New Laws Will Challenge Transcription Businesses
By Brenda J. Hurley, CMT, AHDI-F
The American Recovery and Reinvestment Act (ARRA) and its Title XIII, called the HITECH Act, greatly expand on HIPAA compliance requirements. The ARRA has introduced the first federally mandated data breach notification requirement, and the HITECH Act has extended the data privacy and security requirements that previously applied to covered entities to business associates (ie, medical transcription services). Business associates will also be subject to civil and criminal penalties, including a provision that allows individuals to receive financial compensation for a violation of their information.
Enforcement under this new federal law has sharpened teeth. Here is a summary:
• The new law clarifies that employees or other individuals of the workforce are subject to civil penalties.
• It requires Health and Human Services (HHS) to formally investigate any complaints and impose civil penalties for violation of rules due to “willful” neglect.
• It requires that any civil monetary penalty or settlement amount as a result of a privacy or security rule violation be transferred to the Office for Civil Rights to be used for enforcement of the HIPAA privacy and security rules.
• The law establishes a tiered system of civil monetary penalties ranging from $100 for unknowing violations up to $50,000 for each violation due to willful neglect. The HHS secretary determines the violation’s penalty amount.
• It requires the HHS secretary to conduct periodic audits to ensure covered entity and business associate compliance with new rules.
• The law also gives the state attorneys general authority to bring suit in district courts, on behalf of state residents, against any person violating the rules.
New federal standards also require that encryption be used for all individually identifying data stored and transmitted. Some state laws already require that encryption be used for both storage and transmission.
A breach is defined as “unsecured” protected health information—or in simple terms, protected health information that is not encrypted. With so much at stake, it will be imperative for both the covered entity (ie, the healthcare facility) and the business associate (ie, the medical transcription service) to eliminate any potential risk for breach.
One example of high risk for the medical transcription service involves the robust report distribution that many such services provide as a benefit for their clients (healthcare facilities). Commonly, this includes automatic faxing, remote printing, and/or electronic uploading of transcribed reports in a process that has been customized for that specific healthcare client and/or provider. While this system provides efficient and timely distribution of the transcribed report in a variety of delivery methods, it is not without considerable potential risks. The automatic faxing is usually designed to fax the report directly to the dictator and to those who were listed within the report to receive courtesy copies. Depending on the size of the healthcare facility’s staff and referring list, there could be hundreds or thousands of fax numbers in the provider database.
Fax numbers change periodically (ie, physicians move offices, area codes change), so at times a number in the database is wrong. Sometimes the result is an error in delivery (ie, no fax machine answers, or there is no answer at all); when that occurs, the report never gets sent and, of course, there is no breach. But at times those fax numbers are reassigned to different businesses (or individuals) with a fax machine, and when that occurs, they will receive the fax of a report in error, thus causing a breach.
Who will be responsible for verifying that the fax numbers provided by the healthcare facility to the medical transcription service are accurate, and who will perform periodic audits to ensure those numbers continue to be correct throughout the course of their contract? The quantity of faxes could vary, of course, but it would not be unusual to have 100 or more faxes per day automatically delivered through the report distribution system implemented by medical transcription businesses for their clients’ facilities.
Some believe that faxing in this volume will need to stop because a fax is “unprotected” by definition (it is not encrypted), thus resulting in a breach, while reports delivered electronically are protected because they will be encrypted; if one of those is received by the wrong recipient, it does not constitute a reportable breach.
Automatic faxing of transcribed reports will require reengineering by medical transcription companies if they want to greatly reduce their burden for potential breach risks. It is time to get busy, as the expected effective date for compliance with these new breach notification rules is September 23. The penalties bring increased fines and expanded legal accountability for both the medical transcription company and the individual members of its workforce.
The clock is ticking … fast!
— Brenda J. Hurley, CMT, AHDI-F, is a consultant in the medical transcription industry.