Medical transcriptionists who operate as Independent Contractors to Medical Transcription Services (Business Associates) and who have direct access to patient health information are referred to by the Act as "Third Parties." Third Parties must have a written contract with the Business Associate for whom they provide contract services to assure that patient information conveyed to them will be appropriately safeguarded and that all electronic data transmissions between the Third Party and the Business Associate are conducted in accordance with the approved national standard. This contract should be similar in nature and scope to the contract between the Business Associate and the Covered Entity.
Deadline for complying with HIPAA guidelines?
The HIPAA act requires that healthcare organizations, insurers and payors that have been using any electronic means of storing patient data and performing claims submission comply with this rule by April 14, 2003. Since medical transcription deals with handling and storing patient data in electronic form, all such organizations must comply with this deadline. Small health care plans will have until April 14, 2004 to become completely compliant. However, all other covered entities must become fully compliant by April 14, 2003.
Standards prescribed for Transmittal of Electronic Patient Information
Internet & HIPAA Compliance:
With advancing technology, the Internet has become the major means of electronic data transmission over the years and will surely continue to be so. Hence, it becomes necessary for the medical transcription service provider to use encryption and password protection to prevent unauthorized access to any patient information. Dictation done on a telephone does not need to be encrypted. However, voice files transmitted by portable recorders should be encrypted prior to transmission over the Internet.
Transcribed documents must also be sent back to the healthcare provider in a secure manner, using encrypted email or a secure FTP site, or may be faxed with a disclaimer statement explaining the confidential nature of the document. However, the use of tapes lends a high degree of doubt, since there is no way to verify an audit trail as to who has had the tape and who listened to patient data on the tape. If the tape is lost, one cannot guarantee the security of the information on it.
Other Key Provisions of the Act: The primary focus of the Act is to restrict the leakage and dissemination of patient health care information. The conditions under which information can be conveyed are very explicitly stated. The rules specifically pertain to health information that is transmitted or maintained in any form, be it oral, paper, electronic, etc., and that contains patient identifying information. Patient identifying information includes such things as name, address, social security number, phone number, and any other information that could be used to identify an individual.
In order to be compliant with the rules and regulations of HIPAA, covered entities must implement measures to ensure that patient information is protected in accordance with the provisions of the Act. Specifically:
1. A proper written notice must be provided to individuals telling them how their information will be used and to whom it will be disseminated (i.e. to insurance and billing companies, or other health care practitioners).
2. Similarly, written consent should also be obtained from the individual allowing for the use and maintenance of personal information as provided for by the Act.
3. Disclosure of information for any other purpose must always be done only after documented, specific authorization from the individual.
4. All efforts must be made by covered entities to minimize the dispersal of patient information through any means.
5. Covered entities must establish and maintain adequate administrative, technical and physical measures to ensure that all privacy requirements are upheld within the organization.
6. Business Associates must be directed specifically to safeguard all patient-related information in the best possible way, and covered entities should periodically review the standards of security and confidentiality of their Business Associates.
Penalty imposition for non-compliance: The total amount of civil penalties for multiple violations by a Covered Entity during a calendar year is capped at $25,000.
HIPAA also provides for criminal liability for Covered Entities for knowingly obtaining or disclosing individually identifiable health information. The maximum penalty is a fine of $50,000 and imprisonment of one year. If the offense is committed under false pretenses, the maximum penalty is a fine of $100,000 and imprisonment of five years. If the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the maximum penalty is a fine of $250,000 and imprisonment of ten years.
Both civil and criminal penalties can be imposed for noncompliance with HIPAA. The thrust of these penalties is usually directed against Covered Entities, not directly against Business Associates. However, indirectly, Business Associates do come under penalty imposition, since they are contractually obligated to comply with these regulations.
Rights of the patient under HIPAA: HIPAA provides patients with many new rights in relation to their healthcare documentation. Some of them include:
· Right to review their entire medical record and data.
· Right to request changes within documentation (though this comes under the purview of the physician, who can deny the request for specific reasons).
· Right to request documentation of every time their information was accessed, along with the identity of the individual accessing the document and the specific reason for doing so.
· Right to know how much of the information was shared.
· Right to know what the Covered Entity’s policies and procedures are for security and privacy.