Thursday, April 24, 2014


Two major components of HIPAA compliance for your business are training of your workforce and written HIPAA Policies and Procedures (P&Ps).  Hurley offers products that are easy to use and can help you achieve and maintain these HIPAA compliance requirements for your organization.  Unlike many other HIPAA products on the market, all of these products are specific to medical transcription services and independent contractors.

WORKFORCE TRAINING:  There are 3 different training toolkits available for purchase.  Each toolkit consists of a PowerPoint file with audio clips inserted throughout the presentation, a test on the material presented, the answer key for the test, a certificate for proof of training, a PDF file of the PowerPoint slides for quick reference, instructions for how to use these items, and a folder with Microsoft PowerPoint Viewer software for those who do not have PowerPoint software.

HIPAA training products to consider: Each training product has been preapproved by AHDI for 1 ML credit.

1.  HIPAA has Changed - are you Compliant?  If you have not provided any HIPAA training for the last 5 years, this is a product you should consider as it discusses the changes from the “original” HIPAA to the “new” HIPAA that has evolved from the enactment of the HITECH Act and Final Rule.  This toolkit is $500.

2.  HIPAA on the Job!  This training tool is a good reminder for the MT workforce as it offers many of the common situations that occur on the job and applies HIPAA principles for resolution.  Some examples of topics discussed include destruction of hard drives with PHI, home office security tips, hidden risks with sample reports, faxing of PHI, and more!  This toolkit is $500.

3.  HIPAA in Action!  This training toolkit is an excellent refresher with examples from published HIPAA breaches, solutions for avoiding violations, dangers of social media, snooping, and several important “what if” scenarios with ways to be HIPAA smart. This material is new and consistent with the changing HIPAA landscape. This toolkit is $500.

Note: The above 3 products are priced so that you can use them for all your workforce members; there is no per-person license fee or use fee.  Once you buy a product for $500, you have unlimited use of it within your organization. You are only restricted from copying it and/or sharing it with others outside of your organization.

4.  Online HIPAA training is available at $35 per person. All 3 training products are online. The participant selects which presentation to purchase, then views the presentation and listens to the audio clips online.  Once done with the presentation, the participant is automatically directed to the test. When the participant passes the test, a certificate is issued. This is an affordable training solution for small MT services or for individuals.

Written HIPAA P&Ps for MT companies:  This product includes a packet of 50 HIPAA P&Ps, their accompanying forms/templates and a complete table of contents, all customized for your organization.  Some of the key policies include a business associate agreement (for clients and for subcontractors), nondisclosure agreement, faxing of PHI, social media participation, de-identification of PHI, physician updates for system access, and lots more! This packet is only $500.

Written HIPAA P&Ps for ICs:  This product includes a packet of 21 HIPAA P&Ps, their accompanying forms/templates and a complete table of contents, all customized for the independent contractor (subcontractor) who is also a HIPAA business associate.  Special rate for this packet only is $200.

Contact Brenda at for purchasing these products or any questions related to them.

Thursday, October 3, 2013

Windows XP Computers


Microsoft has announced that they will no longer support Windows XP (and Office 2003) as of April 8, 2014.  This sunset of XP along with the increased security regulations under the HIPAA Final Rule will create a logistical and budgetary challenge for many MT businesses, healthcare organizations, and MT subcontractors.

Windows XP is often the preferred platform for enterprise-wide applications and individual users in the medical transcription industry.   Even with a VPN connection, there are at a minimum temporary files stored on the local PC that an attacker can get at.   The VPN login/logout process can be configured so that all temporary files are deleted upon exiting the VPN, which could help with this security concern.

Upgrading a PC from XP to Windows 7 is not for the faint of heart.   The hard drive must be completely wiped before the upgrade.  All data files must be saved to another location (jump drive, external hard drive, network drive, etc.).  Then after the upgrade all software will need to be reinstalled from original media so those CDs or access information will need to be gathered up prior to upgrading.   While IT experts are equipped to handle this, many others would find this to be quite challenging. 
Norton has taken a “wait and see” approach before committing to support after the demise of XP.   They have stated that they will continue to support their program.  However, they have qualified that “Symantec Support may not be able to provide full threat resolution on XP systems due to a lack of Microsoft security patches.”  See these links for those formal announcements.

It is unknown how much at risk PCs will be without support from Microsoft, or how soon that risk will increase after the official sunset date of April 8, 2014.   Historically, however, attackers have taken advantage of unsupported systems, so there is clearly the potential for high risk.   With the guarantee of no support from Microsoft and the limited ability of vendors such as Norton to commit to security on Windows XP computers after April 2014, the risk to PHI outweighs the benefit of continuing to use out-of-date and technically unsupported hardware.

We recommend that healthcare organizations, MT services, and MTs take a proactive approach to this issue.  If you are using a Windows XP computer, evaluate your PC to determine whether it can be upgraded to Windows 7; if it can, have it upgraded. If it cannot, purchase a Windows 7 (NOT a Windows 8) computer.

You will want to be fully operational on a Windows 7 computer before April 2014, but why wait until the last minute? Do it sooner rather than later to improve your selection of Windows 7 computers available for purchase.
If you have any questions related to this notification, contact Brenda at   

Monday, August 19, 2013

HIPAA Training Courses are now online!

HIPAA training is a requirement for those who have access to protected health information (PHI).  While often this is provided by an employer, independent contractors (ICs) who work as self-employed medical transcriptionists may not have access to affordable training options.  In fact, ICs who work for MT businesses are now defined as HIPAA business associates, and HIPAA training is a requirement for them.

Do you know your obligations related to HIPAA and the protection of PHI?  If not, you may want to consider the HIPAA training tutorials now offered by Hurley Makes It Happen!

There are three 1-hour courses online, which are only $35 each.  Once you have finished viewing the tutorial, you will be required to take a quiz.  When you complete the quiz and achieve a passing score, you will be issued a certificate of completion of HIPAA training for your records.

Do you have an AHDI credential (i.e. CMT, CHDS) and need a medicolegal credit?  Each course has been preapproved by AHDI for 1 medicolegal credit.

Here are the HIPAA training products to consider: Each training product has been preapproved by AHDI for 1 ML credit.

1.  HIPAA has Changed - are you Compliant?  If you have not provided any HIPAA training for the last 5 years, this is a product you should consider as it discusses the changes from the “original” HIPAA to the “new” HIPAA that has evolved from the enactment of the HITECH Act and Final Rule.  

2.  HIPAA on the Job!  This training tool is a good reminder for the MT workforce as it offers many of the common situations that occur on the job and applies HIPAA principles for resolution.  Some examples of topics discussed include destruction of hard drives with PHI, home office security tips, hidden risks with sample reports, faxing of PHI, and more!

3.  HIPAA in Action!  This training toolkit is an excellent refresher with examples from published HIPAA breaches, solutions for avoiding violations, dangers of social media, snooping, and several important “what if” scenarios with ways to be HIPAA smart. This material is new and consistent with the changing HIPAA landscape.

The courses are located online 24/7 on the training platform for OAK Horizons.  Check it out now at

If you have any questions about these new HIPAA training courses, contact Brenda J. Hurley, CMT, AHDI-F, at   If you have any questions about the OAK Horizons platform, contact Kathy Martin, AHDI-F, at

HIPAA compliance has just gotten a little easier!

Friday, August 9, 2013


Press Release

For Immediate Circulation
August 9, 2013


Campion joins HIPAA compliance consulting team!

The consulting company of Hurley Makes it Happen! has recently announced that Melissa J. Campion, RHIA, CHPS, CHDA, CMT, HIT Pro-IM, Pro-TR, has joined their team as their chief technical consultant. 

Campion has extensive experience with technology systems that support medical transcription and electronic health record services.  Her most recent position was at Health First in Rockledge, FL, where she served as an eHIM Senior Systems Analyst.

In her new position, Campion will be using her technical skills to create data flow mapping documents and applying her expertise in security systems to complete HIPAA security risk assessments. Her contribution to the consulting team will be an immediate asset to the customers and clients they serve.

Hurley Makes It Happen! was established as a compliance consulting firm in 2011 by Brenda J. Hurley, CMT, AHDI-F.  The company has grown over the years with products and services customized for HIPAA Business Associates – medical transcription services and medical transcription independent contractors.

Friday, June 28, 2013

Frequently Asked Questions about HIPAA
Brenda J. Hurley, CMT, AHDI-F

·       Are breaches limited to only protected health information (PHI) that is in electronic form?
Response:  No, breaches can occur when unsecured PHI, in any form or medium, is accessed by an unauthorized person.  

·       The doctor dictated the patient’s phone number in the Plan section of the report.  Should the MT transcribe it as dictated, flag it or ignore it?

Response:  The first thing you should do is review the facility’s policy for the use of personal identifying elements (such as the patient’s phone number) within the body of the report.  Facilities vary greatly in their ‘rule’ or ‘policy’ for how this should be handled. If you are unsure how to handle it, flag the report or contact your supervisor, following whatever policy applies when you have questions about a report. Many believe that HIPAA does not allow these personal identifying elements within the body of the report; however, this is not true. The report is protected health information (PHI) because it has to include patient demographic information in order to be attached to or uploaded into the correct patient chart. We often forget this because we seldom see the viewable “final” report; we see only the sections we are involved with, such as the body of the report being transcribed or edited. So the healthcare report is already protected under HIPAA; the inclusion or exclusion of the patient’s identifying elements within the report does not make the report more or less protected in the eyes of HIPAA.

Healthcare organizations constantly struggle with this issue when establishing a policy on whether to allow PHI elements within the body of the report or to restrict personal identifying elements to the demographic section only. There are pros and cons on both sides of this issue.  As just one example, a report that limits PHI elements to the demographic sections can easily be ‘scrubbed’ of all PHI elements if it ever needs to be de-identified in the future. Complete and thorough de-identification, however, becomes a very labor-intensive and cumbersome process when PHI elements are allowed within the body of the report.  The healthcare organization must weigh all of the pros and cons when establishing its policy for the use of personal identifying elements within healthcare reports.

·       Can an intern or a nurse practitioner share the same dictation ID number with their attending physician?

Response: No. Critical to the transcribed report is the proper identification of the author of the dictation.  An assigned number for each individual dictator provides a level of assurance that each report they dictate will be accurately matched to them for authentication and for inclusion in the legal medical record.  Technology provides the ability to assign unique identifiers to dictators so that each user is individually identified within the dictation process.  The HIPAA Security Rule has established requirements for technical safeguards for electronic protected health information (EPHI) in section 164.304 of the Rule.  Both Covered Entities and Business Associates must follow the rules established in these technical safeguards. One of the required safeguards is access control, and unique user identification is a requirement established in the HIPAA Security Rule.

·       Can Business Associates be audited by HHS?

Response:  Yes.  Under the HITECH Act the provision for audits was established for both Covered Entities and for Business Associates.  HHS contracted with KPMG Associates to create a protocol for performing audits and to create guidance tips from lessons learned from actual audits. Those audits were performed late in 2011 and continued through 2012. It has been announced that the audits will continue in 2013, and that they will include Business Associates.

·       As an MT independent contractor, am I a Business Associate to the MT service that I do work for?

Response: Yes.  The HIPAA Final Rule in January 2013 made this change. You are now a Subcontractor Business Associate to the MT service who is a Business Associate to their clients who are Covered Entities. This was changed so that all of those who receive the downstream handoff of PHI will share the responsibilities and obligations of securing the PHI entrusted to them.

·       What is a common breach that has occurred within medical transcription?

Response: There is no real “data” specific to medical transcription breaches, but from my experience it is faxing unsecured documents with PHI. The good news is that when this happens it is usually 1 report at a time; the bad news is that it happens far too often.

·       There are secure ways to deliver reports with PHI, so why are faxes still being used?

Response:  Again, there is no real “data” as to why faxes are still being allowed to be used, but it has been my experience that clients (i.e., hospitals, clinics, etc.) have continued to request (require) fax delivery of reports to physician offices despite the associated risk of breach. Often these physician offices are not able to receive secure electronic delivery of their reports, so faxing is the easiest way to accomplish report distribution (although not a secured method).

·       Is all encryption software considered “acceptable” for securing PHI?

Response:  No.  The definition of “secure” is established by HHS and currently means a 128-bit or 256-bit encryption algorithm that complies with standards established by NIST.

·       Does HIPAA now require encryption to be used?

Response: The short answer is ‘no’, it is not required; however, if PHI was breached while unsecured per the guidelines established by HHS (secured means appropriately encrypted), then all notification requirements for that breach would need to be implemented immediately.  When PHI is appropriately encrypted, if it is sent to a wrong recipient it cannot be accessed, read, or used (because it is encrypted); therefore, it would not be considered a breach. Although HIPAA does not require encryption, it is your best defense against a breach.

·       Do reports that have been de-identified of PHI elements need to be encrypted?

Response:  No. Reports that have been appropriately de-identified are no longer considered PHI, so they do not require the same protections as documents that include PHI.  De-identified reports and voice files have many uses in our industry, such as sample reports, training, and testing.

·       Are there specific rules for destroying documents with PHI?

Response: Yes. Destruction of PHI needs to follow the guidelines established by NIST in its publication (800-88) on media sanitization.

·       What type of shredder should I buy to destroy PHI?

Response:  The answer depends on the media that needs to be destroyed.  NIST publication 800-88 recommends using a cross-cut shredder for paper and for microfilm, to a size such that it is reasonable to assure that the data cannot be reconstructed. Optical disks (CDs, DVDs, etc.) need to be pulverized to the point that the residue is no larger than a 25 mm squared surface area.  High-end or commercial shredders can accomplish this.

·       As a medical transcription service, a Business Associate, is our client (the Covered Entity) responsible for the HIPAA training of our workforce?

Response:  No.  There could be some circumstances, however, where the client will want to train certain members of your workforce, such as on software applications, but they are not responsible for training your workforce on their obligations and responsibilities related to HIPAA. 

·       I am an employee of an MT service; if there is a problem with privacy, can I be personally liable?

Response: HHS (Health and Human Services) has made it clear that individuals can be criminally liable in some limited circumstances. Generally these are individuals who have intentionally breached patients’ information for personal gain, or incidents of willful neglect.  HIPAA has become recognized as the standard of care for protected health information, and when it has not been followed some patients have filed civil suits for privacy breaches of their information.  With that said, as long as you are acting within the scope of your duties and comply with all established P&Ps, your personal risk would be greatly minimized.

·       As a medical transcription service, a Business Associate, do I follow the FTC security regulations or the HHS security regulations?

Response:   Medical transcription services would follow the HHS security regulations.  The FTC (Federal Trade Commission) rules and its security regulations would apply to PHR (personal health record) vendors.

·       Do breach notification obligations apply if only one patient’s information is breached?

Response:  Yes. The number of patients involved is only relevant to the type of notifications required.

·       As an MT service, a Business Associate, if we faxed a report in error to a local pizza shop, do we notify the Covered Entity (our client)?

Response:  Yes, you must provide certain information to the client (the Covered Entity) from where the report/dictation originated.  You will also need to investigate the breach and its cause, immediately mitigate significant risk when possible, and fully document your findings as well as the steps implemented to prevent future occurrences.

·       I bought a new computer; what should I do with the PHI on my old computer?

Response:  The easiest way to accomplish this is to remove the hard drive from the old computer and have it pulverized.  Commercial shredding companies offer this service.

·       As an MT service, a Business Associate, if we fax a report in error to the wrong doctor’s office is that a breach?

Response:  It depends.  It is possible that these two organizations (your client and the office that received the fax) may have what HIPAA calls an Organized Health Care Arrangement (OHCA). If this is the case, then there is no breach because they are allowed to share PHI between their facilities.  Misdirected faxes that go to another covered entity are interpreted differently by HIPAA experts. Some consider it a simple/minor disclosure (not a breach), while others take a stricter view and label it as a full breach. All experts agree that either way it has to be investigated, mitigated, and documented.  The final decision of a simple disclosure or a full breach is the client’s (the Covered Entity’s) decision to make, since they will know the relationship of all parties involved. Business Associates need to fulfill their obligation by investigating it, mitigating significant risk, implementing new safeguards for prevention, documenting it, and reporting it to their client (the Covered Entity).

·       Are workforce members required to have training related to the changes made to HIPAA?

Response:  Yes, any member of your workforce who has access to PHI needs to receive training. Remember, this requirement is not limited to employees only.

·       Is there any requirement for periodic retraining on privacy and security? 

Response:  HIPAA requires updating the training for applicable workforce members when making changes to privacy and security policies and/or processes. Most organizations offer periodic reminders and refreshers at least on an annual basis for their workforce to reinforce compliance.

Thursday, March 28, 2013

Saturday, February 16, 2013

The HIPAA Final Rule is Here!

In the medical transcription (MT) industry, the most anticipated proposed change was that related to subcontractors.  The newly expanded definition in the Final Rule for BAs also directly addressed subcontractors.  It states “A Business Associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”  This change will greatly impact a large number of the MT workforce since there are many MT subcontractors (independent contractors) who work for MT services. Their new obligations as HIPAA BAs will be numerous and for a single practitioner these new obligations could be overwhelming. 

Here are some of those key HIPAA BA requirements that all subcontractors who handle PHI will now need to follow:

·       A written BA agreement.  This agreement would be between the subcontractor and the BA they perform services for, such as an MT service. Just as the MT service has been required since the implementation of HIPAA to have a written BAA with the Covered Entity (CE) they provide services for, now the subcontractor must also have a written BAA with the BA they provide services for. The BA must, of course, comply with all of the requirements outlined in the BAA.  HHS posted an updated sample of a BAA consistent with the Final Rule on their website at:

·       Comply with the HIPAA Security Rule.  This includes the administrative, physical and technical safeguards for PHI, as well as a designated HIPAA Security Officer.

·       Maintain written HIPAA policies and procedures.

·       HIPAA training and proof of it.

·       Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of its use.

·       If a subcontractor uses the services of a subcontractor, and they handle PHI, subcontractor A will need to have a written BAA with subcontractor B.

·       Comply with all notification requirements related to the Data Breach Rule.

·       Comply with the contractual Privacy Rule requirements (e.g., termination, HIPAA training, etc.).

The scope of liability has also expanded for the BA to include the actions of their subcontractor BAs.  Penalties for willful neglect have increased to as high as $50,000 per violation with a maximum of $1.5 million in a calendar year.

BAs should immediately review their use of subcontractors/independent contractors, contact them regarding their new obligations as a HIPAA BA, and execute an updated BAA with each subcontractor.  Because of your expanded liability for their actions under HIPAA, you may want to require them to provide you with a copy of their written P&Ps and proof of their HIPAA training for your records.  BAs will also need to review and update their own P&Ps related to the use of subcontractors/independent contractors to reflect these new changes.

You cannot fix this new challenge by ignoring it or by deciding not to establish a BA agreement between the BA and their BA subcontractor.  The Final Rule clearly states that even if there is no written BAA, the subcontractor to the BA is subject to the same legal obligations as a BA, regardless of whether they have entered into a written BAA.

The effective date for the Final Rule is March 26, 2013, with the compliance (enforcement) date of September 23, 2013.  The only exception to this is for business associate agreements (BAAs) which are currently in place, and that deadline is September 23, 2014.  When existing BAAs are renewed or revised before September 22, 2014, they must then conform to the Final Rule.  New BAAs will be required to follow the Final Rule, so that all BAAs by September 23, 2014, are in full compliance with the Final Rule.

If you are a BA and think that no one will notice if you skimp on your path to HIPAA compliance, the Office of Civil Rights (OCR) announced in late 2012 that the random HIPAA audits will continue in 2013 and will be expanded to include BAs.  There is no place to hide: if you handle PHI, you have major steps to follow to achieve and maintain HIPAA compliance as mandated in the Final Rule.

There is no time to wait; HIPAA compliance is not optional.