When Books & Benchmarks launched in 2021, I never imagined that HIPAA could have anything to do with bookkeeping. But as I’ve come to learn, it does. This week, let’s discuss what HIPAA is, how the Privacy Rule overlaps with optometry practice bookkeeping, and some practical ways to ensure you’re staying compliant.
What is HIPAA?
The Health Insurance Portability & Accountability Act of 1996 (HIPAA) lays out a number of rules for how patients’ medical information must be protected by both providers’ businesses and other associated firms that may come into contact with patient data.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate. This applies to any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”
“Individually identifiable health information” is information, including demographic data, that relates to:
- The individual’s past, present, or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual…
…and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
How PHI Finds Its Way into Financials
One of the most unexpected questions we’ve come across is whether refund checks count as PHI—since they include the patient’s name and are tied to their care. As far as we know, no practice or associate has ever been censured for their refund checks. However, it illustrates that practices and their accounting teams need to be thoughtful and intentional about HIPAA compliance.
The most obvious PHI tied to your practice’s financial operations includes lab and contact lens invoices and statements, which are packed with patient names and prescriptions. That means even something as routine as paying your bills involves handling PHI.
You might be thinking, “So what? Of course, my lab invoices contain PHI! Why does this even matter?”
It matters because QuickBooks Online is not a HIPAA-level secure environment. As a Covered Entity (your practice) or a Business Associate (Books & Benchmarks), we are responsible for ensuring the PHI is reasonably protected. If you save your statements in QuickBooks Online for record-keeping, you might not meet HIPAA’s security standards.
Where Should PHI Be Stored?
This is worth discussing with your CPA, but there’s no rule that says you have to attach every receipt and invoice to actual transactions in your accounting software. If you get audited, you ARE going to have to produce those receipts, but there are various ways to store them securely. Books & Benchmarks currently uses Box.com for file storage, with a Business Associate Agreement (BAA) in place.
From a bill-pay perspective, there are various platforms (we’ve considered Bill.com and Quadient) that can help you organize invoices and statements and pay your bills while storing the invoices and statements securely.
Finally, if possible, we recommend leaving patients’ names off refund records in QuickBooks.
Need a Trusted Partner to Handle This for You?
Running a practice is hard. If you’d rather spend your time caring for patients, nurturing your team, or focusing on life outside of your practice, Books & Benchmarks can take bookkeeping, payroll, and bill-paying responsibilities off your plate. Contact us today to learn how we can help streamline your financial operations and give you more time for what matters most.