· Are breaches limited to only protected health information (PHI) that is in electronic form?
Response: No. Breaches can occur when unsecured PHI, in any form or medium, is accessed by an unauthorized person.
· The doctor dictated the patient’s phone number in the Plan section of the report. Should the MT transcribe it as dictated, flag it, or ignore it?
Response: The first thing you should do is review the facility’s policy for use of personal identifying elements (such as the patient’s phone number) within the body of the report. Facilities vary greatly as to their ‘rule’ or ‘policy’ for how this should be done. If you are unsure how to handle this, flag the report or contact your supervisor, whichever is the policy you follow when you have questions related to a report. Many believe that HIPAA does not allow these personal identifying elements within the body of the report; however, this is not true. The report is protected health information because it has to include patient demographic information in order to be attached to or uploaded into the correct patient chart. We often forget about this because we seldom see the viewable “final” report; we just see the sections that we are involved with, such as the body of the report being transcribed or edited. So the healthcare report is already protected under HIPAA; the inclusion or exclusion of the patient’s identifying elements within the report does not make the report more protected or less protected in the eyes of HIPAA.
Healthcare organizations constantly struggle with this issue when establishing a policy that either allows PHI elements within the body of the report or restricts the personal identifying elements to the demographic section of the report only. There are pros and cons on both sides of this issue. As just one example, a report that has limited the PHI elements to the demographic sections can be easily ‘scrubbed’ of all PHI elements if that report ever needs to be de-identified in the future. Complete and thorough de-identification, however, becomes a very labor-intensive and cumbersome process when PHI elements are allowed within the body of the report. The healthcare organization must weigh all of the pros and cons when establishing its policy for the use of personal identifying elements within healthcare reports.
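The following is an added Python example, not code from the original FAQ or from any facility, illustrating the trade-off described above: when identifiers live only in a structured demographic header, de-identification is a mechanical masking step; when the dictator repeats them in the body, the scrubber has to guess with patterns and still leaves names it cannot know about for manual review. The report layout (a labelled header, a blank line, then the body), the field names, the regular expressions and both sample reports are constructed assumptions for the demonstration.

```python
"""De-identification illustration (constructed example).

Two fictitious reports: one keeps PHI only in the demographic header,
the other repeats PHI inside the body.  scrub_header() handles the first
case reliably; scrub_body() shows the extra pattern work and the residual
manual review the second case needs.  Layout and samples are assumptions."""
import re

# Constructed fictitious report: PHI appears only in the demographic header.
REPORT_HEADER_ONLY = """\
PATIENT NAME: Jane Q. Sample
MRN: 000123456
DOB: 01/02/1960
PHONE: 555-0142

HISTORY: 58-year-old woman presents with cough for three days.
PLAN: Follow up in two weeks.
"""

# Constructed fictitious report: the dictator repeated identifiers in the body
# and mentioned a relative who does not appear in the header at all.
REPORT_PHI_IN_BODY = """\
PATIENT NAME: Jane Q. Sample
MRN: 000123456
DOB: 01/02/1960
PHONE: 555-0142

HISTORY: Ms. Sample (DOB 01/02/1960) presents with cough for three days.
PLAN: Call Jane at 555-0142 to schedule follow-up. Her daughter Maria Lopez
will drive her.
"""

# Generic identifier patterns (assumed formats) for values the body may
# carry in a form that differs from the header.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{4}\b|\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}\b")
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")
MRN_RE = re.compile(r"\b\d{9}\b")
# Two capitalised words in a row: a cheap heuristic for person names that
# no header-seeded rule could know about (relatives, other providers).
NAME_CANDIDATE_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")


def split_report(text):
    """Split at the first blank line into (header dict, body text)."""
    header_text, _, body = text.partition("\n\n")
    header = {}
    for line in header_text.splitlines():
        key, _, value = line.partition(":")
        header[key.strip()] = value.strip()
    return header, body


def scrub_header(text):
    """Mask every demographic value, keep the labels, leave the body untouched.
    This is the easy case: the header is structured, so nothing is guessed."""
    header, body = split_report(text)
    masked = "\n".join(f"{key}: [REDACTED]" for key in header)
    return masked + "\n\n" + body


def scrub_body(text):
    """Scrub PHI that leaked into the body.

    Returns (scrubbed report, findings, candidates): findings are the
    identifiers actually removed, candidates are possible names left for a
    human reviewer because no automatic rule can confirm them."""
    header, body = split_report(text)
    findings = []

    # 1. Exact header values (MRN, DOB, phone) and the patient's name tokens.
    seeds = [v for k, v in header.items() if k != "PATIENT NAME" and v]
    name_tokens = [t for t in re.split(r"[\s.]+", header.get("PATIENT NAME", ""))
                   if len(t) > 1]
    for value in seeds + name_tokens:
        pattern = re.compile(r"\b" + re.escape(value) + r"\b")
        if pattern.search(body):
            findings.append(value)
            body = pattern.sub("[REDACTED]", body)

    # 2. Generic patterns catch identifiers written differently from the header.
    for regex in (PHONE_RE, DATE_RE, MRN_RE):
        findings.extend(regex.findall(body))
        body = regex.sub("[REDACTED]", body)

    # 3. Whatever still looks like a personal name goes to manual review.
    candidates = NAME_CANDIDATE_RE.findall(body)

    masked_header = "\n".join(f"{key}: [REDACTED]" for key in header)
    return masked_header + "\n\n" + body, findings, candidates


if __name__ == "__main__":
    for label, report in (("header only", REPORT_HEADER_ONLY),
                          ("PHI in body", REPORT_PHI_IN_BODY)):
        scrubbed, found, review = scrub_body(report)
        print(f"--- {label}: removed {found}, needs review {review}")
        print(scrubbed)
```

Run as a script it prints both scrubbed reports. Masking the header alone is enough for the first report, while for the second it still leaves the phone number and date in the body; the body scrubber removes those but can only flag “Maria Lopez” as a candidate, which is exactly the manual work the answer above calls labor-intensive.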
· Can an intern or a nurse practitioner share the same dictation ID number with their attending physician?
Response: No. Critical to the transcribed report is the proper identification of the author of the dictation. An assigned number for each individual dictator provides a level of assurance that each report they dictate will be accurately matched to them for authentication and for inclusion within the legal medical record. Technology provides the ability to assign unique identifiers for dictators to facilitate their individual user identification within the dictation process. The HIPAA Security Rule has established requirements for technical safeguards for electronic protected health information (ePHI) in section 164.304 of the Rule. Both Covered Entities and Business Associates must follow the rules established in these technical safeguards. One of the required safeguards is access control. Unique user identification is a requirement established in the HIPAA Security Rule.
· Can Business Associates be audited by HHS?
Response: Yes. Under the HITECH Act the provision for audits was established for both Covered Entities and for Business Associates. HHS (Health and Human Services) contracted with KPMG Associates to create a protocol for performing audits and to create guidance tips from lessons learned from actual audits. Those audits were performed late in 2011 and continued through 2012. Audits resumed in 2013, and since that time Business Associates have been included in the audit program.
· As an MT independent contractor, am I a Business Associate to the MT service that I do work for?
Response: Yes. The HIPAA Final Rule in January 2013 made this change. You are now a Subcontractor Business Associate to the MT service, which is a Business Associate to its clients, who are Covered Entities. This was changed so that all of those who receive the downstream handoff of PHI will share the responsibilities and obligations of securing the PHI entrusted to them.
· What is a common breach that has occurred within medical transcription?
Response: There is no real “data” specific to medical transcription breaches, but from my experience it is from faxing unsecured documents with PHI. The good news is that when this happens it is usually one report at a time; the bad news is that it happens far too often.
· There are secure ways to deliver reports with PHI, so why are faxes still being used?
Response: Again, there is no real “data” as to why faxes are still being allowed to be used, but it has been my experience that clients (i.e., hospitals, clinics, etc.) have continued to request (require) fax delivery of reports to physician offices despite the associated potential risks of breach. Often these physician offices are not able to receive secure electronic delivery of their reports, so faxing is the easiest way to accomplish report distribution (although not a secured method).
· Is all encryption software considered “acceptable” for securing PHI?
Response: No. The definition of “secure” is established by HHS and currently is a 128-bit or 256-bit encryption algorithm that is in compliance with standards established by NIST (www.nist.gov).
· Does HIPAA now require encryption to be used?
Response: The short answer is ‘no’, it is not required; however, if PHI was breached while unsecured per the guidelines established by HHS (secured means appropriately encrypted), then all notification requirements for that breach would need to be immediately implemented. When appropriate encryption of PHI is used, if it was received by a wrong recipient it could not be accessed, read, or used (because it was encrypted); therefore, it would not be considered a breach. Although HIPAA does not require encryption, it is your best defense against a breach.
· Do reports that have been de-identified of PHI elements need to be encrypted?
Response: No. Reports that have been appropriately de-identified are no longer considered PHI, so they do not require the same protections as documents that include PHI. De-identified reports and voice files have many uses in our industry, such as sample reports, training, and testing.
· Are there specific rules for destroying documents with PHI?
Response: Yes. Destruction of PHI needs to follow the guidelines established by NIST in its publication (800-88) on media sanitization.
· What type of shredder should I buy to destroy PHI?
Response: The answer depends on the media that needs to be destroyed. The NIST publication 800-88 recommends using a cross-cut shredder for paper and for microfilm, to a size such that it is reasonable to assure that the data cannot be reconstructed. Optical disks (CDs, DVDs, etc.) need to be pulverized to the point that the residue is no larger than a 25 mm squared surface area. High-end shredders or commercial shredders can accomplish this.
· As a medical transcription service, a Business Associate, is our client (the Covered Entity) responsible for the HIPAA training of our workforce?
Response: No. There could be some circumstances, however, where the client will want to train certain members of your workforce, such as on software applications, but they are not responsible for training your workforce on their obligations and responsibilities related to HIPAA.
· I am an employee of an MT service; if there is a problem with privacy, can I be personally liable?
Response: HHS has made it clear that individuals can be criminally liable in some limited circumstances. Generally these are individuals who have intentionally breached patients’ information for personal gain, or incidents of willful neglect. HIPAA has become recognized as the standard of care for protected health information, and when it has not been followed some patients have filed civil suits for privacy breaches of their information. With that said, as long as you are acting within the scope of your duties and comply with all established P&Ps (policies and procedures), your personal risk would be greatly minimized.
· As a medical transcription service, a Business Associate, do I follow the FTC security regulations or the HHS security regulations?
Response: Medical transcription services would follow the HHS security regulations. The FTC (Federal Trade Commission) rules and its security regulations would apply to PHR (personal health record) vendors.
· Do breach notification obligations apply if only one patient’s information is breached?
Response: Yes. The number of patients involved is only relevant to the type of notifications required.
· As an MT service, a Business Associate, if we faxed a report in error to a local pizza shop, do we notify the Covered Entity (our client)?
Response: You must provide certain information to the client (the Covered Entity) from where the report/dictation originated. You will also need to investigate the breach and its cause, immediately mitigate significant risk when possible, and fully document your findings as well as the steps implemented to prevent future occurrences.
· I bought a new computer; what should I do with the PHI on my old computer?
Response: The easiest way to accomplish this is to remove the hard drive from the old computer and have it pulverized. Commercial shredding companies offer this service.
· As an MT service, a Business Associate, if we fax a report in error to the wrong doctor’s office, is that a breach?
Response: It depends. It is possible that these two organizations (your client and the office that received the fax) may have what HIPAA calls an Organized Health Care Arrangement (OHCA). If this is the case, then there is no breach, because they are allowed to share PHI between their facilities. Misdirected faxes that go to another covered entity are interpreted differently by HIPAA experts. Some consider it a simple/minor disclosure (not a breach), while others take a stricter view and label it as a full breach. Either way, all experts do agree that it has to be investigated, mitigated, and documented. The final decision between a simple disclosure and a full breach is the client’s (the Covered Entity’s) to make, since they will know the relationship of all parties involved. Business Associates need to fulfill their obligation by investigating it, mitigating significant risk, implementing new safeguards for prevention, documenting it, and reporting it to their client (the Covered Entity).
· Is HIPAA training required for all of our workforce members as well as our subcontractor business associates?
Response: Yes. All members of your workforce and your subcontractor business associates who have access to PHI need to receive HIPAA training.
· Is there any requirement for periodic retraining on HIPAA privacy and security?
Response: HIPAA requires updating the training when making changes to privacy and security policies and/or processes. Most organizations offer periodic reminders and refreshers at least on an annual basis for their workforce members and subcontractor business associates to reinforce a culture of compliance.