
HIPAA Information

HIPAA Security and Privacy Information

 

The Health Insurance Portability and Accountability Act (HIPAA) is a federal healthcare law established August 21, 1996 to promote standardization and efficiency in the health care industry and to provide confidentiality protections for health data processed under the new standards. HIPAA directly affects health insurance providers, healthcare clearinghouses, and healthcare providers, and indirectly affects the business associates of those entities. HIPAA was enforced beginning April 15, 2003. The sections below describe how HIPAA affects transcription companies and healthcare providers.

 

Impact of HIPAA on Transcription Companies and other “Business Associates”

 

HIPAA defines companies that provide services to Healthcare Providers as Business Associates. Although HIPAA's guidelines and regulations are enforced not directly upon Business Associates but upon the Healthcare Providers they serve, every Business Associate must promote compliance in the services it offers to a Healthcare Provider in order to maintain a business relationship with that entity.

A Transcription Company, in its handling of physician dictation records, must enter into a written agreement with each physician or physician group stating that it will honor the privacy guidelines established by HIPAA and will maintain technical and personnel safeguards to secure that data. It is the responsibility of the Healthcare Provider to establish privacy agreements with all of its Business Associates who handle protected patient data.

Transcription Companies should review the Security and Privacy guidelines enforced upon Healthcare Providers so that they can anticipate what each provider will expect of them in order to keep that provider compliant with HIPAA.


Impact of HIPAA on Healthcare Providers

 

A physician or physician group is one of three "covered entities" directly affected by the regulations and guidelines of HIPAA. It falls on each covered entity to observe and implement the regulations of HIPAA throughout its organization and throughout all of its business associates.

 

 

Bytescribe is committed to providing products that offer optimal security in a HIPAA compliant environment.  Bytescribe has evaluated and tested software products and services to ensure support for HIPAA compliance.  Bytescribe strives to be knowledgeable regarding HIPAA rules and regulations and to make every effort to add adequate security functionality to its products.

 

Below are current guidelines to using Bytescribe products in a HIPAA compliant environment. 

 

Securing Orator Dictation Server

 

In order to properly secure the Orator Dictation System, some steps may need to be taken to provide optimal security.  Below are listed some basic guidelines:

 

  1. Locate the server in a secure place.  If possible, locate the server in a room that is only accessible to administrators and persons with proper permissions.  
  2. Password protect the server.  Use the Windows password-protected screen saver function, and set the screen saver to activate within a suitable time limit.
  3. If exporting voice files via the Internet or LAN, properly secure servers to which files may be exported.  When exporting files via the Internet, use software that will encrypt files during transfer.

 

Security with DocShuttle Management Software

 

  1. Enable the encryption functionality when uploading voice files to an FTP site.
  2. Use secure FTP ports 990 or 2500 when supported by the FTP server.
  3. The Administrator should limit access for transcriptionists to only job types assigned to the transcriptionists.
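As an added example (not Bytescribe or DocShuttle code), here is how the two transfer settings above translate into a client: an implicit-TLS FTPS upload on port 990 that verifies the server certificate and encrypts the data channel as well as the control channel. The host, credentials, file names and optional CA file are placeholders supplied by the caller.

```python
"""Implicit FTPS (port 990) uploader with strict certificate checking.

ftplib.FTP_TLS only speaks explicit FTPS (AUTH TLS on port 21). On port 990
TLS comes first, before any FTP reply, so the socket is wrapped on connect.
"""
import socket
import ssl
from ftplib import FTP_TLS

IMPLICIT_FTPS_PORT = 990


def build_tls_context(ca_file=None):
    """Client context that verifies the server cert and refuses < TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)  # None: system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """True when certs and hostnames are verified and TLS 1.2+ is enforced."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


class ImplicitFTPS(FTP_TLS):
    """FTP_TLS variant for implicit mode: TLS before the first FTP reply."""

    def connect(self, host="", port=IMPLICIT_FTPS_PORT, timeout=30, source_address=None):
        self.host, self.port, self.timeout = host, port, timeout
        raw = socket.create_connection((host, port), timeout, source_address)
        # Wrap first; the 220 welcome banner then arrives inside TLS.
        self.sock = self.context.wrap_socket(raw, server_hostname=host)
        self.af = self.sock.family
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()
        return self.welcome


def upload_voice_file(host, user, password, local_path, remote_name, ca_file=None):
    """Upload one dictation file; control and data channels are both encrypted."""
    ftps = ImplicitFTPS(context=build_tls_context(ca_file))
    ftps.connect(host, IMPLICIT_FTPS_PORT)
    ftps.login(user, password)  # socket already TLS, so ftplib skips AUTH TLS
    ftps.prot_p()               # PROT P: encrypt the data channel used by STOR
    with open(local_path, "rb") as fh:
        ftps.storbinary(f"STOR {remote_name}", fh)
    return ftps.quit()
```

A server whose certificate does not chain to the given CA, or that offers only plaintext, causes the connect or login to raise rather than sending the voice file unencrypted.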

 

Security Guidelines of Administrative Simplification*

 

Administrative Procedures

Documented formal practices to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to the protection of data.

Contingency – Data Backup, Disaster Recovery, Emergency Mode

Information Access Control – Access Authorization, Access Establishment, Access Modification

Personnel Security – Personnel clearance including custodial services

Security Configuration Mgmt – Hardware/software installation and maintenance

Virus checking

Security Incident Procedures – Report/Response Procedures

Security Mgmt. Process – Risk analysis and Management

Sanction and Security policy

Termination Procedures – locks changed, removal from access lists and user account(s)

Training – User education concerning virus protection and password management

Physical Safeguards

The protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Physical safeguards also cover the use of locks, keys, and administrative measures used to control access to computer systems and facilities.

Media Controls – Access control, Accountability, Data Backup and Storage, Disposal

Physical Access Controls – Disaster Recovery, Emergency Mode Operation, Equipment Control

(limited access) Need-to-Know Procedures for personnel access

Policy and guidelines on workstation use

Secure workstation locations

Security Awareness Training (including business associates like transcription companies)

Technical Security Services

Include the processes that are put into place to protect and to control and monitor information access.

Access Control – Applies primarily to EMR and includes: Context-based, Role-based, and User-based access, Encryption, and Emergency access procedures

Audit Controls

Authorization Control – Role-based and User-Based access

Data Authentication

Entity Authentication – Requisite: Auto Logoff and Unique User ID, plus at least one of the following:

Password, PIN, Tele-callback, Token, Biometric signature

Technical Security Mechanisms

Include the processes that are put into place to prevent unauthorized access to data that is transmitted over a communications network.

Communications/Network controls – Requisite: Integrity Controls and Message Authentication, plus one of the following: Access Control, Encryption

If using a network, add: Alarm, Audit Trail, Entity Authentication, Event Reporting

*These are excerpts from Federal Register documentation on Administrative Simplification regarding Security. 

 

 

Privacy Guidelines of Administrative Simplification*

 

The Privacy Rule provides the first comprehensive Federal protection for the privacy of health information and is carefully balanced to provide strong privacy protections that do not interfere with patient access to, or the quality of, healthcare delivery.

By the compliance date of April 14, 2003 covered entities (Health Plans, Healthcare Clearinghouses, and Healthcare Providers) must implement standards to protect and guard against the misuse of individually identifiable health information. Failure to timely implement these standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

 

Incidental Uses and Disclosures (45CFR 164.502(a))

An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted by the Rule. An incidental use or disclosure is NOT permitted if it is a by-product of an underlying use or disclosure that violates the Privacy Rule.

Minimum Necessary (45CFR 164.502(b), 164.514(d))

The essence of this rule is the conveyance of patient information, in whatever form that conveyance may take (documented, verbal, data transfer, etc.) with the minimum amount of data necessary to meet the current treatment needs of the patient. The Privacy Rule requires covered entities to take reasonable steps to limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose.

Personal Representatives (45CFR 164.502(g))

Under the Privacy Rule, a person authorized to act on behalf of the individual in making health care related decisions is the individual’s personal representative. Covered entities are required to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information. The personal representative has the ability to act for the individual, exercise the individual’s rights, and may also authorize disclosures of the individual’s protected health information.

Business Associates (45CFR 164.502(e), 164.504(e), 164.532(d) and (e))

By law, the HIPAA Privacy Rule applies only to covered entities. However, most healthcare providers do not carry out all of their activities and functions by themselves; often the use of services provided by a variety of other persons and businesses is required. The Privacy Rule allows covered providers to disclose protected health information to these "business associates" if the providers obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule, and will help the covered entity carry out its healthcare functions.

A member of the covered entity’s workforce is NOT a business associate.

An independent medical transcriptionist that provides transcription services to a physician IS a business associate.

A software vendor only becomes a "Business Associate" when it is required that a company representative view patient data in relation to providing services in the installation or maintenance of computer software. If the viewing of patient data can be avoided in this regard, a software vendor is not considered a business associate.

 

*These are excerpts from Privacy Rule guidelines created by the U.S. Dept. of Health and Human Services Office of Civil Rights. 
