Frequently Asked Questions

  1. What is HIPAA?
  2. What is the deadline for HIPAA compliance?
  3. What are the important requirements of HIPAA for a medical transcription company?
  4. Can the Internet be used for medical transcription data transfer and still meet HIPAA requirements?
  5. If tapes are used to record dictation, will these meet HIPAA regulations?
  6. What is a Covered Entity?
  7. What is a Business Associate?
  8. Who is liable for privacy violation under HIPAA?
  9. How would this regulation be enforced, and what happens if there is a breach in confidentiality or privacy?
  10. What are some of the penalties for not complying with HIPAA?
  11. What rights does the patient have under HIPAA?
  12. Are there any Fax specific guidelines according to HIPAA?
  13. What are the benefits of using ASP services that comply with HIPAA requirements?
  14. To what extent is Medikin HIPAA compliant?
  15. Can the Privacy Officer of Medikin help us in meeting our HIPAA compliance? If yes, what are the fees for this service?

(1) What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. It is a federal regulation that protects the privacy of patients’ healthcare information.

The HIPAA legislation has four primary objectives:

  • Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
  • Reduce healthcare fraud and abuse
  • Enforce standards for health information
  • Guarantee security and privacy of health information

(2) What is the deadline for HIPAA compliance?
The rule requires that healthcare organizations, insurers, and payers that have been using any electronic means of storing patient data and submitting claims must comply with the guidelines by April 14, 2003.

(3) What are the important requirements of HIPAA for a medical transcription company?
MTSOs should comply with the following basic requirements:

  • Ensure the security and confidentiality of the patient’s Protected Health Information (PHI).
  • Maintain an audit trail of all individuals who have had access to PHI.

Please see the Legal Compliance section for more details.

(4) Can the Internet be used for medical transcription data transfer and still meet HIPAA requirements?
Yes, there is no restriction on the use of the Internet as long as proper encryption and security measures are in place during data transfer.

(5) If tapes are used to record dictation, will these meet HIPAA regulations?
There are certain issues with tapes. There is no easy way to create and verify an audit trail of who has had the tape and who listened to the PHI on the tape. If the tape is lost, one cannot guarantee the security of the information on it.

(6) What is a Covered Entity?
HIPAA defines a Covered Entity (CE) as a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a HIPAA transaction. A physician’s office or medical clinic would fall under the category of a Covered Entity.

(7) What is a Business Associate?
A Business Associate (BA) is a person or organization that performs a function or activity on behalf of the Covered Entity (CE), but is not a part of the covered entity’s work force. A medical transcription service provider would be classified under the definition of a Business Associate.

(8) Who is liable for privacy violation under HIPAA?
The penalties are levied on the facility or the covered entity because they bear the initial responsibility to protect the PHI. However, if a breach occurs by a Business Associate or one of the independent contractors that is in the chain of trust, these penalties can be extended to include them as well.

(9) How would this regulation be enforced, and what happens if there is a breach in confidentiality or privacy?
There is no HIPAA police force, but there is a governmental agency that helps to enforce this regulation. If a patient feels that his rights as a patient have been violated or that his PHI has been compromised in any way, he can make a written or verbal report to the Office for Civil Rights. If the breach is serious enough, the Office of Inspector General will become involved.

(10) What are some of the penalties for not complying with HIPAA?
The maximum civil penalty for multiple violations by a Covered Entity during a calendar year is capped at $25,000. HIPAA also provides for criminal liability for Covered Entities that knowingly obtain or disclose individually identifiable health information. The maximum penalty is a fine of up to $50,000 and imprisonment of up to one year. If the offense is committed under false pretenses, the maximum penalty is a fine of up to $100,000 and imprisonment of up to five years. If the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the maximum penalty is a fine of up to $250,000 and imprisonment of up to ten years.

(11) What rights does the patient have under HIPAA?
HIPAA provides the patient with a full set of rights in relation to his/her healthcare documentation, which include:

  • A full review of his/her entire medical record,
  • The right to request changes to the documentation, which could, however, be denied by the physician for specific reasons,
  • The right to request a record every time his/her PHI is accessed, along with the identity of the individual accessing the document and the specific reason for doing so,
  • Access to any PHI that was wrongfully shared,
  • The right to be informed of the facility’s (Covered Entity’s) policies and procedures for security and privacy.

When the patient becomes aware of these rights, you should be prepared to deal with any legitimate requests that the patient may have.

(12) Are there any Fax specific guidelines according to HIPAA?
HIPAA has defined guidelines for faxing information that concerns a patient and his or her PHI. Your facility should establish fax policies based on federal and state privacy statutes.

  • Written authorization from the patient must be obtained before faxing PHI to a party outside the covered entity’s operation. Take a scenario where you work as an MT for ABC Clinic and have transcribed a patient’s consultation. Another clinic, XYZ, wants a copy of that consultation. In this case, you must have the patient’s authorization. Reasonable steps must be taken to ensure that the fax is sent to the correct destination. Preprogrammed numbers should be tested regularly to ensure that they have not changed. If you fax to a particular facility or doctor, ask them periodically whether their number has changed, so you can make sure your preprogrammed numbers are accurate.
  • Each time a fax containing PHI is sent, you need a complete fax cover sheet that includes the destination, the person to whom you are faxing, the number of pages, the date, and a list of all documents included in the fax. A copy of that fax cover sheet must be kept on file because the patient has the right to determine who has accessed the PHI.
  • For sending and receiving faxes, your fax machine must be in as secure an area as your computer. It cannot be in an area where passers-by could pick up pages from the fax machine, read them, and gain access to confidential information.

(13) What are the benefits of using ASP services that comply with HIPAA requirements?
An ASP platform operates on current hardware and software technologies, ensuring authorized access to and control of PHI and other health documentation. Application security and Internet data transfer can be better encrypted, monitored, and controlled on an ASP platform than on stand-alone machines. An ASP provider is also likely to have a redundant infrastructure to cushion any hardware or software failure or breach. Because an ASP provider serves a number of MTSOs, it is in a better position to bear the high costs of meeting HIPAA requirements.

(14) To what extent is Medikin HIPAA compliant?
Please see Medikin’s Compliance section for more details.

(15) Can the Privacy Officer of Medikin help us in meeting our HIPAA compliance? If yes, what are the fees for this service?
Yes, our Privacy Officer can guide you in his professional capacity in meeting HIPAA compliance requirements. Please contact us at hipaainfo@medikin.com for details on this service.

Disclaimer
The information provided here is for informational purposes only and is not to be construed as legal advice. In all matters pertaining to HIPAA compliance, legal counsel should be sought.

Contact us at 866-MEDIKIN or info@medikin.com
Copyright © Medikin, Inc., All Rights Reserved