The XY Files in an MT World : HIM in the News

Bits and Pieces

Jay Vance — Mon, 15 Jun 2009 18:35:00 GMT

Here are some of the happenings in the world of medical transcription as of late: MedQuist/AHDI Settlement Update According to the AHDI website , the free program offerings for eligible members of the MedQuist settlement class are anticipated to become...(read more)

Beth Israel/Google Health Fiasco--Is Technology Really the Problem?

Jay Vance — Tue, 28 Apr 2009 11:55:00 GMT

Recently the Boston Globe has been reporting on problems arising when Beth Israel Deaconess Medical Center sent insurance claims data (i.e., billing codes) to Google Health PHR as a means of summarizing patients' medical condition. As it turned out, this...(read more)

HITECH Makes Business Associates Liable Under HIPAA

Jay Vance — Mon, 02 Mar 2009 16:14:00 GMT

Medical transcription providers should be educating themselves on how the Health Information Technology for Economic and Clinical Health Act (HITECH) portion of the American Recovery and Reinvestment Act of 2009, also known as the stimulus bill, is changing the way HIPAA regulations will apply to business associates. Up to this point, business associates of covered entities were not directly liable under HIPAA for breaches of private health information (PHI). As a result of HITECH, however, business associates, including transcription providers, will now be directly liable for failure to adhere to HIPAA regulations regarding the use of PHI.

According to Ed Jones from hipaa.com:

Application of the Security Rule to business associates of covered entities is a significant change. Previously, if there were a breach involving a business associate of which the covered entity were aware, then the covered entity could just terminate the contract if the breach was not remedied. Responsibility and liability rested with the covered entity. With the change in the HITECH privacy provisions of ARRA, the business associate now has responsibility and liability directly for a breach. A breach requires notification, which is triggered when there is an incident of "unsecured protected health information." The Secretary of HHS is required to issue guidance on what constitutes "unsecured protected health information" within 6o days of February 17, 2009. In the absence of such guidance in the time specified, then a default definition pertaining to a failure of encryption as endorsed by the National Institute of Standards and Technology (NIST) of such information [applies]. The notification provision requires both covered entities and business associates to notify affected parties directly and individually in a timely manner, and to use appropriate public media for cases involving over 500 individuals. This is a specification that was not defined under HIPAA Administrative Simplification. Increased penalties for a breach by a covered entity are immediately effective.

Writing for WTN News, attorney John Barlament explains further:

For the first time, business associates must comply directly with many of HIPAA's Security Rules. This will require every business associate to take several actions, including appointing a security official, developing written policies and procedures, and training its workforce on how to protect electronic protected health information ("EPHI"). These provisions go well beyond the previous requirements for business associates, where business associates only had to comply with the written business associate agreement.
Business associates also will need to follow HIPAA's Security Rules relating to physical safeguards (such as locking computers that contain EPHI), technical safeguards (such as encrypting emails) and the requirement to adopt written policies and procedures. Failing to do so will - for the first time - subject a business associate to civil monetary penalties and criminal penalties for each notification (and, as discussed below, the civil monetary penalties are now increased).

A covered entity or business associate that has a specified security breach will be required to notify each individual affected by the security breach. This can involve written notification by mail or, if specified by preference by the individual, email. If the covered entity or business associate lacks current contact information, it may be required to post notice of the breach on its website or in newspapers or other broadcast media (e.g., television). For certain large breaches (involving more than 500 residents in a particular area) a "prominent media outlet" must be notified of the breach. The U.S. Department of Health and Human Services ("HHS") also must be contacted, and HHS is to establish a website listing these breaches. There is an exception for certain unintentional breaches.

The Act states that business associates must comply directly with certain HIPAA Privacy Rules, primarily the requirement to have and follow a business associate agreement. The scope of this change is unclear. It could mean that every entity must determine whether it is a business associate with respect to a covered entity. If so, the business associate may be required to enter into a business associate agreement with the covered entity. Previously, it was a covered entity's responsibility to identify all its business associates (a business associate did not need to identify whether it actually was a business associate).

The civil monetary penalties are significantly increased. Currently, the amount of the penalty is generally $100 for each violation. This $100 amount (and its related cap of $25,000 for multiple violations) increases to $1,000 per violation for a violation due to "reasonable cause and not to willful neglect" (with a maximum penalty of $100,000); $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year). These changes are immediately effective (i.e., they are in effect today) and represent a dramatic increase in the penalties under HIPAA.
In addition, state attorney generals can now bring a HIPAA enforcement action against a covered entity or business associate that violates these rules. Further, the state attorney general can obtain attorney's fees under such an action (although the attorney's fees are discretionary and not mandatory).
HHS - the main enforcer of HIPAA - now is required to conduct "periodic audits" to ensure that both business associates and covered entities are compliant with these new rules. Audits were possible under the old regulations. However, audits tended to be fairly rare, perhaps due to a lack of funding at HHS. Now, some monetary penalties or settlements collected by HHS are transferred to HHS's Office of Civil Rights to be used for purposes of enforcing HIPAA. This appears to solve the funding issue that HHS had apparently experienced. Thus, clients can expect to see increased HIPAA audits and enforcement.

So what does all this mean for the independent MT contractor and mom-and-pop transcription provider, not to mention regional and national MT service providers? While we don't yet know what the final HHS guidelines will look like, it seems clear to me that a whole boatload of new liability has just been dumped on MTs, whether we're ready for it or not. I'll be following the progress of the HHS rule-setting process with great interest, and will report back as new information becomes available.

MedQuist Class Action Settlement Goes to AHDI; No Money to Individual MTs

Jay Vance — Mon, 12 Jan 2009 14:16:00 GMT

I woke up this morning to find a Google Alert in my inbox regarding a most interesting post on Julie Weight's MT Exchange blog. The blog post quoted a MedQuist memorandum to its transcriptionists announcing the settlement of a lawsuit "...that was brought as a class action on behalf of current and former medical transcriptionist employees of MedQuist Inc. and MedQuist Transcription Ltd. ("MedQuist"). The suite alleges that MedQuist manipulated its company systems to underpay medical transcriptionists for transcription work that was compensated on a per-line basis. Defendants deny that they did anything wrong. The parties have agreed to settle the lawsuit."

I did a little digging and found the memo in its entirety. I must say it makes for interesting reading. The notice states that the lawsuit was settled for $1.5 million in cash, of which no less than $1 million is to be distributed to the Association for Healthcare Documentation Integrity (AHDI) "to fund programs for the general benefit of medical transcriptionists and the medical transcription industry. Qualifying class members will also be eligible to participate in certain AHDI programs free of charge. No payments will be made directly to any individuals."

A subsequent portion of the notice states that "AHDI is offering certain of its programs free of charge to qualifying class members through December 31, 2009. Program options include a choice of one of the following: free one-year individual AHDI membership, or free one-year subscription to AHDI's web-based knowledge base and information portal (i.e., Benchmark KB), or free registration for up to five (5) online AHDI educational webinars; or free registration for credentialing prep course; or free AHDI educational product bundle." The notice instructs interested parties to visit the AHDI website for more information, but I was not able to find anything concerning this settlement or how to apply for the free programs on the site.

According to the notice, individuals who would otherwise be part of the class covered by this settlement do have the option of excluding themselves from the settlement, thus preserving their right to sue MedQuist individually. The settlement covers all MTs who worked for MedQuist from November 29, 1998 through August 11, 2008 who were paid on a line-based unit of measure. Interestingly, it appears from my reading of the settlement notice that the process had not actually reached the class certification stage before the settlement was reached.

I would love to know how MTs affected by this settlement feel about the money going to AHDI rather than being distributed amongst the individuals whose paychecks may have been directly affected by MedQuist's allegedly improper line-counting methods (MedQuist admits no guilt in regards to any of the plaintiffs' allegations as part of the settlement). In any case, this certainly is a windfall for AHDI, which has struggled with declining membership revenues for a number of years. Hopefully many of the MTs who are eligible will take advantage of the free programs AHDI will be required to offer as a result of this settlement. As someone who actually worked for MedQuist during the covered period, you can bet I will!

A Major Step Forward for PHRs

Jay Vance — Wed, 19 Nov 2008 16:27:00 GMT

On November 12, acting CMS administrator Kerry Weems and HHS Secretary Michael Leavitt announced a pilot program which will enable Medicare members in Arizona and Utah to use their choice of four commercial personal health record (PHR) providers to access their own data from CMS databases. Beginning in early 2009, beneficiaries with Original Medicare will be able to use Google Health, HealthTrio, NoMoreClipboard.com, or PassportMD to maintain a PHR which will include Medicare information from CMS.

Said HHS Secretary Mike Leavitt, "This pilot is a major step forward for Medicare. It will provide information and tools that will empower consumers to manage their health better. Importantly, the pilot provides beneficiaries with a choice of products to meet their individual needs."

What I find remarkable about this new endeavor is that CMS, by all accounts a fairly conservative entity when it comes to sharing its data and embracing new technologies, is actually going to allow both consumers and third-party service providers to access personal health information (PHI) of Medicare beneficiaries. It's hard to see this move as anything less than an explicit endorsement of a "Health 2.0" infrastructure in general and of the concept of PHRs in particular. It would also, evidently, signify that CMS has accepted the HTTPS Internet transmission protocol as secure enough for PHI. From what I hear, in the past CMS has been loathe to allow the transmission of PHI data to or from its databases via the Internet.

CMS funds more than half of the healthcare in the U.S., and isn't shy about attempting to drive adoption and change through its reimbursement policy. I will be very curious to see whether or not, by offering patients access to their own claims data, CMS will create patient expectation that will motivate the private payer community to do the same. It will also be interesting to see what effect this move will have on adoption of PHRs by consumers. Again, it's hard not to see this as a golden opportunity for MTs and others in the health care documentation arena to jump on this bandwagon by providing value-added services to help consumers establish and maintain their own PHRs. CMS and major online players such as Google Health have already done a lot of the marketing work for us with this new initiative.