This year is flying by us. Before we know it, it's going to be 2010 – and that means significant changes in privacy and security measures for service providers to the healthcare industry. One of the more important changes for the medical transcription industry is the Health Information Technology for Economic and Clinical Health (HITECH) Act, which becomes effective in February 2010. Just when you thought the government couldn't make anything more convoluted and difficult than HIPAA – they came up with HITECH. Never underestimate the ability of bureaucracy to confuse the public!
In an effort to help doctors make sense of this mess, The AMA News collaterally helps out business associates, so it's a good idea to follow along if you are interested in what the doctors are being told and how it applies to medical transcription services. Attorney Steven Harris, reporting in the AMA News, writes:
Those agreements you signed to comply with the Health Insurance Portability and Accountability Act probably need to be torn up, rewritten and re-signed.
One of the most significant changes that HITECH makes to HIPAA is that the relationship becomes bilateral. Under HIPAA, medical transcription service providers were not covered entities. Under HITECH, they are. Under HIPAA, the physician was responsible for monitoring business associates for breaches. Under HITECH, the business associate must also monitor the physician's compliance.
In another article, "Stimulus package alters HIPAA rules for business associates," Mr. Harris goes into some informative detail about what business associates are supposed to be protecting:
A business associate is someone who, on behalf of a covered entity, performs an activity involving the use or disclosure of individuals' health care information.
…Under the stimulus bill, several HIPAA security provisions now apply to business associates in the same manner that those provisions apply to covered entities. That means business associates of covered entities will now have an affirmative duty to protect the confidentiality of electronic protected health information created, received, maintained or transmitted in performing services for or on behalf of covered entities.
Even if you are only providing services 1:1 to a physician, read the article by Mr. Harris and take steps to protect yourself. He suggests that a contract should outline what steps the physician will take if there is a suspected breach, so that both parties know what to expect and for reporting purposes.
At this point, other than to say it's probably time to start looking at the contractual relationship you have with your clients, regardless of how little you think you are and whether or not you believe HITECH will impact you in any significant way, I'm not going to go into detail about what MTs may or may not be required to do as a result of this legislation. I will suggest that you follow Mr. Harris' articles at the AMA News. They're written for doctors, but MTs and MTSOs will be able to apply much of what he writes about.