December 21, 2009

HIPAA Targets
By Selena Chavis
For The Record
Vol. 21 No. 24 P. 10

Greater enforcement, heightened scrutiny, and extended coverage—it’s all part of the HITECH Act that is provisioned to raise the bar on how covered entities approach the security of protected health information (PHI).

And the impact on dictation and transcription practices is expected to fall right in the limelight of this effort. But according to many healthcare professionals, placing more HIPAA compliance efforts on dictation and transcription procedures may be a new focus for many healthcare providers and their affiliated partners.

Chris Casto, vice president of Ohio-based Dolbey Systems, a medical dictation and document management software company, suggests that if a covered entity believes all health record information starts in the dictation system, there should be little dispute as to where privacy and security strategies should expand.

“With dictation, [many healthcare providers] don’t think about it until it’s not working,” he explains, adding that most of Dolbey’s customers have placed PHI protection at the forefront but not necessarily on the level that includes sound dictation practices. “It’s one more headache that they don’t want to deal with, but this area can be a wide open door. There have been lots of efforts to protect paper and electronic records … but it [patient information] all started in a dictation system.”

Alongside the dictation process, much more scrutiny will be extended to transcription companies—or business partners in general—as it relates to protecting health information. While covered entities have long been in the hot seat when it comes to criminal and civil penalties associated with HIPAA, HITECH provisions will soon expand the reach of those penalties to include the business associates (BAs) of covered entities.

“That’s a pretty significant change,” says Mark Sullivan, chief compliance officer with MedQuist, a provider of medical transcription software. “Previously with a company that was a BA, the obligation was indirect via a contract with a covered entity. There wasn’t direct liability.”

According to Mark Ivie, chief operating officer with Pennsylvania-based M*Modal, BAs include third-party companies such as accounting firms, billing agencies, transcription companies, and other service providers that may be able to access PHI from a covered entity. Under the HITECH Act, those companies are now directly subject to HIPAA security and privacy requirements, as well as to the same civil and criminal penalties that hospitals, pharmacies, and other HIPAA-covered entities have faced for a number of years. Prior to HITECH, BAs that failed to properly protect patient information were accountable to the covered entities, but they did not face federal penalties.

“Now we can be audited and fined directly,” Ivie points out, adding that the industry expects enforcement to become tougher going forward. “No one knows the extent other than there will be more audits. I have read documents that say the number of issues has been rising steadily. … Clearly, they plan to get tougher.”

PHI Sensitivity
According to Sullivan, the transcription industry has been sensitive to HIPAA for some time, especially following the fallout from recent breaches. A number of high-profile cases in recent years have spotlighted issues related directly to patient privacy involving BAs, causing many in the industry to raise an eyebrow as to the best strategy for dealing with such situations.

Probably one of the most notable cases involved the University of California, San Francisco (UCSF) Medical Center in late 2003. The organization received an e-mail from a disgruntled Pakistani transcriptionist who vowed to put UCSF medical files on the Internet if she wasn’t paid money that she was owed. The transcriptionist retracted her threat the next day after she received some money.

More recently, The Economic Times reported in October about a successful sting operation by a United Kingdom agency in India where some health-related data were bought from a medical transcription company.

Clearly, the intent for malicious theft and activity surrounding PHI is out there, Sullivan acknowledges, but he believes the primary form of breach that occurs is likely inadvertent. “The penalties break down along those lines,” he notes. “The real heavy civil and criminal liabilities are for actions involving the intentional misuse of PHI.”

Under HIPAA, PHI is confidential, personal, identifiable health information about individuals that is created or received by a health plan, provider, or healthcare clearinghouse and is transmitted or maintained in any form. Identifiable means that a person reading this information could reasonably use it to identify an individual.

Sullivan says that while not clearly defined in the act itself, the industry has pinpointed 18 PHI identifiers that apply to patients, relatives, employers, or household members of patients. The potential harm to patient information being breached goes far beyond what a physician records as part of the healthcare status.

“It’s not just Mark Sullivan and just his medical condition. It could be my Social Security number, my insurance numbers, my beneficiary information, and the list goes on,” he says.

Higher Stakes
A recent HIMSS Analytics survey found that a large share of BAs were not ready for the new HITECH rules. In fact, the report found that about one third of those surveyed were not even aware they needed to comply with security and privacy provisions in HIPAA, putting healthcare entities that contract with them at great risk.

Prior to the HITECH Act, penalties equated to a maximum of $100 for each violation or $25,000 for all identical violations of the same provision. A covered healthcare provider, health plan, or clearinghouse could also bar the imposition of a civil money penalty by demonstrating that it was unaware violations had occurred.

New HITECH provisions will strengthen the civil money penalty scheme by creating tiered ranges of penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of identification.

Alongside more stringent penalties, BAs will now also be required to report any violations they become aware of when working with a covered entity.

With HITECH in place, Casto says healthcare providers and BAs will have to look at their practices differently concerning how dictation is handled. Carelessness will have no place in the market going forward.

“It is very common that our customers will send us dictations systems for repair, and it will have PHI all over,” he says, adding that breach notification may require such activity to be reported by the customer. “It’s a problem; they just don’t think about it.”

Casto also points to the number of outsourced companies that work directly off the Internet, opening themselves up for breaches. “A lot of people would be shocked as to how many of those companies have an FTP site that works off the Internet,” he notes.

Then there is the issue of older, outdated technology that in no way complies with the tighter HITECH requirements. Casto suggests that if a survey were conducted regarding current dictation equipment used in hospitals and healthcare organizations, it would likely find that the last big investment made in medical dictation systems would have occurred about 10 years ago in preparation for Y2K compliance.

While many have made upgrades for HIPAA requirements, Casto believes a large share of the equipment out there is not going to meet the needs of HITECH. “Those dictation systems implemented in the late ’90s probably still work fine today … but it leaves them more open to breach,” he emphasizes.

Like the policy that is currently in place at MedQuist and many other BAs and covered entities, organizations will also have to move to a zero tolerance policy when it comes to PHI breaches.

Sullivan points to the well-known case that occurred at UCLA Medical Center last year when 13 hospital employees were fired, six more suspended, and six doctors disciplined for looking at Britney Spears’ computerized medical records without authorization.

Rewriting Agreements
One of the first steps to moving forward toward HITECH compliance will be for covered entities to revisit their BA agreements to comply with the February 17, 2010, deadline, says Ivie. Covered entities will likely want to ensure that language in the agreements reflects the new HITECH security and privacy provisions.

While there are no current standards that have been released or proposals for new BA agreements, he points out that the agreements will need to entail some basic measures, including the development and implementation of a privacy policy, the appointment of a privacy officer, regular training for employees, and a system for periodic risk assessments and audits.

Sullivan says MedQuist is reviewing its form BA agreement, as well as addressing customer inquiries about existing BA agreements in light of the new rules: “With the direct liability and stricter criminal and civil penalty exposure, I think it’s something that companies will need to be more mindful of and diligent with to ensure compliance.”

Best Practices: Assessing the Risk
One of the primary ways that MedQuist combats both inadvertent and malicious security breaches is by eliminating PHI from both dictation and transcribed reports. All identifiable patient information is left out, according to Chris Spring, vice president of product management.

“Doctors don’t dictate any PHI in reports,” Spring explains. “For instance, if they happen to dictate a patient name by mistake, the transcriptionist would then be directed to change it to ‘patient’ in the report.”

Going back to the issue of outdated equipment and practices, Casto notes that the first question Dolbey asks in a risk assessment is, “Do you still have people using cassette tapes?” While this may seem remarkable to some healthcare entities, he says the practice is still pretty widespread.

“There is no way to encrypt a cassette tape,” he says, adding that data encryption across networks should be a primary security requirement.

Also still used in the industry are digital portable recorders, and while these devices are slightly more advanced than a cassette machine, Casto notes that doctors carry the devices around and routinely lose them.

The implementation of a centralized dictation system is key to securing private patient information, Casto adds, also noting that a system should require passwords and a password-changing scheme.

“I would say, by and large, most dictation systems do not work that way today,” he says.

Audit trails prove to be the greatest challenge to getting a handle on safeguarding PHI with dictation and transcription. While many systems provide for this type of tracking, Casto says healthcare organizations and physicians will not always utilize the feature the way it was designed.

Pointing out that physicians will often share passwords, Casto says it’s hard to know whether more than one user is using the same password. “You need something to make users change their passwords often,” he adds.

There is also the issue of controlling how the information is stored. “Most hospitals use outsourced transcriptionists or professionals who work from home,” Casto notes, emphasizing that the organization loses control of the data to some degree when that occurs. “Audio files are often sent from work PCs to home PCs.”

Ivie points out that covered entities and BAs should look to the consulting industry for assistance, as there will be much greater scrutiny of BA agreements and practices going forward on behalf of both the federal government and covered entities. “Consultants were readily available when HIPAA was first introduced,” he says. “BAs could still tap into some of that knowledge that is still out there.”

— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications covering everything from corporate and managerial topics to healthcare and travel.