DOCUMENTATION

How to Buy or Sell a Practice without Violating HIPAA

December 1 2015 Kathy Mills Chang


By Kathy Mills Chang, MCS-P, CCPC

A client called us because he was selling his practice to a doctor who was threatening to turn our client in for HIPAA violations. Our client was in quite a panic. Interestingly, the doctor making threats was actually the one violating HIPAA, but that didn’t mean our client was off the hook.

Huh?

Here’s some basic background about our client. He had been renting office space from another chiropractor. Many doctors mistakenly believe that this constitutes an associate doctor relationship, and that the HIPAA policy covering the “landlord” practitioner will cover them too.

It’s important to understand that it doesn’t. When one doctor rents space from another, that agreement may include access to a computer or sharing front desk CA services, but there’s no legal connection between the two practices except for a lease.

Our client found this out the hard way when he decided to open a new practice across the county—leaving his current patients behind—and arranged to sell his practice to someone else.

Then it got tricky. Our client came in on his last day—after the practice had been sold. He made copies of patient information and demographics so he could use that information to start his new practice across the county that would focus less on chiropractic and more on weight loss. The purchasing doctor was outraged. Those were his patients now, right? He threatened to turn our client in for violating HIPAA.

Our client was confused. Could this be true? Why, he asked, couldn’t he look at his own patients’ files? Was he really violating HIPAA by copying private health information of patients whom he had treated? Who was in the right here?

As it turns out, both doctors were wrong, and this is why:

• Our client didn’t have his own HIPAA program because he’d wrongly assumed that since he was renting space from another doctor, that doctor’s HIPAA program covered him. The front desk CA had been handing out the other doctor’s notice of privacy, and everyone assumed it would cover our client and his patients too. Not so much.

• Because our client didn’t have a viable HIPAA program, he had nothing in writing that defined what would happen to his patients if he closed or sold his practice.

• Our client, therefore, legally remained the custodian of his patients’ records, and the purchasing doctor had no legal access without each patient’s agreement and signature.

• If our client had been a true associate doctor with the same tax ID number and an employment agreement with his landlord, and the purchasing doctor had agreed to the same arrangement, then all would have been well. However, since each doctor had his or her own separate practice under one roof, every practice was considered its own separate entity.

We’re seeing more of these kinds of compliance-related technicalities. They’re confusing for everyone involved, and very few doctors understand what’s happened to turn their world upside down.

Doctors need to understand that patient records belong to the practice. A purchasing doctor can only have legal access to those records if they are identified as part of the sale, and each patient has to authorize the new doctor’s right to look at his or her protected health information.


We sorted things out for our client and the purchasing doctor, but it was a mess that easily could have been avoided if the appropriate HIPAA policies had been implemented in the first place.

Ultimately, the purchasing doctor was in the wrong because he violated HIPAA by looking at patients’ records that he thought he’d “bought” without the patients’ permission. Our client was also in the wrong because he allowed this to happen without having a written HIPAA policy in place.

Together, they now have to decide if this is a reportable breach. It’s not an easy decision, and it’s not without serious ramifications.

HIPAA is a very big hammer. Take steps to get your compliance policies and programs in place so that this particular hammer never falls on you.

Kathy Mills Chang is a certified medical compliance specialist (MCS-P) and certified chiropractic professional coder (CCPC). Since 1983, she has provided chiropractors with reimbursement and compliance training, advice, and tools to improve the financial performance of their practices. Kathy leads a team of 15 at KMC University and is known as one of our profession’s foremost experts on Medicare. She or any of her team members can be reached at 855-832-6562 or info@KMCUniversity.com.