HIPAA, HITECH And Medical Transcription, Part 2: Protecting ePHI - Administrative Safeguards
For this second installment in a series of articles on the added
responsibilities for transcription service providers under HITECH, I'll
be drawing heavily on the HIPAA Survival Guide, specifically its section on the HIPAA Security Rule,
which deals with electronic protected health information (ePHI). In a
nutshell, the Security Rule requires three kinds of safeguards with
regard to ePHI: administrative, physical, and technical.
It probably won't come as any shock to you, since this is a document
created by government bureaucrats, that there's some overlap between
these three areas, not to mention the occasional lack of clarity and
specificity.
With that in mind, let's look first at the
administrative requirements for protecting PHI under HIPAA and HITECH.
Keep in mind that although reference is made to covered entities (CEs),
with the passage of HITECH, business associates (BAs), including
transcription service providers, must also now adhere to the provisions
of the Security Rule. According to the HIPAA Survival Guide,
administrative safeguards are defined as "administrative actions, policies and
procedures, to manage the selection, development, implementation, and
maintenance of security measures to protect ePHI and to manage the
conduct of the CE's workforce in relation to the protection of that
information." My
translation of this definition is that one of the requirements for
HIPAA compliance is to have written policies that lay out in detail, A)
the measures you've put in place to protect ePHI; B) the measures you
have in place to deal with any breaches of your written policies on
security; and C) the measures you have in place to train your workforce
to comply with A and B. But simply having written policies and
procedures in place isn't enough; you must also actually enforce them,
and be able to document that you have in fact enforced them.
(Did I mention that all of this was dreamed up by bureaucrats?)
Even though I'm mentioning administrative safeguards first, the reality is
that in order to formulate the written policies and procedures
that will guide your operations with regard to security, you first have
to understand what HIPAA and HITECH require in terms of
protecting ePHI, which I will deal with in future posts. Once you know
what's required in terms of physical and technical safeguards, you'll
then be ready to assess your particular situation to
determine what specific threats to security exist in your operational
workflow in light of the HIPAA/HITECH requirements. At that point you
should be in a position to create the written policies and procedures
covering your specific operation.
Suffice it to say at this point that, as a result of HITECH, the
administrative burden on business associates under HIPAA has become
considerably more significant. Even small MT service providers and independent contractors will need to comply, and the time to begin the process is now.