HIPAA Training

Find your training needs here and sample policies and procedures.

HIPAA 4 MT

Archive for March, 2010

HIPAA Policies and Procedures: Are Yours Written?

I’ve been heavy into the revision for the Stedman’s Guide to the HIPAA Privacy Rule the last few weeks. It’s an exciting project and one that will now include the security rule and speak to more than just medical transcription, covering healthcare documentation in general. The HITECH Act recently enacted made some very significant changes to the HIPAA rules, and doing this writing has given me cause to wonder just how many business associates are really watching that. It’s like negotiating a maze and trying to figure out how to get to the end.

The rules now require a business associate to follow them as if they were a covered entity. That means a lot more work, and it means written policies and procedures that show how you do all of the things required for compliance. It also means updated business associate contracts. Many of the people I’ve talked to are “waiting on the customer” to get these things done; however, that will not make you compliant, and it sure won’t pass an audit should your company be one that the government selects for its random audits. Someone asked me the other day if I found this exciting or scary. My response was that when I think about so many smaller businesses who probably are not doing these things, it’s scary. I know what a big job it is to run a business, and just one big fine because you’re not doing things right could have a huge impact on your business operations.

Today we have added a page here that shows some of the services we can provide. I hope you will stop and take a minute to look through that. If we can help, we’re here.

What are you doing to be sure you have these things in place? Are all of your policies and procedures documented? What’s your biggest struggle related to the new changes?

If It's Not Documented, It Isn't Done

How many times have we heard that in our industry? In a medical report, the understanding is that if it isn't documented, it didn't happen. That is what makes healthcare documentation so critically important. It is also what makes it important that documentation is complete and correct. No physician can use the excuse "well, even if it's not written down, that IS how I did it" when they are called into court and questioned about the care they provided a patient.

Our world is now a lot more like this related to HIPAA and the HITECH Act. Do you have your written policies and procedures? Have you updated all of your business associate contracts to include the new language required by law? If not, then you are, simply put, not compliant. If it's not written down, it doesn't exist in this new world we are in now.

It's the same thing with your risk analysis and gap analysis. Have you done these? If so, is it documented? If it's not documented, then you will not be able to say it's done if you happen to be one of the unlucky ones who gets audited.

Take the time now to get the things in order that you must have to be sure you can SHOW that you are compliant. Simply saying you follow the rules just isn't enough anymore. Get it documented!

How about it? Do you have a written gap analysis? Are your policies written and well documented? What do you still need to do to assure you are compliant?

HIPAA for Medical Transcription: Where You Should Be By Now

The HITECH Act was effective last month, and many of you have written to ask what you should have done by this time to be compliant. This post will give some highlights of where you should be by this time. If you're not there yet, now is the time to get it done because it means you are out of compliance.

This list covers those who are independent contractors and/or business owners. Keep in mind that an independent contractor IS a business owner, so if you are an IC with a company of one, these rules still apply to you if you contract directly with a covered entity. If, however, you contract with a medical transcription service, then you are most likely a subcontractor to them. While you do still have to follow the rules, it's a tad different in what you are required by law to have in place.

By now, you should have:

  • Identified both a privacy and security officer for your company (this can be the same person, although it does not have to be).
  • Performed a formal risk analysis of your systems, both for privacy and security.
  • Written a set of formal policies and procedures for all of the things related to the privacy and security rules. Within the security rule, you must at least address every point in the specifications even if you don't institute them. When something is not done, your write-up must show why it was not reasonable for you to do that. In that justification, you also have to show why an alternative would not work.
  • Outlined a strategy for disaster recovery and access to information in the event of a disaster.
  • Conducted training on both privacy and security for your staff (security training must be done annually, which should also be outlined in your policies).
  • Updated your business associate contracts to add the new language required with the changes in the rules.

And that's just the start of the list! If you haven't started on this yet, NOW is the time to get something going. The law now requires audits be done to be sure people are compliant and you don't want to be the one who gets audited and is found to have completely ignored the new rules.

What have you done in your workplace to be sure these things are in place?

HIPAA Compliance: What is Protected Health Information?

The HIPAA rules all speak of "protected health information," or PHI. What does that really cover? It is important to understand what it is so that you are sure you have the correct protections in place. Let's explore the definition of PHI a bit here.

The rule defines individually identifiable health information as:
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
   (i) That identifies the individual; or
   (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

It then goes on to define "protected health information" in this way:
Protected health information, or PHI, is individually identifiable health information:
1. Transmitted by electronic media; or
2. Maintained in electronic media; or
3. Transmitted or maintained in any other form or medium.

What that tells us is that it covers health information in ANY form. While the privacy rule applies to the information in any form, the security rule focuses on information that is created and stored electronically, including spoken conversations.

What about De-Identified Information?
The rules do allow for the use of information if it is de-identified. What is important to remember here is that the rule includes several things that must be removed before something is considered de-identified. Here's the list:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this

Historically, we have faithfully removed all demographic information from the headers of a report, and we have used the words "the patient" when a physician dictates the name of the patient. If you really look at the above list, you will see that it's much more detailed than that. When a pacemaker is implanted, for example, the physician gives the model number and serial number, right in the middle of the report. With (M) above, that report is not considered de-identified information.

The rule also states that the information must be such that a reasonable person with a statistical background would not be able to figure out the person's identity. Lastly, it says that the covered entity must not have knowledge that the information could be used, alone or with other information, to identify the person.
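As an added illustration (my own code, not from this post or from any HHS publication), here is how elements (B) and (C) of the list above play out on a constructed report header: the three-digit zip prefix survives only when the area it covers has more than 20,000 people, ages over 89 collapse into "90 or older" and take the birth year with them, and names, medical record numbers and device serial numbers simply never carry over. The population table and the sample header are constructed for the example.

```python
"""Added example, not code from the post: the Safe Harbor zip-code, date
and age rules quoted above, applied to a constructed report header."""
from datetime import date

# Constructed population figures per 3-digit zip prefix, for illustration
# only; the rule points to current Census data, which the post does not give.
PREFIX_POPULATION = {"021": 600_000, "036": 18_000}

def safe_harbor_zip(zip_code, prefix_population=PREFIX_POPULATION):
    """Element (B): keep the first three digits only when the area they
    cover has more than 20,000 people; otherwise the prefix becomes 000."""
    prefix = zip_code.strip()[:3]
    return prefix if prefix_population.get(prefix, 0) > 20_000 else "000"

def age_on(birth, asof):
    """Whole years between two ISO dates (YYYY-MM-DD)."""
    b, a = date.fromisoformat(birth), date.fromisoformat(asof)
    return a.year - b.year - ((a.month, a.day) < (b.month, b.day))

def safe_harbor_age_and_birth(birth, asof):
    """Element (C): ages over 89 collapse to '90 or older', and every date
    element indicative of such an age, the year included, is dropped.
    Returns (age, birth_year); birth_year is None when it must go."""
    age = age_on(birth, asof)
    if age > 89:
        return "90 or older", None
    return age, date.fromisoformat(birth).year

def deidentify_header(header, asof, prefix_population=PREFIX_POPULATION):
    """Build a Safe Harbor header from a constructed report header.
    Names (A), MRNs (H) and device serials (M) simply do not carry over."""
    age, birth_year = safe_harbor_age_and_birth(header["birth_date"], asof)
    return {
        "zip3": safe_harbor_zip(header["zip"], prefix_population),
        "admission_year": date.fromisoformat(header["admission_date"]).year,
        "age": age,
        "birth_year": birth_year,
    }

# Constructed sample header; no real patient or device is represented.
SAMPLE = {"name": "Jane Example", "mrn": "MRN-000123", "zip": "03601",
          "birth_date": "1919-05-02", "admission_date": "2010-03-04",
          "pacemaker_serial": "SN-PLACEHOLDER"}

if __name__ == "__main__":
    print(deidentify_header(SAMPLE, "2010-03-04"))
```

Safe Harbor is only one of the two de-identification routes the rule allows, and the remaining elements (telephone numbers, URLs, biometrics and the rest) still have to be stripped from the body of the report, not just the header.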

It is critical to understand the meaning of PHI and how it applies to your setting. It is also important that all persons involved in the workforce be clear on the definitions.

HIPAA Classifications: Where do you Fit?

HIPAA Rules tend to address two specific groups: covered entities and business associates. Which group are you in?

Covered Entities
Covered entities are those who provide health care to patients, health plans who insure patients, clearinghouses that process information for a healthcare provider, and in the Security Rule, Medicare prescription drug card sponsors.

Business Associates
Business associates provide services for covered entities. This could be an attorney for a hospital or physician, a coding and billing service, or a medical transcription service.

What about Independent Contractors?
Independent contractors are really business owners; you just have a business of one. If you are an independent contractor, you could be a business associate if you provide services directly to the covered entity. What that means is that if you are a medical transcriptionist and you provide transcription services for a doctor or hospital, you are a business associate. If, however, you are a medical transcriptionist who contracts with a medical transcription service, you are not a business associate but a subcontractor. Be sure you know which role applies to you, because it affects what you have to do to be compliant.

What About Employees?
If you are an employee of a covered entity, you are a part of what is known as the "workforce." Workforce is defined as employees and paid or unpaid volunteers, trainees, and other personnel whose conduct in the performance of work for a covered entity is under the direct control of that entity. The term does not include independent contractors, who are considered business associates.

Doesn't HITECH change all of this?
With the introduction of the HITECH Act, some medical transcription services, in an effort to figure out how it all applies to them, are now calling themselves a covered entity. This is not the case. The definition of these two groups has not changed. What has changed is how the rules apply to each group. If you have a medical transcription service and provide services for a covered entity, you are still their business associate. The difference now is that you must follow the privacy and security rules just as a covered entity must follow them. Your status did not change; however, the application of the rules DID change, and that affects how you do business.

Does It Really Matter?
Medical transcriptionists who work as independent contractors have often been classified as a subcontractor, an agent, and even a business associate. Prior to the changes that have been brought about with the HITECH Act, perhaps it didn't matter. With the new rules and regulations, it absolutely does matter. Be careful to not let someone classify you as a business associate unless that is really your role. If you are a transcription service owner, don't fall into the trap of classifying yourself as a covered entity just because the rules now say you have to do all of the same things. Having the correct classification can save you a lot of headaches down the line so be sure you have it right. Remember that the law now requires audits be done. If you find yourself misclassified as a business associate or a covered entity, you could find the Department of Health and Human Services on your doorstep asking to see all of your written policies and procedures and proof of your risk analysis. It DOES matter.

Determining what group you are in is the first step toward understanding your responsibilities for being compliant. It gives you the starting point for the road map that is called HIPAA Compliance.
