24x7 TRANSCRIPTION & ALLIED SERVICES utilizes security features that comply with the data security rules of HIPAA:

Strong, compliant authentication procedures include both user identification and secure passwords. Our security administrator defines and manages user- and role-based access as required by HIPAA. Encryption technology (128-bit) that conforms to the HIPAA rules for information transmitted over the Internet. Additional levels of security allow specifically designated users to view only the particular pages or columns of reports they are authorized to access and tracking system records user activity, including what information they have accessed, as required under the proposed rules.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has four primary objectives:

• Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
• Reduce healthcare fraud and abuse.
• Enforce standards for health information.
• Guarantee security and privacy of health information.

Of the four primary objectives, the fourth objective has the most impact on medical transcription.

**Compliance with the law has been required since April 2003.

MTSOs must be able to support two requirements:

• Ensure the security and confidentiality of the patient’s Protected Health Information (PHI), and
• Maintain an audit trail of all individuals who have had access to PHI.

This means that transcription service providers must implement technology and business processes in their operation to support these two key requirements.

Yes, provided the MTSO uses encryption and password protection to prevent unauthorized access to the PHI. Dictation done on a telephone does not need to be encrypted. However, voice files transmitted by portable recorders should be encrypted prior to transmission over the Internet. Transcribed documents must be sent back to the healthcare provider in a secure manner using encrypted email or a secure FTP site or may be faxed with a disclaimer statement explaining the confidential nature of the document.

This may cause a problem. There is no easy way to create and verify an audit trail of who has had the tape and who listened to the PHI on the tape. If the tape is lost, one cannot guarantee the security of the information on it.

HIPAA defines a Covered Entity (CE) as a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a HIPAA transaction. A physician’s office or medical clinic would fall under the category of a Covered Entity. A Business Associate (BA) is a person or organization that performs a function or activity on behalf of a Covered Entity; MTSOs are therefore Business Associates.

Civil and criminal penalties can be imposed for noncompliance with HIPAA. The imposition of these penalties are against Covered Entities (e.g. healthcare provider) but not directed directly against Business Associates (e.g. medical transcription service organization). Healthcare providers should ask their transcription company about their privacy and security regulations and ensure that they are contractually obligated to comply with these regulations.

The total amount from civil penalties for multiple violations by a Covered Entity during a calendar year is capped at $25,000. HIPAA also provides from criminal liability for Covered Entities for knowingly obtaining or disclosing individually identifiable health information. The maximum penalty is a fine of $50,000 and imprisonment of one year. If the offense is committed under false pretenses, the maximum penalty is a fine of $100,000 and imprisonment of five years. If the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the maximum penalty is a fine of $250,000 and imprisonment of ten years.

HIPAA provides the patient with many new rights in relation to their healthcare documentation. Some of them are: · Review his/her entire medical record · Request changes within documentation, which can be denied by physician for specific reasons · Request documentation of every time his or her PHI was accessed, along with identity of the individual accessing the document with specific reason for doing so · To know how much of the PHI information was shared · What the facility (Covered Entity’s) policies and procedures are for security and privacy When the patient becomes aware of these rights you should be prepared to deal with any legitimate requests the patient may have.