HIPAA is Health Insurance Portability and Accountability Act of 1996-A law mandating that anyone belonging to a group health insurance plan must be allowed to purchase health insurance within an interval of time beginning when the previous coverage is lost. The law protects employees, especially those with long-term health conditions who may be reluctant to leave jobs because they are afraid pre-existing condition clauses will limit coverage of any such conditions under a new insurance plan, from losing health insurance due to a change in employment status. This act was basically designed to protect the privacy rights of individuals with regard to their confidential medical records. The act greatly restricts the dissemination and transmittal of personal patient information and has dramatically affected the way healthcare information is handled. HIPAA regulations have also tried to restrict the use of preexisting condition exclusions, create special enrollment periods and prohibit discrimination based on health-status related conditions in enrollment and premiums.
HIPAA - Primary objectives
This act was a result of congressional health care reform proponents to reform healthcare. The four primary objectives it serves to achieve are:
- Reduce healthcare fraud and abuse
- Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
- Enforce standards for health information
- Guarantee security, privacy, and confidentiality of patient health information
Of the four primary objectives, the fourth objective has the most impact on medical transcription since it deals with handling and transfer of sensitive information of patient health data usually in electronic form. All transcription organizations, therefore, must be able to support two requirements:
1. Ensure the security and confidentiality of the patient’s Protected Health Information and
2. Maintain an audit trail of all individuals who have had access to Protected Health Information.
This means that transcription service providers must implement technology and business processes in their operation to support these two major requirements.
HIPAA Regulations and its reach-HIPPA regulations have been devised to have broad application with a variety of extensions. These provisions extend to all health care providers who transmit health records in an electronic format and health care billing companies. The Act refers to these organizations as "Covered Entities". Most Medical Transcription Services and their employees are not considered "Covered Entities" under the Act unless their organization also engages in services that put them in the category of "Covered Entity". Medical Transcription Services are typically regarded under the Act as "Business Associates".
Covered Entity and Business Associate
HIPAA defines a Covered Entity (CE) as a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with an HIPAA transaction. A physician’s office thereby would fall under the category of a Covered Entity.
The Act defines a Business Associate as "any person or organization that performs a function or activity on behalf of a Covered Entity, but is not part of the Covered Entity's workforce (employees, volunteers, trainees and others) under the Covered Entity's direct control, regardless of whether they are paid by the Covered Entity." A medical transcription service provider would be classified under the definition of a Business Associate.
As a Business Associate, the Medical Transcription Service may not be directly governed by HIPAA regulations. But however, indirectly, the Business Associates are governed in accordance with the fact that Covered Entities are required to obtain written assurances from the Business Associates that they deal with to ensure that patient identifying information is appropriately safeguarded. These written assurances must be included in a written contract between the Covered Entity and the Business Associate.
HIPAA & Independent Medical Transcriptionists?
Medical transcriptionists who operate as Independent Contractors to Medical Transcription Services (Business Associates) and who have direct access to patient health information are referred to by the Act as "Third Parties." Third Parties must have a written contract with the Business Associate for whom they provide contract services to assure that patient information conveyed to them will be appropriately safeguarded and that all electronic data transmissions between the Third Party and the Business Associate are conducted in accordance with the approved national standard. This contract should be similar in nature and scope to the contract between the Business Associate and the coveted entity.
Deadline for Complying with guidelines of HIPAA?HIPAA act requires that healthcare organizations insurers and payors that have been using any electronic means of storing patient data and performing claims submission must comply with this rule by April 14, 2003. Since medical transcription deals with handling and storing patient data in electronic form, it is necessary that all such organizations must comply with this deadline. Small health care plans will have until April 14, 2004, to become completely compliant. However, all other covered entities must become fully compliant by April 14, 2003.
Standards prescribed for Transmittal of Electronic Patient Information - HIPAA act requires that healthcare organizations insurers and payors that have been using any electronic means of storing patient data and performing claims submission must comply with this rule by April 14, 2003. Since medical transcription deals with handling and storing patient data in electronic form, it is necessary that all such organizations must comply with this deadline.
Internet & HIPAA compliance-With advancing technology, the internet has become the major source of electronic data transmission over the years and will surely continue to do so. Hence, it becomes necessary on the part of medical transcription service provider to use encryption and password protection to prevent unauthorized access to any patient information. Dictations done on a telephone does not need to be encrypted. However, voice files transmitted by portable recorders should be encrypted prior to transmission over the Internet.
Transcribed documents must be sent back to the healthcare provider also in a secured manner using encrypted email or a secure FTP site or may be faxed with a disclaimer statement explaining the confidential nature of the document. However, use of tapes lends a high degree of a doubt since there is no way to verify an audit trail as to who has had the tape and who listened to patient data on the tape. If the tape is lost, one cannot guarantee the security of the information on it.
Other Key Provisions of the Act - The primary focus of the Act is to restrict the leakage and dissemination of patient health care information. The conditions under which information can be conveyed are very explicitly stated. The rules specifically pertain to health information that is transmitted or maintained in any form be it oral, paper, electronic, etc and which contains patient identifying information. Patient identifying information includes such things as name, address, social security number, phone number, and any other information, which could be used to identify an individual.
In order to be compliant with the rules and regulations of HIPAA, covered entities must implement measures to ensure that patient information is protected in accordance with the provisions of the Act. Specifically:
1. A proper written proof must be provided to individuals telling them as to how their information will be used and to whom it will be disseminated (i.e. to insurance and billing companies, or other health care practitioners).
2. Similarly, a written consent should also be obtained from the individual allowing for the use and maintenance of personal information as provided for by the Act.
3. Disclosure of information for any other purpose must be done always after documented specific authorization from the individual.
4. All efforts must be made by covered entities to minimize the dispersal of patient information through any means.
5. Covered entities must establish and maintain adequate administrative, technical and physical measures to ensure that all privacy requirements are upheld within the organization.
6. Business Associate must be directed specifically to safeguard all patient related information in the best possible way and covered entities should periodically review the standards of security and confidentiality of their Business Associate.
Penalty imposition for the non-compliance-The total amount of civil penalties for multiple violations by a Covered Entity during a calendar year is capped at $25,000.
HIPAA also provides from criminal liability for Covered Entities for knowingly obtaining or disclosing individually identifiable health information. The maximum penalty is a fine of $50,000 and imprisonment of one year. If the offense is committed under false pretenses, the maximum penalty is a fine of $100,000 and imprisonment of five years. If the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the maximum penalty is a fine of $250,000 and imprisonment of ten years.
Both Civil and criminal penalties can be imposed for noncompliance with HIPAA. The truss of these penalties is usually directed against Covered Entities but not directed directly against Business Associates. However, indirectly, the business Associates do come under penalty imposition since they are contractually obligated to comply with these regulations.
Rights of the patient under HIPAA provides the patient with many new rights in relation to their healthcare documentation. Some of them include:
- Right to review their entire medical record and data.
- Right to request changes within documentation (though this comes under the preview of the physician who can deny for specific reasons
- Right to request documentation every time their information was accessed, along with the identity of the individual accessing the document with the specific reason for doing so.
- Right to know how much of the information was shared.
- Right to know what the Covered Entity’s policies and procedures are for security and privacy.