-
-
From a press release from MD-IT, one of the charter members of the Medical Transcription Service Consortium, with some interesting tidbits highlighted:
The Medical Transcription Service Consortium (MTSC) – formed by ICSA
Labs, an independent division of Verizon Business, and the Medical
Transcription Industry Association (MTIA) – will develop a common
framework for the seamless and secure exchange of PHI among consortium
members and their health care clients. The new framework will support
structured narrative notes, which read like a text document but include
XML tags that unlock valuable data, enabling both the narrative note
and clinical data to be imported into an electronic medical record.
Charter members of the consortium, in addition to MD-IT, include
leading MTSOs MedQuist, MxSecure, Sten-Tel, and Webmedx, plus Verizon
Business, which will develop the new IT platform using security best
practices.
“While our clients can exchange information today with other
practices on the MD-IT network, it is exciting that within a few
months, they will be able to send and receive records among 2,500
hospitals and 375,000 physicians nationwide who are current clients of
consortium members,” said Robin Daigh, a vice president with MD-IT.
“The cost is very affordable, with monthly fees comparable to those for
electronic fax services, and requiring only a PC with internet
connectivity for access to the network. We have found that our clients
can save money overall by eliminating the current labor-intensive
process of faxing and mailing.”
“The consortium holds the potential to rapidly accelerate the
exchange of electronic records from tens of thousands of records to
millions of records per month,” noted Thomas Carson, president of
MD-IT. “Consortium members produce an estimated 200 million narrative
patient notes annually and have over 2.5 billion patient records in
electronic archive. This is a great way to kick start the ambitious
goal of having all health care providers connected through a secure
digital network.”
-
-
In a move reported by Reuters
and other sources, a newly formed industry group called the Medical
Transcription Service Consortium has announced plans to create "a new IT platform for the secure exchange of digitized transcriptions of physician-dictated patient notes."
Creation of the MTSC was spearheaded by the Medical Transcription
Industry Association (MTIA) and ICSA Labs, an independent division of
Verizon Business. In addition to ICSA Labs and the MTIA, the charter
members of the consortium are Verizon and medical transcription service
providers MD-IT, MedQuist, MxSecure, Sten-Tel and Webmedx. According to
a press release, the platform, which is expected to be available later
this year, will "leverage Verizon Business' broad portfolio of
advanced IT, hosting and security solutions, as well as the company's
global IP network. The platform will be designed to the specifications
determined by the MTSC, including the use of security best practices,
and will enable the objective testing and certification for privacy,
security and interoperability."
I spoke with Lea Sims, Director of Professional Programs for AHDI
and MTIA, about this new endeavor. She described this project as "a secure exchange highway where health records would be available and
accessible through a platform to multiple
users via a single digital portal
for information exchange." She said the goal of the initiative was to "demonstrate to healthcare that our sector is positioning itself as a
solution/value-add to healthcare's goal for interoperability and
secure exchange/access beyond just our ability
to generate the document but to also be a secure
solution for information exchange." Sims said that the MTSC project was being coordinated with the Health Story Project
and would most likely be based on an HL7/CDA exchange architecture. She
said the new platform would connect to the National Health Information
Network (NHIN) and complement the work that is being done by Regional
Health Information Organizations (RHIOs) in terms of building a
national health information exchange infrastructure.
Sims said many of the details of the MTSC project are still being
hammered out, including how the platform will be monetized as well as
whether the MTSC "digital highway" would represent an actual central
health data repository or simply a platform for exchanging information
between individual data repositories maintained by the individual
transcription service providers.
When asked about potential roadblocks to the successful
implementation of this project, Sims cited as examples the willingness
of transcription service providers to collaborate with competitors and
their collective commitment to making it happen. She said no timetable
for implementation has been set as of yet.
Certainly it's interesting to see that a major IT and communications
player like Verizon is on board with this project; at the very least
that would indicate they believe there's a market for something like
this. In my mind there are still a lot of questions to be answered,
including who would control the release of the transcribed records that
would be exchanged and/or stored by the MTSC, and how something like
this would fit into the HIPAA regulatory picture. In any case, it will
be interesting to watch the development of this initiative in the
coming months.
-
-
Interesting read from For The Record magazine featuring Jay Cannon, president and chief information officer of Webmedx; Ethan
Cohen, president of SPi’s healthcare division; and Peter Durlach,
senior vice president of marketing and product strategy at Nuance
Healthcare. The interview covers such topics as documentation standards, the likely impact of ARRA/HITECH on the MT industry, the relationship between the MT industry and EHR vendors, AHDI/MTIA's "Power Of 10" campaign, line counting methods, and offshore outsourcing.
-
-
From Na Vijayashankar ("Naavi") at www.naavi.org comes a strong response to the Indian black market medical records scandal in general and the resulting comments by Webmedx CEO Sean Carroll in particular (emphases mine):
"To put the incident in the proper perspective, we can recall the many data breach incidents that have occurred in the U.S. itself, where millions of records have been compromised--some out of financial inducements, many through negligence and many more due to criminals who hack into systems as a profession. IS [information security] is therefore as much an issue in the U.S. as it is in India.
"The reason for increasing data breaches of the kind referred to in the instant case is the growing cyber crime underworld which finds all means of stealing data because there is a market for the same. In the case of health records coming under HIPAA, the beneficiaries are in the U.S. Many of them are the insurance companies who follow unscrupulous methods to obtain data that can be used for marketing. It is therefore the unethical business practices of the U.S. insurance companies that cause a fertile ground for the proliferation of the data breach incidents. Part of the solution therefore lies within the U.S. jurisdiction on how to promote ethical business practices. I would request Sean Carroll to find means of spreading this message in the industry in the U.S."
Naavi further alleges that although Indian business process outsourcing (BPO) firms, including medical transcription service providers, do indeed need to pay more attention to security, the onus is on U.S.-based clients and primary contractors to put pressure on their outsourcing partners to adhere to HIPAA standards:
"On the other hand, I would also request the U.S. companies outsourcing health care business to India to insist that their clients in India must undergo a 'HIPAA-HITECH Compliance Drill.' I have observed that many Indian companies are not aware of their responsibilities. This lack of awareness is also indicative that the U.S. vendors are not driving home the requirement of HIPAA compliance in their SLAs. Perhaps they have exchanged a contract which indirectly talks of an indemnity. This is more a legal formality they have undergone rather than a real effort to educate their counterparts. Let it be one of the HIPAA compliance requirements of the U.S. companies that they have specifically inquired with their Indian counterparts about the HIPAA compliance measures undertaken in India and obtain certifications. Not all these certificates would be reliable, but many would be.
"Many of the HIPAA awareness programmes I have conducted, and audits I have participated in are a result of the initiative of the local companies to improve their competitiveness. This indicates that there is a desire in India for companies to adopt IS standards. Like in every other case of motivation, they perhaps need a little nudging, little coercion and little incentivisation.
"I would request U.S. companies not to treat HIPAA compliance as a paper formality to be completed. Let it be a genuine exercise to promote IS culture. Let the U.S. vendors insist in their business contracts that Indian medical transcription partners must only engage employees who have undergone a 'HIPAA Awareness Training' and send documentary proof for having conducted such programme for their employees. U.S. companies can also devise strategies where they earmark a part of their payments to be released only towards expenses in employee training and other HIPAA initiatives. (Extension of Obama’s strategy of incentivisation of adoption of EHRs by medical practitioners).
"The sting report is therefore a wake up call as much to the U.S. companies as it is to the Indian companies. Let’s work together in the effort to have adequate information security without losing out on the outsourcing advantages."
Clearly the Indian BPO industry is rightfully concerned about the potential fall-out from data breaches of U.S. health information. Time will tell whether or not this blame-the-greedy-Americans strategy is the best way to go about reassuring the U.S. citizenry and regulatory bodies that our medical records are safe in foreign hands.
On the other hand, this blogger does raise some important issues that shouldn't be summarily dismissed merely because of the rather belligerent (not to mention somewhat self-serving) tone in which they are presented. As I have said in the past, many of the concerns regarding the safety of foreign outsourcing of protected health information (PHI) are just as applicable to the domestic outsourcing MT industry that relies heavily on home-based practitioners. It's my firm belief that the increased focus on PHI security as a result of HITECH truly is, as Naavi says, a "wake up call" to the medical transcription industry, both here and abroad. To mix a couple of metaphors, before casting stones at the practice of offshore outsourcing, we'd best make sure the glass-housed domestic MT workforce is without sin as well.
-
-
From PRNewswire.com comes a press release from Webmedx, fourth-largest U.S. medical transcription service provider:
Atlanta-based Webmedx,
the fourth largest medical transcription company in the world, cites
the news of black market sales of medical records in India as further
proof that Webmedx's 100% domestic workforce is the most reliable
way to maintain standards of privacy and security. In an era when the
HITECH Act is demanding more stringent rules for protected health
information, the onus on transcription service providers is at an
all-time high.
The
example of records being sold in India is a perfect rationale for the
fact that sending medical records offshore for transcription is not in
the best interests of the healthcare industry and its patients. "It is
unrealistic to think that U.S. laws can be effectively enforced outside
our borders sufficient to deter the misuse of information or breaches
of security," mentions Sean Carroll, CEO of Webmedx.
According
to Carroll, the new healthcare privacy and security regulations have
sharply increased responsibilities and penalties for healthcare
providers and their business associates when it comes to medical record
security. As a result, Webmedx has heightened its training compliance
practices for its entire staff to keep pace with the HIPAA regulations
detailed in ARRA's HITECH legislation.
"At
Webmedx, we simply believe that, on balance, patients and providers
will receive more secure, higher quality documentation of their care
through a domestic, credentialed and engaged workforce operating on a
100% U.S.-based infrastructure," says Carroll. "Keeping patient records
onshore is an important measure in protecting ourselves, our clients
and the millions of patients whose medical information is vulnerable in
situations such as what recently occurred in India."
-
-
§164.312 Technical safeguards:
A CE must, in accordance with the general rule:
(a) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have appropriately granted access rights.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
(c) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
(e) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
For MT service providers utilizing the Internet, a proper understanding of and adequate compliance with the Technical Safeguards section of the HIPAA Security Rule is of vital importance. This section is actually quite straightforward and concise in terms of the basic requirements. Implementing those requirements, of course, may turn out to be somewhat more complicated.
Part A deals with maintaining control over who can access electronic protected health information (ePHI) that is placed in your keeping. In the case of remote/home-based employees or independent contractors, business associates will likely need to perform some type of security review in order to ensure that every workstation used by every MT is protected with whatever hardware or software is necessary to allow only authorized individuals to access ePHI, whether that data resides on the local computer, on remote file storage sites, on transcription platforms, etc.
Part B is probably one reason why we're starting to hear dictation/transcription platform vendors say that the days of Microsoft Word and FTP sites for home-based transcriptionists are a thing of the past. I'm not prepared to go that far, but there's no question in my mind that this requirement will prove problematic for a lot of MT operations. Basically this is saying that a business associate must have some mechanism for tracking the life cycle of files containing ePHI from beginning to end. This would, I believe, include being able to track activity on individual MTs' home computers as it relates to ePHI, including:
- when audio and text files are accessed on a remote dictation/transcription platform;
- when audio or text files are downloaded from or uploaded to a remote file storage site or system;
- when text files are created/modified/accessed on the local PC.
Part C is closely related to Part B and requires that business associates implement policies and controls to ensure that the integrity of ePHI is maintained at all times.
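Parts B and C together ask for a record of every touch of ePHI that cannot itself be quietly rewritten. The following Go program is an added example, not code from the original post or from any platform vendor named here: it keeps an append-only audit log of the workstation and platform events listed above (download, create, modify, upload) and chains each entry's SHA-256 digest to the previous one, so an edited or removed entry is detected on review. The user names, host names, job numbers and timestamps are constructed sample values, and the hash-chain design is this example's own choice rather than anything the regulation prescribes; a real deployment would also write the entries to storage the transcriptionist cannot alter and reconcile them against the platform's own records.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AuditEvent is one recorded touch of an ePHI-bearing file or platform object.
// It records who did what to which resource and where, never the PHI itself.
type AuditEvent struct {
	Time     string // RFC 3339 timestamp; constructed values in the demo below
	User     string
	Action   string // access, download, upload, create, modify, delete
	Resource string // file name or platform object identifier
	Host     string // workstation or platform host that generated the event
}

// AuditLog is an append-only list of events. Each entry's digest covers the
// previous entry's digest, so editing or deleting an earlier line breaks the
// chain and is detectable on review (the integrity requirement of Part C).
type AuditLog struct {
	lines  []string
	digest []string
}

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// Append records an event and returns the digest of the new chain head.
func (l *AuditLog) Append(ev AuditEvent) string {
	prev := genesis
	if n := len(l.digest); n > 0 {
		prev = l.digest[n-1]
	}
	line := fmt.Sprintf("%s user=%s action=%s resource=%s host=%s",
		ev.Time, ev.User, ev.Action, ev.Resource, ev.Host)
	l.lines = append(l.lines, line)
	l.digest = append(l.digest, chainDigest(prev, line))
	return l.digest[len(l.digest)-1]
}

func chainDigest(prev, line string) string {
	sum := sha256.Sum256([]byte(prev + "\n" + line))
	return hex.EncodeToString(sum[:])
}

// Verify recomputes the chain from the stored lines. It returns -1 when every
// entry checks out, otherwise the index of the first entry whose line no longer
// matches its recorded digest.
func (l *AuditLog) Verify() int {
	prev := genesis
	for i, line := range l.lines {
		if chainDigest(prev, line) != l.digest[i] {
			return i
		}
		prev = l.digest[i]
	}
	return -1
}

// Lifecycle lists, in order, the actions recorded against one resource, which
// is the "beginning to end" history the audit-controls standard asks for.
func (l *AuditLog) Lifecycle(resource string) []string {
	var actions []string
	for _, line := range l.lines {
		if !strings.Contains(line, " resource="+resource+" ") {
			continue
		}
		for _, f := range strings.Fields(line) {
			if strings.HasPrefix(f, "action=") {
				actions = append(actions, strings.TrimPrefix(f, "action="))
			}
		}
	}
	return actions
}

// Tamper simulates an after-the-fact edit of a stored log line (for instance
// someone rewriting their own download record). It exists only so the
// detection path in Verify can be exercised.
func (l *AuditLog) Tamper(i int, newLine string) { l.lines[i] = newLine }

func main() {
	var al AuditLog
	// Constructed sample events for one dictation job; no real PHI.
	events := []AuditEvent{
		{"2009-10-20T08:01:05Z", "mt.jane", "download", "job-4411.wav", "home-pc-07"},
		{"2009-10-20T08:02:11Z", "mt.jane", "create", "job-4411.txt", "home-pc-07"},
		{"2009-10-20T08:47:30Z", "mt.jane", "modify", "job-4411.txt", "home-pc-07"},
		{"2009-10-20T08:48:02Z", "mt.jane", "upload", "job-4411.txt", "platform-01"},
	}
	for _, ev := range events {
		al.Append(ev)
	}
	fmt.Println("lifecycle of job-4411.txt:", al.Lifecycle("job-4411.txt"))
	fmt.Println("first bad entry (-1 = clean):", al.Verify())
	al.Tamper(0, "2009-10-20T08:01:05Z user=mt.jane action=access resource=job-4411.wav host=home-pc-07")
	fmt.Println("after editing entry 0, first bad entry:", al.Verify())
}
```

The chain only proves that nothing was changed after the fact; it says nothing about whether the events were complete in the first place, which is why the receiving platform's own upload records should be reconciled against the workstation log.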
Part D seems to me to overlap heavily with Part A, but focuses more specifically on user authentication. Again, this may prove to be a challenge for business associates utilizing remote personnel. The HIPAA requirements are quite vague here in terms of what technologies are acceptable to comply with this section. It's not clear to me whether or not simply using user logins and passwords would be adequate.
Part E addresses the need to secure ePHI that is being transmitted over networks, including the Internet. Encryption is the solution of choice under HITECH, and it applies to data in motion as well as data at rest. It's important to understand the difference. Some "secure" FTP or other file transfer services use SSL encryption to provide a "HIPAA compliant" solution. Whether that was true before HITECH is debatable, but there's no debate now, post-HITECH. SSL encryption protects files only while they are in transit; it does not protect data that is "at rest" on a remote server. Any system administrator, for instance, who can access that server either locally or remotely can technically read your files. To truly be HIPAA/HITECH compliant (and to avoid having to report breaches of "unsecured protected health information"), files containing ePHI should be protected by a mechanism that encrypts individual files/folders, so that the information remains secure even while residing on a remote server.
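To make the in-transit versus at-rest distinction concrete, here is an added Go example (not the original post's code, and not any vendor's product) that encrypts a single transcription file with AES-256-GCM before it is uploaded, so the SSL/TLS tunnel protects it in motion and the ciphertext protects it once it lands on the server. The key, the file name job-4411.txt and the note text are constructed for the demo. Where the key is stored and who can read it is left to the operator and is the part that decides whether the file counts as secured: a key sitting next to the files on the same server gives the administrator exactly the access the text warns about.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDocument seals one file's contents so it stays unreadable on the
// remote server regardless of the TLS tunnel used to get it there. The file
// name is bound as associated data: a ciphertext that is renamed, or served
// back under another patient's file name, will not decrypt.
// Output layout: nonce || ciphertext || GCM tag.
func EncryptDocument(key []byte, filename string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// DecryptDocument reverses EncryptDocument. Any modification of the stored
// bytes, or a mismatched file name, fails authentication and returns an error
// instead of silently yielding altered text.
func DecryptDocument(key []byte, filename string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed document too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(filename))
}

// NewDocumentKey generates a fresh 256-bit key. Keeping it off the file server
// (and away from its administrators) is what makes the at-rest protection real.
func NewDocumentKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func main() {
	key, err := NewDocumentKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample note; no real PHI.
	note := []byte("PATIENT: [constructed] - Follow-up visit, no acute findings.")
	sealed, err := EncryptDocument(key, "job-4411.txt", note)
	if err != nil {
		panic(err)
	}
	// What a server administrator sees at rest: ciphertext, not the note.
	fmt.Printf("stored bytes contain the note text? %v\n", bytes.Contains(sealed, note))
	plain, err := DecryptDocument(key, "job-4411.txt", sealed)
	fmt.Printf("decrypt with correct key and name: err=%v text=%q\n", err, plain)
	_, err = DecryptDocument(key, "job-9999.txt", sealed)
	fmt.Printf("decrypt under a different file name: err=%v\n", err)
	sealed[len(sealed)-1] ^= 0x01
	_, err = DecryptDocument(key, "job-4411.txt", sealed)
	fmt.Printf("decrypt after one flipped byte: err=%v\n", err)
}
```

Because GCM authenticates as well as encrypts, the same mechanism also serves Part C: a file altered on the server, whether by accident or on purpose, is rejected at decryption rather than quietly accepted as the patient's note.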
As is true of the Administrative and Physical Safeguards sections, keep in mind that simply having adequate policies and procedures in place is only part of the solution; proper documentation is a crucial component of compliance. As you move forward with a HIPAA compliance plan in a post-HITECH environment, remember the "Five D's":
- DETERMINE your specific requirements
- DESIGN appropriate policies and procedures
- DISSEMINATE information to all relevant personnel
- DAY-TO-DAY implementation of your policies and procedures
- DOCUMENT all of the above
HIPAA/HITECH compliance is not impossible for small MT operators and independent contractors. But for many of us accustomed to flying below the radar in a minimalistic regulatory environment, business as usual is no longer good business.
-
-
From the Nation News in Barbados:
The majority of Barbadian workers who underwent one year of Government-sponsored training in the medical transcription field were put on the breadline because they were performing below the required standard of work.
So said Robert Harvey, director of the United States based company TRSi, which trained the workers and set up a local company here.
A year after the company set up business here, 60 of the less than 100 workers have either left the company, or were dismissed.
[Harvey] said TRSi intended to expand its operations in Barbados despite this setback.
-
-
From Reuters comes word of a new survey of health information technology professionals that paints a sobering portrait of the state of health information security here in the U.S.:
According to the October 2009 Ponemon report, Electronic Health Information at Risk: A Study of IT Practitioners, 80 percent of healthcare organizations surveyed had experienced at least one incident of lost or stolen electronic health information in the past year - four percent had more than five patient data breaches. More than two-thirds of these healthcare organizations had already digitized at least a quarter of their patient records and a third had digitized more than half.
Electronic medical records promise to improve patient quality of care and safety - as well as reduce costs - but the study showed that IT practitioners don't believe they have management support to protect patient privacy as a priority.
According to survey respondents:
- 70 percent say senior management does not view privacy and data security as a priority;
- 53 percent say their organization fails to take appropriate steps to protect the privacy rights of patients, while less than half judge their existing security measures as "effective or very effective";
- The average cost of a data breach, per patient record, exceeded $210 per compromised record, creating an opportunity for organized computer crime rings to traffic in stolen medical records.
"The majority of IT practitioners in our study don't believe that their organizations have adequate resources to protect patients' sensitive or confidential information," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "The lack of resources and support from senior management is putting electronic health information at risk."
The study, sponsored by LogLogic and independently conducted by the Ponemon Institute, surveyed 542 senior IT practitioners from healthcare organizations with an average of more than 1,000 employees about how secure they believe electronic patient medical records are.
Clearly, maintaining the security of electronic protected health information (ePHI) is a global problem.
-
-
According to articles in The Economic Times and The Daily Mail, an undercover investigation by Britain's ITV1 television program "Tonight" has revealed that medical records of UK citizens are available for purchase from Indian black marketeers. Quoting from The Economic Times article:
The modus-operandi employed to procure
the records was simple. Chris Rogers, the [television] programme’s presenter, contacted
two Indian salesmen through an internet chat room, and posed as a marketing
executive keen on buying medical records to sell insurance and medicines.
Rogers bought 116 files with detailed medical records of British
patients from the two salesmen, whom the programme named as Jayesh
Bagchandnani and Kunal Gargatti, the Daily Mail, a prominent British tabloid,
reported on Sunday.
Bagchandnani reportedly said they came from
staff at an Indian ‘transcription’ centre where medical records are
computerised. Bagchandnani told Rogers: “We can do really good business
with these leads. These leads will give you diagnose, entire diagnose of all the
India’s top 10 BPO customers, what the customer is facing. There are 17
teams or you can say team managers. The floor managers, they are working as
freelancers for me and I am telling them to pull the data for me. They work for
me.”
Researchers for the programme then met Gargatti, in
Mumbai. “You have the doctor’s name, doctor’s address,
doctor’s phone number. Each and every thing here. I have 30,000 files to
give you today, right now. I’ve around 140 diseases here. You just tell me
which disease you’re looking out for — I can give you anything,” he told them.
The files procured were of patients of London
Clinic, one of Britain’s top private hospitals. Several hospitals in the
National Health Service have also outsourced their transcription to India,
sparking concern over data safety following the latest
investigation.
In this HITECH era of increased scrutiny of protected health information security here in the U.S., this has to be a worst-case scenario for offshore outsourcing firms already concerned about the effect HITECH will have on their business.
-
-
There was a very good turnout for the webinar, over 160 attendees, I'm told. There were a number of questions asked, and my answers appear below. The entire presentation can be accessed free of charge at this link. Please feel free to post any comments or questions here.
Q: Would you recommend some type of errors & omissions insurance or liability insurance to cover our business liability with this new regulation?
A: It's interesting, just a year ago I would have said no, but with the recent changes, I'm starting to feel differently. With all the added liabilities for business associates under HITECH, E&O insurance is probably not a bad idea. I haven't looked into what's out there recently; if you come across any information I'd appreciate it if you'd share it with me.
Q: Are there any policies in place from a HIPAA perspective on mobility and dictation?
A: I'm not aware of any HIPAA or HITECH regulations that specifically address mobile devices, etc. in terms of security, but my approach would be to make sure there are adequate safeguards in place to secure data from mobile devices, that you have your policies and procedures in writing, staff is educated on them, and compliance is documented regularly. Certainly mobile devices are not specifically exempt from HIPAA, so we have to proceed on the assumption that HIPAA applies to mobile data as well.
Q: Do confidentiality agreements cover the requirements and hold the MT responsible for confidentiality?
A: HITECH specifically requires that business associates have detailed contracts with their covered entities that spell out the responsibilities for each party. My recommendation is that you treat independent contractors as business associates as well, which means that both you and they would be liable in case of a breach, but at least you would have some cover if you can show that you did your due diligence to make sure they were aware of their obligations under their contract. Now in terms of employees, as opposed to ICs, it's my understanding that your employees would be covered under the business associate contract you have with your covered entities. However, it would be your responsibility to ensure that all your employees are aware of your policies and procedures regarding security, and that they are in fact compliant with all those policies, and be able to document all of this. What this would look like for your company in terms of how you ensure compliance is something that you will have to determine based on your specific situation. But whatever approach you take, again, it has to address all "reasonable" potential risks and you need to document everything.
Q: Has anyone been prosecuted for HIPAA violations?
A: Yes, there have been a handful of cases, but they've all involved out-and-out identity theft or holding information for ransom or selling confidential patient information to the press, etc. None that I'm aware of stemming from inadvertent breaches.
Q: How will the increase in cross-border healthcare delivery (through telemedicine or medical travel) influence the medical transcription profession? What tasks will remain local to the patient and primary care provider and what would be done at the distant provider?
A: My sense is that the trend to outsourcing in general will continue to affect this aspect of healthcare documentation as well. Because of the ubiquity of the Internet coupled with digital audio technology, there really are few significant barriers to remote transcription, so I would anticipate that the geographical source of the dictators and dictations will continue to be less important in terms of who performs the transcription and where they're located. Of course, this question doesn't address what effect the implementation of EHR/EMR technology is going to have on transcription in general, and that's a subject of lots of debate and speculation. The truth is, we really don't know yet.
Q: So is there any hope of an MT certificate holder actually being hired anywhere? I obtained a certificate from a community college. None of us found employment because all requests for MTs required at least 2 to 5 years of experience. Where does that leave us? Our investment, time, and training appears to be even more worthless with voice recognition around the corner? Same scenario with Billing & Coding. I've been transcribing legal depositions for a court reporter for workers' comp, malpractice, accidents, homicides, etc. Your comments, please?
A: I wish I had a simple answer. There's no question that the barriers to entry in our profession are significant, but not insurmountable. There are some larger national MT companies who do hire new graduates, IF you can pass their screening exams. You may just have to keep knocking on doors, so to speak, until you find someone who's willing to at least let you test. Having an RMT certification from AHDI can be a help in this regard also.
Q: So is the issue offshoring or service providers' inabilities to provide secure transactions?
A: In practical terms I think it's definitely more about security than it is about where the data is going. As I said during the webinar, most of the same security concerns that can be raised regarding offshore transcription would also apply to transcription done by home-based workers right here in the U.S.
Q: How can a home-based business comply today in advance to adhere to the safeguards? Is there a website that we can follow step by step?
A: Unfortunately there's no "one-stop shop" in terms of HIPAA compliance, in large part because every situation is different and there's no one set of solutions that will apply to every scenario. This is a case where investing in the services of a consultant to help you determine what your needs are and designing policies and procedures to fit your situation would seem to be a wise investment. Obviously coming from a consultant that advice can sound self-serving, but I sincerely believe it to be valid nonetheless.
-
-
On Wednesday, Oct. 14 at 2 p.m. ET / 11 a.m. PT, I'll be one of the presenters at a free webinar hosted by FierceEMR editor Neil Versel entitled Evolving Medical Transcription: Technology's impact on traditional transcription processes. Other presenters will include:
Mary Pat Whaley, Practice Administrator at Halifax Regional Medical Center and Editor at Manage My Practice.com. Whaley is an experienced operations executive with 25 years of experience managing primary care, specialty care, laboratory, imaging, and ambulatory surgery facilities. Projects that she excels in are building projects, revenue cycle management, and information technology selection, implementation and management.
Lisa McGrath, Marketing Communications Account Executive, 3M Health Information Systems. McGrath manages all marketing and promotional activities for 3M’s document management and dictation, transcription and speech recognition solutions. As member of both HIMSS and MTIA, McGrath leads the 3M presence at the annual HIMSS conference as well as the AHDI and MTIA events.
Click here to register for this event.
-
-
Quoting from HIPAA Regulation: §164.312
A covered entity must, in accordance with §164.306:
(a) (1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
(2) Implementation specifications:
(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
(d) (1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
(2) Implementation specifications:
(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
As you can see, much of this information seems geared more toward larger facilities than toward home-based or small office-based transcription service providers; clearly we have to find ways to adapt these regulations to the specifics of each operation. But in general, the physical safeguards section of the HIPAA Security Rule deals with the physical aspects of maintaining security when dealing with electronic protected health information (ePHI). We're talking about things like how you go about providing access to the computer(s) where ePHI will be maintained for any length of time. Is it in a room with a lock on the door? Who has a key? Is the computer in a cabinet or desk that can be locked in some fashion? As I read the regulations, it is necessary not only to have the means to control access to equipment containing ePHI, but also to document that plan and have a way to track every person who accesses equipment where ePHI is stored. This would include the individual(s) performing transcription, of course, but it would also include anyone else who has access to that computer, including anyone performing repairs or maintenance on the equipment. That in itself should be all the incentive you need to make sure you have a dedicated computer that cannot be accessed by anyone not covered under your business associate (BA) agreement with the covered entity (CE). Obviously, the fewer people who have access to your equipment, the less onerous your recordkeeping procedures will be.
Notice also that this section of the HIPAA regulations deals with such issues as having a disaster recovery and emergency operations mode plan. What are your provisions for backup and restoration of ePHI in case of power outage, equipment failure, etc.? Furthermore, this rule requires you to have and document a policy regarding removable media which may be used to store ePHI, including USB flash drives, CD-ROMs, DVD-ROMs, portable hard drives, etc. What precautions do you take in regards to any removable media containing ePHI that leaves the workstation? Do you have a log of the who, what and when of such events? Finally, this rule requires that a policy be in place that deals with the destruction/deletion of ePHI when you no longer have reason to maintain it in your possession. How do you go about removing ePHI from your hard drive and/or removable media? How long do you keep ePHI, and do you have a specific procedure in place to make sure files with ePHI are deleted in a timely manner according to your policy?
It's important to note that the HIPAA regulations, in many instances, do not specifically dictate HOW you must physically safeguard ePHI, so there is a certain amount of flexibility inherent in the rule. However, it seems clear to me that the intent of all these regulations is to ensure that, A) the policies and procedures that are put into place do in fact adequately protect ePHI; B) those policies and procedures are in writing; C) all personnel handling ePHI are familiar with these policies and procedures (with documentation to prove it, of course); and D) there is documentation to demonstrate that the policies and procedures are in fact consistently carried out in the BA's day-to-day operations. In my opinion, these four steps are the key to successfully complying with all the provisions of the HIPAA Security Rule regarding ePHI.
In my next post, I'll talk about the HIPAA Security Rule regulation dealing with technical safeguards for ePHI, which is probably the area of greatest concern for MT service owners and independent contractors, who use the Internet to send and receive files containing electronic protected health information.
-
-
For this second installment in a series of articles on the added responsibilities for transcription service providers under HITECH, I'll be drawing heavily from information from the HIPAA Survival Guide, specifically the section regarding the HIPAA Security Rule, which deals with electronic protected health information (ePHI). In a nutshell, the Security Rule requires three kinds of safeguards with regard to ePHI: administrative, physical, and technical.
It probably won't come as any shock to you, since this is a document created by government bureaucrats, that there's some overlap between these three areas, not to mention the occasional lack of clarity and specificity.
With that in mind, let's look first at the administrative requirements for protecting PHI under HIPAA and HITECH. Keep in mind that although reference is made to covered entities (CEs), with the passage of HITECH, business associates (BAs), including transcription service providers, must also now adhere to the provisions of the Security Rule. According to the HIPAA Survival Guide, administrative safeguards are defined as "administrative actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the CE's workforce in relation to the protection of that information." My translation of this definition is that one of the requirements for HIPAA compliance is to have written policies that lay out in detail, A) the measures you've put in place to protect ePHI; B) the measures you have in place to deal with any breaches of your written policies on security; and C) the measures you have in place to train your workforce to comply with A and B. But simply having written policies and procedures in place isn't enough; you must also actually enforce them, and be able to document that you have in fact enforced them.
(Did I mention that all of this was dreamed up by bureaucrats?)
Even though I'm mentioning administrative safeguards first, the reality is that in order to formulate the written policies and procedures that will guide your operations with regard to security, you first have to have an understanding of what HIPAA and HITECH require in terms of protecting ePHI, which I will deal with in future posts. Once you know what's required in terms of physical and technical safeguards, you'll then be ready to do an assessment of your particular situation to determine what specific threats to security exist in your operational workflow in light of the HIPAA/HITECH requirements. At that point you should be in a position to create the written policies and procedures covering your specific operation.
Suffice it to say at this point that you should be aware that, as a result of HITECH, the administrative burden on business associates under HIPAA has gotten considerably more significant. Even small MT service providers and independent contractors will need to comply, and the time to begin the process is now.
-
-
In this first installment in a series of articles about how the HITECH portion of the ARRA legislation (also known as the stimulus bill) will change the way medical transcriptionists operate, I want to focus on some of the new obligations for business associates, including transcription service providers under the new legislation. A good starting point is this article from For The Record magazine entitled, "Pulling It All Together - The HITECH Act & HIPAA," which deals with some of these new responsibilities for business associates handling electronic protected health information (ePHI). Here are some key passages, with my emphases added:
Breach notification requirements also extend to business associates (BAs). Under HITECH, BAs are now directly accountable for violations. Further, if a BA becomes aware of a violation on the part of a covered entity (CE) with whom it works, it has an obligation to report the breach if the CE does not take steps to remedy the situation.
As a result, BAs that have not already done so will need to implement security and notification policies and procedures of their own, as well as work with CEs to reach agreements on how notifications will be handled.
In most cases, this will require BAs to carefully evaluate and revise existing contracts not only with CEs but also with any subcontractors that may handle personal health information (PHI) on behalf of clients.
“Agreements will have to be amended to reflect that the nature of the relationship between the business associate and covered entity has changed, such that the BA actually has affirmative duties to take certain steps,” says Helen Oscislawski, JD, a health law attorney with Fox Rothschild LLP. “For one, BAs now have a direct obligation, if they are aware a covered entity has engaged in a breach, to report the breach to HHS if the CE fails to take steps to remedy the breach and terminating the contract is not an option. This was in reverse before. Now we have a bilateral, mirrored obligation on both ends. It changes the dynamic between these parties in many ways.”
Further, while previously the determination of whether a BA would be held accountable for breaches was handled in contracts, they are now directly at risk for the same statutory and civil monetary penalties as covered entities, including those pursued by state attorneys general.
As you can see, HITECH has clearly changed the ground rules with regard to who is responsible for securing ePHI. It used to be that the burden was by and large all on the covered entity, i.e., the client, to be HIPAA compliant. That is no longer the case. Under HITECH, business associates must now be proactive in ensuring that all ePHI is handled in a secure manner, whether or not the client sees the need to do so. In my own personal experience as an MT service owner dealing with small physician practices, as well as providing consulting services to other small MTSOs and independent contractors, I'm well aware of the challenge this presents to many of us. Every doctor we deal with, as well as their office personnel, must now be educated on the need for security measures that up to this point may have been ignored.
Furthermore, HITECH not only requires that proper security measures be put in place (more specifics on that in later articles), there must be a written contract between CEs and BAs which clearly spells out the legal obligations of all parties under HIPAA and HITECH. In other words, the days of doing business with a client on the basis of a conversation in person or over the phone are over. Everything has to be in writing, and it has to be very explicit in terms of what each party is required to do under the law. Again, this means that if you don't already have a written HIPAA compliance contract in place for every client, now is the time to get it done. And even if you DO have existing written agreements in place, they must all now be updated to reflect the new obligations under HITECH.
The bottom line is that transcription service providers can no longer afford to sit back and wait for the client to initiate a conversation about contracts and security procedures. Now under HITECH, if we aren't HIPAA compliant, we can be slapped with the same monetary penalties that used to be reserved for covered entities.
-
-
From a post on MTChat.com:
I think MTs are going to start losing actual real jobs a whole heap sooner in greater numbers than most of us are willing to admit is already happening.
It is happening here in our area now and we do have a pretty good working knowledge of what the employment outlook for MTs is here given the client base we have. Getting hired here now is 10 times harder than it has ever been. No one is hiring new staff. No one is adding employees ... no one is picking up ICs ... they are shifting the bulk and burden of what work is left to existing staff only and making do with what they have ... and of course, letting folks go as the accounts continue to automate and walk out the door, usually with no warning. It has been going on steadily for the last couple of years, it is just that no one really openly talked about it until lately.
I think MTs, especially long-term stay at home independents like you or I, are going to have to start accepting that we have hit the place where there are no choices but to start lowering expectations of what we think the real worth of MT is in the process of medical documentation to stay employed or to do work that essentially is what I consider as data entry for lower pay. Either that or transition/train for some other field of work as quickly as they can. Two really ugly choices, but that is what is happening here in my area and I doubt that is really any different in other areas of the country. New ones just starting out are not going to know any different because they are gonna be lucky to get hired at all, and, if hired it will be at the ever-dropping rates that are now the norm not the exception.
I've been an optimist when it comes to the future of MT even after many of my colleagues were expressing ever more pessimistic views about the state of the industry. However, lately I've had cause to revisit my opinions on this issue, although for different reasons than those voiced by Renee Priest above. My growing conviction is that it will be enforcement of HIPAA, given dramatically more muscle by the recently passed HITECH legislation, that may very well spell the end for small MTSOs and independent contractors. In following posts I'll be examining in greater detail the specifics of the new requirements for business associates under HIPAA/HITECH, but suffice it to say for now that life as we know it for mom-and-pop operations is about to get a whole lot more complicated.
In the meantime, I'd be very interested to hear if others are experiencing or observing circumstances similar to those voiced by Nae Priest. Please post your thoughts in the comments section here, thanks.