How JustAnswer Works:

  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site.
    Ask follow up questions if you need to.
  • 100% Satisfaction Guarantee
    Rate the answer you receive.

Ask socrateaser Your Own Question

socrateaser
socrateaser, Lawyer
Category: Legal
Satisfied Customers: 33369
Experience:  Retired (mostly)
Type Your Legal Question Here...
socrateaser is online now
A new question is answered every 9 seconds

HIPAA Compliance Question: Using Quickbooks online cloud-based

Resolved Question:

HIPAA Compliance Question: Using Quickbooks online cloud-based accounting software (NOT HIPAA-compliant) to account for patient refund payments:

A small medical practice uses Quckbooks online for accounting purposes. About 100-200 patient refund checks are sent every year. This poses the following dilemma:
​Patient names, addresses, and medical record numbers are PHI
Quickbooks online is NOT HIPAA-compliant per their website. Although the data is indeed stored in a secure and encrypted manner.

Therefore, is writing a patient a refund check which has their name, address and account number and having that information stored online in a non-HIPAA compliant cloud based vendor a HIPAA violation?
What if checks are printed with just the patient’s account number – then the name and address are added by hand. Is the “account number” the same as a “medical record number”? If not, is an “account number” PHI?
How about simply printing a check with just the name and address and no account number on it? Is just writing an individual a check a HIPAA violation? There would be no indication that the check represented a refund for a medical office visit, although the name and address of the the doctor and practice would indeed be on the check. Other PHI such as medical information information would not be stored on the cloud. It would simply be payment to another vendor as far as Quickbooks is concerned. The accounting software would note it as a refund – non specific. The check could be mailed with a statement generated on the HIPAA-compliant in-office medical billing software so that the patient would know why they are getting the check, but that information would not be input into Quickbooks.
The only other solution that I can think of would be to have an entirely separate paper-only account for refunds with an old fashioned checkbook ledger. The accounting for that account would be completely independent from the online accounting software and only reconciled with it offline for accounting purposes at tax time by the accountant in order to deduct refund expense on the tax return.
Submitted: 9 months ago.
Category: Legal
Expert:  socrateaser replied 9 months ago.
Hello,

You asked:

Therefore, is writing a patient a refund check which has their name, address and account number and having that information stored online in a non-HIPAA compliant cloud based vendor a HIPAA violation?

A: Yes. Failure to follow the HIPAA security regulations violates federal law. Title 45 C.F.R. Part 164, Subpart C.

What if checks are printed with just the patient’s account number – then the name and address are added by hand. Is the “account number” the same as a “medical record number”? If not, is an “account number” PHI?

A: A unique identifier that would permit a person to identify a particular user is not PHI, under the regulations. The character of an identifier is not determined by its name. What matters is whether or not PHI is actually disclosed.

How about simply printing a check with just the name and address and no account number on it? Is just writing an individual a check a HIPAA violation?

A: No. There is nothing in the regulations that would make this a HIPAA violation.

There would be no indication that the check represented a refund for a medical office visit, although the name and address of the the doctor and practice would indeed be on the check. Other PHI such as medical information would not be stored on the cloud. It would simply be payment to another vendor as far as Quickbooks is concerned. The accounting software would note it as a refund – non specific. The check could be mailed with a statement generated on the HIPAA-compliant in-office medical billing software so that the patient would know why they are getting the check, but that information would not be input into Quickbooks.
The only other solution that I can think of would be to have an entirely separate paper-only account for refunds with an old fashioned checkbook ledger. The accounting for that account would be completely independent from the online accounting software and only reconciled with it offline for accounting purposes at tax time by the accountant in order to deduct refund expense on the tax return.


A: The issue for HIPAA purposes is whether or not PHI is protected according to the regulations. If no PHI is placed into QB, then there is no HIPAA violation.

Please let me know if I can clarify or further assist.

Hope this helps.
Customer: replied 9 months ago.


to understand correctly and make sure this isn't a typo:


 


A unique identifier that would permit a person to identify a particular user is not PHI, under the regulations. The character of an identifier is not determined by its name. What matters is whether or not PHI is actually disclosed.


 


Because in the first part of your answer you mentioned that the name address and account number on the check stored in the non-hipaa compliant cloud accounting software would be a violation of the statutes.


 


So that has me a little confused. But the point is moot since it seems that simply issuing someone a check without any link to their medical record/PHI should be ok. In the server based medical billing software (which is hipaa compliant) we can reference the check number to the patient's account. The check itself and the record of same which is stored non compliantly on the cloud needs no reference back to the patients account since the check number itself could be used for that purpose.


 


So in a nutshell: ok to write checks to patients to refund them money using quickbooks online so long as no account number or any other reference appears in that record whatsoever? The quickbooks is not being used as the medical billing software, that is separate and onsite and compliant. Sorry to drag it out. I'm not into any 1.5 million dollar fines and yes I attract that sort of headache due to some karmic debt from another lifetime it seems :(


 

Expert:  socrateaser replied 9 months ago.
Your first question was premised on the statement that the software application is not HIPAA compliant. Therefore, using it to store PHI would be a HIPAA violation. Then, you provide details suggesting that the software is not storing any PHI. If it's not storing PHI, then it doesn't need to be HIPAA compliant.

ok to write checks to patients to refund them money using quickbooks online so long as no account number or any other reference appears in that record whatsoever?


A: Yes. However, there is a possible risk that the manual extraction of the account information so as to generate the checks could produce a HIPAA violation, if the person who extracts the information does so in a manner that does not maintain the confidentiality of the person's PHI. I can't think of a scenario for how this would occur. But, I'm sure that DHHS could identify it, if you were to be audited.

I'm not trying to foreclose your billing model -- just suggesting that you need to carefully look at how this information is handled, between the time that it is taken out of the compliant system and the moment that it is input into the non-compliant system.

Hope this helps.
socrateaser, Lawyer
Category: Legal
Satisfied Customers: 33369
Experience: Retired (mostly)
socrateaser and 6 other Legal Specialists are ready to help you
Customer: replied 9 months ago.


thanks. that information is handled solely by me since I am the only one using the quickbooks accounting software and I am the doc. I doubt this would be considered a breach. thanks for all your help.

JustAnswer in the News:

 
 
 
Ask-a-doc Web sites: If you've got a quick question, you can try to get an answer from sites that say they have various specialists on hand to give quick answers... Justanswer.com.
JustAnswer.com...has seen a spike since October in legal questions from readers about layoffs, unemployment and severance.
Web sites like justanswer.com/legal
...leave nothing to chance.
Traffic on JustAnswer rose 14 percent...and had nearly 400,000 page views in 30 days...inquiries related to stress, high blood pressure, drinking and heart pain jumped 33 percent.
Tory Johnson, GMA Workplace Contributor, discusses work-from-home jobs, such as JustAnswer in which verified Experts answer people’s questions.
I will tell you that...the things you have to go through to be an Expert are quite rigorous.
 
 
 

What Customers are Saying:

 
 
 
  • Mr. Kaplun clearly had an exceptional understanding of the issue and was able to explain it concisely. I would recommend JustAnswer to anyone. Great service that lives up to its promises! Gary B. Edmond, OK
< Last | Next >
  • Mr. Kaplun clearly had an exceptional understanding of the issue and was able to explain it concisely. I would recommend JustAnswer to anyone. Great service that lives up to its promises! Gary B. Edmond, OK
  • My Expert was fast and seemed to have the answer to my taser question at the tips of her fingers. Communication was excellent. I left feeling confident in her answer. Eric Redwood City, CA
  • I am very pleased with JustAnswer as a place to go for divorce or criminal law knowledge and insight. Michael Wichita, KS
  • PaulMJD helped me with questions I had regarding an urgent legal matter. His answers were excellent. Three H. Houston, TX
  • Anne was extremely helpful. Her information put me in the right direction for action that kept me legal, possible saving me a ton of money in the future. Thank you again, Anne!! Elaine Atlanta, GA
  • It worked great. I had the facts and I presented them to my ex-landlord and she folded and returned my deposit. The 50 bucks I spent with you solved my problem. Tony Apopka, FL
  • Not only did he answer my Michigan divorce question but was also able to help me out with it, too. I have since won my legal case on this matter and thank you so much for it. Lee Michigan
 
 
 

Meet The Experts:

 
 
 
  • Tina

    Lawyer

    Satisfied Customers:

    8436
    JD, BBA Over 25 years legal and business experience.
< Last | Next >
  • http://ww2.justanswer.com/uploads/MU/multistatelaw/2011-11-27_173951_Tinaglamourshotworkglow102011.64x64.jpg Tina's Avatar

    Tina

    Lawyer

    Satisfied Customers:

    8436
    JD, BBA Over 25 years legal and business experience.
  • http://ww2.justanswer.com/uploads/RA/ratioscripta/2012-6-13_2955_foto3.64x64.jpg Ely's Avatar

    Ely

    Counselor at Law

    Satisfied Customers:

    19941
    Private practice with focus on family, criminal, PI, consumer protection, and business consultation.
  • http://ww2.justanswer.com/uploads/FL/FLAandNYLawyer/2012-1-27_14349_3Fotolia25855429M.64x64.jpg FiveStarLaw's Avatar

    FiveStarLaw

    Attorney

    Satisfied Customers:

    8189
    25 years of experience helping people like you.
  • http://ww2.justanswer.com/uploads/jespoag/2008-12-17_222355_jessepic.jpg JPEsq's Avatar

    JPEsq

    Attorney

    Satisfied Customers:

    2132
    Experience as general attorney, in house counsel, SSDI, Family Law attorney, and law professor
  • http://ww2.justanswer.com/uploads/gsenmartin/2008-04-22_214950_me1.jpg Guillermo J. Senmartin, Esq.'s Avatar

    Guillermo J. Senmartin, Esq.

    Attorney

    Satisfied Customers:

    110
    7+ years of experience handling various legal matters.
  • http://ww2.justanswer.com/uploads/PA/PaulmoJD/2013-10-10_195858_JAImage.64x64.jpg Law Educator, Esq.'s Avatar

    Law Educator, Esq.

    Attorney

    Satisfied Customers:

    31621
    JA Mentor -Attorney Labor/employment, corporate, sports law, admiralty/maritime and civil rights law
  • http://ww2.justanswer.com/uploads/dkaplun/2009-05-17_173121_headshot_1_2.jpg Dimitry K., Esq.'s Avatar

    Dimitry K., Esq.

    Attorney

    Satisfied Customers:

    15975
    Multiple jurisdictions, specialize in business/contract disputes, estate creation and administration.