socrateaser, Lawyer
Category: Legal

HIPAA Compliance Question: Using Quickbooks online cloud-based

HIPAA Compliance Question: Using Quickbooks online cloud-based accounting software (NOT HIPAA-compliant) to account for patient refund payments:

A small medical practice uses Quickbooks online for accounting purposes. About 100-200 patient refund checks are sent every year. This poses the following dilemma:
Patient names, addresses, and medical record numbers are PHI.
Quickbooks online is NOT HIPAA-compliant per their website, although the data is indeed stored in a secure and encrypted manner.

Therefore, is writing a patient a refund check which has their name, address and account number and having that information stored online in a non-HIPAA compliant cloud based vendor a HIPAA violation?
What if checks are printed with just the patient’s account number – then the name and address are added by hand. Is the “account number” the same as a “medical record number”? If not, is an “account number” PHI?
How about simply printing a check with just the name and address and no account number on it? Is just writing an individual a check a HIPAA violation? There would be no indication that the check represented a refund for a medical office visit, although the name and address of the doctor and practice would indeed be on the check. Other PHI such as medical information would not be stored on the cloud. It would simply be payment to another vendor as far as Quickbooks is concerned. The accounting software would note it as a refund – non specific. The check could be mailed with a statement generated on the HIPAA-compliant in-office medical billing software so that the patient would know why they are getting the check, but that information would not be input into Quickbooks.
The only other solution that I can think of would be to have an entirely separate paper-only account for refunds with an old fashioned checkbook ledger. The accounting for that account would be completely independent from the online accounting software and only reconciled with it offline for accounting purposes at tax time by the accountant in order to deduct refund expense on the tax return.
Hello,

You asked:

Therefore, is writing a patient a refund check which has their name, address and account number and having that information stored online in a non-HIPAA compliant cloud based vendor a HIPAA violation?

A: Yes. Failure to follow the HIPAA security regulations violates federal law. Title 45 C.F.R. Part 164, Subpart C.

What if checks are printed with just the patient’s account number – then the name and address are added by hand. Is the “account number” the same as a “medical record number”? If not, is an “account number” PHI?

A: A unique identifier that would permit a person to identify a particular user is not PHI, under the regulations. The character of an identifier is not determined by its name. What matters is whether or not PHI is actually disclosed.

How about simply printing a check with just the name and address and no account number on it? Is just writing an individual a check a HIPAA violation?

A: No. There is nothing in the regulations that would make this a HIPAA violation.

There would be no indication that the check represented a refund for a medical office visit, although the name and address of the doctor and practice would indeed be on the check. Other PHI such as medical information would not be stored on the cloud. It would simply be payment to another vendor as far as Quickbooks is concerned. The accounting software would note it as a refund – non specific. The check could be mailed with a statement generated on the HIPAA-compliant in-office medical billing software so that the patient would know why they are getting the check, but that information would not be input into Quickbooks.
The only other solution that I can think of would be to have an entirely separate paper-only account for refunds with an old fashioned checkbook ledger. The accounting for that account would be completely independent from the online accounting software and only reconciled with it offline for accounting purposes at tax time by the accountant in order to deduct refund expense on the tax return.


A: The issue for HIPAA purposes is whether or not PHI is protected according to the regulations. If no PHI is placed into QB, then there is no HIPAA violation.

Please let me know if I can clarify or further assist.

Hope this helps.
Customer: replied 3 years ago.

To understand correctly and make sure this isn't a typo:

A unique identifier that would permit a person to identify a particular user is not PHI, under the regulations. The character of an identifier is not determined by its name. What matters is whether or not PHI is actually disclosed.

Because in the first part of your answer you mentioned that the name, address and account number on the check stored in the non-HIPAA-compliant cloud accounting software would be a violation of the statutes.

So that has me a little confused. But the point is moot since it seems that simply issuing someone a check without any link to their medical record/PHI should be ok. In the server-based medical billing software (which is HIPAA compliant) we can reference the check number to the patient's account. The check itself and the record of same which is stored non-compliantly on the cloud needs no reference back to the patient's account since the check number itself could be used for that purpose.

So in a nutshell: ok to write checks to patients to refund them money using Quickbooks online so long as no account number or any other reference appears in that record whatsoever? Quickbooks is not being used as the medical billing software; that is separate, onsite and compliant. Sorry to drag it out. I'm not into any 1.5 million dollar fines and yes I attract that sort of headache due to some karmic debt from another lifetime it seems :(

Your first question was premised on the statement that the software application is not HIPAA compliant. Therefore, using it to store PHI would be a HIPAA violation. Then, you provide details suggesting that the software is not storing any PHI. If it's not storing PHI, then it doesn't need to be HIPAA compliant.

ok to write checks to patients to refund them money using quickbooks online so long as no account number or any other reference appears in that record whatsoever?

A: Yes. However, there is a possible risk that the manual extraction of the account information so as to generate the checks could produce a HIPAA violation, if the person who extracts the information does so in a manner that does not maintain the confidentiality of the person's PHI. I can't think of a scenario for how this would occur. But, I'm sure that DHHS could identify it, if you were to be audited.

I'm not trying to foreclose your billing model -- just suggesting that you need to carefully look at how this information is handled, between the time that it is taken out of the compliant system and the moment that it is input into the non-compliant system.

Hope this helps.
Customer: replied 3 years ago.

Thanks. That information is handled solely by me since I am the only one using the Quickbooks accounting software and I am the doc. I doubt this would be considered a breach. Thanks for all your help.
