gkinfotek, as a medical transcription company, recognizes the significant challenge that HIPAA regulations present to the healthcare industry and to our customers. gkinfotek is committed to helping our clients achieve HIPAA compliance within the timelines established by the regulations. To this end, we have created a governing framework to define and manage our HIPAA initiatives.
gkinfotek has a full-time HIPAA Privacy Officer to facilitate and manage the information security and HIPAA needs of our organization and of our clients. The Privacy Officer develops and maintains educational programs for training internal staff and external clients on the requirements of HIPAA.
We, at gkinfotek, understand that physician/patient confidentiality is paramount. Therefore, all transcription-related procedures, voice and data storage, and document management meet HIPAA regulations. A partial list of the rules and practices we strictly adhere to:
1. All external drives, including floppy disk drives and CD-ROM drives, are disabled on each computer.
2. Passwords control access to Windows and to application software.
3. Firewalls and antivirus software run on all computers, and virus definitions are updated frequently.
4. Monthly back-ups of computer systems are made and stored in a locked outbuilding on our property.
5. We require all employees to sign a confidentiality and non-disclosure agreement.
6. We maintain up-to-date contractual agreements with all business parties.
7. We have instituted security measures to protect the confidentiality and integrity of protected health information in accordance with HIPAA guidelines.
8. All client-related information transmitted over the Internet is protected with 128-bit SSL encryption.
9. gkinfotek has administrative procedures in place to guard data integrity, patient confidentiality, and document availability (information access control and access authorization).
10. To prevent unauthorized use, physical security devices are employed to prevent theft or vandalism of any information stored on our systems.
11. Technical evaluations are performed routinely to ensure all systems meet or exceed the specified security requirements.
12. All persons, including administrators and transcriptionists, who have access to sensitive information such as patient records or voice files have the appropriate clearances and have signed confidentiality agreements.
13. We have provided privacy, security, and confidentiality awareness training to our entire workforce. Our compliance decisions are based on sound business practices and meet or exceed HIPAA requirements.
Understanding HIPAA & its Compliance in Medical Transcription
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a law mandating that anyone belonging to a group health insurance plan must be allowed to purchase health insurance within an interval of time beginning when the previous coverage is lost. The law protects employees, especially those with long-term health conditions who may be reluctant to leave a job because they fear pre-existing-condition clauses will limit coverage of those conditions under a new plan, from losing health insurance due to a change in employment status. The act's Administrative Simplification provisions were also designed to protect the privacy rights of individuals with regard to their confidential medical records. The act greatly restricts the dissemination and transmittal of personal patient information and has dramatically affected the way healthcare information is handled. HIPAA regulations also restrict the use of pre-existing-condition exclusions, create special enrollment periods, and prohibit discrimination based on health status in enrollment and premiums.
HIPAA - Primary objectives
The act was the result of congressional efforts to reform healthcare. It serves four primary objectives:
· Reduce healthcare fraud and abuse
· Ensure health insurance portability by eliminating job-lock due to pre-existing medical conditions
· Enforce standards for health information
· Guarantee the security, privacy and confidentiality of patient health information
Of the four, the fourth objective has the most impact on medical transcription, since it deals with the handling and transfer of sensitive patient health data, usually in electronic form. All transcription organizations must therefore be able to support two requirements:
1. Ensure the security and confidentiality of the patient's Protected Health Information and
2. Maintain an audit trail of all individuals who have had access to Protected Health Information.
This means that transcription service providers must implement technology and business processes in their operation to support these two major requirements.
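The page does not say how the audit trail should be kept, so the following is an added example, not gkinfotek's system or code. It shows one way a transcription service could record every access to a job's voice file or document so that the two questions a patient or a Covered Entity may later ask (who accessed this record, and has the trail itself been altered?) can be answered. Each entry carries a SHA-256 hash that also covers the previous entry's hash, so editing or reordering an entry after the fact is detectable. The field set, the identifiers (mt-017, rec-4821, ...) and the sample activity are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AccessEvent is one entry in the PHI access trail. The field set is an assumption
// about what is needed to answer "who touched which record, when, doing what, and why".
type AccessEvent struct {
	Seq       int    `json:"seq"`
	Timestamp string `json:"ts"`     // RFC 3339, UTC
	UserID    string `json:"user"`   // transcriptionist, QA reviewer or admin account
	RecordID  string `json:"record"` // opaque job identifier, never the patient's name
	Action    string `json:"action"` // e.g. listen, transcribe, edit, export
	Reason    string `json:"reason"`
	PrevHash  string `json:"prev"` // hash of the previous entry; "" for the first
	Hash      string `json:"hash"` // SHA-256 over every field above
}

// AuditLog is an append-only list of events, each chained to the one before it.
type AuditLog struct {
	Entries []AccessEvent
}

// hashEntry hashes every field except Hash itself. Struct fields marshal in
// declaration order, so the JSON encoding is deterministic.
func hashEntry(e AccessEvent) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // cannot fail for a struct of ints and strings
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append records an access event linked to the previous entry and returns it.
func (l *AuditLog) Append(user, record, action, reason string, at time.Time) AccessEvent {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AccessEvent{Seq: len(l.Entries), Timestamp: at.UTC().Format(time.RFC3339),
		UserID: user, RecordID: record, Action: action, Reason: reason, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes every hash and checks every chain link. It returns -1 and nil
// when the trail is intact, otherwise the index of the first bad entry.
func (l *AuditLog) Verify() (int, error) {
	prev := ""
	for i, e := range l.Entries {
		switch {
		case e.Seq != i:
			return i, fmt.Errorf("entry %d has sequence %d: an entry was removed or reordered", i, e.Seq)
		case e.PrevHash != prev:
			return i, fmt.Errorf("entry %d: chain link does not match previous hash", i)
		case hashEntry(e) != e.Hash:
			return i, fmt.Errorf("entry %d: contents changed after logging", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

// AccessesTo answers "who accessed this record, when and why?" for one record.
func (l *AuditLog) AccessesTo(record string) []AccessEvent {
	var out []AccessEvent
	for _, e := range l.Entries {
		if e.RecordID == record {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	// Constructed sample activity for one dictation job; all identifiers are made up.
	var trail AuditLog
	t0 := time.Date(2003, 4, 14, 9, 0, 0, 0, time.UTC)
	trail.Append("mt-017", "rec-4821", "listen", "assigned dictation", t0)
	trail.Append("mt-017", "rec-4821", "transcribe", "assigned dictation", t0.Add(20*time.Minute))
	trail.Append("qa-002", "rec-4821", "edit", "quality review", t0.Add(2*time.Hour))
	trail.Append("mt-017", "rec-9930", "listen", "assigned dictation", t0.Add(3*time.Hour))
	for _, e := range trail.AccessesTo("rec-4821") {
		fmt.Printf("%s %-7s %-10s %s\n", e.Timestamp, e.UserID, e.Action, e.Reason)
	}
	i, err := trail.Verify()
	fmt.Println("intact:", i == -1, err)
	trail.Entries[2].UserID = "mt-017" // someone later rewrites who made the QA edit
	i, err = trail.Verify()
	fmt.Println("after tampering, first bad entry:", i, err)
}
```

The chain catches edits, deletions and reordering inside the trail, but not truncation of the newest entries or a consistent rewrite of the whole file by someone who holds write access to it. A practical deployment therefore also publishes the latest hash somewhere the operator cannot rewrite (write-once media, a signed daily digest, or a copy delivered to the Covered Entity), and restricts who can write to the log at all.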
HIPAA Regulations and their reach - HIPAA regulations have been devised to have broad application, with a variety of extensions. The provisions extend to all health care providers who transmit health records in electronic form, and to health care billing companies. The Act refers to these organizations as "Covered Entities". Most medical transcription services and their employees are not considered Covered Entities under the Act unless the organization also engages in services that place it in that category. Medical transcription services are typically regarded under the Act as "Business Associates".
Covered Entity and Business Associate
HIPAA defines a Covered Entity (CE) as a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a HIPAA transaction. A physician's office thereby would fall under the category of a Covered Entity.
The Act defines a Business Associate as "any person or organization that performs a function or activity on behalf of a Covered Entity, but is not part of the Covered Entity's workforce (employees, volunteers, trainees and others) under the Covered Entity's direct control, regardless of whether they are paid by the Covered Entity." A medical transcription service provider would be classified under the definition of a Business Associate.
As a Business Associate, a medical transcription service may not be directly governed by HIPAA regulations. Indirectly, however, Business Associates are governed, because Covered Entities are required to obtain written assurances from the Business Associates they deal with that patient-identifying information will be appropriately safeguarded. These assurances must be included in a written contract between the Covered Entity and the Business Associate. Since the HITECH Act of 2009, Business Associates have also been directly subject to the HIPAA Security Rule, so the contract is no longer the only route by which the rules reach them.
HIPAA & Independent Medical Transcriptionists
Medical transcriptionists who operate as independent contractors to medical transcription services (Business Associates) and who have direct access to patient health information are referred to by the Act as "Third Parties". Third Parties must have a written contract with the Business Associate for whom they provide contract services, assuring that patient information conveyed to them will be appropriately safeguarded and that all electronic data transmissions between the Third Party and the Business Associate are conducted in accordance with the approved national standard. This contract should be similar in nature and scope to the contract between the Business Associate and the Covered Entity.
Deadline for Complying with HIPAA Guidelines
The HIPAA Privacy Rule requires that healthcare organizations, insurers and payors that use any electronic means of storing patient data and submitting claims comply by April 14, 2003. Since medical transcription involves handling and storing patient data in electronic form, all such organizations must meet this deadline. Small health plans have until April 14, 2004 to become fully compliant; all other covered entities must be fully compliant by April 14, 2003.
Standards prescribed for Transmittal of Electronic Patient Information
Internet & HIPAA compliance - With advancing technology, the Internet has become the major channel for electronic data transmission and will surely continue to be. Hence, medical transcription service providers must use encryption and password protection to prevent unauthorized access to patient information. Dictation done over the telephone does not need to be encrypted. However, voice files from portable recorders should be encrypted before transmission over the Internet.
Transcribed documents must be returned to the healthcare provider in an equally secure manner, using encrypted email or a secure FTP site, or may be faxed with a disclaimer statement explaining the confidential nature of the document. Tapes, by contrast, leave a high degree of doubt, since there is no audit trail of who has had the tape and who has listened to the patient data on it. If a tape is lost, the security of the information on it cannot be guaranteed.
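The paragraph above says voice files should be encrypted before they cross the Internet but does not say how. The block below is an added example, not code from gkinfotek or from any product the page mentions, showing one sound way to do it with Go's standard library: AES-256-GCM, which both hides the audio and authenticates it, so a file altered in transit is rejected rather than decoded into garbage. The file name is bound in as associated data so a sealed file cannot be quietly relabelled as a different job. Key provisioning is assumed to happen out of band (the key is never sent with the file); deriving the key from a password, which the page also mentions, would additionally need a slow KDF and is not shown. The file bytes and job identifiers are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit AES key. How it reaches both the recorder and
// the transcription service is an assumption left to the deployment.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD and rejects anything but a full-length AES-256 key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVoiceFile encrypts a dictation before it leaves the recorder.
// Output layout: nonce || ciphertext || authentication tag.
func SealVoiceFile(key []byte, filename string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per file; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// OpenVoiceFile reverses SealVoiceFile. Any change to the nonce, ciphertext,
// tag or file name makes it fail closed.
func OpenVoiceFile(key []byte, filename string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed file too short to hold nonce and tag")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(filename))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a recorder's audio file; a real one is read from disk.
	dictation := []byte("RIFF....WAVEfmt constructed dictation bytes for job 4821")
	sealed, err := SealVoiceFile(key, "job-4821.wav", dictation)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d sealed bytes, plaintext visible: %v\n",
		len(dictation), len(sealed), bytes.Contains(sealed, dictation))

	plain, err := OpenVoiceFile(key, "job-4821.wav", sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, dictation))

	sealed[len(sealed)-1] ^= 0x01 // one bit flipped in transit
	_, err = OpenVoiceFile(key, "job-4821.wav", sealed)
	fmt.Println("tampered file rejected:", err != nil)
}
```

Two design points worth noting: the nonce is random and stored with the file, so the same key can seal many files without coordination between recorders, and the receiving side never writes decrypted audio to disk until Open has succeeded, so a corrupted or relabelled upload is discarded instead of entering the transcription queue.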
Other Key Provisions of the Act - The primary focus of the Act is to restrict the leakage and dissemination of patient health care information. The conditions under which information may be conveyed are stated explicitly. The rules pertain to health information that is transmitted or maintained in any form, whether oral, paper or electronic, and that contains patient-identifying information. Patient-identifying information includes name, address, social security number, phone number, and any other information that could be used to identify an individual.
In order to comply with HIPAA, covered entities must implement measures to ensure that patient information is protected in accordance with the provisions of the Act. Specifically:
1. Individuals must be given written notice explaining how their information will be used and to whom it will be disclosed (e.g. insurance and billing companies, or other health care practitioners).
2. Similarly, written consent should be obtained from the individual for the use and maintenance of personal information as provided for by the Act.
3. Disclosure of information for any other purpose must always follow documented, specific authorization from the individual.
4. Covered entities must make every effort to minimize the dispersal of patient information by any means.
5. Covered entities must establish and maintain adequate administrative, technical and physical measures to ensure that all privacy requirements are upheld within the organization.
6. Business Associates must be specifically directed to safeguard all patient-related information in the best possible way, and covered entities should periodically review their Business Associates' security and confidentiality standards.
Rights of the patient under HIPAA - HIPAA gives patients many new rights in relation to their healthcare documentation, including:
· The right to review their entire medical record.
· The right to request changes to their documentation (though this is at the purview of the physician, who may deny the request for specific reasons).
· The right to request an accounting of each time their information was accessed, with the identity of the individual who accessed it and the specific reason for doing so.
· The right to know how much of their information was shared.
· The right to know the Covered Entity's policies and procedures for security and privacy.