The press release published by the Federal Trade Commission (FTC) in January 2014 is a grim reminder of just how important HIPAA compliance is for a medical transcription company. The California-based transcription company settled FTC charges following a complaint that it had disclosed the personal information of thousands of people, including medical histories and examination notes, on the Web. The company had failed to implement proper security measures when handling the data.
The medical transcription service provider had hired contractors to transcribe the audio files sent by its customers. The contractors would download the files from the company’s server, transcribe them, and then upload them back to the network. The company would then send the transcripts to the customers either directly or by e-mail. However, things took an ugly turn when, according to the complaint, medical transcript files prepared by the company between March 2011 and October 2011 were indexed by a major search engine and became accessible to anyone who used that search engine.
The company’s privacy statements and policies promised that materials passing through its system were highly secure and were never disclosed to anyone. However, it had failed to implement the necessary data security measures. Even the installation of anti-virus software was contracted out. The transcription contractor the company hired stored and transmitted the files on a server that could be reached over the Internet by an unauthenticated user, which is what allowed the files to be crawled and indexed.
The FTC charge settlement prevents the owners of the company from misrepresenting the extent to which the company protects the privacy and security of their customers’ personal information. Under the terms of the settlement, the company must implement a comprehensive information security program which can protect the sensitive personal information of its customers, including that sent to independent service providers. The company must evaluate that program every two years for the next twenty years. This incident goes to show just how vigilant the medical transcription service provider should be when handling Protected Health Information (PHI).
HIPAA Omnibus Final Rule
The HIPAA Omnibus final rule expands the obligations of all health care providers to protect PHI, extends these obligations to their ‘business associates’ (other individuals and companies) who have access to PHI, and increases the penalties for violations of any of these obligations.
“Business associates” include contractors and subcontractors. A covered entity (health care provider) is not required to establish a business associate agreement (BAA) with the subcontractors of its third-party providers. However, a third-party provider who hires subcontractors to perform a function or service that involves the use of PHI should enter into a business associate agreement with them. Under that agreement the subcontractor must comply with the contractual obligations specified in the BAA, and it is directly liable for:
- Impermissible uses and disclosures of PHI
- Failure to enter into a BAA with subcontractors who create or receive PHI on their behalf
- Failure to provide breach notification to the covered entity
- Failure to provide access to a copy of electronic PHI to the covered entity, the individual, or the individual’s designee (whichever is specified in the BAA)
- Failure to disclose PHI when HHS requires it in order to investigate or determine the business associate’s HIPAA compliance
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request
- Failure to provide an accounting of disclosures
- Failure to comply with the requirements of the Security Rule
Business associates may be subject to severe penalties when they violate these rules, so third-party providers should ensure that they comply with the HIPAA rules. Experts suggest the following steps to demonstrate compliance:
- Implement or update privacy and security risk management and governance programs
- Implement or update comprehensive HIPAA privacy, security and breach notification policies and procedures
- Provide proper education and training to employees regarding HIPAA policies and procedures and the disciplinary consequences of violating them
- Conduct a legitimate HIPAA Security Risk Analysis
- Implement or update a strong, proactive Business Associate/Subcontractor Management program
- Perform a HIPAA security evaluation
- Carry out Privacy Rule and Breach Notification Rule compliance gap assessments
- Review and update your policies, procedures and practices regarding the access, amendments and accounting of disclosures from plan members
- Encourage customers to have a Notice of Privacy Practices (NPP) and review and update any NPP
- Document any compliance gaps identified and develop a remediation plan to close them
HIPAA compliance and data security are extremely critical in healthcare. Identifying and managing the deficiencies in your organization is essential to preventing breaches.