MT World News Center

Tools & Resources
Calorie Counter
Human Anatomy Images and Diagrams
Most Common Drugs
Medical Transcription Services
Productivity Tools
Normal Lab Values
Medical Terminology
Medical Transcription Associations
Medical Transcription Certification
Counting Lines
Medical Abbreviations
Medical Plurals
Calendar of Events
Understanding HIPAA
Grammar Rules
IC vs Employee Status
Comic Relief!
MT Article Archive
Neurology Resources

Search Drug Database

Pharma Search Tool

Search Language Database

Language Search Tool





Understanding HIPAA

Free Info on our recommended Medical Transcription Program leading to an exciting home based medical transcription career

Christopher L. Dunn, Author

What is HIPAA?

The Department of Health and Human Services has developed a series of privacy regulations known collectively as the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). These regulations are designed to protect the privacy rights of individuals with regard to their confidential medical records. The act greatly restricts the dissemination and transmittal of personal patient information and will dramatically affect the way healthcare information is handled.

Who do the HIPAA Regulations Apply to?

HIPAA regulations have been crafted to have broad application. The provisions of the Act extend to all health care plans, health care providers who transmit health records in an electronic format, and health care clearinghouses and billing companies. The bill refers to these organizations as "Covered Entities". Ultimately, however, almost everyone will be affected in one way or another by these regulations, which will impact both consumers and providers of health care services.

Are Medical Transcription Services Considered "Covered Entities"?

Most Medical Transcription Services and their employees are not considered "Covered Entities" under the Act unless their organization also engages in services that put them in the category of "Covered Entity". Medical Transcription Services are typically regarded under the Act as "Business Associates". The Act defines a Business Associate as "any person or organization that performs a function or activity on behalf of a Covered Entity, but is not part of the Covered Entity's workforce (employees, volunteers, trainees and others under the Covered Entity's direct control, regardless of whether they are paid by the Covered Entity." Be aware that state regulations may differ from national regulations and certain States may define MT Services as Covered Entities.

Free Info on our recommended Medical Transcription Program leading to an exciting home based medical transcription career

As a Business Associate, a Medical Transcription Service may not be directly governed by HIPAA regulations. However, Business Associates are governed indirectly by virtue of the fact that Covered Entities are required to obtain written assurances from the Business Associates that they deal with to ensure that patient identifying information is appropriately safeguarded. These written assurances must be included in a written contract between the Covered Entity and the Business Associate.

Because of the strict requirements of the Act relating to Covered Entities, Business Associates can expect that the Covered Entities for whom they perform services will be vigilant in requiring evidence of compliance from their Business Associate partners. This will likely take different forms from organization to organization. However, MT Services should plan to understand and implement their own action plans and oversight mechanisms to ensure that they meet the requirements of the Act.

Free Info on our recommended Medical Transcription Program leading to an exciting home based medical transcription career

How does HIPAA Apply to Independent Medical Transcriptionists?

Medical transcriptionists who operate as Independent Contractors to Medical Transcription Services (Business Associates) and who have direct access to patient health information are referred to by the Act as "Third Parties." Third Parties must have a written contract with the Business Associate for whom they provide contract services to assure that patient information conveyed to them will be appropriately safeguarded and that all electronic data transmissions between the Third Party and the Business Associate are conducted in accordance with the approved national standard. This contract should be similar in nature and scope to the contract between the Business Associate and the Covered Entity.

When does HIPAA Become Effective?

The rules became officially effective on April 14, 2001. However, the Act provided for a period of time before complete compliance was mandated. Small health care plans, for example, had until April 14, 2004 to become completely compliant. All other covered entities were required to become fully compliant by April 14, 2003.

Does the Act Govern the Transmittal of Electronic Patient Information?

The Act calls for the standardization of electronic document transmittal. The national standard which has been prescribed by HIPAA for electronic health record transmittal is ANSI X12. This national standard governs both the content and the format of patient information that is sent electronically between two organizations.

What are the Other Key Provisions of the Act?

The primary focus of the Act is to restrict the dissemination of patient health care information. The conditions under which information can be conveyed are spelled out very explicitly. If the Act does not specifically allow for health care information to be shared in a certain manner or under a certain set of conditions, it is prohibited.

The rules specifically pertain to health information that is transmitted or maintained in any form (oral, paper, electronic, etc.) and which contains patient identifying information. Patient identifying information includes such things as name, address, social security number, phone number, and any other information which could be used to identify an individual.

In order to be compliant, covered entities must implement measures to ensure that patient information is protected in accordance with the provisions of the Act. Specifically:

  • Written notification must be given to individuals telling them how information will be used and to whom it will be disseminated (insurance and billing companies, or other health care practitioners, for example).

  • Written consent must be obtained from the individual allowing for the use and maintenance of personal information as provided for by the Act.

  • Disclosure or use of information for any other purpose or to any other organization requires specific authorization from the individual.

  • Reasonable efforts must be made by covered entities to minimize the dispersal of patient information.

  • Health information can be conveyed to Business Associates ("Business Associates" is a term that typically includes Medical Transcription Service Providers and their employees) only after written assurance is provided to guarantee the protection of the information.

  • Privacy officials must be appointed by each covered entity to develop, implement and oversee privacy policy for the covered organization. A primary contact person must also be designated to handle complaints and inquiries about the organization's policy.

  • All employees of the covered entity must receive formal training to ensure that they understand the requirements of the privacy Act as they pertain to their specific duties.

  • Covered entities must establish adequate administrative, technical and physical safeguards to ensure that all privacy requirements are upheld within the organization.

What are the Penalties for Non-Compliance?

Covered entities which fail to comply with the final regulations by the mandated compliance date may incur stiff penalties, including the payment of a fine. In certain cases, criminal charges may be brought against the non-compliant entity.

Free Info on our recommended Medical Transcription Program leading to an exciting home based medical transcription career

  ^ Top