Q&A: Electronic appointment tracking
Q. We currently use an electronic system to make appointments for our spa clients that is not HIPAA compliant according to its maker. Can we use this system to track appointments for B-12 shot clients and those who are prescribed appetite suppressants? We would have to enter patient medications and any allergies into this system. Since it is a cash-based business, what's the HIPAA liability?
A. If the spa is not a covered entity (CE), there would be no HIPAA concerns. If the spa's business is solely cash-based and no claims are submitted to health plans, the spa would not be considered a HIPAA covered entity. On the other hand, if the spa bills insurance carriers for other forms of treatment electronically, that part of the spa would be a CE. That means that if the services defined as cash-based need to be under the umbrella of the spa as a CE, those services or treatments are defined as treatment pursuant to the HIPAA Privacy Rule.
The HIPAA Privacy Rule defines treatment as, “Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another” (45 CFR § 164.501). What that means is, if the spa is providing treatment, whether paid for in cash or paid by a health plan, the treatment services would make the spa a CE for all treatment provided, cash-based or not.
To provide a bit of clarification, if the spa offers services such as massage, those services do not fall under the category of treatment or healthcare as it is defined in the HIPAA Privacy Rule. If that's the case, the spa would be a hybrid entity, and only those services that are defined as healthcare would fall under the HIPAA umbrella.
First, determine whether the spa is a CE. The spa would be a CE if it provides treatment and transmits or receives electronic HIPAA-covered transactions directly or indirectly. If the spa is a CE, the spa needs to assess whether it is a hybrid entity, providing services that do not fall under the umbrella of healthcare as defined pursuant to the HIPAA Privacy Rule in addition to those that do.
If the cash-based services are not considered healthcare, the spa would be considered a hybrid entity and the cash-based services would not be subject to HIPAA. If the cash-based services are considered healthcare, the vendor used for tracking appointments would need to comply with HIPAA as a business associate (BA), and a business associate agreement (BAA) would need to be executed. If the vendor cannot comply with HIPAA, look for one that can.
Editor's note: This question was answered by Chris Apgar, CISSP, for Briefings on HIPAA. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.