Can Doctors Use Online Appointment Scheduling?
Online appointment scheduling is a wonderful convenience to patients and doctors alike. However, this convenience does add complexity—you will have another HIPAA business associate and will need to obtain patient authorization. To understand why, let's discuss the three elements of online scheduling.
Many doctors falsely believe appointment data (e.g., patient name with date & time only) does not fall under HIPAA rules because it contains no "clinical" information. The fact is, appointment information is clinical in nature, thus protected health information (PHI), and HIPAA safeguards must be implemented to properly protect this data.
Don't believe me? Consider this scenario:
You're a patient at The Acme Clinic and you discover your last 20 appointments at their facility have been posted on Facebook. Are you upset, or are you indifferent because the world doesn't know your diagnosis or the treatment provided?
You may not care if The Acme Clinic is a dentist or chiropractor, but would likely care deeply if ACME was a mental health, infertility, cancer, diabetes, etc. treatment facility.
The appointment scheduling service itself
Business associate requirement: HIPAA requires that you have a business associate relationship with any person or business that performs a service on your behalf in which the entity has access to PHI. Because all scheduling services, online or off, perform a service for you (scheduling patients) and have access to your PHI when creating and storing appointment records, they are absolutely considered business associates.
This leads to the...
Business associate agreement (the hard part): Countless online appointment scheduling apps exist on the market; a small fraction are HIPAA compliant. In this case, "HIPAA compliant" means the company is willing to sign a business associate agreement (BAA). The hard part (not really hard, just takes time) is figuring out if the service you wish to use is comfortable signing/offering a BAA.
Companies that specifically market themselves as a healthcare service should embrace their business associate responsibilities and have a pre-signed BA agreement as part of their Terms of Service agreement. Meaning, they don't physically sign a BAA with each individual customer; instead, they post a "pre-signed" agreement online for everyone.
With that said, it is still every doctor's responsibility to either obtain a signed BAA from the appointment scheduling service or to ensure that the service's Terms of Service clearly states they fully agree to being a business associate. Never assume the latter to be true.
The last piece of the compliance puzzle related to online appointment scheduling is the patient. Scheduling services will send appointment confirmations and reminders to your patients' email addresses and/or phone numbers. Because those endpoints are typically unsecured and not under the doctor's control, and because obtaining a BAA from patients' email and phone service providers is not possible, the doctor must obtain a patient's authorization before transmitting PHI to an email address or to a phone via text message.
Even though it takes a little legwork to get online appointment scheduling HIPAA compliant, many doctors conclude the benefit of convenience is worth the extra effort.
by Dr. Jeff Brown
Jeff Brown, DC, is CEO at HIPAAMATE and dedicated to making HIPAA compliance comfortable for small- and medium-sized healthcare practices and business associates. Dr. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.