HIPAA Compliant Medical Transcription Service Considerations
Though HIPAA was enacted over 20 years ago (in 1996), it only took full effect in 2003. What's more, it's a living document, so to speak, occasionally undergoing updates and changes. For example, 2009's American Recovery and Reinvestment Act (ARRA) addressed protected health information (PHI) and the healthcare provider's responsibility around PHI.
PHI includes transcribed medical documents, which means that responsibility for HIPAA compliance extends beyond the healthcare facility to the medical transcription service providing said documents, as well as the transcriptionist creating them. Whether you complete medical transcription in-house or outsource, you must address HIPAA.
Get Free Medical Transcription Service Quotes
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a federal statute designed to protect patients' private information, known as PHI for protected health information. In addition, it protects workers' ability to continue health coverage, even when they change jobs (hence the word "portability").
The law went into full effect in 2003 and has undergone changes that served to strengthen enforcement and modify regulations. Medical transcriptionists' main concern is HIPAA's Privacy Rule, which defines standards surrounding disclosure and PHI. In addition, transcriptionists are concerned with a section called Administration Simplification, which offers guidelines regarding patient access and control of their medical records and PHI. If you've changed healthcare providers in recent years, you should have signed a document that verifies your physician informed you of these rights.
HIPAA compliance also includes the Privacy Rule and Security rule, which work together to regulate how providers manage patients' PHI. The Privacy Rule relates to PHI in any format, whether paper or electronic, while the Security Rule does exactly what it sounds like – it defines the security safeguards that providers must employ to protect healthcare records.
Failure to maintain HIPAA compliance results in civil fines up to $25,000 (in a single calendar year) and criminal penalties of up to $250,000 in fines and 10 years in prison.
How Does HIPAA Apply to Medical Transcription?
HIPAA includes provisions for Business Associates, defined as a person or organization acting on behalf of the Covered Entity (a healthcare provider) but who is not actually employed by the entity either as paid or voluntary staff. If you outsource your medical transcription, Business Associates includes both the transcription company and the transcriptionist. Interestingly, some states consider medical transcriptionists to be part of the Covered Entity rather than Business Associates.
One of the requirements of medical transcriptionists, whether they're considered part of the Covered Entity or a Business Associate, is to provide written assurances regarding PHI security measures as part of their contract with the healthcare providers.
If a Business Associate has direct access to PHI, HIPAA refers to them as a Third Party. This includes the actual transcriptionist who performs the work and requires the transcriptionist to guarantee he or she will safeguard all records they receive according to approved standards. This includes data received via electronic transfer and requires a written assurance similar to that which the Business Associate enters into with the Covered Entity.
Remaining HIPAA Compliant
Technology advances that made the creation and transmission of digital voice files widely accessible and affordable directly led to increases in outsourcing medical transcription functions. This raises questions about the security of said transmissions.
Transcription providers responded by employing encryption when transmitting both the voice files and transcribed document, as well as passwords to protect access to any file containing PHI. Encryption requirements do not extend to dictations over telephone. Security requirements apply to both the Covered Entity sending the recording and the Business Associate receiving it and transmitting completed documents.
HIPAA compliance requires Covered Entities implement certain measures that ensure protection of patient information. This includes:
- Business Associate directions: Covered Entities must specifically address Business Associate security and confidentiality standards, as well as conduct periodic reviews of these standards.
- Establish measures: Covered Entities define privacy measures, including how the organization maintains and enforces these provisions at the administrative, technical, and physical levels.
- Proper order: There may be no disclosure of information until the individual provides documented authorization.
- Restricted access: Covered Entities must make every effort to minimize access to the patient's information.
- Written consent: The individual must provide written consent to use and maintain their PHI.
- Written proof: Must provide individuals written assurance regarding who will see and use their PHI, including healthcare providers and insurance companies.
Penalties for Violating HIPAA Regulations
Covered Entities have a $25,000 yearly cap on civil penalties. Criminal liability varies according to the particular offense.
- Knowingly obtaining or disclosing identifiable PHI carries a maximum fine of $50,000 and up to one year in prison.
- Knowingly obtaining or disclosing identifiable PHI under false pretenses carries a maximum penalty of $100,000, with a maximum prison sentence of five years.
- Knowingly obtaining or disclosing identifiable PHI with the intent to sell, transfer, or use said information for commercial advantage, malicious harm, or personal gain carries a maximum penalty of $250,000 and a maximum sentence of 10 years.
If you are deemed noncompliant, Covered Entities face both civil and criminal penalties. Business Associates also face penalties due to their contractual obligations.
As regards medical transcription, the goal of HIPAA regulations is to protect the patient from having his or her private, personal information compromised. Identity thieves aggressively seek medical files, typically paying 10 times what they'd pay for credit card and social security numbers. This is because medical records include an incredible amount of personal information, including birthdates, current and previous addresses, social security numbers, billing information, and much more. Protect your patients, and yourself, with strict HIPAA compliance.