Services takes painstaking measures to protect
all patient information. Our internal procedures for
privacy and security meet and exceed all HIPAA regulations
related to Electronic Transmission of Patient Information.
to our facilities is controlled by key entry only.
Only authorized staff who are fully aware and trained
in the HIPAA Privacy requirements will be issued access.
We use an ICSA certified firewall and filter on incoming
ports allowing only FTP and management ports for administrative
access into our system.
network performs Network Address Translation (NAT)
and addresses cannot be routed without traversing
our FTP Server is accessed with any FTP Client that
also supports SSL all files are encrypted while being
sent across the internet. This means, anyone intercepting
any data while it is being transferred from our server
to your computer could not interpret or decode this
access any data from our FTP Server, a valid username
and password is required.
are not responsible for the security of files
(documents or sound files) that are transferred to
or from our server.
to our network is limited by auto-logoff, ID/password
protection, password protected screensavers, and a
security-enabled OS (WinNT)
fully trained staff have access to the server and
dictation files for support and maintenance.
data storage and backup system hardware consists of
two Intel Pentium 1.3 GHz server towers with 490 MB
of RAM Memory. The system operates on the Windows
NT platform. The operating software and digital voice
software reside on two 80 GB mirrored hard drives
whichb provide full fault tolerance and total system
redundancy. Only one of the server towers is in use
at any particular time, thereby guaranteeing a second
level of system redundancy as well as a readily accessible
emergency parts inventory.
are not responsible for nor will we provide access
to any files on our system to any other person other
that those authorized by the originator of the dictation.
We will not release any files directly to a patient.
responsibility for enabling the patients to control
their health records including access, disclosures,
'minimum necessary' standard, consent and authorization,
etc. resides the medical professional who initiated
The Health Insurance Portability and Accountability
Act of 1996 (HIPAA) was a result of congressional healthcare
reform proponents to reform healthcare. The HIPAA legislation
has four primary objectives.
health insurance portability by eliminating job-lock
due to pre-existing medical conditions
healthcare fraud and abuse
standards for health information
security and privacy of health information
the four primary objectives, the fourth objective has
the most impact on medical transcription.
is the deadline for HIPAA compliance?
The rule requires that healthcare organizations insurers
and payors that have been using any electronic means
of storing patient data and performing claims submission
must comply with the this rule by April 14, 2003. Since
medical transcription deals with electronic means of
handling and storing patient data, April 14, 2003 is
the deadline by which medical transcription service
organization (MTSO) must comply with the HIPPA requirement.
What are the important requirements of HIPAA for a medical
MTSOs must be able to support two requirements.
the security and confidentiality of the patients
Protected Health Information (PHI), and
an audit trail of all individuals who have had access
to a PHI.
means that transcription service providers must implement
technology and business processes in their operation
to support these two key requirements.
Can the Internet be used for medical transcription and
still meet HIPAA requirements?
Yes, as long as the MTSO uses encryption and password
protection to prevent unauthorized access to the PHI.
Dictations done on a telephone does not need to be encrypted.
However, voice files transmitted by portable recorders
should be encrypted prior to transmission over the Internet.
Transcribed documents must be sent back to the healthcare
provider in a secure manner using encrypted email or
a secure FTP site or may be faxed with a disclaimer
statement explaining the confidential nature of the
If tapes are used to record dictations, will this meet
This may cause a problem. There is no easy way to create
and verify an audit trail of who has had the tape and
who listened to the PHI on the tape. If the tape is
lost, one cannot guarantee the security of the information
Who and what is a Covered
Entity and a Business Associate?
HIPAA defines a Covered Entity (CE) as a health plan,
a healthcare clearinghouse, or a healthcare provider
who transmits any health information in electronic form
in connection with a HIPAA transaction. A physicians
office or medical clinic would fall under the category
of a Covered Entity.
A Business Associate (BA) is a person or organization
that performs a function or activity on behalf of the
Covered Entity (CE), but is not a part of the covered
entitys work force. A medical transcription service
provider would be classified under the definition of
a Business Associate.
Who is liable for privacy violation under HIPAA?
Civil and criminal penalties can be imposed for noncompliance
with HIPAA. The imposition of these penalties are against
Covered Entities (e.g. healthcare provider) but not
directed directly against Business Associates (e.g.
medical transcription service organization).
Healthcare providers should ask their transcription
company about their privacy and security regulations
and ensure that they are contractually obligated to
comply with these regulations.
What is the penalty for
not meeting HIPAA compliance?
The total amount from civil penalties for multiple violations
by a Covered Entity during a calendar year is capped
HIPAA also provides from criminal liability for Covered
Entities for knowingly obtaining or disclosing individually
identifiable health information. The maximum penalty
is a fine of $50,000 and imprisonment of one year. If
the offense is committed under false pretenses, the
maximum penalty is a fine of $100,000 and imprisonment
of five years. If the offense is committed with the
intent to sell, transfer or use individually identifiable
health information for commercial advantage, personal
gain or malicious harm, the maximum penalty is a fine
of $250,000 and imprisonment of ten years.
What rights does the patient
have under HIPAA?
HIPAA provides the patient with many new rights in relation
to their healthcare documentation. Some of them are:
his/her entire medical record
changes within documentation, which can be denied
by physician for specific reasons
documentation of every time his or her PHI was accessed,
along with identity of the individual accessing the
document with specific reason for doing so
know how much of the PHI information was shared
the facility (Covered Entitys) policies and
procedures are for security and privacy
the patient becomes aware of these rights you should
be prepared to deal with any legitimate requests the
patient may have.