Medicare Compliance & Reimbursement

HIPAA COMPLIANCE:

Avoid Rough Waters With A Business Associate Agreement

Have you hit the PHI creek without a paddle?

Do you store your protected health information (PHI) at a data warehouse? If your answer is "Yes," then you'd better grab a business associate agreement (BAA) before your PHI ship is sunk.

Get The Right PHI Flow

Keep in mind that not all warehoused data is the same. "You only need a business associate agreement with your vendor if they are getting PHI," explains attorney Michael Roach at Chicago's Michael C. Roach & Associates. If the data sent to the warehouse is de-identified, then there is no obligation to obtain the agreement, he confirms.

Encrypted PHI is trickier, experts agree. "An encrypted file in its native form can't be read and isn't PHI," states Marc Goldstone, an attorney with Hoagland Longo in New Brunswick, NJ. "Encrypted PHI can be decoded" and people can easily get into your patients' files if you don't use a strong encryption method, he warns.

Consider these scenarios:

Scenario A: You hire a third party to strip your patient files of all identifiable information, and it then sends those files to a warehouse.

Scenario B: You bundle medical records and send them to the warehouse. All the warehouse knows is that it has Bundle 1. When you need particular records, you call the warehouse and ask them to send you Bundle 1.

Scenario C: You send the warehouse all your patient files and they bundle them. When you want a particular record, you call the warehouse and ask for it by name. The warehouse goes into the bundle and pulls that record.

In Scenario A, there is no way for your patient's information to be used inappropriately, so you do not have to sign a BAA with the warehouse. But "very rarely is there a reason to warehouse de-identified data," Goldstone says. While the third party de-identifier is a business associate, you probably don't need to spend your time and money on a warehouser. Scenarios B and C up the ante. Scenario B puts the warehouser in the position of a conduit, Roach posits. "We know that couriers like the post office are not business associates," he says. The warehouse is simply moving the bundles, not accessing or using the information within.

In Scenario C, the warehouse not only handles your patients' files, it also has full access to the information contained within them. That means patients' private health information is vulnerable. A BAA will force the warehouser to protect that sensitive information from a privacy or security breach, experts remind.

Here's How To Play It Safe

Whether you bundle (encrypt) the files you send your warehouser or you ask them to do that for you, a BAA could keep you dry in the [...]