Opt for HIPAA compliant Medical Transcription Companies

HIPAA compliant medical transcription companies are the ones which offer quality-oriented digital medical transcription and other services to hospitals, physicians, outpatient clinics and healthcare facilities dealing in various specialties including orthopedics, pediatrics, gastroenterology, radiology, cardiology and so on. Medical transcription companies offer transcription of history and physical reports, ER reports, clinic notes, follow up notes, consultation reports and health reports.

Medical transcription companies are becoming increasingly popular because they not only save costs but also ensure quality and speed through advanced technologies, and accuracy through digitalized documentation, with in-house proofreaders, editors and quality analysts providing three levels of quality assurance.

Before hiring a medical transcription company, make sure that it is HIPAA compliant and guarantees total confidentiality for client data, with secure FTP and browser-based file transfer. The Department of Health and Human Services, through the Health Insurance Portability and Accountability Act (HIPAA), requires privacy of medical records and prohibits the use of personal information for any other purpose.

Also while opting for these HIPAA compliant medical transcription companies, just make sure that they provide quick, reliable and cost-effective client-focused services that maintain high quality and also consider whether you need short term or long term services.

HIPAA waivers in case of declared emergency or disasters

After Hurricanes Katrina and Rita, DHHS reviewed its guidance so that families searching for loved ones in disasters such as hurricanes, tornadoes, earthquakes or unnatural disasters do not have to face HIPAA privacy roadblocks.

If an emergency or disaster is declared by the President or if a public health emergency is declared by the secretary of HHS, certain sanctions and penalties may be waived by the secretary against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.

These waivers apply only to

1. Hospitals in the emergency area and for the emergency period identified in the public health emergency declaration.

2. Hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals.

3. For up to 72 hours from the time the hospital implements its disaster protocol.

The provisions that may be waived are:

1. The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b));

2. The requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a));

3. The requirement to distribute a notice of privacy practices (45 CFR 164.520);

4. The patient’s right to request privacy restrictions (45 CFR 164.522(a)); and

5. The patient’s right to request confidential communications (45 CFR 164.522(b)).

However, as soon as the presidential or secretarial declaration terminates, a hospital must then comply with all requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

Distinction between HIPAA, HHS & FDA Protection of Human Subjects Regulations

Apart from the HIPAA Privacy Rule, there are other human subject regulatory requirements, which apply to most federally funded and to some privately funded research, to help ensure the privacy of subjects and the confidentiality of information. Much of the biomedical and behavioral research conducted in the United States is governed either by the rule entitled “Federal Policy for the Protection of Human Subjects” (also known as the “Common Rule,” which is codified for HHS at subpart A of Title 45 CFR Part 46) and/or the Food and Drug Administration’s (FDA) Protection of Human Subjects Regulations at Title 21 CFR Parts 50 and 56. FDA, a component of HHS, has additional human subject protection regulations, which apply to research involving products regulated by FDA.

The Privacy Rule does not replace or act in lieu of these human subject protection regulations, which means that researchers who are also (or who work for) covered entities may find themselves responsible for complying with multiple sets of regulations. There are some basic points of distinction among the Privacy Rule, the HHS Protection of Human Subjects Regulations, and the FDA Protection of Human Subjects Regulations.

In terms of their overall objectives, the HHS Protection of Human Subjects Regulations are intended to protect the rights and welfare of human subjects involved in research conducted or supported by HHS. The FDA Protection of Human Subjects Regulations, on the other hand, are intended to protect the rights, safety, and welfare of participants involved in studies subject to FDA jurisdiction under 21 U.S.C. 355(i) and 21 U.S.C. 360g(j). Lastly, the HIPAA Privacy Rule is intended to establish a Federal floor of privacy protections for most individually identifiable health information by establishing conditions for its use and disclosure by certain health care providers, health plans, and health care clearinghouses.

In terms of applicability, the HHS Protection of Human Subjects Regulations apply to human subjects research conducted or supported by HHS. The FDA Protection of Human Subjects Regulations apply to research involving products regulated by FDA. Federal support is not necessary for FDA regulations to be applicable. When research subject to FDA jurisdiction is federally funded, both the HHS Protection of Human Subjects Regulations and the FDA Protection of Human Subjects Regulations apply. The HIPAA Privacy Rule, on the other hand, applies to HIPAA-defined covered entities, regardless of the source of funding.

HIPAA loopholes exposed by Wall Street Journal

According to a report in the Wall Street Journal, “Increasingly complex confidentiality issues” in federal medical privacy rules “are affecting patients and their insurance coverage.”

The report also mentions that complaints of privacy violations “have been piling up.” HHS received 23,896 complaints related to medical-privacy rules between April 2003 and Nov. 30, 2006. However, 75 per cent of these complaints were found to involve no violation and had to be closed, according to an HHS spokesperson.

Since HIPAA was enacted in 2003, HHS has not taken enforcement action against any entity for violating the privacy rule. Consider the case of the attorney Patricia Galvin. Her notes from psychotherapy sessions at Stanford Hospital & Clinics were accessed by her insurer, UnumProvident, as a result of which she was denied disability benefits.

As published in the Journal, UnumProvident said the notes indicated that Galvin was not “too injured to work” after she was involved in a car accident and applied for long-term disability leave. Galvin has filed a lawsuit against Stanford and UnumProvident for violating medical privacy laws, among other issues, under the federal Health Insurance Portability and Accountability Act.

HIPAA provides added protection for mental health records, but Stanford in court papers said that “psychotherapy notes that are kept together with the patient’s other medical records are not defined as ‘psychotherapy’ notes under HIPAA.” Peter Swire, a law professor at Ohio State University, said, “We’re three years into the enforcement of the rule, and they haven’t brought their first enforcement action.” He added, “It sends the signal that the health system can ignore this issue.”

Is the transition to HIPAA 5010 too demanding on hospitals?

The American Recovery and Reinvestment Act is acting tough on hospitals by requiring them to do many Herculean tasks at one go, among them converting to an EHR, transitioning to HIPAA 5010, coordinating vendor and health plan testing, and training staff members on new technology.

Among them, the transition to HIPAA 5010 is perhaps the most demanding because its compliance deadline is just about two years away, on January 1, 2012. Even though it is a year ahead of the October 1, 2013 deadline for the ICD-10 cutover, the two deadlines overlap enough that both upgrades will have to be underway at the same time.

During its first national provider education call about HIPAA Version 5010, CMS provided an overview of the updated national code standard for billing software and answered several questions from providers, vendors, and other health information management and health information technology professionals.

It was said during the call that Medicare Administrative Contractors must be ready to use 5010 by January 1, 2011, thus giving providers one full year to coordinate testing efforts. The Medicare fee-for-service implementation of 5010 will include the following:

* Improved claims receipt, control, and balancing procedures
* Increased consistency of claims editing and error handling
* Improved efficiency for returning claims needing correction earlier in the process
* Improved assignment of claim numbers closer to the time of receipt.

What if your laptop containing PHI gets lost or stolen?

Just imagine this: a doctor’s laptop containing Personal Health Information of about 1,000 patients gets stolen or lost. What is to be done next?

The first point to make in this scenario is that PHI should never be stored on a laptop in the first place. The correct practice is to use an EMR so that all patient information is stored on the server.

If, however, it does happen, current technology can help. As soon as your laptop is stolen, you need to report it stolen, and the authorities then start the process of tracking it down (in the same way as they track stolen cars). If the laptop is ever connected to a network, it will call back to the main center and receive the command to wipe itself.

It will also give the authorities information about where it was connected, so the police can possibly recover the stolen laptop as well. An increasing number of companies now enable this facility on their laptops.

Adhering to HIPAA as a medical transcriptionist working from home

To have a good reputation as a medical transcriptionist, you need not only a quality work record but also the reliability to keep confidential all the medical data that passes through your hands.

Medical transcriptionists working in a medical transcription company usually adhere to the Health Insurance Portability and Accountability Act (HIPAA) standards, but if you are working from home, you must follow certain steps to keep medical records secure and confidential.

Firstly, keep your office in a private place out of the reach of family and friends so that all the medical data – the voice recordings and the transcribed information – are beyond anyone’s reach.

Protect your medical transcription work on the computer with passwords and keep your anti-virus software updated. Keep the firewall on whenever you are connected to a network, and when sending files to your client, make sure the files are transmitted over a secure computer network.

Encrypt e-mails that contain queries and information on the medical records. Lastly, back up your medical transcription work periodically on an external drive.

Parental access to child’s medical records as per HIPAA

The HIPAA Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative, when such access is not inconsistent with State or other law. However, there are exceptions in which the parent would not be the minor’s personal representative under the Privacy Rule:

* When the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law;
* When the minor obtains care at the direction of a court or a person appointed by the court; and
* When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.

However, even in these exceptional situations, if the State or other applicable law requires or permits parental access, the parent may have access to the medical records of the minor related to this treatment. Likewise, if the State or any other law denies such access, parental access would be denied. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.

Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.

Difference between consent & authorization under the HIPAA Privacy Rule

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed.

The Privacy Rule requires authorization for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization.

Filing a complaint with OCR – HIPAA

One can file a complaint with OCR if he/she believes that a covered entity violated health information privacy rights or committed another violation of the Privacy Rule. OCR can investigate complaints against covered entities related to the Privacy Rule. Under the Privacy Rule an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.

The rules which the complaint must follow are:

  • The complaint must be filed in writing, either on paper or electronically, by mail, fax, or email.
  • It should contain the name of the covered entity involved and describe the acts or omissions you believe violated the requirements of the Privacy Rule.
  • The complaint must be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”

If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. There is no need to sign the complaint and consent forms if sent by email because submission by email represents your signature.