HIPAA

MedOfficePro is fully committed to handling and protecting the privacy and security of PHI/PMI (Patient Health Information or Patient Medical Information) that belongs to clinicians using its system. MedOfficePro complies with all federal and state regulations that apply to electronic data delivery for its customers. All MedOfficePro employees and associates sign a Non-disclosure/Confidentiality Policy statement. MedOfficePro signs a Business Associate Agreement with customers and has implemented a detailed program across various levels of the organization to ensure that all processed and protected health information is used and disclosed in accordance with Business Associate Agreements. As a business partner (or Business Associate), MedOfficePro follows processes and systems that reinforce a customer's HIPAA compliance policies and procedures.

Note: HIPAA remains an ongoing initiative at MedOfficePro. The HIPAA Team at MedOfficePro ensures that all employees receive appropriate HIPAA training and awareness on a regular basis. For any questions or clarifications related to HIPAA compliance, you can contact hipaasupport@medofficepro.com.

Security and Privacy Policies at MedOfficePro

MedOfficePro's comprehensive HIPAA program includes a set of processes that cover physical measures (storage of data and PHI) and IT-related "best practices" for electronic data communications. Internally, MedOfficePro has developed HIPAA training programs for all employees. The HIPAA training program is managed by a HIPAA Officer. A brief overview of the "best practices" for data handling and transcription processes is provided below:

Data Storage and Backup

MedOfficePro has implemented a storage and data backup system with 99.9% uptime. The system offers full redundancy, achieved by running two high-end servers at two data centers in two different geographical locations. The servers are hosted by Tier-1 service providers and come with services (features) such as 24x7/365 monitoring, firewalls, power backups, etc.

Workforce

As part of its continuing education and awareness program, MedOfficePro's workforce is trained and educated on HIPAA policies on a regular basis. All employees also sign a Confidentiality Agreement. MedOfficePro's HIPAA Officer is accountable for ensuring that HIPAA compliance is always a part of any new system or process.

Data Transmission

All patient-related data transmission (including voice), to and from clients, is over Secure Sockets Layer (SSL) with 128-bit encryption. This is the highest level of encryption available for business transactions and exceeds requirements.

Information Access and Audit

All employees are hired carefully, with background checks, and undergo an induction program that trains them on the MedOfficePro Transcription Platform and HIPAA requirements. All employees sign Confidentiality Agreements. The Confidentiality Agreement also contains detailed data handling guidelines (no copying of data onto diskettes, no emailing of data within the office or outside, etc.).

  • All employees (MTs, QAs, Managers) have a unique Username and Password to access the Transcription Platform. Dictations can only be accessed by securely logging in with a Username and Password issued by our Systems Manager.
  • All Usernames and Passwords are unique and are changed frequently for security purposes.
  • All employees go through annual HIPAA awareness training.
  • All PHI and transcribed reports are stored on two redundant servers and never on employee PCs.
  • Internet access and privileges are discontinued immediately upon termination of an employee, completion of a contract, or end of service on the grounds of disciplinary action arising from violation of any company policy.

MedOfficePro discourages paper-based data exchange in the office. PHI or any other type of patient data exchange for business purposes among employees is always done using Secure Sockets Layer or Secure FTP technology (128-bit encrypted). Use of email to send or receive any sensitive patient data (date of birth, illness details, etc.) is not permitted.

HIPAA Background

From a historical perspective, the Health Insurance Portability and Accountability Act (HIPAA) was enacted under President Bill Clinton in 1996. The law was passed primarily to provide continuity of healthcare coverage for individuals changing jobs. The law also includes important provisions that affect multiple entities dealing with healthcare information and data transfer in general.

HIPAA can be confusing to most people, as its widespread implementation and enforcement is still not uniform across the country. Simply put, insofar as transcription companies are concerned, HIPAA regulations cover requirements to ensure the security and privacy of individuals' protected health information (PHI). Another key objective of the HIPAA standards is to maintain the right of individuals to keep information about them private.

The Department of Health and Human Services is responsible for developing and issuing regulations to address these requirements. HIPAA's "Administrative Simplification" provision is composed of four parts, each of which has generated a variety of "rules" promulgated by the Department of Health and Human Services. The four parts of Administrative Simplification are:

  • Standards for Electronic Transactions
  • Unique Identifiers Standards
  • Security Rule
  • Privacy Rule

Standards for Electronic Transactions

The term "Electronic Health Transactions" includes health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions.

In the past, health providers and plans have used many different electronic formats to transact medical claims and related business. Implementing a national standard is intended to result in the use of one format, thereby "simplifying" transactions and improving their efficiency nationwide.

Virtually all health plans must adopt these standards. Providers using non-electronic transactions are not required to adopt the standards for use with commercial healthcare payers. However, electronic transactions are required by Medicare, and all Medicare providers must adopt the standards for these transactions. If they don't, they will have to contract with a clearinghouse to provide translation services.

Health organizations also must adopt standard code sets to be used in all health transactions. For example, coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms and actions taken must become uniform. All parties to any transaction will have to use and accept the same coding, for the purpose of reducing errors and duplication of effort. Fortunately, the code sets proposed as HIPAA standards are already used by many health plans, clearinghouses and providers, which should ease transition to them.

Unique Identifiers for Providers, Employers and Health Plans

In the past, healthcare organizations have used multiple identification formats when conducting business with each other, a confusing, error-prone and costly approach. It is expected that standard identifiers will reduce these problems. The Employer Identifier Standard, published in 2002, adopts an employer's tax ID number or employer identification number (EIN) as the standard identifier for electronic transactions. Final standards for Provider and Health Plan identifiers have not yet been published.

Security Rule

The final Security Rule was published on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual. The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce. Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.

The Security Standard is intended to be scalable; in other words, it does not require specific technologies to be used. Covered entities may elect solutions that are appropriate to their operations, as long as the selected solutions are supported by a thorough security assessment and risk analysis.

Privacy Rule

The Privacy Rule is intended to protect the privacy of all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has ever been in electronic form. The rule establishes the first "set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care". The Privacy Rule requires covered entities to:

  • Give patients new rights to access their medical records, restrict access by others, request changes, and learn how their records have been accessed
  • Restrict most disclosures of protected health information to the minimum needed for healthcare treatment and business operations
  • Ensure that all patients are formally notified of covered entities' privacy practices
  • Enable patients to decide whether they will authorize disclosure of their protected health information (PHI) for uses other than treatment or healthcare business operations
  • Establish new criminal and civil sanctions for improper use or disclosure of PHI
  • Establish new requirements for access to records by researchers and others
  • Establish business associate agreements with business partners that safeguard their use and disclosure of PHI
  • Implement a comprehensive compliance program, including:
    • Conducting an impact assessment to determine gaps between existing information practices and policies and HIPAA requirements
    • Reviewing the functions and activities of the organization's business partners to determine where Business Associate Agreements are required
    • Developing and implementing enterprise-wide privacy policies and procedures to implement the Rule
    • Assigning a Privacy Officer who will administer the organizational privacy program and enforce compliance
    • Training all members of the workforce on HIPAA and organizational privacy policies
    • Updating systems to ensure they provide adequate protection of patient data