- Currently, practice management software (PMS) vendors are considered HIPAA business associates and therefore subject to the HIPAA Privacy and Security Rules, but not the HIPAA transactions and codes set requirements.
The Healthcare Administrative Technology Association (HATA), which represents the PMS industry, wants to keep things that way.
HATA issued a statement on July 24 saying that it does not support designating PMS vendors as HIPAA “covered entities,” which would require PMS vendors to incorporate all HIPAA transactions and code sets.
“Increased capital investment, if not offset by client demand, does not make good business sense, and has the potential to negatively affect the existing client base through price increases of the existing or upgraded software to cover business losses,” said HATA President Eric Christ in the statement.
“Many vendors support various versions of their software, since their clients are not willing to upgrade to newer versions with additional capabilities, such as the ability to send and receive prior authorization,” Christ noted.
“Like any business, capital decisions for solution capabilities and enhancements are determined by proven return on investment and client demand. Return on investment can only be realized when most payers and clients are willing to adopt and use new/updated solutions and standard transactions within their workflows and adhere to the standard transaction requirements,” Christ stressed.
HATA Executive Director Tim McMullen told HealthITSecurity.com that his organization decided to clarify its position on this issue as a “preemptive” move in response to the National Committee on Vital and Health Statistics’ (NCVHS) Predictability Roadmap effort.
NCVHS serves as the public advisory body to HHS for health data, statistics, privacy, and national health information policy and HIPAA.
As part of the Predictability Roadmap, NCVHS is developing recommendations related to electronic transactions, terminologies and code sets, identities, clinical documentation, and security measures in terms of their impact on the healthcare system.
NCVHS held a CIO forum in May to discuss the roadmap, including the issue of whether vendors and other third parties should be considered covered entities.
“One of the things that was brought up in the discussions about the forum agenda was third-party entities becoming covered entities. Some folks thought that if you are not a covered entity and you are not forced to support all of the HIPAA transactions and code sets, that’s what is causing the problem, McMullen explained.
An NCVHS summary of the CIO forum included a problem statement concerning third parties. “Vendors and other business associates are not covered entities despite a role in the conduct of the adopted standards. The Federal Government is limited in its authority over noncovered entities. This impacts the use of standards in a variety of ways, from costs to actual utilization.”
The forum discussion about this problem statement identified criteria that could be used in considering who should or should not come under the HIPAA umbrella, the summary explained.
The first criterion focused on leveling the playing field and sharing the risks; the second emphasized simplification to make it easier for patients to understand the HIPAA status of those who touch their data.
A physician at the forum said that all those who touch patient data should face the same requirements. In contrast, other participants laid out the reasons why their sectors should remain as third-party, noncovered entities. One individual in that category described his company’s work, as a business associate, to secure data and protect patient privacy and confidentiality.
At the time of the forum, HATA did not have a position on the issue of whether PMS vendors should be designated as covered entities. Following the forum, the HATA board decided to clarify its position.
“We need to have a clear case why we should not be covered entities. It comes down to the client’s use and need. For a practice management system to invest in the R&D required and the manpower to program all of this, when the client doesn’t ask for it, is a waste of resources,” McMullen said.