Transcription Trends: MTSOs Face HIPAA Compliance Challenges
By Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, and Nick Mahurin
For The Record
Vol. 29 No. 1 P. 30
These days, HIPAA compliance efforts are a hot topic in health care documentation circles. For business associates (BAs), it's a necessary overhead burden; however, it's especially challenging for medical transcription service organizations (MTSOs) that are charging less today than they did 20 years ago. (Can you name any other component in the health care sector where prices haven't increased by at least double digits?)
No matter the circumstances, MTSOs and BAs must be certain they fully comprehend the compliance process.
Advances in Technology and Cybercrime
Technology advances have entirely changed the landscape of capturing, storing, and releasing protected health information (PHI). MTSOs have adapted well, providing options to meet their customers' changing needs.
The shift to electronic health information was intended to enable fluid sharing of such records to support care. Unfortunately, these technology advances have led to a commensurate rise in the accessibility and value of health care data, a fact noticed by the bad guys. Indeed, when the privacy and security provisions of HIPAA were conceived, regulators surely intended to protect our privacy from a modesty perspective, not from organized cybercrime.
Today's more acute problem is medical identity theft. One look at the Health and Human Services' Wall of Shame, which highlights breaches involving 500 or more patients, and it's easy to see how rapidly cybercrime has increased. As of this writing, the number of patients whose data had been hacked in 2016 stood at more than 20 million.
Experiencing cybercriminal activities such as hacking, ransomware, and phishing schemes can be devastating for any BA. The potential investigative process that follows can be expensive, disruptive, and protracted. If noncompliant practices are discovered, it can lead to large fines as well as the implementation of a multiyear corrective action plan.
As security risks continue to make headlines, health systems, hospitals, and individual providers work in an environment of heightened awareness. More providers are requesting evidence of security best practices before putting ink to a contract. This may range from a simple questionnaire to a multipage document requiring attachments to be returned for review. Providers must be certain their data are properly protected, a process that requires more than getting a BA agreement (BAA) in place.
Since 2009, BAs have been required to enter into BAAs—even if the covered entity (CE) doesn't initiate it. In other words, sometimes MTSOs must persuade providers to execute a BAA. There are also instances in which MTSOs must resist demands from providers to adopt risky communication practices such as e-mailing ePHI (electronic PHI).
A Closer Look at BAAs
While the BAA requirement has been around for seven years, its content has evolved. Now it's longer and more detailed. Certainly, provision of technical, administrative, and physical safeguards is required content language, but the devil lies in the details. MTSOs are advised to read closely because there is likely other language present—such as required notification in the event of a security incident. In fact, an actual breach is generally addressed separately.
MTSOs must pay particular attention to the timeframe in which they have to notify the CE. In some cases, it could be the standard language per the rule: "without unreasonable delay, but in no case greater than 60 days." However, do not be surprised to see timelines as short as 24 hours or three business days. Whatever the requirement, remember that a signature is a promise to comply.
Responsibility doesn't end with notification. In the case of an incident determined to be a breach, the process to document, report, and put in place remediation efforts begins. This comes at great cost to any organization. Keep in mind there is likely an indemnification clause in the BAA that essentially means any and all costs will fall to the responsible party. As a result, when negotiating a BAA, be sure to push back on indemnification language that is too general or that applies to risks on the CE's side.
Beyond the hard and measurable price tag of resolving a breach are the more long-lasting costs associated with the loss of client trust and reputational damage. That said, it is important to remember that bad things happen to good organizations. There are many well-intended and sound-practicing health care groups and BAs that have been exploited by cybercriminals.
Selecting a BA partner is a decision health care providers and other BAs must take seriously. When considering a BA, there are a number of essential questions that should be asked of potential partners, including the following:
• Is there someone in charge of HIPAA?
• Is there a designated privacy and security official?
• Has staff received HIPAA privacy, security, and breach notification education?
• Are there clear and easy-to-understand policies and procedures in place?
• Do home-based staff work in secure environments that align with policies and procedures?
Create a questionnaire that addresses these questions, and require evidence-based documentation to accompany the responses. Also, obtain the name and contact information of the potential partner's privacy and/or security official. Set up a meeting with that person to discuss pertinent issues. Generally speaking, the willingness and timeliness with which a potential BA responds to this request will reveal its current level of compliance preparedness.
How the Work Gets Done: Does It Matter?
Traditional transcription is typically performed in a dictation/transcription system maintained and operated by the provider, MTSO, or BA platform vendor. Various forms of documentation support can involve transcribing, editing, or scribing directly into the CE's EMR. In principle, strong privacy and security practices are important no matter what systems are used. The interesting part becomes the division of responsibilities between the customer and the vendor in establishing and honoring such policies. For home-based direct EMR access, there are several common profiles, including the following:
• Installed app. The medical transcriptionist (MT) can install the EMR program on his or her computer and use a virtual private network (VPN) to access the customer's server.
• Remote desktop/app. The customer provides a Citrix or other brand experience in which an entire Windows computer desktop or a single app appears in the MT's computer. The program runs elsewhere but is viewable locally.
• Cloud. In other cases, the EMR is in the cloud—even users at the hospital or clinic use it over the web. In this case, an MT uses it in the same way. Because the web session itself is encrypted by another protocol, such as Secure Sockets Layer (SSL), a VPN typically isn't needed. Even when a VPN is used, keep in mind it is a two-way street. If the bad guys are already in the host system, damage is imminent. Plus, a VPN connection can give an attacker who has compromised the host a path into the remote user's system.
For everyone's protection, to comply with regulations and to contain any potential for exposure, limit access to the minimum required for each worker to perform his or her job. Decisions need to be made on what the CE believes is best. The MTSO can then recommend a best-fit solution based on those requirements.
From a business perspective, objective, verifiable, and equitable billing practices based on line counts once made transcription an attractive outsourcing option. When documenting in the EMR, however, most firms use their platforms for dictation and playback while the MT types directly into the EMR encounter. Because EMRs lack line-counting mechanisms, billing has been based on hourly rates or dictation minutes that only roughly correlate with the work effort.
The dictation/transcription of previous generations is evolving rapidly, with revolutionary new ideas beginning to emerge to solve these problems. For example, one platform is preparing to release a new feature that will count keystrokes and mouse clicks inside the EMR as the MT works. This allows the vendor and the customer to return to a sensible billing scenario that genuinely tracks work effort.
Other Assurances and Protections
Cyber insurance is gaining steam in the health care industry. Most regular, small business insurance packages do not cover cyber liability.
It isn't just sloppy organizations that find themselves victimized by identity thieves. The news of the past few years has been filled with accounts of many reputable commercial and government enterprises being hacked. The fact is that even good IT systems have vulnerabilities. A cyber policy will address more than indemnification issues. For example, on-call experts will help remediate a crisis as it is unfolding and can even assist with fines imposed by the Office for Civil Rights. In other words, cyber insurance can be a practical way for MTSOs to confidently manage HIPAA compliance concerns.
Best Go-Forward Plan
MTSOs play a vital role in supporting detailed, accurate, timely documentation that allows providers to spend more time taking care of patients. It is a critical partnership that providers have long depended upon.
In today's environment, where providers face increasing regulatory requirements (such as meaningful use and MACRA) and the growing threat of cybercriminals, health care decision-makers must implement HIPAA compliance practices that conform with best practices to ensure patient data are safeguarded during every step of the process.
— Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, is a member of For The Record's editorial advisory board and chief privacy officer at Just Associates.
— Nick Mahurin is CEO at InfraWare.