It has been almost 6-1/2 years since we, medical transcriptionists, came under HIPAA on April 14, 2003. How effective has HIPAA compliance in medical transcription been all these days? Where does the medical transcription industry stand in terms of HIPAA before the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act?
HIPAA Compliance in Medical Transcription. A Revisit Post HITECH
The truth is that HIPAA has remained a paper tiger all these days. The memories of HIPAA compliance started fading as somebody said, “Like Y2K, it has come and gone.” There were no benchmark standards to compare whether an organization had become HIPAA compliant, nor any certifying authority that certifies somebody as HIPAA compliant. Anybody is HIPAA compliant as long as no privacy or security breach is raised. Everybody in the medical transcription business claimed they were HIPAA compliant; otherwise they ought to be out of business.
The security requirements prescribed by HIPAA are so high that even an email message containing patient information should be sent encrypted (not over the regular web emails), but in reality medical/healthcare professionals often use their own laptops and mobile devices to communicate across unsecured networks without encryption or other safeguards. Along with possible theft or accidental loss of data from these devices, these networks are also vulnerable to interception, attacks and malicious activities by hackers, third-party service providers, technology vendors or other healthcare employees.
Furthermore, there were unanswered questions about purported laxities in HIPAA itself, such as “What if a paper containing patient information was scanned and then transmitted via unsecured email?” Note here that for a transmission to count as electronic, and for HIPAA to come into effect, the data transmitted must first have been captured in electronic form.
The HITECH Act, part of the American Recovery and Reinvestment Act (ARRA) of 2009, signed by President Obama on February 17, 2009, gives more teeth to HIPAA, and many of the Act’s requirements become effective 12 months from the date of enactment. Now, post-HITECH Act enactment, how will the going be?
Before we look into the emerging scenario, let’s have a brush-up of HIPAA in very simple language, which will be useful especially for the freshers in this profession.
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act. This Act was introduced in 1996, but not fully implemented until April 2003. HIPAA was created to improve the portability and continuity of health insurance coverage so that people changing jobs would still have access to quality health care coverage, since in the past it was practically difficult or impossible to change insurance carriers without facing lowered coverage or exorbitant premiums. HIPAA also gives patients greater access to their own medical records and more control over how their personally identifiable health information is used. The regulation also addresses the obligations of healthcare providers and health plans to protect health information.
The Act spans five titles, of which we are concerned with the rules contained in 45 Code of Federal Regulations (CFR) parts 160, 162 and 164 under Title II. The rules promulgated to date are:
- The Unique Identifiers Rule (National Provider Identifier)
- The Privacy Rule
- The Transactions and Code Sets Rule
- The Security Rule
- The Enforcement Rule
For further information, you can download a copy of the combined regulation text of all rules. Of these, as a medical transcriptionist or as a medical transcription business owner, we are concerned with the Privacy Rule and the Security Rule, and the two complement each other. In short, these rules require you to make every sincere, willful effort to preserve, protect, and defend the privacy and confidentiality of the records (voice files, transcribed reports, patient logs) that you will be handling during the transcription process, and to prevent theft or loss of this protected health information at your end or while it is transmitted to or from you.
How does medical transcription service come under HIPAA?
Medical transcription services are typically regarded under the Act as “Business Associates.” The Act defines a Business Associate as “any person or organization that performs a function or activity on behalf of a Healthcare Provider (Covered Entity), but is not part of the Covered Entity’s workforce (employees, volunteers, trainees and others) under the Covered Entity’s direct control, regardless of whether they are paid by the Covered Entity.” However, state regulations may differ from national regulations, and certain States may define MT Services as Covered Entities.
Prior to the HITECH Act, as a Business Associate, a medical transcription service was not directly governed by HIPAA regulations. However, Business Associates were governed indirectly by virtue of the fact that Covered Entities are required to obtain written assurances from the Business Associates they deal with to ensure that patient identifying information is appropriately safeguarded. These written assurances must be included in a written contract between the Covered Entity and the Business Associate.
How is HIPAA applicable to independent medical transcriptionists?
Medical transcriptionists who operate as independent medical transcription contractors to medical transcription services (Business Associates) and who have direct access to patient health information are referred to by the Act as “Third Parties.” Third Parties must have a written contract with the Business Associate for whom they provide contract services to assure that patient information conveyed to them will be appropriately safeguarded and that all electronic data transmissions between the Third Party and the Business Associate are conducted in accordance with the approved national standard. This contract should be similar in nature and scope to the Business Associate Contracts executed between the Business Associates and the Covered Entities.
What are the penalties for noncompliance with HIPAA?
Civil penalties are limited to not more than $100 for each violation and not more than $25,000 each calendar year for “identical violations” (Class 3 felony).
The maximum penalty from criminal liability for Covered Entities for knowingly obtaining or disclosing individually identifiable health information is a fine of $50,000 and imprisonment of not more than one year (Class 6 felony). If the offense is committed under false pretenses, the maximum penalty is a fine of $100,000 and imprisonment of not more than five years (Class 5 felony). If the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the maximum penalty is a fine of $250,000 and imprisonment of not more than ten years (Class 4 felony).
How does HIPAA apply to offshore companies?
US law does not apply overseas, and obtaining redress in the US civil justice system in cases of abuse involving overseas companies is potentially very difficult. So how does HIPAA apply to offshore destinations, say for example to the transcription companies in India?
The offshoring of protected health information was most likely not contemplated when HIPAA was designed, as most of the outsourcing trend started after 1996; nothing in the statute forbids the transfer of information to overseas locations for third-party services, and since then offshore outsourcing of medical transcription services has become almost inevitable and irreversible for various obvious reasons.
Though the offshored countries have appropriate laws of their own, such as The Information Technology Act of India with subsequent amendments, and enforcement agencies that would take care of privacy breaches there, the onshore Business Associate must still take appropriate security measures towards HIPAA compliance of offshore companies before outsourcing work, and must be fully aware of the genuineness of the company. The reason is that the onshore Covered Entity remains answerable in the US Courts for any privacy violation offshore, and the patients harmed can seek compensation from the Covered Entity that chose to entrust its patients’ Protected Health Information (PHI) to an apparently unreliable Business Associate. So the key message here is to ensure that a similar privacy law and cyber security law, with enforcement agencies, exist in the offshored country, and to perform due diligence. The best option for getting the work done from offshore is to keep the server, with the stipulated requirements, in the US itself, ask the offshore medical transcriptionists to log in, transcribe and log off, and encrypt all data transmission. Furthermore, if you are sending any of your medical work overseas, spend the time and money necessary to find a stable vendor that can ensure the protection of your confidential data.
Now that you’re equipped with the basics, when somebody, be it a friend, colleague, business partner, or an organization, says that they are HIPAA compliant, I think you’re ready to throw back immediately the next question: “under what rule?” Isn’t it? That will quickly tell you whether they’re beating around the bush or whether they’re really serious about business. Historically, if somebody indicated they were HIPAA compliant, what they likely meant was that they were attempting to comply with the Privacy Rule.
What would be the impact of HITECH on medical transcription services?
Okay now, how will the going be from here on? With the recent enactment of ARRA and the HITECH Act contained within it, things have become even more interesting. The HITECH Act places both the Privacy Rule and the Security Rule front and center for health care providers.
Prior to the HITECH Act, Business Associates were not directly liable for HIPAA violations. Instead, Business Associates carried only the potential for contractual liability to Covered Entities through contracts known as Business Associate Agreements. However, the new HIPAA poses important challenges for Business Associates. Under ARRA, Business Associates are more explicitly required to comply with the Privacy and Security Rules and are required to notify consumers of security breaches. The HITECH Act now imposes direct civil and criminal penalties on Business Associates for certain security and privacy violations under HIPAA.
The Privacy Rule mandates that Covered Entities have written contracts with Business Associates, and Business Associates in turn with Third Parties. Because of the anticipated use of Third Party services, the HITECH Act puts more stringent requirements on Business Associate contracts. If a Provider chooses to enable the sharing of protected health information with Third Parties, then clearly a Business Associate relationship likely exists and a written contract is required, whereas privacy advocates claim that, to date, in many cases these contracts do not exist as required for all designated parties, and no contract means non-compliance.
According to Kirk Nahra, a partner at Wiley Rein LLP, Washington,
Organizations that already comply with the existing HIPAA privacy and security regulations shouldn’t be too concerned about the updates in the rules called for under the economic stimulus package, because the American Recovery and Reinvestment Act does not call for “wholesale changes” in the HIPAA rules. ARRA sets tougher penalties, ranging from $25,000 to $1.5 million, for violating a patient’s privacy, he notes. It also will lead to dramatically stepped-up enforcement of privacy and security regulations. State Attorneys General now have explicit authority to enforce the HIPAA rules. Under ARRA, individual employees at a healthcare organization can face criminal charges for violations.
Section 13411 of the HITECH Act’s Subtitle D requires that the United States Department of Health and Human Services (HHS) conduct mandatory audits, and Section 13410 deals with “Improved Enforcement.” The Secretary shall provide for periodic audits to ensure that Covered Entities and Business Associates that are subject to the requirements of this subtitle and subparts C (HIPAA Security Rule) and E (HIPAA Privacy Rule) of part 164 of title 45, CFR, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.
So with the modifications to HIPAA mandated by the HITECH Act, especially sections 13410 and 13411, HIPAA is no longer going to be a paper tiger. Hence, assess the areas of laxity, beef up the security and privacy standards again as you did in anticipation of HIPAA in 2003, and plug the holes, if any, before things get out of your control. Review all the contracts again and ensure that proper contracts exist with everyone involved. The HITECH Act requires periodic audits to ensure that Covered Entities and Business Associates are in compliance with its requirements.
If you look at the penalties under the HITECH Act, civil penalties for “willful neglect” have been increased. Under the HITECH Act, civil penalties for a single violation can total $250,000, with a maximum of $1.5 million for repeated or uncorrected violations.
Hence, having a “good story” to tell when the HHS officials show up, covering all the processes as well as demonstrable evidence of compliance, is the best way to show “reasonable cause” and “no willful neglect.” Documenting everything, all the processes, training, periodic internal audits, and all the safeguards that you have put in place, will allow you or your lawyer to make a compelling argument regarding your “good efforts” to comply with all the applicable laws. The bottom line is to do the right thing, implement the necessary safeguards, and keep striving to be “the perfect” and “the best.”
HIPAA compliance post-HITECH will involve constant vigilance, regular assessments and appropriate actions anticipating any breach well in advance. It is no longer a do-once-and-forget issue like Y2K.
Offshoring medical transcription is still a bad idea in my opinion. No matter what our laws state, I believe that it is next to impossible to ensure that they are being followed by someone in another country.
@ Serena – If there wasn’t any offshoring there wouldn’t be people like us, and probably Raj would have blogged about going fishing each morning! You see, it’s God’s plan that he had made already, so some fish must be fried offshore… and oh, the money is good, x48 what Americans get paid… Tee Hee!!
Nice article on HIPAA and medical transcription. I am one of the co-authors of the HIPAA Survival Guide and enjoyed reading it very much. It is amazing just how much HITECH transforms HIPAA. I hadn’t even thought of the implications with respect to the medical transcription business.
Good article and easy reading.
I am in transcription business and most of our staff is in India doing the work.
Serena wrote that offshore MT is a bad idea since it is difficult to regulate.
The real question is, who wants to do transcription in this country?
Who in India is interested in identifiable patient information or health information on any patient? It is more interesting and useful to someone in this country, especially when transcription is done in the local community itself. There is a natural curiosity to find out who is “Mary Jones” with 7 partners who had a condom stuck in p and the OBGYN is removing it. The transcriptionist in India has no clue who Mary Jones is, has no interest, and it is not a subject they can talk about in their local community in a bar over a couple of drinks.
Hello,
I am a home-based MT requiring some info about home transcription. Can you please guide me as far as this is concerned?
Thanking you,
Leela chandrasekhar
You may read the HIPAA compliance guidelines for medical transcriptionists.
If you are a transcriptionist employed by a hospital but are working home-based, are you covered under the hospital as far as HIPAA is concerned?
Of course yes, irrespective of whether you’re working from home onshore or offshore.