Frequently Asked Questions about HIPAA
Brenda J. Hurley, CMT, AHDI-F
· Are breaches limited to only protected health information (PHI) that is in electronic form?
Response: No, breaches can occur when unsecured PHI, in any form or medium, is accessed by an unauthorized person.
· The doctor dictated the patient’s phone number in the Plan section of the report. Should the MT transcribe it as dictated, flag it or ignore it?
Response: The first thing you should do is review the facility’s policy for use of personal identifying elements (such as the patient’s phone number) within the body of the report. Facilities vary greatly as to their ‘rule’ or ‘policy’ for how this should be done. If you are unsure how to handle it, flag the report or contact your supervisor, whichever is the policy you follow when you have questions related to a report. Many believe that HIPAA does not allow these personal identifying elements within the body of the report; however, this is not true. The report is protected health information because it has to include patient demographic information in order to be attached to or uploaded into the correct patient chart. We often forget this because we seldom see the viewable “final” report; we see only the sections we are involved with, such as the body of the report being transcribed or edited. So the healthcare report is already protected under HIPAA; the inclusion or exclusion of the patient’s identifying elements within the body of the report does not make the report more or less protected in the eyes of HIPAA.
Healthcare organizations constantly struggle with this issue when establishing a policy on whether to allow PHI elements within the body of the report or to restrict the personal identifying elements to the demographic section of the report only. There are pros and cons on both sides of this issue. As just one example, a report that has limited PHI elements to the demographic sections can be easily ‘scrubbed’ of all PHI elements if it ever needs to be de-identified in the future. Complete and thorough de-identification, however, becomes a very labor-intensive and cumbersome process when PHI elements are allowed within the body of the report. The healthcare organization must weigh all of the pros and cons when establishing its policy for the use of personal identifying elements within healthcare reports.
· Can an intern or a nurse practitioner share the same dictation ID number with their attending physician?
Response: No. Critical to the transcribed report is the proper identification of the author of the dictation. An assigned number for each individual dictator provides a level of assurance that each report they dictate will be accurately matched to them for authentication and for inclusion within the legal medical record. Technology provides the ability to assign unique identifiers for dictators to facilitate their individual user identification within the dictation process. The HIPAA Security Rule has established requirements for technical safeguards for electronic protected health information (ePHI) in section 164.304 of the Rule. Both Covered Entities and Business Associates must follow the rules established in these technical safeguards. One of the required safeguards is access control. Unique user identification is a requirement established in the HIPAA Security Rule.
· Can Business Associates be audited by HHS?
Response: Yes. Under the HITECH Act the provision for audits was established for both Covered Entities and for Business Associates. HHS (Health and Human Services) contracted with KPMG Associates to create a protocol for performing audits and to create guidance tips from lessons learned from actual audits. Those audits were performed late in 2011 and continued through 2012. Audits resumed in 2013 and since that time Business Associates have been included in the audit program.
· As an MT independent contractor, am I a Business Associate to the MT service that I do work for?
Response: Yes. The HIPAA Final Rule in January 2013 made this change. You are now a Subcontractor Business Associate to the MT service who is a Business Associate to their clients who are Covered Entities. This was changed so that all of those who receive the downstream handoff of PHI will share the responsibilities and obligations of securing the PHI entrusted to them.
· What is a common breach that has occurred within medical transcription?
Response: There is no real “data” specific to medical transcription breaches, but from my experience it is from faxing unsecured documents with PHI. The good news is that when this happens it is usually 1 report at a time; the bad news is that it happens far too often.
· There are secure ways to deliver reports with PHI, so why are faxes still being used?
Response: Again, there is no real “data” as to why faxes are still allowed to be used, but it has been my experience that clients (i.e., hospitals, clinics, etc.) have continued to request (require) fax delivery of reports to physician offices despite the associated risk of breach. Often these physician offices are not able to receive secure electronic delivery of their reports, so faxing is the easiest way to accomplish report distribution (although not a secure method).
· Is all encryption software considered “acceptable” for securing PHI?
Response: No. The definition of “secure” is established by HHS and currently is a 128-bit or 256-bit encryption algorithm that complies with standards established by NIST (www.nist.gov).
· Does HIPAA now require encryption to be used?
Response: The short answer is ‘no,’ it is not required; however, if PHI that was unsecured per the guidelines established by HHS (secured meaning appropriately encrypted) is breached, then all notification requirements for that breach would need to be implemented immediately. When appropriate encryption of PHI is used and the PHI is received by a wrong recipient, it could not be accessed, read, or used (because it was encrypted); therefore, it would not be considered a breach. Although HIPAA does not require encryption, it is your best defense against a breach.
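The two answers above say that “secure” means a NIST-compliant 128-bit or 256-bit algorithm, and that appropriately encrypted PHI in the wrong hands is unreadable and therefore not a breach. The following program, added here as an illustration and not part of the original FAQ or any vendor’s product, shows what that looks like in practice with AES-256-GCM (AES as specified in FIPS 197, GCM mode as specified in NIST SP 800-38D) from the Go standard library. The report text, the key-generation helper, and the function names are all constructed for this example; the sealed output contains no readable fragment of the report, a recipient without the key cannot open it, and any altered byte is detected rather than decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample report; not real patient data.
const sampleReport = "PATIENT: Jane Sample  MRN: 000123\nPLAN: Call patient at 555-0100 with results."

// newKey returns a random 32-byte key, i.e. AES-256. In practice the key
// comes from the organization's key-management process and is delivered
// separately; it must never travel alongside the encrypted report.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealReport encrypts and authenticates the report with AES-256-GCM.
// A fresh random nonce is generated per message and prepended to the output
// so the recipient can decrypt; the GCM tag at the end detects tampering.
func sealReport(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || authentication tag
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openReport reverses sealReport. It returns an error, never partial
// plaintext, if the key is wrong or any byte of the message was altered.
func openReport(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// leaksPlaintext reports whether the sealed message still exposes the report
// text, which is what a misdirected recipient would be able to read.
func leaksPlaintext(sealed, plaintext []byte) bool {
	return bytes.Contains(sealed, plaintext)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := sealReport(key, []byte(sampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; report text visible to a wrong recipient: %v\n",
		len(sealed), leaksPlaintext(sealed, []byte(sampleReport)))

	wrongKey, _ := newKey()
	if _, err := openReport(wrongKey, sealed); err != nil {
		fmt.Println("wrong recipient (no key):", err)
	}
	opened, err := openReport(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("intended recipient reads:", string(opened))
}
```

The point for a transcription service is the last sentence of the FAQ answer: encryption only turns a misdirected delivery into a non-breach if the key is managed separately from the data, so a report e-mailed together with its password is not “secured” in the sense the answer describes.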
· Do reports that have been de-identified of PHI elements need to be encrypted?
Response: No. Reports that have been appropriately de-identified are no longer considered PHI, so they do not require the same protections as documents that include PHI. De-identified reports and voice files have many uses in our industry, such as sample reports, training, and testing.
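The earlier answer about the dictated phone number and the answer just above both turn on the same practical point: when identifying elements are confined to the demographic section, de-identification is one easy step, but anything dictated into the body has to be found and removed separately before the report can be treated as no longer PHI. The following program, added here as an illustration and not part of the original FAQ, makes that concrete. The report text, the section layout (demographics above the first blank line), the function names, and the two-pattern identifier check are all constructed for this example; the pattern covers only phone numbers and full dates and is not a complete de-identification rule set.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample report (not real patient data). The demographic section
// is the block above the first blank line; everything after it is the body.
const dictatedReport = `PATIENT NAME: Jane Sample
MRN: 000123
DOB: 01/02/1960

HISTORY: Patient presents for follow-up of hypertension.
PLAN: Recheck on 03/15/2024. Call patient at 555-0100 with lab results.`

// identifierRE is an illustrative, deliberately narrow pattern covering two
// of the element types discussed in the FAQ: phone numbers and full dates.
// It is an assumption of this example, not a complete de-identification rule.
var identifierRE = regexp.MustCompile(
	`\b(?:\(?\d{3}\)?[-. ]?)?\d{3}-\d{4}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b`)

// splitReport separates the demographic header from the body at the first
// blank line. A report with no header is treated as all body.
func splitReport(report string) (header, body string) {
	parts := strings.SplitN(report, "\n\n", 2)
	if len(parts) < 2 {
		return "", report
	}
	return parts[0], parts[1]
}

// removeDemographics is the easy case the FAQ describes: when identifying
// elements live only in the header, dropping that section removes them all.
func removeDemographics(report string) string {
	_, body := splitReport(report)
	return "[DEMOGRAPHICS REMOVED]\n\n" + body
}

// residualIdentifiers scans text for identifying elements that survived the
// header removal; a non-empty result means the report is not yet de-identified
// and still has to be handled as PHI.
func residualIdentifiers(text string) []string {
	return identifierRE.FindAllString(text, -1)
}

func main() {
	scrubbed := removeDemographics(dictatedReport)
	fmt.Println(scrubbed)
	if left := residualIdentifiers(scrubbed); len(left) > 0 {
		fmt.Println("still contains identifying elements:", left)
	}
}
```

On the sample report the header removal takes out the name, MRN, and date of birth in one step, but the scan then reports the follow-up date and the phone number the doctor dictated into the Plan section, which is exactly the labor the FAQ warns about when PHI is allowed in the body.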
· Are there specific rules for destroying documents with PHI?
Response: Yes. Destruction of PHI needs to follow the guidelines established by NIST in its publication (800-88) on media sanitization.
· What type of shredder should I buy to destroy PHI?
Response: The answer depends on the media that needs to be destroyed. NIST publication 800-88 recommends using a cross-cut shredder for paper and for microfilm, shredding to a size such that it is reasonable to assure that the data cannot be reconstructed. Optical disks (CDs, DVDs, etc.) need to be pulverized to the point that the residue is no larger than 25 mm² in surface area. High-end shredders or commercial shredders can accomplish this.
· As a medical transcription service, a Business Associate, is our client (the Covered Entity) responsible for the HIPAA training of our workforce?
Response: No. There could be some circumstances, however, where the client will want to train certain members of your workforce, such as on software applications, but they are not responsible for training your workforce on their obligations and responsibilities related to HIPAA.
· I am an employee of an MT service; if there is a problem with privacy, can I be personally liable?
Response: HHS has made it clear that individuals can be criminally liable in some limited circumstances. Generally these are individuals who have intentionally breached patients’ information for personal gain, or incidents of willful neglect. HIPAA has become recognized as the standard of care for protected health information, and when it has not been followed some patients have filed civil suits for privacy breaches of their information. With that said, as long as you are acting within the scope of your duties and comply with all established policies and procedures (P&Ps), your personal risk would be greatly minimized.
· As a medical transcription service, a Business Associate, do I follow the FTC security regulations or the HHS security regulations?
Response: Medical transcription services would follow the HHS security regulations. The FTC (Federal Trade Commission) rules and its security regulations would apply to PHR (personal health record) vendors.
· Do breach notification obligations apply if only one patient’s information is breached?
Response: Yes. The number of patients involved is only relevant to the type of notifications required.
· As an MT service, a Business Associate, if we faxed a report in error to a local pizza shop, do we notify the Covered Entity (our client)?
Response: You must provide certain information to the client (the Covered Entity) from where the report/dictation originated. You will also need to investigate the breach and its cause, immediately mitigate significant risk when possible, and fully document your findings as well as the steps implemented to prevent future occurrences.
· I bought a new computer; what should I do with the PHI on my old computer?
Response: The easiest way to accomplish this is to remove the hard drive from the old computer and have it pulverized. Commercial shredding companies offer this service.
· As an MT service, a Business Associate, if we fax a report in error to the wrong doctor’s office is that a breach?
Response: It depends. It is possible that these two organizations (your client and the office that received the fax) may have what HIPAA calls an Organized Health Care Arrangement (OHCA). If this is the case, then there is no breach because they are allowed to share PHI between their facilities. Misdirected faxes that go to another covered entity are interpreted differently by HIPAA experts. Some consider it a simple/minor disclosure (not a breach), while others take a stricter view and label it as a full breach. Either way, all experts do agree that it has to be investigated, mitigated, and documented. The final decision of a simple disclosure or a full breach is the client’s (the Covered Entity’s) decision to make, since they will know the relationship of all parties involved. Business Associates need to fulfill their obligation by investigating it, mitigating significant risk, implementing new safeguards for prevention, documenting it, and reporting it to their client (the Covered Entity).
· Is HIPAA training required for all of our workforce members as well as our subcontractor business associates?
Response: Yes, all members of your workforce and your subcontractor business associates who have access to PHI need to receive HIPAA training.
· Is there any requirement for periodic retraining on HIPAA privacy and security?
Response: HIPAA requires updating the training when making changes to privacy and security policies and/or processes. Most organizations offer periodic reminders and refreshers at least on an annual basis for their workforce members and subcontractor business associates to reinforce a culture of compliance.