‘Personal’ got more personal with the HIPAA legislation, which sets out broad parameters for the confidential sharing of medical records and health care information, for the benefit of patients and, in the long run, doctors as well.
Act and Regulations: ‘Covered Entities’
HIPAA regulations have been crafted to have broad application. The provisions of the Act extend to all health care plans, health care providers who transmit health records in an electronic format, and health care clearinghouses and billing companies. The bill refers to these organizations as “Covered Entities”. However, almost everyone will be affected in one way or another by these regulations, which will impact both consumers and providers of health care services.
It is important to understand that state regulations may differ from national regulations and certain States may define MT Services as Covered Entities.
Role of Business Associates
As a Business Associate, a Medical Transcription Service may not be directly governed by HIPAA regulations. However, Business Associates are governed indirectly by virtue of the fact that Covered Entities are required to obtain written assurances from the Business Associates that they deal with to ensure that patient identifying information is appropriately safeguarded. These written assurances must be included in a written contract between the Covered Entity and the Business Associate.
These strict requirements guarantee vigilance in delivering evidence of compliance to the Business Associate partners.
Independent Medical Transcriptionists
Medical transcriptionists who operate as Independent Contractors to Medical Transcription Services (Business Associates) and who have direct access to patient health information are referred to by the Act as ‘Third Parties’. Third Parties ought to have a written contract with the Business Associate, assuring that the patient information conveyed will be appropriately safeguarded. This contract should be similar in nature and scope to the contract between the Business Associate and the Covered Entity.
History of HIPAA
The rules became officially effective on April 14, 2001. However, the Act provided for a period of time before complete compliance was mandated. All other covered entities were required to become fully compliant by April 14, 2003.
Transmittal of Electronic Patient Information
The Act calls for the standardization of electronic document transmittal. The national standard which has been prescribed by HIPAA for electronic health record transmittal is ANSI X12. This national standard governs both the content and the format of patient information that is sent electronically between two organizations.
Key Provisions of the Act
* To restrict the dissemination of patient health care information.
* The rules specifically pertain to health information that is transmitted or maintained in any form (oral, paper, electronic, etc.) and which contains patient identifying information.
* In order to be compliant, covered entities must implement measures to ensure that patient information is protected in accordance with the provisions of the Act.
Protection of patient information
Written notification must be given to individuals telling them how information will be used and to whom it will be disseminated (insurance and billing companies, or other health care practitioners, for example). Written consent must also be obtained from the individual allowing for the use and maintenance of personal information as provided by the Act.
Disclosure or use of information for any other purpose or to any other organization requires specific authorization from the individual. Reasonable efforts must be made by covered entities to minimize the dispersal of patient information. Health information can be conveyed to Business Associates (“Business Associates” is a term that typically includes Medical Transcription Service Providers and their employees) only after written assurance is provided to guarantee the protection of the information.
All employees of the covered entity must receive formal training to ensure that they understand the requirements of the privacy Act as they pertain to their specific duties. Covered entities must establish adequate administrative, technical and physical safeguards to ensure that all privacy requirements are upheld within the organization.
Penalties for Non-Compliance
The Act states that, ‘Covered entities which fail to comply with the final regulations by the mandated compliance date may incur stiff penalties, including the payment of a fine’. In certain cases, criminal charges may be brought against the non-compliant entity.
Considering all the measures that HIPAA lays out, we believe that this is a change for the better, for safeguarding the rights of patients. These measures ensure disclosure of information and hiring of privacy officials. It’s a significant step towards maintaining peace between the Business Associates and the Medical Transcriptionists.