Just about everyone has heard of HIPAA in one form or another. But what exactly is HIPAA compliance, and how does it relate to transcription companies and their services? Before looking at what requires HIPAA compliance, we first need to distinguish between the different categories of data and which of them fall under HIPAA requirements.
Data from the healthcare field can take the form of practitioners' notes, patient interviews, medical research reports, case study summaries, drug trial subject interviews, medical conference recordings, and so on, but not all of it requires HIPAA compliance.
A Brief Overview of HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a United States federal law whose implementing regulations set the standards for the lawful use and disclosure of Protected Health Information (PHI). Although HIPAA applies only within the United States, its rules are frequently used as a reference point for health data protection elsewhere.
Compliance is regulated by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). OCR issues guidance on new issues affecting health care, investigates complaints and reported breaches, and imposes penalties for HIPAA violations.
HIPAA regulation identifies two types of organizations that must be HIPAA compliant:
- Covered Entities: any healthcare organization that creates, receives, maintains, or transmits PHI electronically. Covered entities include healthcare providers, healthcare clearinghouses, and health plans (health insurance providers).
- Business Associates: any company or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Transcription companies that handle PHI for a provider are business associates.
The HIPAA Rules that Apply to Transcription Companies
The HIPAA Rules that pertain to using a third-party transcription company include:
HIPAA Privacy Rule: This rule sets the standards for when PHI may be used and disclosed, and those standards must be documented in the covered entity's policies and procedures. A provider may share PHI with a transcription company only after obtaining satisfactory written assurances that the company will appropriately safeguard the information it uses or discloses. Those assurances are set out in a Business Associate Agreement (BAA).
HIPAA Security Rule: This rule requires that electronic PHI (ePHI) be protected by administrative, physical, and technical safeguards that meet the national standards for its secure maintenance, transmission, and handling. Outsourcing transcription does not transfer this obligation away from the covered entity: it remains accountable for the PHI it shares, and since the Omnibus Rule the business associate is directly liable as well. That is why the provider should verify that the vendor's process is actually being followed rather than take a compliance claim on trust.
TranscribeMe provides secure maintenance, transmission, and handling of ePHI through our SFTP and cloud-based systems, which restrict access to data to only those people who are qualified and trained in HIPAA-compliant procedures and practices.
HIPAA Omnibus Rule: This 2013 rule extended the Security Rule, and direct liability for violating it, to business associates and their subcontractors, and requires the BAA to reflect those obligations. If a transcription company says "we're HIPAA compliant" but will not sign a BAA, it is not HIPAA compliant.
Not all Medical Data Needs to be HIPAA-Compliant
Very often, our teams are asked to provide a HIPAA-compliant workflow, only to find that the client does not actually need one. Some common examples of requests for an unnecessary HIPAA-compliant workflow are:
- A medical conference where the participants discuss general medical research or results, but no patient names or other Protected Health Information (PHI) are referenced. That kind of recording does not need a HIPAA-compliant workflow.
- A focus group where no identifiable information is revealed. If eight people take part, their names are not used, and the topic is "how are you faring six months after chemo?", the health details they share are not linked to identifiable individuals, so a compliant workflow is not necessary. If, however, the participants' names (or other identifiers) are recorded alongside what they say about their medications and treatments, or their names will be used in publications, then that is PHI and a HIPAA-compliant workflow should be used. Keep in mind that HIPAA's list of identifiers is broader than names: dates other than year, contact details, record numbers, and biometric identifiers such as voice prints all count, so a recording with no names is not automatically de-identified.
- Any medical information discussed in general terms does not require a HIPAA-compliant workflow. It is when you get into a specific patient's information that a HIPAA workflow becomes necessary.
Most patient studies and research studies do need HIPAA compliance.
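The rule behind the examples above is that PHI is health information linked to an identifiable individual, so a transcript needs the compliant workflow only when both parts are present. The following Python triage screen is an added example, not TranscribeMe's tooling and not code from the original article. It assumes the caller supplies the participant names to look for, uses a constructed list of health terms, and matches only the Safe Harbor identifier categories that have a mechanical pattern (dates, phone numbers, e-mail addresses, SSNs, medical record numbers); the sample transcripts are constructed for the demonstration. It is a routing aid that errs toward the compliant workflow, not a substitute for human review of anything it clears.

```python
import re
from dataclasses import dataclass, field

# Safe Harbor identifier categories that can be matched mechanically.
# Names have no reliable pattern, so they are matched against a caller-supplied
# list of participant names instead (an assumption of this example).
IDENTIFIER_PATTERNS = {
    "date": re.compile(                       # 03/14/1978 or March 14, 1978 (a bare year is permitted)
        r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}(?:,? \d{4})?)\b"
    ),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[A-Za-z]{2,}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}

# Constructed list of substrings indicating the content is about someone's health.
HEALTH_TERMS = ("chemo", "diagnos", "medication", "prescri", "treatment",
                "surgery", "headache", " mg ")


@dataclass
class TriageResult:
    identifiers: dict = field(default_factory=dict)   # category -> matched strings
    health_terms: list = field(default_factory=list)
    clinical_context: bool = False                     # caller knows this is a patient interview

    @property
    def hipaa_workflow_required(self) -> bool:
        # PHI = health information about an identifiable individual.
        # Health content alone (a conference talk) is not PHI; an identifier
        # alone in a recording that is not about health is not PHI either.
        return bool(self.identifiers) and (bool(self.health_terms) or self.clinical_context)


def triage(text: str, participant_names=(), clinical_context: bool = False) -> TriageResult:
    """Screen one transcript and report why (or why not) it needs the compliant workflow."""
    result = TriageResult(clinical_context=clinical_context)
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            result.identifiers[category] = hits
    lowered = text.lower()
    names = [n for n in participant_names if n.lower() in lowered]
    if names:
        result.identifiers["name"] = names
    result.health_terms = [t for t in HEALTH_TERMS if t in lowered]
    return result


if __name__ == "__main__":
    # Constructed transcript snippets mirroring the cases discussed in the article.
    samples = [
        ("conference", "The study enrolled 400 patients; median survival improved after treatment.", ()),
        ("anonymous focus group", "Participant 3: Six months after chemo I still get tired easily.", ()),
        ("named focus group", "Maria Lopez: Six months after chemo I still get tired easily.", ("Maria Lopez",)),
        ("patient interview", "I was born 03/14/1978, I take 20 mg of lisinopril, and my MRN 4471902 is on the card.", ()),
    ]
    for label, text, names in samples:
        r = triage(text, participant_names=names)
        print(f"{label:22s} required={r.hipaa_workflow_required} identifiers={r.identifiers}")
```

The screen deliberately reports the matched identifiers and health terms rather than a bare yes/no, so the person routing the job can see why a recording was flagged; anything it clears should still be spot-checked, because names outside the supplied list, free-text addresses, and voice itself are not detected.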
Not all data that needs HIPAA compliance comes from the medical field
A common misconception about HIPAA is that it only concerns the medical field, when in reality HIPAA compliance questions come up across many industries. Strictly, HIPAA binds covered entities and their business associates, so a firm outside healthcare is subject to it when it collects or handles the data for a covered entity; even where HIPAA does not formally apply, identified health data is best handled in a HIPAA-compliant workflow. Here are some examples:
- Data research firms sometimes have interviewees who give Personally Identifiable Information (PII) and discuss health-related information. Once that is recorded, the research firm must make sure the audio is handled through a HIPAA-compliant workflow.
- Surveys handed out by market research firms usually contain PII, and when they also ask about health they must be handled through a HIPAA-compliant process. For example, a medical research firm asked members of the public "have you gotten headaches before?" and "what have you done to get rid of your headaches?", along with "what's your first and last name?"
- Law firms specializing in personal injury, insurance defense, malpractice, and elder law are routinely privy to client PHI. Attorneys in other practice areas may also receive PHI, and when they handle it on behalf of a covered entity they are business associates and must meet the same security and privacy standards.
Hospitals, as covered entities whose business is treating patients, have to be fully HIPAA compliant.
HIPAA Compliance Needs Will Depend on the Data Stored
Overall, whether or not you need a HIPAA-compliant workflow depends on what is in your data, not on the type of recording you have. The responsibility for ensuring that your data is transcribed through a HIPAA-compliant workflow, under a signed BAA, stays with the covered entity; it cannot be outsourced to the third party, even though the third party is itself accountable for its own compliance.
One last important point: a valid written authorization from the patient permits uses and disclosures of their data that the Privacy Rule would otherwise prohibit, within the scope of that authorization. It does not exempt the covered entity from safeguarding the data it still holds. It is all about privacy and the patient's control over it.
TranscribeMe takes HIPAA compliance seriously and has the experience to provide accurate, compliant medical transcription. Our HIPAA-compliant transcription services give you accurate and timely results.