Tracking the Trail: As HITECH takes hold, MTSOs must lay groundwork to keep PHI secure

For years, medical transcription service organizations (MTSOs) and independent contractors (ICs) have abided by HIPAA. But compliance was contract-based, not a direct regulatory obligation-leaving the ball in the covered entity’s court to decide how much protection was enough.

Now, those dynamics have changed. Feb. 17, 2010 marked the first anniversary of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the first time business associates (BAs) will be held directly accountable for HIPAA violations. Amid new security demands, MTSOs and ICs must prove they’re keeping a close eye on who sees what, or they could find the government on their tail.

Personal health information (PHI) has always been vulnerable, but now MTSOs and ICs have a hand in keeping it out of the wrong paws. “This is not HIPAA, this is certainly bigger,” said Brenda Hurley, CMT, AHDI-F, medical transcription consultant and educator.

Breach notification rules, which were finalized last summer, require BAs to notify covered entities (CEs) if any leak occurs on their watch. “There are specifics about what needs to go to the CE, such as your name, the name of the patient, the work type, so they can identify what it was, where it went and why,” Hurley explained.

BAs face fines up to $1.5 million for HIPAA violations, and a breach affecting more than 500 people warrants an immediate notification to the Department of Health and Human Services (HHS) and a media alert.

To reduce breaches, HITECH requires BAs to appoint a privacy / security official to oversee compliance. Companies also must conduct a security risk assessment, which identifies gaps where information could be exposed. It’s an area where CEs and BAs should work together, according to Harry Rhodes, MBA, RHIA, CHPS, CPHIMS, FAHIMA, director of practice leadership for the American Health Information Management Association (AHIMA). “First of all, you need to have some kind of asset inventory,” he advised. “Look at what information the BA is holding and how important it is. Then you have to identify possible threats.”

The assessment proves to auditors that efforts are being made, but its not just for HHS’ benefit. BAs can use the findings to prioritize actions in the event of a breach, such as knowing which areas to shut down to contain any disclosures. Audit trails assist in locating the source of a breach and tacking where the leak spread, but that depends on the BA having such software capability and knowing how to access it, according to Rhodes.

To avoid a breach, HITECH also requires MTSOs and ICs to encrypt any PHI that the company handles, whether the data is being transferred, stored, used or destroyed. MTSOs and ics should look to the National Institute for Standards and Technology for guidance on security controls, such as encryption software for storage and virtual private networks for secure transfer, Rhodes said.

Many MTSOs, by virtue of BA agreements, already have encryption in place, but there could be overlooked areas. Encryption has been more common for data transfer than storage amount MTSOs, Hurley said. Data disposal has also been neglected, Rhodes added.

Encryption also produces a safe harbor of protection in the event of a breach. A loss, theft or hacking incident need not be reported when data is properly encrypted. In other words, if an individual can’t access, view or use the PHI contained in the device or network, it doesn’t constitute a breach.

In light of these new responsibilities, BAs are advised to draft new agreements with CEs. Some MTSOs may think a broad statement about following all current and future regulations will suffice, but it leaves too much up for debate, Rhodes said.

Contracts should lay out specifics, such as a deadline for BAs to notify CEs about a breach. CEs have 60 days to inform patients of an incident but there’s no federal guideline for how soon BAs have to sound the alarm.

The agreement should also affirm a BA’s obligation to protect information at the corporate level and among any MTs or subcontractors it employs. “They have to carry that level of trust to whomever they provide PHI,” Hurley said.

Is your company ready?

CEs are probably eager to share HIPAA responsibilities, but MTSO preparedness is another story. Despite all its hype, HIPAA was a bit of a dud for MTSOs, so there amy be some “complacency” about HITECH, Hurley said. “We haven’t done a good job getting the message out to the MTSOs,” she added.

Several MTSOs declined discussion about the new requirements, but Matt Read, head o customer service for TransTech Medical Solutions, Houston, said his company is HITECH-compliant, and it’s been for some time. “We were able to stay one step ahead of the regulations so when new stuff comes out, we don’t have to revamp anything-we just add another page to our book,” he explained.The MTSO already had a security official, risk analysis and controls in place, so the biggest change was updating BA agreements to reflect HITECH. An improved breach notification log also makes identifying and reporting potential breaches easier. “We track the patterns and trends,” Ready said.

Employees also undergo annual training on HIPAA compliance, and new ones get a thorough explanation of policies. “Everyone throws out ‘PHI.’ Well, what is PHI?” Read asked. “So a lot of it is educating them on what they are and what they are not allowed to do and making sure they understand that.

That being said, Read admitted his company had fewer challenges to face than some MTSOs. “We do absolutely nothing offshore, and all of our 350 transcriptionists are employed-we don’t use any contractors,” he said. “So it makes it a little easier for us.”

Hurley agreed that employing offshore work or ICs can complicate compliance. BAs are responsible for their entire work force, including outsourced help which differs from financial relationships. “Under IRS, [MTSOs are] not responsible [for ICs], but under [HITECH] you are,” Hurley explained.

Most HITECH discussions have focused on security document-based PHI, such as emails and databases, but the regulations have been less clear about voice files. MTSOs should be aware that audio can be just as vulnerable to breach, Hurley and Read noted.

Transcription rarely takes the spotlight, so when it comes to HITECH enforcement MTSOs and ICs may expect to be off the radar. But laying low is a high risk, according to the experts. The transcription industry has already witnessed enough breaches to warrant scrutiny and its dependence on computers makes it a worthy target. “We are the largest remote work force in all of health care, and we handle more data than any industry I can think of,” Hurley said.

BAs are expected to educate employees about HIPAA and HITECH requirements, but MTs should take it upon themselves to learn their responsibilities. under HTECH, MTSOs are accountable for violations, but individual MTs may also face criminal or civil charges for offenses. Ignorance is no excuse; MT employees are expected to be diligent at all times to avoid the potential for a breach. Similarly, MTSOs and CEs must mutually serve as watchdogs.

MTSOs would be wise to comply now instead of waiting for an incident to occur “This needs to be a priority,” Hurley said. “If you’re not ready, you better be-really fast.”