Q: If
a healthcare worker did not have a titer drawn after the HBV vaccine was
completed, how long afterward could we assume that he/she is a
responder/non-responder? Many titers wane after years and are no longer
detectable. How do we know the worker continues to be protected?
A: If
the healthcare worker did not have a titer, you must assume non-responder
status. Regarding testing, and boosters, booster doses of the hepatitis B vaccine
are not necessary, and periodic testing to monitor antibody concentrations
after completion of the vaccine series is not recommended. Any blood or body
fluid exposure sustained by an unvaccinated, susceptible person should lead to
the initiation of the hepatitis B vaccine series.
We have received a lot of questions about this issue
lately. It is important that you are aware of this practice and what you should
do about it.
Q: Our
billing company provides services to multiple providers. The billing company
requires the original charge sheets an explanation of benefits forms for
billing and posting. When we requested copies of the original documents for
healthcare operations purposes, the billing company indicated it could not
provide copies because they were commingled with other clients' documents. Is
this a HIPAA violation?
Also, the billing company indicated it would send all its
clients' documents for us to sort through to find our practice's documentation.
Is this a HIPAA violation? What are the specific regulatory citations?
A: Commingling
different practices' documentation is most likely a violation of the HIPAA
Privacy Rule because it violates the minimum necessary standard. Any individual
at the billing company has access to PHI from multiple practices, and unless
all employees conduct billing for all the practices, access to more than the
documents required for their job violates the minimum necessary standard. Also,
business associates (BAs) are required to make each of the practices'
documentation available to satisfy an OCR audit. If the billing company is
unable to produce that documentation, that represents another violation of
HIPAA and a violation of the BA contract.
Finally, sending a single practice all the documentation
for all practices is also a violation of the minimum necessary provisions of
the HIPAA privacy rule. A single practice should not have access to other
practices 'documentation; the additional documentation is unnecessary for its
healthcare operations. The billing company should only provide the practice
with its own documentation.
The specific regulatory citations are 45 CFR 164.502(b)
for minimum necessary requirements and 45 CFR 160.310 for OCR compliance
investigations.
Practices really should retain original documentation and
send the billing company copies. In many states, the practices "own"
those documents, and for many legal reasons, it is not wise to give away
original patient-related documentation. The billing company is the BA and has
no legal standing to require the practice to supply it with original patient
documents.