Deadline Approaching: Have You Conducted Your Security Risk Analysis for 2022? Our Team is Here To Help! Click Here to Learn More!

Working with Multiple Providers

Q: If a healthcare worker did not have a titer drawn after the HBV vaccine was completed, how long afterward could we assume that he/she is a responder/non-responder? Many titers wane after years and are no longer detectable. How do we know the worker continues to be protected?

Person Holding Injection

A: If the healthcare worker did not have a titer, you must assume non-responder status. Regarding testing, and boosters, booster doses of the hepatitis B vaccine are not necessary, and periodic testing to monitor antibody concentrations after completion of the vaccine series is not recommended. Any blood or body fluid exposure sustained by an unvaccinated, susceptible person should lead to the initiation of the hepatitis B vaccine series.

We have received a lot of questions about this issue lately. It is important that you are aware of this practice and what you should do about it.

Q: Our billing company provides services to multiple providers. The billing company requires the original charge sheets an explanation of benefits forms for billing and posting. When we requested copies of the original documents for healthcare operations purposes, the billing company indicated it could not provide copies because they were commingled with other clients' documents. Is this a HIPAA violation?

Also, the billing company indicated it would send all its clients' documents for us to sort through to find our practice's documentation. Is this a HIPAA violation? What are the specific regulatory citations?

A: Commingling different practices' documentation is most likely a violation of the HIPAA Privacy Rule because it violates the minimum necessary standard. Any individual at the billing company has access to PHI from multiple practices, and unless all employees conduct billing for all the practices, access to more than the documents required for their job violates the minimum necessary standard. Also, business associates (BAs) are required to make each of the practices' documentation available to satisfy an OCR audit. If the billing company is unable to produce that documentation, that represents another violation of HIPAA and a violation of the BA contract.

Finally, sending a single practice all the documentation for all practices is also a violation of the minimum necessary provisions of the HIPAA privacy rule. A single practice should not have access to other practices 'documentation; the additional documentation is unnecessary for its healthcare operations. The billing company should only provide the practice with its own documentation.

The specific regulatory citations are 45 CFR 164.502(b) for minimum necessary requirements and 45 CFR 160.310 for OCR compliance investigations.

Practices really should retain original documentation and send the billing company copies. In many states, the practices "own" those documents, and for many legal reasons, it is not wise to give away original patient-related documentation. The billing company is the BA and has no legal standing to require the practice to supply it with original patient documents.