ANSWER: Medical transcriptionists are required to implement reasonable safeguards
designed to protect the privacy and security of personal health information
(PHI).

Medical transcriptionists are subject
to the business associate requirement set forth under HIPAA's privacy rule (the
"Privacy Rule"). They are subject to this requirement because the
transcriptionist performs a function on behalf of health care providers that
includes the use and disclosure of PHI. Accordingly, transcriptionists are
prohibited from using or disclosing PHI in any manner that would violate the
Privacy Rule if done by the provider itself. It is important to keep in mind,
however, that covered entities, although not allowed to use or disclose PHI in
any manner except as permitted under HIPAA, are not required to protect against
any and all, known, unknown, or unlikely uses or disclosures in violation of the
Privacy Rule. Safeguards must be reasonable, but not foolproof.

HIPAA's proposed security standards
(the "Security Standards") apply to PHI that is either electronically maintained
or transmitted. Covered entities will be required to enter into chain of trust
agreements with medical transcriptionists when PHI is processed electronically
through the transcriptionist. (Of course, this assumes that the "chain of trust"
concept remains in the final rule.) Pursuant to these chain of trust agreements,
transcriptionists will be obligated to maintain the integrity and
confidentiality of PHI while in receipt of such information and during
transmission of the same. HIPAA stops short of mandating specific technology
solutions that covered entities must implement (or require their chain of
trust partners to implement) in order to ensure the security of PHI; it requires
only that covered entities implement appropriate administrative procedures,
physical safeguards, and technical security services and mechanisms to guard
data integrity, confidentiality and availability and to prevent unauthorized
access to certain data.

Scribernet has undertaken HIPAA compliance and has taken painstaking measures
to protect all patient information. Our levels of security meet and exceed all
HIPAA regulations related to electronic transmission of EPHI.

Scribernet has implemented the following technical safeguards in compliance
with the Department of Health and Human Services, Office of the Secretary,
Health Insurance Reform, Security Standards (Final Rule), as specified in the
Federal Register, Section 164.312. The full Federal Register text on Privacy
and Security is available in ".pdf" format.

Access control:
Scribernet has implemented procedures in the Webscriber system that allow
access to Electronic Patient Records (Electronic Protected Health Information,
EPHI) only to persons who have been granted access rights. Protection of
Webscriber secure server resources is provided primarily by the firewall.
Firewalls screen all inbound and outbound traffic to grant access only to
authorized applications, and only to legitimate users. Determining who is a
legitimate user (proof of identity) is the role of authentication. Thus
Webscriber's authorization or access control protects the privacy of
information stored on servers.

User Identification and Authentication:
Webscriber assigns a unique number for identifying and tracking user identity,
author identity and patient identity.

Encryption and decryption:
Scribernet takes advantage of proven, well-accepted and open standards for
authentication and encryption. Webscriber applies Triple DES 168 bit
encryption and decryption (with an 8 bit key), together with transmission via
secure sockets layer (SSL), during transmission and maintenance of EPHI at the
website. To assure our customers of the identity of Scribernet web servers, we
have purchased Secure Server, True Business ID from GeoTrust. A secure logo
will be displayed on all Scribernet (www.client.scribernet.com) trusted web
pages. This is the only next generation web trust service that combines
state-of-the-art 128-bit SSL encryption and identity verification. GeoTrust is
a leading provider of next generation information security services and
delivers secure e-commerce transactions, identity verification and
authentication solutions to the global web community.

Audit Controls:
Software procedural mechanisms have been implemented that record and examine
activity in the Webscriber system that contains EPHI. Procedures and protocols
are implemented at the Scribernet facility throughout the transcription
processing phase to assure that all work is completed, and all documentation
is tracked and accounted for. Auditing of activities occurring in our system
provides for:
- Creation of records concurrent with any use
- Trail records identifying user, data source etc.
- Monitoring all changes to access authorities

When you upload files for transcription you'll be providing details of a very
sensitive nature. Scribernet will not disclose any information about any
person or matter contained in your uploaded files. You retain ownership of all
data, and a complete audit trail is available of all personnel who have ever
accessed files. Security of your data is important to Scribernet. Our policies
and technology are designed to adopt the latest and most promising
developments in the field. We understand the importance of protection of your
data on the Internet.

Integrity:
Webscriber has implemented procedures to protect against improper alteration
and destruction of EPHI. Scribernet performs a two-level backup two (2) times
daily. All data is backed up two times per day at the facility, first to a
backup server, second to a CD that is stored in a secure location under
management control.
- Backup process performed in a dynamic mode, so the system can be operational
  24 hours a day with no data loss after a system failure, if any
- System recovery to point of failure in the event of hardware/software failure

Transmission Security:
Webscriber guards against unauthorized access to EPHI that is being
transmitted over the electronic network. All medical data (dictation,
transcription, search facility and EMR) is managed on a secure server that
encrypts all data communication between your computer and our server. This
means that anyone intercepting any data while it is being transferred from our
server to your computer could not interpret or decode this data. Scribernet
allows you to view patient files on the secure server and download them if
required. All downloads will be encrypted and then decrypted with a key. To
access any data from the secure Scribernet website, a valid username and
password are required, as an added level of precaution.

Other Security Measures:
Doctors are discouraged from inserting patient names in dictations; only
patient initials should be used. Instead, the opportunity is given to insert
patient demographics through a user interface screen before every voice file
is uploaded. The patient demographics are kept on the server in a small file
(the common reference is the file name, which links this information to the
voice file). This file is not sent to the transcriptionists. When the
transcribed text file is returned to the Web, the patient demographic
information is inserted into the transcribed text by our software on the
server (by referencing the common file name). Only then is the transcribed
file ready for download at the client's office. So, even if there is a breach
of confidence at the transcriptionist site, nobody will be able to link the
patient information to the patient name. As a result, PHI security becomes
even better.
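
The separation described above, as an added example that is not Scribernet's own code: demographics stay in a server-side store keyed by the common file name, the transcriptionist receives only the audio, and the transcript is merged on return. The random file name, the `.wav` extension, the demographic fields and the check for a spoken full name are assumptions of this example.

```python
import secrets

# Server-side store: common file name -> patient demographics.
# This mapping never leaves the server (held in memory here, an assumption).
DEMOGRAPHICS = {}


def submit_dictation(audio: bytes, demographics: dict) -> dict:
    """Accept an upload; return only what is sent to the transcriptionist."""
    # Random common file name, so the name itself reveals nothing (assumption).
    ref = secrets.token_hex(8)
    DEMOGRAPHICS[ref] = dict(demographics)
    return {"file": ref + ".wav", "audio": audio}  # no demographics included


def finalize_transcript(file_name: str, text: str) -> dict:
    """Re-attach demographics to a returned transcript by common file name."""
    ref = file_name.rsplit(".", 1)[0]
    demo = DEMOGRAPHICS.get(ref)
    if demo is None:
        raise KeyError("no demographics on record for " + file_name)
    # The scheme only holds if the dictation used initials, so flag any
    # transcript in which the full patient name was spoken and typed.
    leaked = demo["name"].lower() in text.lower()
    header = "Patient: {name}\nDOB: {dob}\nMRN: {mrn}\n\n".format(**demo)
    return {"document": header + text, "name_in_dictation": leaked}


# Constructed sample data, not real patient information.
SAMPLE = {"name": "Jane Example", "dob": "1970-01-01", "mrn": "TEST-0001"}

if __name__ == "__main__":
    job = submit_dictation(b"<audio bytes>", SAMPLE)
    done = finalize_transcript(job["file"], "J.E. seen today for follow-up.")
    print(done["document"])
    print("full name in dictation:", done["name_in_dictation"])
```

A transcript flagged with `name_in_dictation` shows where the separation failed at the source: the name reached the transcriptionist inside the audio, regardless of how the demographics file was handled.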

Privacy Policy:
Besides the above measures, access to personally identifiable information is
restricted to employees and businesses who need access to the information in
order to do their jobs. These employees are very limited in number, and are
committed to the privacy and security policies. The extra step is taken to
have all employees execute comprehensive nondisclosure agreements, which
provide explicit legal confidentiality protections.

Please visit the following links:
http://www.hhs.gov/ocr/hipaa/
http://aspe.os.dhhs.gov/admnsimp/
http://aspe.hhs.gov/search/admnsimp/txfin00.htm
http://www.hhs.gov/news/press/2002pres/hipaa.html