HATA tries to thwart threat of regs with accreditation program
Physician practice management vendors are pursuing a plan to police themselves through a new accreditation program.
The Healthcare Administrative Technology Association, which represents the vendors, recently adopted a position that practice management companies should not be covered entities under HIPAA because the vendors already are business associates.
“Covered entities are healthcare providers, health plans and healthcare clearinghouses, but only if they transmit any information in an electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard,” says Tim McMullen, executive director of the association. “Since practice management systems provide the capability but do not transmit information, they remain a business associate.”
To get clarity on the roles of third-party companies, the National Committee on Vital and Health Statistics recently convened a group of chief information officers to consider a variety of issues, including third-party companies that are not currently deemed covered entities and whether every third party should be considered a covered entity.
That was a wake-up call for HATA, McMullen recalls. “Our board decided the organization needed to have a position.”
In a nutshell, HATA members believe that third parties should not automatically become covered entities because clients aren’t asking for that, but the organization knew it needed to make a better case.
Consequently, the association launched a small PPM accreditation program in 2015 as a test, but only three companies participated, and none of those renewed accreditation because the program primarily dealt with privacy and security considerations; transactions are the main function of practice management systems.
Now, HATA will develop its own accreditation program for practice management vendors; the fee-based program is expected to roll out in the last three months of this year.
The goal is to have a program that regulators will see as credible, thus obviating the need for regulatory mandates, McMullen explains, noting that, “Rather than having the government issue a mandate on us, we’re taking it on ourselves.”