HIPAA/LAW:
Legal Q/A
July 2002
"How HIPAA Security Applies to Transcriptionists"
by Steve Fox, Esq., & Rachel Wilson, Esq.,
Pepper Hamilton LLP
QUESTION: To what extent are medical transcriptionists required
to comply with HIPAA?
ANSWER: Medical transcriptionists are required to implement
reasonable safeguards designed to protect the privacy and security
of personal health information (PHI).
Medical transcriptionists are subject to the business associate
requirement set forth under HIPAA's privacy rule (the "Privacy
Rule"). They are subject to this requirement because the transcriptionist
performs a function on behalf of health care providers that includes
the use and disclosure of PHI. Accordingly, transcriptionists are
prohibited from using or disclosing PHI in any manner that would
violate the Privacy Rule if done by the provider itself. It is important
to keep in mind, however, that covered entities, although not allowed
to use or disclose PHI in any manner except as permitted under HIPAA,
are not required to protect against any and all known, unknown,
or unlikely uses or disclosures in violation of the Privacy Rule.
Safeguards must be reasonable, but not foolproof.
HIPAA's proposed security standards (the "Security Standards")
apply to PHI that is either electronically maintained or transmitted.
Covered entities will be required to enter into chain of trust agreements
with medical transcriptionists when PHI is processed electronically
through the transcriptionist. (Of course, this assumes that the
"chain of trust" concept remains in the final rule.) Pursuant
to these chain of trust agreements, transcriptionists will be obligated
to maintain the integrity and confidentiality of PHI while in receipt
of such information and during transmission of the same. HIPAA falls
short of mandating specific technology solutions that covered entities
must implement (or require their chain of trust partners to implement)
in order to ensure the security of PHI. It requires only that covered
entities implement appropriate administrative procedures, physical
safeguards, and technical security services and mechanisms to guard
data integrity, confidentiality, and availability and to prevent unauthorized
access to certain data.
Clarification: In last month's article, we stated that
employer sponsors of group health plans generally have certain compliance
obligations under the Privacy Rule as business associates. This
statement resulted in some confusion among HIPAAlert subscribers.
The sentence should have read, "Employer sponsors of group
health plans have certain compliance obligations under the Privacy
Rule as do business associates." The point we intended to make
is that, much like the business associate requirement under the
Privacy Rule, covered entities are required to obtain certain written
assurances from employer sponsors related to the use and disclosure
of PHI.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP. This article was co-authored by Rachel H. Wilson,
Esq., of Pepper Hamilton LLP. www.pepperlaw.com
Disclaimer: This information is general in nature and should not
be relied upon as legal advice.