To understand correctly and make sure this isn't a typo:
A unique identifier that would permit a person to identify a particular user is not PHI, under the regulations. The character of an identifier is not determined by its name. What matters is whether or not PHI is actually disclosed.
Because in the first part of your answer you mentioned that the name, address and account number on the check stored in the non-HIPAA-compliant cloud accounting software would be a violation of the statutes.
So that has me a little confused. But the point is moot since it seems that simply issuing someone a check without any link to their medical record/PHI should be OK. In the server-based medical billing software (which is HIPAA compliant) we can reference the check number to the patient's account. The check itself and the record of same which is stored non-compliantly on the cloud need no reference back to the patient's account since the check number itself could be used for that purpose.
So in a nutshell: OK to write checks to patients to refund them money using QuickBooks Online so long as no account number or any other reference appears in that record whatsoever? The QuickBooks is not being used as the medical billing software; that is separate and onsite and compliant. Sorry to drag it out. I'm not into any 1.5 million dollar fines and yes I attract that sort of headache due to some karmic debt from another lifetime it seems :(
Thanks. That information is handled solely by me since I am the only one using the QuickBooks accounting software and I am the doc. I doubt this would be considered a breach. Thanks for all your help.