• What is HIPAA?
• What are the important requirements of HIPAA for a medical transcription company? Do you meet those?
• Can the Internet be used for medical transcription and still meet HIPAA requirements?
• Who and what is a Covered Entity and a Business Associate?
• How do you enforce HIPAA in your Practice?
• How secure is transfer of data?
• How do you control FDD, HDD, Pen drive accessibility of the employee?
• What sort of firewall do you have and what is your firewall policy?
• How do you block Yahoo, Hotmail, Alta vista etc. on your PCs?
• How do you block Chatting over internet?
• What is the data backup policy?
• How do you ensure HIPAA Compliance?
• In case of Information leakage what is Indoswift’s policy?

 

 

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was a result of congressional healthcare reform proponents to reform healthcare. The HIPAA legislation has four primary objectives.

• Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
• Reduce healthcare fraud and abuse
• Enforce standards for health information
• Guarantee security and privacy of health information of the four primary objectives, the fourth objective has the most impact on medical transcription

What are the important requirements of HIPAA for a medical transcription company? Do you meet those?

MTSOs must be able to support two requirements. Ensure the security and confidentiality of the patient's Protected Health Information (PHI) and maintain an audit trail of all individuals who have had access to a PHI. This means that transcription service providers must implement technology and business processes in their operation to support these two key requirements.Of course, we meet all of those.

Can the Internet be used for medical transcription and still meet HIPAA requirements?

Yes, as long as the transcription company uses encryption and password protection to prevent unauthorized access to the PHI. Dictations done on a telephone does not need to be encrypted. However, voice files transmitted by portable recorders should be encrypted prior to transmission over the Internet.Transcribed documents must be sent back to the healthcare provider in a secure manner using encrypted email or a secure FTP site or may be faxed with a disclaimer statement explaining the confidential nature of the document.

Who and what is a Covered Entity and a Business Associate?

HIPAA defines a Covered Entity (CE) as a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a HIPAA transaction. A physician's office or medical clinic would fall under the category of a Covered Entity.A Business Associate (BA) is a person or organization that performs a function or activity on behalf of the Covered Entity (CE), but is not a part of the covered entity's work force. A medical transcription service provider would be classified under the definition of a Business Associate.

How do you enforce HIPAA in your Practice?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) says that we have to Ensure Secure Transfer of data and security and confidentiality of the patient's Protected Health Information (PHI) and maintain an audit trail of all individuals who have had access to a PHI.

• Secure Transfer of data
• Security and Confidentiality of the PHI
• Audit trial of all the individuals who have had access to PHI

How secure is transfer of data?

Indoswift is using the services of SAVVIS Internet Data Centers in Irvine , CA and El Segundo , CA (A HIPAA Compliant Company) for secure transfer of data over the internet which meet the prime requirement of the HIPAA. So at Indoswift it is ensured that all the requirements of HIPAA are fulfilled in all respects.

How do you control FDD, HDD, Pen drive accessibility of the employee?

We have password protected drive and only the server administrator can have access to those. No one is allowed to bring in any kind of bag inside the production area. Also there is a strict physical check and monitoring through our management system.

What sort of firewall do you have and what is your firewall policy?

HPresently we are using specialized software best available till date. We restrict the internet access to other computers via our customized network policy, which restrict users for limited site search and also restrict them from downloading.

How do you block Yahoo, Hotmail, Alta vista etc. on your PCs?

We restrict its usage by our customized network policy and track the internet usage on server from time to time. There is only limited access on the PCs for sites such as www.rxlist.com, www.docfinderplus.com, etc. Access for other public sites is strictly denied.

How do you block Chatting over internet?

Firstly, no PC has chatting softwares installed on them. Secondly, because of the limited access on the website nobody is able to go beyond selected limited medical websites (which of course don’t have chatting options).

What is the data backup policy?

Our servers are built with fault tolerance – mirrored drives. A redundant system is ready in case of failure. A backup system is also ready offsite in case primary system fails. We take backups everyday to another hard disk and weekly on DAT Tapes. A monthly back-up of computer systems will be done and stored in a locked outbuilding on our property.

How do you ensure HIPAA Compliance?

Indoswift realizes that patient data is one of the most valuable assets a healthcare organization possesses, and it deserves the utmost protection. As a transcription service provider, Indoswift has following measures in place to protect the confidentiality, integrity and availability of protected health information:

• Voice files and data transmissions are transferred over a secure internet connection employing the latest encryption technologies
• Security measures to assure that all of our transcription areas are protected from unauthorized individuals. We are also planning to have hidden camps in production area and at main entrance.Restricting who can access information by utilizing user IDs and passwords; and changing passwords regularly
• Requiring employees to sign confidentiality agreements and providing employees ongoing training on privacy and security issues. “HIPAA counseling” before deploying any MT to the unit is part of it.
• Secured sever system to protect against intrusions so that information cannot be altered or destroyed
• Indoswift does not subcontract without the permission of its primary client.
• No bags, CDs, FDD, HDD, Pen-Drives, floppies, mobiles, and pagers are allowed inside the production area.
• No printer access for MTs or QAs.
• All employees of Indoswift work at our managed location. They do NOT work from home.
• Any spoiled hard copies of notes and copies of patient schedules are cross-cut shredded on site.These are only some of the practices Indoswift enacts to protect patient privacy. Indoswift wants to be everything you need in a transcription partner. That includes not having to worry about the compliance status of your outsourced transcription partner.

In case of Information leakage what is Indoswift’s policy?

So far we have not encountered any such leakage. In case of information leakage, if someone found guilty termination of employment and legal proceeding against guilty are the clauses which have been mentioned for such offence in our confidentially and non-disclosure agreement.