Stick with me, there is a question at the end of this lol.
BACKGROUND: I own and operate a medical records retrieval company. Law firms will hire my company to retrieve medical bills/records on their behalf. They then use said medical bills and records in order to negotiate a settlement with the insurance company on behalf of their injured client.
CONTEXT: We currently send hundreds of requests for medical bills/records each month to medical facilities all over the state. Each of these requests typically requires us to do follow-ups with the medical facility because they are often swamped and understaffed. Oftentimes this process can take weeks or even months to complete a single retrieval, resulting in us having hundreds if not thousands of pending requests for bills/records at any given moment. So, in order to not lose track of any of these requests, and to ensure we know where we are at in the "retrieval" process for each request, I created private bases for each of my customers. Each base contains a table with each row corresponding to a single request. The fields are primarily link, date, and drop-down fields in order to provide information such as our client's name, our customer's client case number, the initials for the medical facility, when we sent the request, when we last followed up with the medical facility, and several other items related to the retrieval process. None of these fields contain or are filled in with what I believe to be Protected Health Information. However, I recently added an attachment field so that we could attach the retrieved medical bills/records to its corresponding request/row. The attachments are always "Encrypted with Password". Using the comments feature, we then @ our customer for that request and let them know that particular medical bill/record has been retrieved and is ready for download. They then click on the link in the notification email they receive, which takes them directly to the Airtable log-in page and then directly to that attachment within Airtable, allowing them to easily download the encrypted, password-protected bills/records PDF. We pay for each of our clients' employees to have read-only access to ONLY their base for this reason, and so they can always check on the status of any pending request.
QUESTION: Would this be considered HIPAA compliant? I am aware Airtable is not HIPAA compliant. However, I am not entering any data directly into the fields that is considered Protected Health Information. The only thing that is Protected Health Information is the encrypted, password-protected PDFs. Is this enough, or should I consider doing this differently? Any suggestions or input would be greatly appreciated.