
E-News Exclusive

Is Your Scribe Service HIPAA Compliant? What to Know and What to Ask

By Terry Ciesla


COVID-19 and the universal acceptance of telemedicine are driving adoption of remote scribe services.

Hospital and physician networks alike are realizing financial and quality-of-life benefits from outsourcing EMR documentation, charting, and other ancillary services. This includes more efficient workflow, an increase in patient visits per week, fewer charting backlogs, and a boost in revenue cycle efficiency.

Understandably, giving an outside firm access to an EMR and other sensitive patient information raises a red flag, which could be a nonstarter for health care providers that would nevertheless benefit from these services.

HIPAA compliance is one of the top three concerns health care organizations express when considering virtual scribes. Here's a checklist of what to know and what to ask to ensure a scribe service is HIPAA compliant before giving them access to your patients’ electronic protected health information (ePHI). If a service can't prove it’s HIPAA compliant—with certification to authenticate training—then move on. A less expensive scribe service isn't worth risking the possibility of incurring significant penalties for a HIPAA violation.

Five Key Components for Virtual HIPAA Compliance

1. Business Associate Agreement: HIPAA Requirement
All health care providers, insurers, medical service companies—virtually any entity that touches health information—must have a signed business associate agreement (BAA) in place with any vendor or business associate that has access to their ePHI.

Because health care providers are ultimately responsible for HIPAA violations, it’s important to track and review all BAAs annually to assess HIPAA compliance.

Make sure the BAA you have in place with your virtual scribe service includes permitted use or disclosure of ePHI, and the scribe’s obligations for establishing and maintaining all the necessary processes and safeguards for protecting ePHI.

2. Limiting Access: What a Virtual Scribe Can and Cannot Do
A well-trained, HIPAA-compliant scribe should log into the EMR system to begin a session and log out once patient visits and charting are completed. All ePHI should stay in the EMR.

A virtual scribe can do the following:

A virtual scribe service and the scribe shouldn’t do the following:

3. Training and Certification: Ask for Documentation
Ask for detailed information about the scribe service’s HIPAA compliance training program. Make sure they perform regular (annual) updates and obtain HIPAA certification from an accredited industry resource. Scribes should also be trained on, and compliant with, a facility’s HIPAA protocols.

Scribe companies should have ISO/IEC 27001:2013 certification, which indicates they invest in the people, processes, and technology to protect their data.

SOC 2 certification is an additional level of certification that focuses on five trust services: security, availability, processing integrity, confidentiality, and privacy.

Cyber liability insurance protects scribe services from internet-based and other risks relating to IT infrastructure and activities. Every reputable company conducting business online should have it.

4. Password Protection and Other Critical Security Policies
Computers used by outside vendors can be a conduit for cybersecurity attacks. The most frequent cause of health care data breaches is compromised credentials, obtained through brute-force and phishing attacks that exploit weak passwords.

A strong password management policy guides users to take all necessary precautions, including the following:

Additional teleworking, mobile phone, and clear screen policies are designed to minimize exposure. At the scribe service facility, no mobile phones should be allowed on a work floor, and all screens should be shut down and cleared when a scribe leaves their desk.

5. Check Impartial Industry Rankings
Impartial organizations, such as KLAS Consulting, vet medical service organizations and publish widely respected industry reports based on user practice interviews. They are a good source of credible first-party information on company practices and HIPAA compliance.

Red Flags
Be wary of virtual scribe platforms that download ePHI and artificial intelligence systems that record and store patient encounters. Where is your organization’s ePHI being stored, and what security protocols are in place to prevent unauthorized access? These programs make it harder to fully document the visit and have charts closed after a visit, and often, charts are not closed for more than 24 hours. In addition, you will need to spend more time reviewing and editing artificial intelligence–transcribed charts, and you will need more data protocols to control access.

The acceptance of offshore scribe services is helping to meet the growing demand for this beneficial service. However, any benefits will be negated if the vendor is not in tune with HIPAA regulations.

Terry Ciesla is senior vice president of ScribeEMR in Woburn, Massachusetts.