Business for virtual assistants is booming, and more businesses offering virtual assistant services are starting up to meet the demand, bolstered by a high number of skilled individuals seeking permanent remote work or a new career as a result of pandemic shifts in employment. An online search for “virtual assistant” yields pages of results, with some companies based outside of the U.S. advertising services ranging from scheduling appointments to answering calls and emails to help business owners and managers with recurring administrative tasks. Some of the business owners targeted by the virtual assistant companies are health care providers.
Dentists and other providers have used, are currently using or may consider using virtual assistants. An online search for “virtual medical assistant” similarly produces dozens of results, with these businesses offering more specific patient-based administrative tasks such as timely insurance billing, entering and collecting patient information and regular patient follow-up.
A virtual assistant’s flexible hours can potentially bring relief to an understaffed or overwhelmed small dental practice, allowing the dentist to focus more of their time and effort on patient care.
But while no law prohibits dentists from hiring a virtual assistant, doing so brings special considerations and risk for dentists and other HIPAA-covered entities compared to many other professions. Dentists can be and have been investigated and fined for HIPAA violations.
Dentist may have sole or shared responsibility for HIPAA compliance
CDA Regulatory Compliance Analyst Teresa Pichay, CHPC, wants members to understand that while HIPAA does not prohibit the use of virtual assistants, including those who work outside of the U.S., it does place the responsibility of safeguarding patient information on covered entities (in this case the dentist) and on business associates with whom they contract.
Providing required training to workers or ensuring they have received compliant training on, for example, when and how to appropriately use and disclose patient information and how to assess and respond to an information breach is one responsibility of the HIPAA-covered entity — and this required training extends to virtual assistants regardless of their working location.
This means that, as the dentist, if you are considering bringing on a virtual assistant, you could be solely responsible for ensuring the virtual assistant has been trained on the HIPAA security and privacy rules and the practice’s own privacy and data security procedures. Or the responsibility may be shared with the business associate, depending on how the contract and business associate agreement are structured.
The responsibility should be shared.
Pichay recently advised a member-dentist who called with questions about a contract he received for hiring a virtual assistant through an agency. She discussed the contract with the dentist and found that the agency appeared to put the responsibility for HIPAA compliance solely on its client.
“The contract appears to disavow any HIPAA obligations and leaves you alone to carry the risk of using the out-of-country employee,” Pichay cautioned the member.
Have a business associate agreement in place and carefully review any contracts
Dental practices likely will not hire virtual assistants directly but instead will contract with a company or agency that supplies virtual assistants, who work as independent contractors. In this case, the agency is the business associate, and both the dentist and business associate are obligated to comply with HIPAA and to safeguard patients’ personal information.
“Put that written business associate agreement in place,” Pichay stresses. “HIPAA requires you to have the agreement with any business you disclose protected health information to, and it helps protect the practice by making HIPAA compliance a shared responsibility.”
(Member dentists can log in to use CDA’s sample business associate agreement.)
Dentists should also review and have their legal counsel review carefully any contract they receive from an agency prior to “hiring” a virtual assistant.
“Be leery of any contract that does not give attention to the security of patient information or that appears to put sole responsibility for HIPAA training on you, the employer, as you would be responsible for any missed training,” Pichay says. Sole responsibility would mean:
- Having documentation that the out-of-country virtual assistant has been trained on HIPAA and the practice’s own privacy and data security policies and procedures.
- Knowing how you would sanction or discipline the assistant for any conduct that causes the impermissible use or disclosure of patient information. Any investigation by the U.S. Department of Health and Human Services Office for Civil Rights may include a request to review the practice’s sanction policy.
- Determining if the assistant will have access to the practice’s electronic health record or any other electronic or communication system with patient information, as well as the ability to print patient information. If yes, how will you instruct the assistant on the management of written patient information?
- Outlining the steps you (the covered entity) would need to follow if an impermissible use or disclosure of patient information occurs at the assistant’s location.
- Implementing physical, administrative and technical safeguards for any out-of-country workers.
In summary, bringing on a virtual assistant may be a viable solution for some practices with the right “hire” being able to fill in for absent staff, eliminating the need for on-the-job training and thereby freeing up the dentist’s time and energy to care for patients. But dentists should proceed with caution, particularly when working with agencies located outside the U.S., to ensure HIPAA compliance, protect patient information and avoid any hefty fines or corrective actions.
Access over two dozen HIPAA-related resources, including those cited in this article and training resources, in CDA’s member-only resource library.