HITECH: A Big Burden for Small BAs

By Cheryl McEvoy is an assistant editor with ADVANCE.

They know what you’re thinking: HITECH? That’s for the big guys, not me.

And that’s just how they’ll get you.

New HIPAA security requirements for business associates (BAs) under the Health Information Technology for Economic and Clinical Health (HITECH) Act are imposing for any medical transcription service organization (MTSO), but small businesses and independent contractors (ICs) shouldn’t expect any breaks. MTs who go it alone may expect to fly under the radar, but they’re just as vulnerable to security audits as large corporations-and they don’t have plentiful resources (or lawyers) to fall back on.

“There is nothing in the rule that has a scalable value,” explained Brenda Hurley, CMT, AHDI-F, medical transcription consultant and educator. “In other words, it’s not ‘If you’re an MTSO with 20 employees or more, you have these rules.’ The rules apply to everyone.”

As of Feb. 17, 2010, HITECH requires all BAs that transfer, store, use or destroy personal health information (PHI) to implement security controls, such as appointing a security official, conducting a security risk analysis and encrypting data. Most large MTSOs already have such measures in place as a byproduct of contract negotiations with covered entities (CEs). Individual MTs, however, may not have that luxury.

“The big companies have been using this kind of stuff for a long time. They have whole departments dedicated to learning about regulations; they’re really well-educated,” said Ava Marie George, an IC and director for the Association for Healthcare Documentation Integrity (AHDI). “The small IC or the very small MTSO doesn’t have the same experience.”

Relationship Issues

ICs will face different challenges depending on their client relationships, and that’s where things get technical. MTs who subcontract with large MTSOs don’t fall under the HITECH requirement for security compliance–only BAs that contract directly with CEs are liable, while subcontractors are considered third-parties. At the same time, contractors must follow any security demands the MTSO makes; the company will be responsible for any violations subcontractors commit, so they’ll want to cover their tail.

Contracts with hospitals do fall under HITECH, so ICs and small MTSOs will be responsible for compliance. CEs are so versed in HIPAA security protocol, however, that they may give ICs a hand.

George contracts with a hospital that supplies her with a computer and encryption software, but she’s on her own with other clients. Like George, ICs with multiple accounts in different settings may have the hardest time, as they’ll need to keep track of which policies apply where. “It’s like compartmentalizing everything,” she said. “I have my one IC hat on with my hospital that gives me everything, so I don’t have to worry about that. And then I have my other IC hat on when I’m working for somebody else.”

To make matters even more complex, patchwork state privacy laws still exist. Therefore, an MT could meet federal requirements, but still be neglecting standards on the local level, Hurley noted.

For small MTSOs and ICs who purchase their own equipment, compliance is a costly but necessary investment. Encryption tools range in price, but there are affordable options, according to Hurley. The key is knowing what you can or can’t write off as a business expense. “You have to make sure if it’s costing you to do updates you’re keeping receipts for that,” George said.

ICs and small MTSO owners can serve as their own security officials, but if they don’t feel confident taking on the role, they may need to hire a security consultant-on their dollar. “It depends on their level of technical expertise,” said Nikki Burdick, RHIT, RMT, owner of We Transcribe, a small MTSO. Her husband is in the IT business, so she dodged having to pay a bill for system advice, but others won’t be as lucky.

“Thinking” HITECH

There’s more to compliance than just the expense. MTs must change their frame of mind about working with sensitive information, George said. “Offices are going to have to come out of the bedrooms and dining rooms, and they’re going to have to have a secure place where they can lock a door,” she explained. “If [auditors] come in to look at your house and you have [the computer] in a place that’s public or open where patient information can be viewed, you’ve violated HIPAA.”

Small businesses and ICs often contract with single physician offices. While large hospitals are aware of HIPAA security protocol, small practices may not be as attuned to the requirements, nor have the equipment to support secure transfer. Physician education, therefore, may fall to the MT. “There are still people out there using tapes, so [HITECH] is a perfect chance to go back to the client and say ‘Get off the tapes,'” Hurley said.

ICs and owners must take the initiative to draft a BA agreement and require clients to sign it. For those who have longstanding relationships with physicians, the sudden dose of legalese may be uncomfortable, but it’s the only way MTs can assert compliance. When HIPAA was first passed in 1996, Burdick sent a letter to clients to reassure them of her privacy practices; now she’s following up with a BA addendum to give herself peace of mind. “I can say that, if something does occur, I acted in good faith and I feel as though my documentation, my BA agreements, my measures I put in place would help me favorably,” she said.

Only time will tell whether MTs are targeted for enforcement, but if investigators go looking, ICs will be easy to find. “We are everywhere-our Social Security number’s everywhere; what we do is everywhere; we have our own job classification, so they can look at the IRS to find us,” George noted.

Burdick isn’t sure how enforcement will pan out, but she’s not taking any chances. Aside from putting encryption and policies in place, she was heading to an AHDI chapter meeting for specifics on HITECH compliance, and she advised others to do the same. “I always want to be prepared,” she said. “Your business is your lifeline, your income–you don’t want anything to jeopardize that.”

Cheryl McEvoy is an assistant editor with ADVANCE.