? Here is a link to the article:
http://www.hhs.gov/news/press/2012pres/04/20120417a.html

If you are not able to sign a Business Associate Agreement, then I think I would need to find another online appointment service that could sign an agreement. Thank you for your prompt response.

Seto, MD