HIPAA – Safeguarding Confidential Information

‘Personal’ got more personal with the HIPAA legislation, which sets out broad parameters for the confidential sharing of medical records and health care information, for the benefit of patients and, in the long run, doctors as well.

Act and Regulations: ‘Covered Entities’

HIPAA regulations have been crafted to have broad application. The provisions of the Act extend to all health care plans, health care providers who transmit health records in an electronic format, and health care clearinghouses and billing companies. The bill refers to these organizations as “Covered Entities”. However, almost everyone will be affected in one way or another by these regulations, which will impact both consumers and providers of health care services.

It is important to understand that state regulations may differ from national regulations and certain States may define MT Services as Covered Entities.

Role of Business Associates

As a Business Associate, a Medical Transcription Service may not be directly governed by HIPAA regulations. However, Business Associates are governed indirectly by virtue of the fact that Covered Entities are required to obtain written assurances from the Business Associates that they deal with to ensure that patient identifying information is appropriately safeguarded. These written assurances must be included in a written contract between the Covered Entity and the Business Associate.

These strict requirements guarantee vigilance in delivering evidence of compliance to the Business Associate partners.

Independent Medical Transcriptionists

Medical transcriptionists who operate as Independent Contractors to Medical Transcription Services (Business Associates) and who have direct access to patient health information are referred to by the Act as ‘Third Parties’. Third Parties ought to have a written contract with the Business Associate, assuring that the patient information conveyed will be appropriately safeguarded. This contract should be similar in nature and scope to the contract between the Business Associate and the Covered Entity.

History of HIPAA

The rules became officially effective on April 14, 2001. However, the Act provided for a period of time before complete compliance was mandated. All other covered entities were required to become fully compliant by April 14, 2003.

Transmittal of Electronic Patient Information

The Act calls for the standardization of electronic document transmittal. The national standard which has been prescribed by HIPAA for electronic health record transmittal is ANSI X12. This national standard governs both the content and the format of patient information that is sent electronically between two organizations.

Key Provisions of the Act

* To restrict the dissemination of patient health care information.
* The rules specifically pertain to health information that is transmitted or maintained in any form (oral, paper, electronic, etc.) and which contains patient identifying information.
* In order to be compliant, covered entities must implement measures to ensure that patient information is protected in accordance with the provisions of the Act.

Protection of patient information

Written notification must be given to individuals telling them how information will be used and to whom it will be disseminated (insurance and billing companies, or other health care practitioners, for example). Written consent must also be obtained from the individual allowing for the use and maintenance of personal information as provided by the Act.

Disclosure or use of information for any other purpose or to any other organization requires specific authorization from the individual. Reasonable efforts must be made by covered entities to minimize the dispersal of patient information. Health information can be conveyed to Business Associates (“Business Associates” is a term that typically includes Medical Transcription Service Providers and their employees) only after written assurance is provided to guarantee the protection of the information.

Privacy officials must be appointed by each covered entity to develop, implement and oversee privacy policy for the covered organization. A primary contact person must also be designated to handle complaints and inquiries about the organization’s policy.

All employees of the covered entity must receive formal training to ensure that they understand the requirements of the privacy Act as they pertain to their specific duties. Covered entities must establish adequate administrative, technical and physical safeguards to ensure that all privacy requirements are upheld within the organization.

Penalties for Non-Compliance

The Act states that ‘Covered entities which fail to comply with the final regulations by the mandated compliance date may incur stiff penalties, including the payment of a fine’. In certain cases, criminal charges may be brought against the non-compliant entity.

Acroseas’ view

Considering all the measures that HIPAA lays out, we believe that this is a change for the better, for safeguarding the rights of patients. These measures ensure disclosure of information and hiring of privacy officials. It’s a significant step towards maintaining peace between the Business Associates and the Medical Transcriptionists.

