"If a patient experienced a rogue driver, would they name the provider who coordinated the ride for them in a potential lawsuit? Maybe. Probably," Mallon says. "Does that mean it would hold up in court? Maybe not. But, certainly it is a risk that providers need to consider as they enter this space."
Uber Health says it is HIPAA compliant, with safeguards to protect patient confidentiality. Uber drivers are told only a patient’s name, the pick-up and drop-off addresses, and won't know if a passenger is using Uber Health.
Mallon doesn't dispute the claim but adds that "we haven't seen enough details to make us comfortable with it."
Hackers are another concern.
"If providers are linking to Uber platforms from their own electronic medical records is there is some cyber-security risk that would allow hackers to enter the EMR," Mallon says. "We have seen many savvy hackers making their way into a provider's EMR through a variety of ways."
Providers who are considering using ride-sharing agreements should read up on the OIG guidelines, and do a risk assessment "to decide how this impacts their practice, their patients, what increased risks does it create and is it worth it," Mallon says. "That may be a case-by-case basis."
If providers decide to work with ride-sharing services, Mallon recommends having a business associate agreement in place that specifies that the provider is the covered entity and the ride-hailing company is the business associate.
"The more we use technology, the increased risk is there," Mallon says. "That doesn't mean that providers shouldn't pursue these opportunities, but they need to consider the risk."
John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.