Medical transcriptionist takes a hit for HIPAA

I recently received an e-mail from a transcriptionist who described a situation that I think will surprise most medical transcriptionists. It's an issue I found especially interesting in light of a post by Nae at MT Chat, and the responses it got: Yep, my ESP is working real well today doc …

I hadn't even discussed this with Nae, so when she posted that thread, she was not aware of this MT's e-mail to me.

Let me preface this by saying there are usually 2 sides to a story and I only have one, so my conclusions are going to be based on that. I'm not going to name names, but if any MTSOs have had a similar experience from their side, or if you're in management and you think this is your company, I'd like to hear the “other” side.

In a nutshell, an MT who was being paid a premium line rate because of her experience and skills on multiple accounts, was demoted due to “potential reportable events” (PREs) involving privacy and security breaches.

The reason? Selecting the wrong doctor as attending, and sending a copy to the wrong physician. In the first case, the error was noted by the MT, but too late – the report had already been sent in, at which point it was immediately distributed. Even though the MT sent an e-mail, noting the error, this error was counted in the disciplinary action that was taken against her. In the second instance, the name dictated sounded almost exactly like another name – and the MT selected the incorrect name.

As amusing as it is to say “we can't read your mind, doc,” I'm wondering if some of the people responding to that post at MT Chat want to rethink their answer. Although Nae's example is “send a copy to Dr. Patel,” in a case where there are multiple doctors with that name, it could have easily been “send a copy to Dr. Smith,” where there are not only multiple Dr. Smiths on a list, but Dr. Smyth, Smythe and etc. All it takes is one large university hospital or VA account to realize there are many, many ways to spell names we all thought had a common spelling, for both patients and physicians. With no training and no physician list, it would be obvious to an MT that picking the correct one among a number of Dr. Patels is impossible and needs to be flagged to QA – but what about Dr. Carter v. Karter? If someone says “send a copy to John Carter” and you find a John Carter on the roster – would you look any further to see if there was also a John Karter and therefore flag the report to someone up the food chain?

In my opinion, there were a couple of errors that occurred prior to the MT making the error.

  1. It was a new account and no training was given.
  2. No physician list was provided, including a list of attendings and their fellows or residents.
  3. The MT company has no written policy regarding PREs and how they will be handled.
  4. The MT company has no written policy regarding disciplinary action to be taken in the case of MT errors of this kind.
  5. No software safeguards are in place.
  6. As is usually the case, training for dictators at the facility also appears to be substandard – GIGO.

Some of these seem like no-brainers, don't they? I don't know how anyone can be expected to perform with minimal errors on a new account without any direction or instructions, regardless of how experienced they are. An experienced MT may be able to pick up and transcribe any dictator at any facility – but years of experience is going to give an MT the ability to somehow instinctively grasp account specifics.

This is not a small company, this MT is not an independent contractor. The disciplinary action taken cut the MT's pay by 20% to 25% yet there's no written policy in place. No inservice on HIPAA, no training on the account, no written disciplinary policy – but with no warning, the company takes action that cuts pay 25%.

Hello, MT employees – have you asked your employer what the written policy is for your company? What happens when a mistake like this happens? What are your responsibilities? What disciplinary action may be taken against you? What recourse do you have?

Technology being what it is, why doesn't the EMR software – that same software that immediately routes the transcript to all interested parties upon completion by the MT unless it's flagged – have some safeguards built in? I realize that EMR technology is evolving, but is anyone doing anything to ensure that copies don't go to Dr. Carter if he's not involved in the patient's care and Dr. Karter is? If not, why not? You'd think that while everyone is out spending money on streamlining the process and reducing labor costs, they'd also be doing something to ensure security is more automated. Even a delay of a certain number of minutes would be helpful (something like the 7-second delay on newscasts), so if errors are caught shortly after the report is completed, there's some hope of rerouting it before it's gone out for distribution.

Are MTs paid enough to take on this kind of responsibility? Are YOU paid enough to take on this kind of responsibility? What I see happening is that more and more MTs will send every questionable physician name to QA or to the hospital staff to deal with. Then, someone will get mad – probably at the MTs. Because it seems nobody is willing to hold the dictators responsible. So here's a tip for all you working MTs out there – unless you're 100% certain, flag that report. The sooner these questions start piling up on the desks of people who are actually paid enough to deal with PREs, the sooner the problem will be resolved.

This situation was a FAIL of epic proportions, primarily on the part of the transcription service for not having policies in place, by not having in-service sessions for employees to train in HIPAA compliance and on account specifics. Well, shame on management for taking its shortcomings out on the transcriptionist.

MT Services and their independent contractors

Related Posts:

10 thoughts on “Medical transcriptionist takes a hit for HIPAA”

  1. Julie,

    I completely agree with you. The MT had done her work of transcribing the dictation correctly, but due to lack of security safeguards, proper hipaa training and management inability to make that dictation handed to correct doctor, you can’t hold the MT alone for taking the responsibility to hand over the dictation to correct doctor. This negligence of sending the MT report to wrong doctor clearly spells out the lack of HIPAA Training in that MT company. The employer as well as the managers needs to be fully aware about the HIPAA security and privacy laws, and need to undergo hipaa training to make sure every patient reports that they transcribe are handed to correct doctor and needs to store them properly, and to protect them from any unauthorized person.

    Mike
    http://hipaatraining.net/

  2. I don’t know whether it’s the same MT who clarified about this error with me way back in the first week of November. Here it is: http://bit.ly/5oYNNw

    My answer also was the same. Yes it is a HIPAA violation but why do you want to take the headache yourself? If the dictator is careless, pass the buck back to him or the QA than to bear the cross yourself. After all, you are not going to get a gold medal if you spot the right doctor!

    Julie, you are right. First of all we all need to have a caveat for ourselves before signing up with any new employer, a “written policy.”

  3. @Raj – yes, this is the same MT/situation. I think it’s important for MTs to realize the importance of making sure a company has a policy in place and that they are trained on how to handle potential problems.

    @Mike – Thanks for the link and the information.

    Bottom line – with HIPAA, HITECH and state laws (such as California’s SB541), MTs need to be aware that THEY may be held responsible for breaches.

  4. While I agree completely that this incident reveals numerous shortcomings in the transcription company’s overall compliance posture with respect to HIPAA, there’s also a bit of hysteria mixed into the soup that seems to be fairly prevalent when it comes to HIPAA. The tendency to “overinterpret” HIPAA is symptomatic of a certain degree of ignorance about its provisions as well as its legislative/adminisrative history, and I find this tendency to be quite common even among people who think they “know HIPAA”.

    In a rare display of common sense on the part of government officials, the inadvertent disclosure of PHI to unauthorized individuals was anticipated and comes within the scope of “incidental disclosures”. Incidental disclosures are “permitted” under HIPAA (in the sense that they do not expose the disclosing entity to civil or criminal liabilities), provided that the disclosing entity takes reasonable precautions to prevent them from happening and/or to limit what is disclosed.

    In other words, there is nothing about this incident that inherently constitutes a “reportable event”, nor anything that would be required to be included in the Accounting for Disclosures. This is no different from a nurse who hands a doctor who asks to see the chart on “Mr. Smith” (his patient) the chart of another patient named Smith (not his patient). While this would technically constitute a much more egregious disclosure (the entire record instead of just a report), it would be the height of nonsense to believe that HIPAA intends for such an incident to be “reportable”.

    Of course, an entity CAN declare any unauthorized disclosure to be “reportable” if it wishes to do so, because any entity CAN implement rules that are stricter than HIPAA’s provisions require. If your privacy folks want to weave a hair shirt for everyone to wear, I suppose nothing can stop them from doing so. But if they do so, let’s not call this incident a HIPAA violation because it is nothing of the kind. It would be a violation of the policies of that particular entity.

  5. I should add to my earlier comment that I am not in any way excusing the failure of the transcription company to implement clear, written policies and procedures in an effort to limit (“prevent” is utterly unrealistic) the occurrence of incidents such as this one. It’s simple enough to implement a rule that no assumptions are to be made by the MT when the intended recipient of a copy is not clearly identified. Reports involving ambiguous recipients would be sent to the “hold” queue to be resolved by office staff, or, failing that, forwarded to the client for resolution.

    While the rule is simple, it isn’t without potential problems if it’s diluted by “common sense” expectations to reduce “unnecessary holds”. For instance, you have a report that makes reference to a lung resection and you have a chest cutter on staff named “Stein” – among other Steins. If the MT is going to catch it in the neck for not presuming that a copy to “Dr. Stein” MUST refer to the chest surgeon, we’ve diluted the rule and imposed a layer of complexity on the MT that will inevitably lead to someone making the “right” (but WRONG) assumption sooner or later when it turns out that the patient is also seeing one of the other “Dr. Stein’s” for something and was never seen by the chest surgeon. We have a tendency to do this sort of thing in our business, it seems – one minute criticizing the MT for doing something “stupid” and the next minute criticizing her for not exercising enough initiative.

  6. @Brian

    Yes it is not such a major breach to worry about and run like a headless chicken nor I doubt there is going to involve any civil or criminal liabilities in accidental errors like these but in employer v/s employee cases like these where employers want to axe down the pay/payroll, employers are tweaking HIPAA to their own advantage as a sword for pay cuts or to expel highly paid employees.

    Moreover I don’t think it is the MT’s duty to look into whether the patient has signed a written consent to whom carbon copies are to be marked.

  7. As the EHR becomes fully implemented, this sort of incident should become nearly a thing of the past. A patient’s record will incorporate the identifiers of every physician who has treated them, and it will be child’s play for the system to check requested copies against those identifiers before any are sent. In addition, such transmission to a remote EHR would only succeed if that patient’s EHR already does, in fact, exist in that system. If not, an error or exception would be generated.

    In fact, copies themselves will be sharply curtailed as the only thing that would be needed in many cases is notification that the report has been added to the patient’s record, which the physician would then review through the usual authentication process he uses to access any patient records on that system (e.g., the hospital).

    In other words, the necessity of “copies” will be reduced in the first place, and the transmission of any electronic copies that are necessary can easily be confined to those that are appropriate.

  8. My husband, the lawyer, tells me that there is no private cause of action for the patient privacy provisions of HIPAA. According to him, several federal district courts nationwide and the Fifth Circuit Court of Appeals have decided that individual patients have no private cause of actions for violations of HIPAA. See Acara v. Banks, No. 06-30356, 2006 WL 3262444 (5th Cir. Nov. 13, 2006). News reports indicate that the only person or entity that could enforce the patient privacy provisions of HIPAA, the Secretary of the U.S. Department of Health and Human Services, has yet to bring one enforcement action for patient privacy provision violations as of the end of the Bush administration. If anyone has evidence of a successful enforcement action by the Secretary for patient privacy violations, please post. My husband would appreciate that information (as would I). It sounds like the medical provider is seriously overeacting in light of the actual potential threat of enforcement action.

  9. A patient at mayo hospital in Phoenix az was having surgery. The patient had the
    word hotrod tattoed on his penis. The surgeon took a picture of the patients penis
    with his cellphone and was showing staff the picture. Someone called the arizona
    republic to report the incident. The surgeon was fired. The patient was awarded
    250,000$.

    This crap happens everyday in healthcare. There are more perverts and unprofessional acts than you can imagine,by nurses and physicians. Your
    attorney husband is wrong in his assertion. Just because the hipaa act says
    this or that is irrevelent. You can sue for damages.

Leave a Reply

Your email address will not be published. Required fields are marked *