Medical Transcription Work and HIPAA
As a medical transcriptionist, you’ll be entrusted with sensitive patient data. Legally speaking, you won’t get very far down the medical transcription trail before you run into HIPAA (pronounced hip-uh). You have a legal, moral, and ethical duty to protect patient data. Besides, it’s the right thing to do.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. The key component that medical transcriptionists must be up on is the Privacy Rule. That’s the part that defines a set of national standards for protection and disclosure of certain types of individual health information, called protected health information (PHI). In a nutshell, if PHI gets out in violation of the Privacy Rule, heads will roll.
This is a boiled-down summary of key information extracted from hundreds of pages of legislation and regulation. It’s intended to give you the big picture, not a definitive legal determination about how HIPAA applies to you.
HIPAA is a federal statute that made sweeping changes to healthcare laws. Although it was enacted in 1996, it wasn’t fully implemented until 2003. Since then, additional laws have been passed that modified regulations and added enforcement provisions.
HIPAA’s primary purpose was to help workers keep health insurance coverage when they change jobs or become unemployed. It also included another section, called Administrative Simplification (AS), which is the part that has substantially impacted the medical transcription profession. The AS section of HIPAA gives patients greater control of (and access to) their own medical records and a say in how their personal health information is used.
It also includes the Privacy Rule and the Security Rule, which together regulate how particular members of the healthcare industry must manage individual health information. You can think of it as the who, what, how, and “or else” of protecting personal health information.
The Privacy Rule applies to all PHI in any form: paper, electronic, or spoken. The Security Rule deals specifically with standards for the security of electronic protected health information (e-PHI). It defines administrative, physical, and technical safeguards that must be implemented.
Failure to comply with HIPAA can lead to stiff penalties. Civil penalties originally ran from $100 per violation up to $25,000 per calendar year for identical violations; the 2009 HITECH Act raised them to a tiered structure that tops out at $1.5 million per calendar year. Criminal penalties top out at ten years’ imprisonment and a $250,000 fine. Now that’s an “or else” with some teeth to it!
HIPAA applies to
Health plans
Healthcare clearinghouses (entities that facilitate handling electronic healthcare transactions)
Healthcare providers who transmit health information in electronic form for certain types of transactions, such as submitting insurance claims
Business associates of the preceding (potentially including you)
The first three are collectively referred to as covered entities. Business associate is the term used to describe a third party that a covered entity discloses PHI to, such as a medical transcription service.
Before a covered entity can disclose PHI to a business associate, there must be a written contract in place that ensures the associate will appropriately safeguard the information. The contract is called a business associate agreement, and medical transcriptionists who contract with medical transcription service organizations (MTSOs) can expect to sign one.
Originally, business associates were accountable to the covered entity through these contracts, and the covered entity was accountable to the federal government for HIPAA compliance. The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, included provisions that made business associates directly liable to the government for HIPAA violations.
The Privacy Rule and Security Rule are enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services. In 2010, HHS issued a Notice of Proposed Rulemaking (NPRM) that expanded the definition of business associate to include subcontractors, a category that includes medical transcriptionist independent contractors (ICs) who work for MTSOs. The NPRM (finalized in the 2013 Omnibus Rule) makes medical transcriptionist ICs directly liable to the federal government for failure to comply with HIPAA regulations.
In summary, HIPAA + HITECH + NPRM = MT ICs must preserve, protect, and defend the privacy and confidentiality of the records (voice files, transcribed reports, logs, and so on) handled during the transcription process, and prevent theft or loss of protected health information.
If you’re aching for further, intricate details, visit the following websites:
The health information privacy section of the U.S. Department of Health and Human Services website provides extensive information about the HIPAA Privacy Rule and Security Rule. It also includes sample business associate contract provisions.
For an overview of HIPAA from the big-picture perspective, not just the patient privacy components, Wikipedia is a good place to start.
HIPAA is a federal law, but it doesn’t override state patient-privacy laws that are more stringent than HIPAA. Some states impose stricter requirements, so be aware of both sets of rules and comply with whichever is more stringent.