This is a presentation Carole put together at the request of our local HIPAA work force task group. We thought we would share. 
Medical Transcription and HIPAA: Focusing on the Independent Contractor and Service Owner
True/False:
If the transcription being performed did not contain protected health information (PHI), I would not have to worry about being compliant with HIPAA.
True. The HIPAA law only applies to covered entities (CE), i.e. health plans, health care clearing houses and health care providers. However, as a member of the workforce of a covered entity (employee, trainee or volunteer), the training you receive regarding policies and procedures will reflect the privacy protection the law requires of the CE.
A CE must also have business associate (BA) contracts with all nonemployees (vendors, independent contractors) that contractually hold the business associate/vendor responsible for having policies and procedures in place that safeguard the PHI that the vendor has while performing its job duties for the covered entity.
Since the HIPAA law requires CEs to do business only with BAs who can help the CE be compliant, it makes good business sense to have policies and procedures already in place so a potential client will have no second thoughts about trusting you as a business associate.
It is also an excellent mark of professionalism to be knowledgeable and prepared to protect the privacy of your client's patients. The majority of us will be patients at one time or another in our lives, and the measures we use for protecting the privacy of others may be the same measures used to protect our privacy when we are the patients.
Here are some aspects of medical transcription that should be looked at with "HIPAA eyes," particularly because the majority of transcription is done at home offices. The questions and comments below illustrate areas where privacy and security begin.
Policies and procedures:
These need to be written down, no matter how simple. In measuring compliance, if it is not written down, it does not exist, and, therefore, cannot be followed.
Home work areas:
Is work done in a separate room or area not used by others during work time? Is the room locked? If not, is the monitor positioned so that PHI on the screen cannot be seen by onlookers? Are there locks on the drawers of the desk? Are storage disks kept in a locked case or in a locked drawer? Are appointment schedules kept in a locked drawer or shredded when no longer needed?
Fax areas:
Is the area secure from onlookers? Is a fax cover sheet used? How often is faxed information picked up? Where are the faxes stored? Is speed dialing used to help prevent accidental misdialing?
Phone areas:
Is this area secure from casual listeners? Do message pads contain any PHI?
Equipment use/protection:
Is the PC used only for work? If not, is the work area on the drive separated by an encrypted partition or password protection? Are there a smoke alarm and a fire extinguisher nearby? Is a surge protector used? Are current antivirus and firewall protection in place, and do you know how to use them? Are samples and routines free of patient identification?
Delivery of work:
If reports are delivered by courier to the client, employees or subcontractors, is the work delivered in a sealed or locked container without visible PHI on the outside? Is there a confidentiality agreement signed by the courier? Is there a secure place to leave deliveries?
Secure electronic transmissions:
Is an encryption program used when reports are sent by email? Is software that encrypts during electronic transfers, such as SSL, used when sending audio and text files through a web server?
Storing of reports for clients:
How long do you store reports? How are they stored (on a PC, on backup tapes, etc.) and who has access? Does your client verify that they have received their reports? Who can request a copy? Is there an understanding that the CE holds the designated record set, or authentic patient record, and that a patient's requests to view the record or to amend it should be made only to the CE? Is it possible to decrease the amount of time reports are stored?
Dictation systems:
Are IDs and passwords mandatory before dictated reports can be accessed?
Passwords:
Are passwords committed to memory or stored in a locked and secure drawer?
Destroying PHI:
How is no-longer-needed patient information destroyed? Thrown away, torn in pieces or shredded?
Business associate contract elements:
1. That the protected health information (PHI) that is received will be held strictly confidential and shall not be used or disclosed except as specifically provided for in the contract or as required by law.
2. All appropriate safeguards will be implemented and maintained to prevent use or disclosure except as permitted by this agreement.
3. Within a specific period of time after discovery, your company would report to the CE any and all disclosures not permitted in this agreement.
4. Ensure that all employees, agents, subcontractors of your company will agree and adhere to the same conditions and restrictions as the business associate.
5. Make the PHI available to the CE as necessary for compliance with the obligation to provide the patient access to the record for review and for requesting amendments.
6. Make available to the Secretary of Health and Human Services the internal practices, books and records relating to the use, disclosure and security of PHI, as required by law.
7. Upon termination of the contract, all PHI must be destroyed or returned. If this is not possible, the protection remains as long as the information is retained.
Training/Hiring:
Some clients may request that employees or subcontractors be screened with drug testing, background checks and assurances of no prior conviction in Medicare fraud. Copies of training procedures in privacy and security or copies of confidentiality agreements may be requested.
While there is a professional responsibility for knowing about privacy and security and being able to apply that knowledge in practical ways, there is no one person, place or thing that can certify another person, place or thing is HIPAA compliant. Being HIPAA compliant is an ongoing process. Should there ever be a question regarding whether or not an interpretation met the "letter of the law", the decision will be made in a courtroom.
Knowledge can be gained in many ways, including attending the orientation and training programs that your clients provide for their employees. The HIPAA rule and its guidance documents can be downloaded free of charge.
References and learning materials can be obtained from the web sites of professional organizations such as AAMT and AHIMA, and of agencies such as the Office for Civil Rights and the Department of Health and Human Services.
References:
Journal of AHIMA, "Making Your Telecommuting Program HIPAA Compliant", February 2002
AAMT, HIPAA for MTs
HIPAA Privacy Rule
AHIMA, Getting Practical with Privacy Resource Book
Carole J. Gilbert, RHIT
Gilbert Medical Transcription
[ 09-27-2002: Message edited by: Nae ]