The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data or the confidential use of protected health information (PHI). “Covered entities” or “business associates” that handle PHI are required to be HIPAA-compliant. Covered entities refer to health plans, health care clearinghouses, and health care providers. Business associates mean all organizations or individuals who act as a vendor or subcontractor with access to PHI. Medical transcription companies come under the business associate category and can be held liable for PHI exposure. That’s why they need to strictly enforce HIPAA transcription confidentiality regulations.
What HIPAA Transcription Compliance Means
HSS.gov defines a “business associate” as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. As a business associate, the medical transcription company has to provide a written assurance or sign a contract with the covered entity or healthcare provider that they will appropriately safeguard patient identifying information. This means that the medical transcription service provider must have the necessary infrastructure and regulations in place for securing and maintaining the confidentiality of PHI.
The HIPAA regulations that apply to a medical transcription company are as follows:
- The company must ensure that the confidentiality, integrity, and availability of all PHI handled or transmitted is preserved.
- They should not use or further disclose the information other than as permitted or required by the contract or as required by law.
- They should implement appropriate safeguards to prevent reasonably anticipated but unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to PHI.
- They must protect PHI they handle against reasonably anticipated threats to the security or integrity of the information.
- They should ensure workplace compliance.
Measures for HIPAA Compliance in Medical Transcription
A company that provides HIPAA compliant medical transcription services will have proper measures to ensure security, health care compliance and privacy of PHI. Achieving HIPAA transcription compliance requires the company to maintain and implement effective written policies and procedures as well as implement administrative, physical and technical safeguards and controls to protect PHI:
- Implement measures to restrict physical access to computers and the facility or facilities in which they are housed, while ensuring properly authorized access is allowed.
- Ensure all computers and portable devices with PHI are password-protected
- Enforce policies and procedures to secure PHI with specific controls such as strong passwords, email encryption, intrusion prevention software, locking down USB ports, etc.
- Have employees sign confidentiality agreements
- Train staff on overall policies and practices to protect the security of electronic PHI in accordance with HIPAA rules. Provide yearly HIPAA training to staff handling PHI.
- Implement policies and procedures to protect the facility and equipment from unauthorized physical access, tampering, and theft
- Physical safeguards for all workstations that access PHI to restrict access to authorized users
- Establish and implement procedures to create and maintain retrievable exact copies of EPHI
- Have policies and procedures in place for guarding against and detecting malicious software
- Have procedures for creating, changing, and safeguarding password
- Have measures in place to report and address security incidents
- Develop and implement policies and procedures for responding to an emergency or other occurrence, such as fire, vandalism, system failure, or natural disaster that harms systems that contain PHI
- Implement device and media controls for the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the transfer of these items within the facility
- Implement technical security measures to guard against unauthorized access to PHI being transmitted over the internet
- Encrypt confidential patient information whenever appropriate
- Perform HIPAA-required risk analysis, and review and update security policies periodically
.
In addition to strictly implementing HIPAA confidentiality agreements, reliable medical transcription companies conduct annual audits to assess their administrative, technical, and physical measures and address any gaps to comply with HIPAA privacy and security standards.
Choose a HIPAA Compliant Transcription Company
According to a HIPAA journal report, there has been an upward trend in healthcare data breaches over the past 10 years, with 2020 seeing more data breaches reported than any other year since records were first published. Many of these breaches involved business associates. Here are some examples:
- In June 2018, 619 patients were informed by UC San Diego Health that their PHI may compromised by an external data breach involving a third-party medical transcription provider.
- In May 2018, a Mass.-based provider of speech recognition software reported that a healthcare data breach occurred when an unauthorized third party gained access to 45,000 patient records hosted on one of its medical transcription platforms. Nearly 900 patients of the San Francisco Health Network were affected by the breach
- Children’s National Health System in Washington reported a pediatric transcription breach in 2016. The hospital held a medical transcription company’s misconfigured file server accountable for a data breach that exposed thousands of patient records on the internet.
Healthcare providers need to do their research well and choose medical transcription company that can provide accurate and timely EHR documentation, and also ensure the confidentiality of PHI with strict measures to enforce HIPAA compliance.