HIPAA Training

Find your training needs here and sample policies and procedures.

HIPAA 4 MT

HIPAA Policies and Procedures: Are Yours Written?

I’ve been heavy into the revision for the Stedman’s Guide to the HIPAA Privacy Rule the last few weeks. It’s an exciting project and one that will now include the security rule and speak to more than just medical transcription, covering healthcare documentation in general. The HITECH Act recently enacted made some very significant changes to the HIPAA rules, and doing this writing has given me cause to wonder just how many business associates are really watching that. It’s like negotiating a maze and trying to figure out how to get to the end.

The rules now require a business associate to follow them as if they were a covered entity. That means a lot more work, and it means written policies and procedures that show how you do all of the things required for compliance. It also means updated business associate contracts. Many of the people I’ve talked to are “waiting on the customer” to get these things done; however, that will not make you compliant and it sure won’t pass an audit should your company be one that the government selects for their random audits. Someone asked me the other day if I found this exciting or scary. My response was when I think about so many smaller businesses who probably are not doing these things, it’s scary. I know what a big job it is to run a business and just one big fine because you’re not doing things right could have a huge impact on your business operations.

Today we have added a page here that shows some of the services we can provide. I hope you will stop and take a minute to look through that. If we can help, we’re here.

What are you doing to be sure you have these things in place? Are all of your policies and procedures documented? What’s your biggest struggle related to the new changes?

HIPAA for Medical Transcription: Where You Should Be By Now

The HITECH Act was effective last month, and many of you have written to ask what you should have done by this time to be compliant. This post will give some highlights of where you should be by this time. If you're not there yet, now is the time to get it done because it means you are out of compliance.

This list covers those who are independent contractors and/or business owners. Keep in mind that an independent contractor IS a business owner, so if you are an IC with a company of one, these rules still apply to you if you contract directly with a covered entity. If, however, you contract with a medical transcription service, then you are most likely a subcontractor to them. While you do still have to follow the rules, it's a tad different in what you are required by law to have in place.

By now, you should have:

  • Identified both a privacy and security officer for your company (this can be the same person, although it does not have to be).
  • Performed a formal risk analysis of your systems, both for privacy and security.
  • A set of formal written policies and procedures for all of the things related to the privacy and security rules. Within the security rule, you must at least address every point in the specifications even if you don't institute them. When something is not done, then addressing it must show why it was not reasonable for you to do that. In that justification, you also have to show why an alternative would not work.
  • Outlined a strategy for disaster recovery and access to information in the event of a disaster.
  • Conducted training on both privacy and security for your staff (and security training must be done annually, which should also be outlined in your policies).
  • Updated your business associate contracts to add the new language required with the changes in the rules.

And that's just the start of the list! If you haven't started on this yet, NOW is the time to get something going. The law now requires audits be done to be sure people are compliant and you don't want to be the one who gets audited and is found to have completely ignored the new rules.

What have you done in your workplace to be sure these things are in place?

HIPAA Classifications: Where do you Fit?

HIPAA Rules tend to address two specific groups: covered entities and business associates. Which group are you in?

Covered Entities
Covered entities are those who provide health care to patients, health plans who insure patients, clearinghouses that process information for a healthcare provider, and in the Security Rule, Medicare prescription drug card sponsors.

Business Associates
Business associates provide services for covered entities. This could be an attorney for a hospital or physician, a coding and billing service, or a medical transcription service.

What about Independent Contractors?
Independent contractors are really business owners; you just have a business of one. If you are an independent contractor, you could be a business associate if you provide services directly to the covered entity. What that means is if you are a medical transcriptionist and you provide transcription services for a doctor or hospital, you are a business associate. If, however, you are a medical transcriptionist who contracts with a medical transcription service, you are not a business associate, but a subcontractor. Be sure you know which role applies to you because it impacts what you have to do to be compliant.

What About Employees?
If you are an employee of a covered entity, you are a part of what is known as the "workforce." Workforce is defined as employees and paid or unpaid volunteers, trainees, and other personnel whose conduct in the performance of work for a covered entity is under the direct control of that entity. The term does not include independent contractors, who are considered business associates.

Doesn't HITECH change all of this?
With the introduction of the HITECH Act, some medical transcription services, in an effort to figure out how it all applies to them, are now calling themselves a covered entity. This is not the case. The definition of these two groups has not changed. What has changed is how the rules apply to each group. If you have a medical transcription service and provide services for a covered entity, you are still their business associate. The difference now is that you must follow the privacy and security rules just like a covered entity must follow them. Your status did not change; however, the application of the rules DID change to impact how you do business.

Does It Really Matter?
Medical transcriptionists who work as independent contractors have often been classified as a subcontractor, an agent, and even a business associate. Prior to the changes that have been brought about with the HITECH Act, perhaps it didn't matter. With the new rules and regulations, it absolutely does matter. Be careful to not let someone classify you as a business associate unless that is really your role. If you are a transcription service owner, don't fall into the trap of classifying yourself as a covered entity just because the rules now say you have to do all of the same things. Having the correct classification can save you a lot of headaches down the line so be sure you have it right. Remember that the law now requires audits be done. If you find yourself misclassified as a business associate or a covered entity, you could find the Department of Health and Human Services on your doorstep asking to see all of your written policies and procedures and proof of your risk analysis. It DOES matter.

Determining what group you are in is the first step toward understanding your responsibilities for being compliant. It gives you the starting point for the road map that is called HIPAA Compliance.
