Did you know that almost every email message you send or receive crosses many networks and computers before it reaches its destination, and that the mail relays along the way can keep copies of it? Sceptical? Run a traceroute yourself: from your computer a message takes multiple hops before it reaches the destination server, and any one of those hops (or, if you are not vigilant, your own computer) is a place where someone could be reading it.
As you may know, the HITECH Act has given HIPAA more teeth, with heavy penalties and imprisonment for “willful neglect” and “non-compliance.” Civil penalties range from $100 per violation up to $1,500,000 per calendar year, and criminal punishment can include imprisonment of up to 10 years. The author notes these as coming into effect on February 18, 2010. Furthermore, HIPAA treats compliance not as a “do once and forget” issue but as an “ongoing, dynamic process.” If a breach happens at your end, even if you are an offshore medical transcriptionist, the long arm of HIPAA can still reach you through the onshore covered entity or business associate, depending on the severity and repercussions of the breach and on the treaties between the US and your country (for example the India-US Extradition Treaty). We have yet to see how such a case plays out in court.
So, better safe than sorry: what should you strictly follow to make sure you are adhering to HIPAA as an MT? Leave server-side security, network security, encryption, auto-logoff after “N” minutes, audit trails of the files and the other security standards of the transcription platform to the application service provider that stores the data; that is the headache of the MTSO we work for. Below I have charted a few salient points that apply to you as a medical transcriptionist, whether you work from home or at an office. I may have missed a few, so bring them to my attention through the comment form below or the contact form and I will update the post for everyone looking for HIPAA compliance guidelines and tips for medical transcriptionists. Here they are:
- First of all, ensure that a proper HIPAA contract exists between you and your employer. If there is none, insist on executing one as soon as possible. If you are a medical transcriptionist working at an office, it should be an Employee Confidentiality and Nondisclosure Agreement (see sample contracts like this one; with appropriate alterations, your organization’s HIPAA Employee Confidentiality Agreement will be something similar). If you are an independent medical transcription contractor working from home, there should be a third-party contract along the lines of the sample Business Associate Agreement provided by the HHS. (The sample Business Associate Agreement available at AHDI needs to be updated to the stipulations of the HITECH Act.)
- If you are a home transcriptionist, keep your workspace separate from the rest of the home, with access restricted for guests, visitors and even your own family members. If family members do have access to your workroom, discourage them from touching your workstation. If you cannot avoid letting them use the computer, set up a limited (non-administrator) user account for them. Better still, dedicate one computer to transcription alone and bar the rest of the family from using it.
- Position your workstation well away from any window so that nobody can look at your screen from outside.
- Protect your workstation with a password. If you have not yet set one, create a password for your user account. You can also set a BIOS password so that nobody can boot the machine from another disk or a USB stick. Bear in mind that a BIOS password does not protect the data itself: anyone who removes the hard disk can read it in another computer. If patient files must live on the machine at all, keep them on an encrypted volume (full-disk encryption such as BitLocker, on the Windows editions that include it).
- Your transcription platform itself should auto-logoff after 15 minutes of inactivity. Even so, if you step away for more than five minutes it is better to log off. Otherwise, at least lock the screen before you leave (a password-protected screen saver, or Windows key + L on Windows).
- Create strong passwords. A password of more than 14 characters mixing uppercase and lowercase letters, numbers and symbols is ideal; a long passphrase of several unrelated words is just as strong and easier to remember. Change a password immediately if you suspect it has been exposed (current NIST guidance, SP 800-63B, no longer recommends forcing a change every month for its own sake), never reuse the same password on different accounts, and never share it or write it on a sticky note stuck to the monitor. A password manager solves the remembering problem.
- If you are leaving your computer or transcription platform for more than half an hour, shut the computer down or at least disconnect it from the Internet until you are back.
- If you are on a home wireless network such as a Wi-Fi router, make sure the connection is encrypted, because a wireless signal does not stop at the walls of your home but can extend 300 feet or more from the router. Neighbours, or even people on the street, may be able to join your network. Anyone who can connect to an unprotected wireless network can reach any open file shares on your computers, monitor the web sites you visit, and read email, user names and passwords that cross it unencrypted. Anyone at all can use an open Wi-Fi network, and whatever they do on it traces back to your address. Secure it with WPA2 using AES (CCMP), or WPA3 if your router supports it, and a long passphrase. Do not use WEP (Wired Equivalent Privacy), even at 128 bits, which is what many older routers still offer: its encryption has been broken since 2001 and a WEP key can be recovered in minutes with freely available tools, so a WEP-protected network should be treated as open.
- Discourage sending patient logs by unencrypted email; encourage entering them into the database at the source instead. Refuse to send or receive voice files and transcribed reports by unencrypted email even if the doctor insists, and let the doctor know the level of penalties HIPAA/HITECH prescribes. Unencrypted email can be read by anyone who handles it on the way. If email is unavoidable, encrypt the message, or at the very least the attachment, with a key the recipient alone holds.
- Never reveal patient details, or send voice files, transcribed reports, patient logs or any other individually identifiable patient health information, through an instant messenger window, as these too can be intercepted on the way.
- If you keep a copy of “normal” template reports on your computer, remove all personally identifiable information from them. They should be plain normal reports containing no patient demographics.
- If for any reason you store copies of transcribed reports on your computer, for example as a backup or to count lines for invoicing, encrypt the folder that holds them. Destroy the stored reports once a fortnight, once the invoice has been raised, or as otherwise appropriate. Files and folders that you delete are not really gone: the operating system only removes their entry from the file system table, and the data can be recovered later. Use a program like Eraser to overwrite sensitive files and folders before they are removed. Note that overwriting in place is only reliable on a traditional magnetic disk; on an SSD, and in a folder synced to cloud storage, copies of the old data can survive, which is one more reason to follow the best option: do not store any patient information on your computer at all.
- Any computer holding patient information, whether transcribed reports, voice files or patient logs, has a hard disk worth protecting. If a hardware engineer has to repair a crashed disk, have the work done in front of you and make sure nothing from your disk is copied to the engineer’s. Otherwise, replace the disk and destroy the old one securely. Even if the files on it are encrypted, never leave your hard disk behind with a repair technician and go home.
- If the computer is not running Windows XP SP2 or later (which include a built-in firewall; make sure it is switched on), you must install a firewall. You can choose a totally free one from a list of free firewalls.
- A virus scanner with spyware protection and an up-to-date virus database is a must. If you cannot afford a paid one, there is a pretty good list of free antivirus software available on the Internet. Why spend money when you can get the best free antivirus software, legally licensed and free?
- Routine computer maintenance and a full virus scan once a week should spare you untimely crashes and reduce the chance that something inside your own computer is spying on you. Keep the operating system and applications patched as well; an unpatched machine is the easiest way in.
- Do not write patient details on papers or sticky notes on your desk. If you must write patient information on paper, destroy the paper at the end of the day so that no trace is left.
- Once the transcribed report has been accepted and signed by the doctor, delete the voice files from your computer. With a minor tweak, voice file players like the Start-Stop Universal Transcription System can themselves delete voice files older than “N” days. If your player has no such function, delete the previous day’s voice files manually every day.
- Do not let anyone else’s USB thumb drives, iPods, removable hard disks and the like be connected to your system. Likewise, do not insert removable media such as floppies, plain or rewritable CDs or DVDs that are not your own into your computer.
- Avoid copying patient data to your own laptops, to removable devices such as pen drives, iPods or external hard disks, or to media such as floppies, CDs and DVDs, as these can be lost or stolen and become a hazard thereafter.
- Do not discuss individually identifiable patient health information in public, with outsiders, or within earshot of outsiders (even over the phone). The same applies to online forums, message boards, Twitter, and conversations with friends, relatives, guests and visitors.
- Medical transcription is essentially back-office work. You are not supposed to entertain any query from a patient, even one about the patient’s own records. If such a request comes (from your parents, siblings, spouse, friends, relatives, colleagues and so on), route the person to the designated staff or the doctor concerned. In short, and this is not hype, even if you are transcribing your own report, “access should be restricted to the legally permissible route!”

I think these steps will keep you clear of any HIPAA non-compliance or willful neglect on your part as a medical transcriptionist. Some of the points may seem silly, but if a breach involving you is ever termed willful neglect or non-compliance on your part, life is going to become hell for you whether you are onshore or offshore.
If I have missed any points, please let me know so that I can update this post with the appropriate deletions and additions. Otherwise, spread the word, print out these HIPAA compliance tips, and stick them above your monitor to remind you of them again and again.
I was terminated from my QA editing position because of entering a wrong signing clinician (Dr. Summers versus Dr. Sommers) and entering a carbon copy in error (Dr. Mark Jones versus Dr. Mark Johns) when I was assigned to help transcribe on a new account. They considered these 2 reportable HIPAA violations, though on one I noticed I had made an error and sent notice of the report # and the error just minutes after sending the report; but the report was faxed directly to all doctors listed 30 seconds after it left my home computer.
I read your HIPAA compliance guidelines and there are no suggestions on that type of human error.
Yes it is indeed a HIPAA violation.
Had you read the post thoroughly, you would have got my point about your problem.
I mentioned “encouraging the incorporation of patient demographics,” i.e., the header and footer parts, at the clinic itself so that errors, omissions and diversions are plugged at the source. You just have to type the contents of the reports. I am accepting work only on such accounts. Had it been like that for you too, you would not have landed in trouble. Another tip, which I have been encouraging all around, is to leave blanks and pass the buck to the dictator rather than act smart at such doubtful spots.
As of now, there are no concrete HIPAA guidelines for each and every specific problem that we may come across in day-to-day activities like this. One’s experience is another’s lesson.
Wish you good luck in finding another employer.
Transcribing a report, made an error in a carbon copy, terminated from position based on HIPAA/HITECH law. Is this what MTs have to look forward to? Must we be requested to send copies to people we have no signed written consent from the patient for? Shouldn’t copies be generated where the signed written consent can be verified? If we have to send copies, shouldn’t the doctor spell out the name and give an address to be absolutely sure the correct copy is sent? There are thousands of doctors across the nation with the same names, similar names, names spelled differently but sounding the same. Without further information, just a name does not do it anymore.
Yes, I think you are saying it right. Why should a medical transcriptionist take on the extra headache of verifying whether the patient has signed a written consent to send a carbon copy to a particular doctor, and other such things, when after all our duty is merely to transcribe the content of the report?
Wherever a doctor does not care to make it clear, do not try to act smart by filling it in from your imagination. Never hesitate to put a blank in that spot. Pass the blame back to the doctor, citing HIPAA. Am I right?
My friend Julie at MT Exchange has further clarified what you should do to avoid situations like the one Elizabeth Zaayer described above: have a “Written Policy.” Read it here: http://se5w5.th8.us
With the implementation of this HITECH Act, can you tell me how long the transcripts can be kept, even in secure mode?
As far as I know, it is seven years. However, it is better to consult a HITECH lawyer/consultant on this aspect for a more definitive answer.