- What is HIPAA?
- What is the deadline for HIPAA compliance?
- What are the important requirements of HIPAA for a medical transcription
- Can the Internet be used for medical transcription data transfer
and still meet HIPAA requirements?
- If tapes are used to record dictation, will these meet HIPAA regulations?
- What is a Covered Entity?
- What is a Business Associate?
- Who is liable for privacy violation under HIPAA?
- How would this regulation be enforced, and what happens if
there is a breach in confidentiality or privacy?
- What are some of the penalties for not complying with HIPAA?
- What rights does the patient have under HIPAA?
- Are there any fax-specific guidelines according to HIPAA?
- What are the benefits of using ASP services that comply with HIPAA?
- To what extent is Medikin HIPAA compliant?
- Can the Privacy Officer of Medikin help us in meeting our
HIPAA compliance? If yes, what are the fees for this service?
(1) What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability
Act of 1996. It is a federal law that, among other things, protects the privacy
and security of patients' health information.
The HIPAA legislation has four primary objectives:
- Ensure health insurance portability by eliminating job-lock due to
pre-existing medical conditions
- Reduce healthcare fraud and abuse
- Set standards for the electronic exchange of health information
- Guarantee the security and privacy of health information
(2) What is the deadline for HIPAA compliance?
The Privacy Rule required healthcare organizations, insurers
and payers that store patient data or submit claims by any electronic means
to comply with its requirements by April 14, 2003 (small health plans were given
an extra year). The Security Rule, which sets out the administrative, physical and
technical safeguards for electronic PHI, had a later compliance date of April 20, 2005.
(3) What are the important requirements of HIPAA for a medical transcription
MTSOs should comply with the following basic requirements:
- Ensure the security and confidentiality of the patient’s Protected
Health Information (PHI).
- Maintain an audit trail of all individuals who have had access to a
patient's PHI.
Please see the Legal Compliance section for more details.
(4) Can the Internet be used for medical transcription data transfer
and still meet HIPAA requirements?
Yes. HIPAA does not restrict the use of the Internet
as long as proper encryption and security measures are in place during data
transfer: for example, files and dictation sent only over an encrypted channel
such as TLS or SFTP, and individual user accounts so that every access can be
logged and attributed to a person.
(5) If tapes are used to record dictation, will these meet HIPAA regulations?
There are certain issues with tapes. There is no easy
way to create and verify an audit trail of who has had the tape and who listened
to the PHI on the tape. If the tape is lost, one cannot guarantee the security
of the information on it.
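The audit-trail requirement in (3) and the verification gap that (5) describes for tapes are both addressed, for electronic documents, by a tamper-evident access log. The following is an added example and not Medikin's code or anything the page itself describes: a hash-chained, append-only log in Python in which every entry commits to the hash of the previous entry, so that an edited, deleted or reordered entry is detected on verification. The user names, document ids, field names and sample events are constructed for the example.

```python
"""Hash-chained access log for PHI documents (added example, not Medikin code).

Assumes the transcription application records one event per read, edit or
transmission of a document.  Field names, users, document ids and timestamps
below are constructed sample data.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

# Hash of the (non-existent) entry before the first one.
GENESIS = "0" * 64


def _entry_hash(entry: dict) -> str:
    # Canonical JSON so the same event always produces the same hash.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AccessLog:
    """Append-only log; each entry includes the hash of the previous entry."""

    def __init__(self):
        self.entries = []

    def record(self, user: str, doc_id: str, action: str, reason: str, when=None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "doc_id": doc_id,
            "action": action,
            "reason": reason,
            "prev": prev,
        }
        body["hash"] = _entry_hash(body)  # hash covers every field except itself
        self.entries.append(body)
        return body

    def accesses_to(self, doc_id: str) -> list:
        """Who touched this document, when, how and why: the list a patient can ask for."""
        return [(e["ts"], e["user"], e["action"], e["reason"])
                for e in self.entries if e["doc_id"] == doc_id]


def verify(entries: list) -> tuple:
    """Return (True, None) if the chain is intact, else (False, seq of first bad entry).

    Detects an edited entry (hash mismatch), a deleted entry (sequence gap /
    broken prev link) and a reordered entry (prev does not match predecessor).
    """
    prev = GENESIS
    for expected_seq, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != expected_seq or e["prev"] != prev or _entry_hash(body) != e["hash"]:
            return False, e["seq"]
        prev = e["hash"]
    return True, None


def build_sample_log() -> AccessLog:
    """Constructed events for one transcribed consultation and one QA review."""
    log = AccessLog()
    t0 = datetime(2003, 4, 14, 9, 0, tzinfo=timezone.utc)
    log.record("mt_jane", "CONSULT-1042", "transcribe", "dictation job 77", t0)
    log.record("dr_smith", "CONSULT-1042", "read", "sign-off", t0.replace(hour=10))
    log.record("mt_jane", "CONSULT-0999", "read", "QA review", t0.replace(hour=11))
    log.record("fax_gw", "CONSULT-1042", "transmit",
               "patient-authorized release to XYZ Clinic", t0.replace(hour=12))
    return log


def demo() -> dict:
    """Verify the intact log, then show that two kinds of tampering are caught."""
    log = build_sample_log()
    edited = copy.deepcopy(log.entries)
    edited[1]["user"] = "someone_else"      # someone rewrites who read the record
    deleted = copy.deepcopy(log.entries)
    del deleted[2]                          # an entry is quietly removed
    return {
        "intact": verify(log.entries),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "consult_1042": log.accesses_to("CONSULT-1042"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The chain only proves that the log has not been altered since it was written; to stop the writer itself from rewriting history, the latest hash should be periodically copied somewhere the application cannot modify (a write-once store or a second system).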
(6) What is a Covered Entity?
HIPAA defines a Covered Entity (CE) as a health plan,
a healthcare clearinghouse, or a healthcare provider who transmits any health
information in electronic form in connection with a HIPAA transaction. A physician’s
office or medical clinic would fall under the category of a Covered Entity.
(7) What is a Business Associate?
A Business Associate (BA) is a person or organization
that performs a function or activity on behalf of the Covered Entity (CE) involving
the use or disclosure of PHI, but is not part of the covered entity's workforce.
A medical transcription service provider falls squarely within the definition of a
Business Associate, and the CE must have a written Business Associate Agreement
with it before sharing PHI.
(8) Who is liable for privacy violations under HIPAA?
Penalties are levied on the facility or Covered Entity
because it bears the primary responsibility to protect the PHI. However,
if a breach is caused by a Business Associate or one of the independent contractors
in the chain of trust, these penalties can be extended to include them.
(9) How would this regulation be enforced, and what happens if there
is a breach in confidentiality or privacy?
There is no HIPAA police force, but a government agency enforces
the regulation. If a patient feels that his or her rights as a patient have been
violated, or that his or her PHI has been misused in any way, the patient can file
a complaint with the Office for Civil Rights (OCR) of the Department of Health and
Human Services; OCR requires complaints to be in writing, on paper or electronically.
Serious cases can involve the Office of Inspector General, and suspected criminal
violations are referred to the Department of Justice.
(10) What are some of the penalties for not complying with HIPAA?
Under the original statute, civil penalties were $100 per violation,
with the total for violations of an identical requirement by a Covered Entity
during a calendar year capped at $25,000 (the HITECH Act of 2009 raised these
amounts substantially). HIPAA also provides for criminal liability for anyone
who knowingly obtains or discloses individually identifiable health information.
The maximum penalty is a fine of up to $50,000 and imprisonment of up to one year.
If the offense is committed under false pretenses, the maximum penalty is a fine
of up to $100,000 and imprisonment of up to five years. If the offense is committed
with the intent to sell, transfer or use individually identifiable health information
for commercial advantage, personal gain or malicious harm, the maximum penalty is
a fine of up to $250,000 and imprisonment of up to ten years.
(11) What rights does the patient have under HIPAA?
HIPAA gives the patient a set of rights in relation to his/her
healthcare documentation, which include:
- The right to inspect and obtain a copy of his/her medical record,
- The right to request amendments to the documentation, which the physician
may deny for specific reasons,
- The right to an accounting of disclosures of his/her PHI, listing who received
it, when, and for what purpose (routine disclosures for treatment, payment and
healthcare operations are exempt from this accounting),
- The right to be told when his/her PHI has been wrongfully shared,
- The right to be informed of the facility's (Covered Entity's) policies and
procedures for security and privacy, through its Notice of Privacy Practices.
As patients become aware of these rights you should be prepared to deal
with any legitimate requests they may make.
(12) Are there any fax-specific guidelines according to HIPAA?
HIPAA's Privacy Rule applies to faxed PHI just as it does to any other
disclosure. Your facility should establish fax policies based on federal and
state privacy statutes (state law may be stricter than HIPAA).
- Faxing PHI to a party outside the covered entity's operation is a disclosure.
The Privacy Rule permits disclosures for treatment, payment and healthcare
operations without authorization; for any other purpose, written authorization
from the patient must be obtained. Take a scenario where you work as an MT for
ABC Clinic and have transcribed a patient's consultation. Another clinic, XYZ,
wants a copy of that consultation. Unless XYZ is treating the patient, you must
have the patient's authorization. In every case, reasonable steps must be taken
to ensure that the fax reaches the correct destination. Preprogrammed numbers
should be tested regularly to ensure they have not changed; if you fax to a
particular facility or doctor, ask them periodically whether the number has
changed so that your preprogrammed numbers stay accurate.
- Each time a fax containing PHI is sent, use a complete fax cover sheet that
includes the destination, the person to whom you are faxing, the number of pages,
the date, a list of all documents included in the fax, and a confidentiality
notice asking any unintended recipient to notify the sender and destroy the fax.
Keep a copy of that cover sheet on file, because the patient has the right to an
accounting of who has received the PHI.
- For sending and receiving faxes, your fax machine must be in as secure an area
as your computer. It cannot be in an area where passers-by could pick up pages
from the fax machine and read confidential information.
(13) What are the benefits of using ASP services that comply with HIPAA?
An ASP platform runs on current hardware and software with centrally
managed authentication and access control over PHI and other health documentation.
Application security and Internet data transfer can be encrypted, monitored and
controlled more consistently on an ASP platform than on stand-alone machines. An
ASP provider is also likely to have redundant infrastructure to cushion hardware or
software failures, and central logging that makes a breach easier to detect and
investigate. Because an ASP provider serves a number of MTSOs, it can spread the
high cost of meeting HIPAA requirements across them. Note that an ASP handling PHI
is itself a Business Associate, so a Business Associate Agreement is required and
the MTSO remains responsible for choosing a provider with adequate safeguards.
(14) To what extent is Medikin HIPAA compliant?
Please see Medikin's Compliance section for details.
(15) Can the Privacy Officer of Medikin help us in meeting our HIPAA
compliance? If yes, what are the fees for this service?
Yes, our Privacy Officer can guide you in his professional
capacity in meeting HIPAA compliance requirements. Please contact us at firstname.lastname@example.org
for details on this service.
The information provided here is for information purposes only and is not to
be construed as legal advice. In all matters pertaining to HIPAA compliance,
legal counsel should be sought.