FAQs about HIPAA
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
was the product of congressional proponents of healthcare reform. The
HIPAA legislation has four primary objectives:
1. Assure health insurance portability by eliminating job lock due to
pre-existing medical conditions
2. Reduce healthcare fraud and abuse
3. Enforce standards for health information
4. Guarantee security and privacy of health information
Of these objectives, the fourth has the greatest impact on medical
transcription.
What is the deadline for HIPAA compliance?
HIPAA requires health care organizations that use any electronic means
of storing patient data, including medical transcription organizations,
to comply with its security guidelines by 4/14/2003.
What are the important requirements of HIPAA for a medical transcription
company?
Medical Transcription Service Organizations (MTSOs) must be able to
support two requirements through their technology and business
processes:
- Ensure the security and confidentiality of all patients' Protected
Health Information (PHI)
- Maintain an audit trail of all individuals who have had access to PHI
Can the Internet be used for medical transcription and still meet HIPAA
requirements?
Yes, as long as the MTSO uses encryption and password protection to
prevent unauthorized access to PHI. Dictation done over the telephone
does not need to be encrypted, but voice files captured on portable
recorders should be encrypted prior to transmission over the Internet.
Transcribed documents must be transmitted securely using encrypted
e-mail or a secure FTP site, or they may be faxed with a disclaimer
statement explaining the confidential nature of the document.
If tapes are used to record dictations, will this meet HIPAA
regulations?
Tapes may cause a problem, since it is difficult to create and verify an
audit trail of who has had a tape and who may have listened to any PHI
it contains. Furthermore, if a tape is lost, anyone who obtains it can
access the information it contains.
What is a Covered Entity and what is a Business Associate?
HIPAA defines a Covered Entity (CE) as a health plan, a healthcare
clearinghouse, or a healthcare provider who transmits any health
information in electronic form in connection with a HIPAA transaction. A
physician’s office or medical clinic would fall under the category of a
Covered Entity. A Business Associate (BA) is a person or organization
that performs a function or activity on behalf of the Covered Entity
(CE) but is not a part of the covered entity’s work force. A medical
transcription service provider would be classified under the definition
of a Business Associate.
Who is liable for privacy violation under HIPAA?
Failure to comply with HIPAA regulations can bring about civil and
criminal penalties. These penalties apply directly to Covered Entities
such as healthcare providers, but do not apply directly to Business
Associates such as medical transcription organizations. Therefore,
health care providers should ask their medical transcription
organization about privacy and security regulations and ensure that they
are contractually obligated to comply with HIPAA regulations.
What is the penalty for HIPAA non-compliance?
The maximum civil penalty for multiple violations by a Covered Entity
during a calendar year is capped at $25,000. However, HIPAA also allows
for criminal penalties for Covered Entities who knowingly obtain or
disclose individually identifiable health information. The maximum
penalty is a fine of $50,000 and imprisonment for one year. If the
offense is committed under false pretenses, the maximum penalty is
$100,000 and imprisonment for five years. If the offense is committed
with the intent to sell, transfer, or use individually identifiable
health information for commercial advantage, personal gain, or malicious
harm, the maximum penalty is a fine of $250,000 and imprisonment for ten
years.
What rights does the patient have under HIPAA?
HIPAA provides patients with many new rights in relation to their
healthcare information, including (but not limited to):
- The right to review their entire medical record
- The right to request changes within documentation, which can be
denied by the physician for specific reasons
- The right to request documentation of every time their PHI was
accessed, along with the identity of who accessed it and their specific
reason for doing so
- The right to know how much of their PHI was shared
- The right to know what the facility's (Covered Entity's) policies and
procedures are for security and privacy
When patients become aware of these rights, health care providers should
be prepared to deal with any legitimate requests patients may have.