Transcription Compliance under HITECH

HITECH changes to the HIPAA privacy and security rules put new responsibilities on both providers who outsource medical transcription and the companies that provide services for them.

Joanne Glunt, senior VP of field operations at Webmedx, and Edna Palmer, manager of central transcription at Bon Secours in Richmond, VA, describe steps covered entities can take to mitigate privacy and security risks and keep compliant with the new regulations.

* * *

When President Obama signed the American Recovery and Reinvestment Act (ARRA) in February 2009,  the HIPAA rules for privacy and security of protected health information (PHI) became more accountable, enforceable, and subject to litigation. A healthcare provider’s responsibility for controlling protected health information (PHI) was greatly expanded—as were the penalties for failing to do so.

The changes have direct impact on the decisions a provider makes on medical transcription: where services will be performed, who will be performing them, and how the agreements will be written. There are new concerns to contemplate, new criteria to weigh, and new items to add to checklists.

Outsourcing under HITECH: What’s New

HIM’s ability to comply with HIPAA is easiest if medical transcription is performed in-house, under an organization’s own internal policies and security procedures. However, this is not the norm. In most situations, medical transcriptionists (MTs) are working outside an organization’s four walls and beyond HIM’s immediate control.  As the degrees of separation increase, so do the risks for breach of information.

Most MTs work from home, or other locations outside the facility. Coupled with at-home MTs, most provider organizations have a handful of independent contractors (ICs) to augment the internal workforce. Hence the first degree of separation and first layer of HIPAA risk.

In addition, many HIM directors outsource a portion of the transcription workload to a medical transcription service organization (MTSO) that performs the work in different parts of the United States. Last, and perhaps most open to risk, is outsourcing transcription to a MTSO that performs the work offshore. The more degrees of separation, the less control HIM directors have and the greater risk to CEs under HIPAA.

The modifications to HIPAA help provider organizations by making business associates (BAs) just as liable and contractually obligated to protect PHI as the provider. Both partners now are subject to the same civil and criminal penalties.  Even subcontractors of BAs have the same responsibilities and potential fiduciary and legal downsides as every other party involved in processing PHI.

  • Employees of covered entities as well as ICs and BAs are now subject to civil penalties and legal accountability.
  • Health and Human Services (HHS) is legally bound to investigate all complaints.
  • Civil penalties range from $100 to $50,000 and can be up to $100,000 to $250,000 with jail time if false premises or data selling are involved.
  • All breaches of unencrypted PHI must be disclosed. Breaches of more than 500 records most be disclosed to the media.
  • HHS is required to conduct periodic compliance audits.
  • All BAs must have written policy and procedure manuals and must have performed a risk assessment.
Offshore Requires Greater Scrutiny

Compliance with the new provisions is greatly complicated when MTSOs are located offshore. This is because foreign countries are not bound by U.S. Law, and therefore HIPAA and HITECH have no standing. Even more daunting is the possibility that the offshore entity is using subcontractors. While HIM directors may have some recourse contractually with an offshore MTSO, it is doubtful they have any options with the vendor’s subcontractors should a breach occur.

Covered entities within the United States must answer to U.S. law, regardless of where the breach occurs or how far removed the guilty party is from the covered entity. Hence, covered entities are wise to place greater scrutiny on their offshore transcription services now that new HIPAA rules are in force.

Devil in the Details: Technical, Legal, and Operational

In the end, there is no easy answer to ensuring that PHI is kept private. Laws, contracts, policies, and procedures are vital, but ultimately covered entities rely on individuals to do the right thing.

“The best course of action for HIM directors is one of solid due diligence,” says Susan Lucci, RHIT, CMT, AHDI-F, 2010/2011 past-president of AHDI, the Association for Healthcare Documentation Integrity. “They can engage internal IT and legal resources to help make transcription outsourcing decisions. IT staff can ensure that data protection is in place, while legal counsel will assist with writing MTSO contractual obligations and delineating [covered entity] versus BA responsibilities.”

From a technical perspective, data and voice files must be encrypted while being transferred and while at rest on a server. This practice makes it much more difficult for cyber-thieves to access PHI.

Second, the files should be stored on a U.S. – based server in a secure location. MTs should access the information they need, with appropriate security, perform the work on the U.S. server, and the MTSO or the covered entity’s IT department should maintain control of the information.  Information is much more secure if accessed on a virtual private network, or VPN, rather than over the Internet.

There must be complete audit trail accountability to ensure that PHI is accessed on a “need to know” basis. Finally, the CE should have a solid disaster recovery plan and test it regularly.

Legal counsel will help write and review the MTSO contract, which must include HIPAA protection clauses for vendors located outside the US. Indemnification, contractual penalties, and all transparency issues must be clearly stated and enforceable.

Many countries have their own privacy laws, which should be included in the MTSO’s contract to ensure accountability. The more detailed the contract, the less opaque offshore transcription becomes.

Finally, MTSOs are business associates, and they must have a compliance or security officer to oversee the entire HIPAA process. Each business associate must conduct security risk assessments to identify potential areas of vulnerability. And they must have a notification policy and procedure in the event of a breach. Federal law specifies which breaches must be reported, what information is required, and who must be notified. Many states have their own notification laws, which may add additional requirements.

HIM Directors should carefully review each of the items mentioned above and discuss them in detail with transcription services partners, especially those performing work offshore.  Agreements should be properly documented and reviewed.  Keep in mind that  HIPAA/HITECH issues are a small, albeit crucial part of any offshore outsourcing contract.

Key Questions to Ask

While HIM Directors may never be completely satisfied that PHI is being protected and offshore transcription services fully comply with HIPAA, these technical and legal steps work well to mitigate privacy and security risk.

Technical Questions

  • Are data and voice files encrypted during transfer and at rest?
  • Are files stored in a U.S.-based server and in a secure location?
  • What is the disaster recovery plan?  Is it tested regularly?
  • Who controls the information?
  • Is there an audit trail?
  • Are files transported and accessed via VPN?

Legal Questions

  • What remedies for indemnification exist?
  • What are the contractual penalties for a breach?
  • Where will work be performed and by whom? (Address transparency and subcontractor issues)
  • Is accountability with U.S. privacy laws included?
  • What is the breach notification plan?
  • Are country-specific security and privacy laws included?

Operational Questions

  • Are HIPAA policies and procedures in place? (Ask to review)
  • How frequently are internal security audits (risk assessments) performed?
  • What is the issue or problem escalation hierarchy?
  • Is there a privacy and security officer in place?
  • Who has access to PHI and for what purpose?
  • What privacy and security training do MTs receive?

In a best case scenario, having strict HIPAA policies, procedures and contractual agreements in place will protect a covered entity from exposure. In the worst case, it demonstrates that the provider made a best-faith effort, and it may serve to remove criminal liability in case of a breach. Finally, if HIM Directors must go offshore for medical transcription services, risks will increase. The more transparent everything is throughout the service partnership, the safer providers will be.


  1. HIPAA besides putting responsibility it is also helps in providing high quality, precise and secure transcription solution to global business. Offshore companies take great care in providing most accurate, fast and economically priced transcription solutions.

    Post a Reply
    • With all due respect Champak, I think this article outlines areas of weakness in compliance to both the letter of the law (HIPAA & HITECH) and The nature or reason of the law as one moves all aspects of medical record retrieval further away from the source of the patient’s medical record.
      Granted, the burgeoning complexity of increased use in magnitudes of order of severely decreased healthcare resources, an increasingly litigious culture combined with implacably determined for-growth-of-profit engineered payer-payee systems necessitates “most accurate, fast, and economically priced” solutions, however that should never sacrifice the protections and PATIENT (singular) access that HIPAA and HITECH were set up for. There needs to be a fully transparent and complete disclosure of the use of and handling of medical records with a very strong compliance ethic that includes mandatory, consistent and proctored education from origin all-the-way-through-to-endpoint, perhaps even updating breach prevention policies that include all details of disclosure to endpoint even naming third, fourth, fifth…etc parties down to the person. The remedial penalties both civil and criminal should appropriately follow the chain to endpoint as well, this with intended consequence that no one, in any place, country, etc. cut corners or in other ways create hazards that could potentialy cause a breach.
      The mass proliferation of now un-countable and therein arguably accountable individuals handling a single patients medical records combined with deplorable and unscrupulous practices in interrim contracts such as the presumtious inclusion of unlimited access -unlimited time clauses in the middle of medical records collection routes through third parties just about rips the spirit of the law to shreds and dogpiles a crushing crowd on top of the well-being of the patient in my opinion.

      Post a Reply
  2. As a medical transcriptionist in Radiology I am concercerned with the recent XP issues. It is about 3 weeks to a switch over from XP to ? That is the problem. The company/hospital I have worked with for 10 years has not indicated what that change will be. Bring a patient and health care worker this is of utmost importance. How can I get answers about this isssue. Have consulted my company, who in turn contacted their client to no avail. Not only is the integrity of privacy policy at stake by my own personal financial concerns. Can anyone give me advise on how to deal with this?

    Post a Reply
  3. What is the rule of thumb when a doctor leaves out something in the dictation, can the transcriptionist legally pull and type into the dictation themselves without the doctor actually dictating that information?

    Post a Reply

Leave a Reply to George Phillips Cancel reply

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!