HIPAA Compliance
Statement:
Teletouch Services takes painstaking measures to protect all patient information. Our internal procedures for privacy and security meet and exceed all HIPAA regulations related to Electronic Transmission of Patient Information.
Physical Security:
- Access to our facilities is controlled by key entry only. Only authorized staff who are fully aware of and trained in the HIPAA Privacy requirements will be issued access.
Information Security:
- We use an ICSA-certified firewall that filters incoming ports, allowing only the FTP ports and the management ports used for administrative access into our system.
- Our network performs Network Address Translation (NAT); internal addresses are not routable from outside, and all traffic must traverse the firewall.
- When our FTP server is accessed with an FTP client that also supports SSL, all files are encrypted while being sent across the Internet, so anyone intercepting the data while it is transferred between our server and your computer cannot read it. This protection applies only when the client actually negotiates SSL; a client that connects with plain FTP sends both the login credentials and the files in cleartext.
- To access any data on our FTP server, a valid username and password are required.
- We are not responsible for the security of files (documents or sound files) that are transferred to or from our server.
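The SSL bullet above only holds for sessions in which the client negotiated encryption. As an added example, not code from Teletouch Services, the following Python script audits an FTP control-channel transcript for the two gaps that leaves open: logins (USER/PASS) sent before the server accepted AUTH TLS, and file transfers (RETR/STOR and listings) run without PROT P, which leaves the data channel in cleartext even when the login itself was protected. The "[sess N] >>> / <<<" transcript format, the session numbers, the usernames and the filenames are all constructed for the example; adapt LINE_RE to the session log your own FTP server writes.

```python
"""Audit FTP control-channel transcripts for logins and transfers that were
not protected by TLS.

Added example, not Teletouch's code.  The "[sess N] >>> / <<<" transcript
format, the session numbers, usernames and filenames are assumptions made
for the example; adapt LINE_RE to your own server's session log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(r"^\[sess (\d+)\] (>>>|<<<) (.*)$")

# Explicit-FTPS upgrade commands (RFC 4217); the server accepts with 234.
AUTH_COMMANDS = {"AUTH TLS", "AUTH SSL"}
# Commands that move file data or directory listings over the data channel.
DATA_COMMANDS = {"RETR", "STOR", "APPE", "LIST", "NLST"}

# Constructed sample transcript.  Session 101 negotiates explicit FTPS and
# PROT P before logging in; 102 is a plain-FTP login; 103 protects the
# control channel but never issues PROT P, so its RETR runs in cleartext.
SAMPLE_LOG = """\
[sess 101] >>> AUTH TLS
[sess 101] <<< 234 AUTH TLS successful
[sess 101] >>> PBSZ 0
[sess 101] <<< 200 PBSZ=0
[sess 101] >>> PROT P
[sess 101] <<< 200 Protection set to Private
[sess 101] >>> USER jdoe
[sess 101] <<< 331 Password required
[sess 101] >>> PASS ********
[sess 101] <<< 230 Login successful
[sess 101] >>> RETR dictation-0412.wav
[sess 101] <<< 150 Opening data connection
[sess 102] >>> USER mtso_upload
[sess 102] <<< 331 Password required
[sess 102] >>> PASS ********
[sess 102] <<< 230 Login successful
[sess 102] >>> STOR report-0412.doc
[sess 102] <<< 150 Opening data connection
[sess 103] >>> AUTH TLS
[sess 103] <<< 234 AUTH TLS successful
[sess 103] >>> USER jdoe
[sess 103] <<< 331 Password required
[sess 103] >>> PASS ********
[sess 103] <<< 230 Login successful
[sess 103] >>> RETR dictation-0413.wav
[sess 103] <<< 150 Opening data connection
"""


@dataclass
class SessionState:
    tls_control: bool = False        # server accepted AUTH TLS/SSL (reply 234)
    prot_private: bool = False       # server accepted PROT P (reply 2xx)
    pending: Optional[str] = None    # last client command awaiting its reply
    findings: list[str] = field(default_factory=list)


def audit_ftp_log(log_text: str) -> dict[str, list[str]]:
    """Return {session_id: [findings]} for every session in the transcript.

    A session with an empty findings list logged in and transferred files
    only after TLS was in place on both the control and the data channel.
    """
    sessions: dict[str, SessionState] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not part of the transcript
        sid, direction, text = m.groups()
        st = sessions.setdefault(sid, SessionState())
        if direction == ">>>":  # client -> server
            cmd = text.split(" ", 1)[0].upper()
            st.pending = text.strip().upper()
            if cmd in ("USER", "PASS") and not st.tls_control:
                st.findings.append(f"{cmd} sent on an unencrypted control channel")
            elif cmd in DATA_COMMANDS and not st.prot_private:
                st.findings.append(f"{text} ran on an unencrypted data channel")
        else:  # server -> client: only the three-digit reply code matters
            code = text[:3]
            if st.pending in AUTH_COMMANDS and code == "234":
                st.tls_control = True
            elif st.pending == "PROT P" and code.startswith("2"):
                st.prot_private = True
            st.pending = None
    return {sid: st.findings for sid, st in sessions.items()}


def cleartext_sessions(log_text: str) -> list[str]:
    """Session IDs that exposed credentials or file data in the clear."""
    return sorted(sid for sid, f in audit_ftp_log(log_text).items() if f)


if __name__ == "__main__":
    for sid, findings in audit_ftp_log(SAMPLE_LOG).items():
        print(sid, "OK" if not findings else "; ".join(findings))
```

Session 103 is the case worth remembering: AUTH TLS protects the control channel (and so the password), but without PROT P the dictation file itself still crosses the Internet unencrypted. A server that is meant to enforce the encryption claim should reject USER before AUTH TLS and reject data commands before PROT P, rather than relying on the client to ask for them.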
Desktop Access:
- Access to our network is limited by auto-logoff, ID/password protection, password-protected screensavers, and a security-enabled operating system (Windows NT).
- Only fully trained staff have access to the server and dictation files, for support and maintenance.
Continuity:
- Our data storage and backup system hardware consists of two Intel Pentium 1.3 GHz server towers with 490 MB of RAM, running on the Windows NT platform. The operating software and digital voice software reside on two 80 GB mirrored hard drives, which provide fault tolerance against the failure of a single drive. Mirroring does not protect against files that are deleted or corrupted, since those changes are written to both drives. Only one of the server towers is in use at any particular time, so the second tower provides a standby system as well as a readily accessible inventory of emergency spare parts.
Privacy:
- We are not responsible for, nor will we provide, access to any files on our system to any person other than those authorized by the originator of the dictation.
- We will not release any files directly to a patient.
- The responsibility for enabling patients to control their health records, including access, disclosures, the 'minimum necessary' standard, consent and authorization, etc., resides with the medical professional who initiated the document.
Appendix A
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress as part of its healthcare reform efforts. The HIPAA legislation has four primary objectives:
- Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
- Reduce healthcare fraud and abuse
- Enforce standards for health information
- Guarantee the security and privacy of health information
Of the four primary objectives, the fourth has the most impact on medical transcription.
What is the deadline for HIPAA compliance?
The rule requires that healthcare organizations, insurers and payors that have been using any electronic means of storing patient data and performing claims submission must comply with the rule by April 14, 2003. Since medical transcription deals with electronic means of handling and storing patient data, April 14, 2003 is the deadline by which medical transcription service organizations (MTSOs) must comply with the HIPAA requirements.
What are the important requirements of HIPAA for a medical
transcription company?
MTSOs must be able to support two requirements:
- Ensure the security and confidentiality of the patient's Protected Health Information (PHI), and
- Maintain an audit trail of all individuals who have had access to PHI.
This means that transcription service providers must implement technology and business processes in their operations to support these two key requirements.
Can the Internet be used for medical transcription and still meet
HIPAA requirements?
Yes, as long as the MTSO uses encryption and password protection to prevent unauthorized access to the PHI. Dictation done over the telephone does not need to be encrypted. However, voice files transmitted from portable recorders should be encrypted prior to transmission over the Internet.
Transcribed documents must be sent back to the healthcare provider
in a secure manner using encrypted email or a secure FTP site or may
be faxed with a disclaimer statement explaining the confidential
nature of the document.
If tapes are used to record dictations, will this meet HIPAA
regulations?
This may cause a problem. There is no easy way to create and verify
an audit trail of who has had the tape and who listened to the PHI
on the tape. If the tape is lost, one cannot guarantee the security
of the information on it.
What is a Covered Entity and what is a Business Associate?
HIPAA defines a Covered Entity (CE) as a health plan, a healthcare
clearinghouse, or a healthcare provider who transmits any health
information in electronic form in connection with a HIPAA
transaction. A physician’s office or medical clinic would fall under
the category of a Covered Entity.
A Business Associate (BA) is a person or organization that performs
a function or activity on behalf of the Covered Entity (CE), but is
not a part of the covered entity’s work force. A medical
transcription service provider would be classified under the
definition of a Business Associate.
Who is liable for privacy violation under HIPAA?
Civil and criminal penalties can be imposed for noncompliance with HIPAA. These penalties are imposed on Covered Entities (e.g. healthcare providers) and are not directed at Business Associates (e.g. medical transcription service organizations).
Healthcare providers should ask their transcription company about
their privacy and security regulations and ensure that they are
contractually obligated to comply with these regulations.
What is the penalty for not meeting HIPAA compliance?
The total amount from civil penalties for multiple violations by a
Covered Entity during a calendar year is capped at $25,000.
HIPAA also provides for criminal liability for Covered Entities for
knowingly obtaining or disclosing individually identifiable health
information. The maximum penalty is a fine of $50,000 and
imprisonment of one year. If the offense is committed under false
pretenses, the maximum penalty is a fine of $100,000 and
imprisonment of five years. If the offense is committed with the
intent to sell, transfer or use individually identifiable health
information for commercial advantage, personal gain or malicious
harm, the maximum penalty is a fine of $250,000 and imprisonment of
ten years.
What rights does the patient have under HIPAA?
HIPAA provides the patient with many new rights in relation to their healthcare documentation. Some of them are the right to:
- Review his/her entire medical record
- Request changes within the documentation, which can be denied by the physician for specific reasons
- Request documentation of every time his or her PHI was accessed, along with the identity of the individual accessing the document and the specific reason for doing so
- Know how much of the PHI was shared
- Know what the facility's (Covered Entity's) policies and procedures are for security and privacy
When the patient becomes aware of these rights, you should be prepared to deal with any legitimate requests the patient may have.