A related (I'm thinking) question: If a lawyer or physician hired a legal/medical assistant to help with records keeping and other office work, are they considered third parties, or as extensions of the lawyer or physician? If a lawyer hires a trusted / secure messenger who delivers a confidential communication which is held in a locked case across town, would that expose the communication to a third party?
Thx!
TomB
They're considered part of the staff and thus covered under the NDA and BLA you should have with them.
My company is a middle-ware and IT company for other medical and insurance handling businesses. I apologize if this sounds like a commercial. I won't tell you where I work, and you've never heard of us anyway. But this may give some perspective from the medical/insurance/legal business as we have clients in these areas and this is what we do.
Under HIPAA we have to have NDAs and Business Level Agreements to secure the data and have the other party agree that we secured the data. It's a two-way street, so as the client audits us, we audit them, and since we're in the middle between their clients, we audit their client and they audit us. The audit intensity varies, and the bar is lower for smaller businesses (though certain minimal expectations are there).
Generally speaking, any office staff who has a need, has authorization to read your file (as a patient). So the doctor, the billing department, the med assistant, the scheduling department, they all get to open your file because they have a need to see info from it to do their job.
Ideally, they'd only be authorized to see your file WHILE you're in the time frame of needing work done, and they'd see as little as possible.
However, that tends to be less practical than logging their access and detecting if they make unusual accesses. It is surprisingly more complicated to enable/disable rights for individual employees who sometimes have a need than it is for the main office staff to see what they want, when they want, because if they were going to screw you, they'd do it in the window they have anyway.
Generally speaking, they're OK.
Now when that office contracts out to an EDI clearing house or something, audits have to happen and contracts get signed. In EDI, there's encryption going on and it's all fairly secure.
The sloppy area is when the office emails files to doctors because doctors can't be bothered to learn the system, or when insurance people email files because they don't use the web portal.
Within your company, Exchange is secure. I can email Patient XYZ to you if we're both employees, and hackers aren't getting it, HIPAA isn't mad. If I email that file to your Gmail account, as this thread indicates, there are problems.
Technically, to include a 3rd party in the transaction requires a BLA under HIPAA. The third party is liable for securing that data, and if they don't KNOW that you're putting Protected Health Information (PHI) on them, how can they comply with HIPAA?
On top of that, email from my server to your server is not secure, unless there's a pre-established encryption between us (TLS, forget what it stands for).
We have TLS set up with some specific clients, but our general approach is NEVER send patient data via email. Our products include web portals for logging in to see your authorized patient data/files and emails that contain links to our web portal. We never send any PHI in our automated emails.
On top of that, Exchange 2010 and above have enforcement rules for preventing a user from sending an email that contains PHI because it looks for the patterns of it (like a social security number).
We're a small company, a breach means somebody gets the data we hold, and we pay for notifications for the affected people, and we pay a million dollar fine to the Department of Health. That's what any of these businesses face. For us, we're scared to death of the HIPAA monster.
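As an added illustration (not code from anyone in this thread), here is a minimal outbound-mail DLP check in the spirit of the Exchange transport rules and the internal-vs-Gmail distinction described above: it flags SSN-shaped tokens in a message body, discards combinations the SSA never issues to cut false positives, and blocks only when such content is addressed outside the organisation. The internal domain and the sample messages are constructed assumptions for this example.

```python
import re

# Assumed organisation domain; anything else counts as an external recipient.
INTERNAL_DOMAIN = "example-clinic.test"

# SSN-shaped token: 3-2-4 digits separated by '-', a space, or nothing,
# not embedded in a longer digit run (so a 10-digit order number is skipped).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never assigns."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return the SSN-shaped tokens in text that pass the plausibility check."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def external_recipients(recipients: list[str]) -> list[str]:
    """Recipients whose mail domain is not the organisation's own."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]


def dlp_decision(recipients: list[str], body: str) -> dict:
    """Block a message only when PHI-like content would leave the organisation."""
    hits = find_ssns(body)
    ext = external_recipients(recipients)
    return {"ssns": hits, "external": ext, "block": bool(hits and ext)}


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    internal = dlp_decision(["dr.smith@example-clinic.test"],
                            "Patient XYZ, SSN 123-45-6789, needs a follow-up.")
    outbound = dlp_decision(["someone@gmail.com"],
                            "Patient XYZ, SSN 123-45-6789, needs a follow-up.")
    print("internal:", internal["block"], "external:", outbound["block"])
```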