HIPAA defines companies that provide services to Healthcare Providers
as Business Associates. Although the guidelines and regulations
of HIPAA are not enforced directly upon Business Associates, but
rather on the Healthcare Providers, at TranscriptionStar we are
meticulously working on complying with every detail of the HIPAA
Security and Privacy regulations. In addition, we are active
participants in, and followers of, the guidelines of HL7 EHR
Security and Privacy Issues and JCAHO (http://www.jointcommission.org/).
We help Providers fulfill the PHI Privacy and Security
requirements. We always enter into a written agreement with each
physician or physician group that we will honor the privacy guidelines
established by HIPAA and maintain technical and personnel safeguards
to preserve the security of that data. Click here to find the
detailed Security and Privacy regulations (link to the Security
Guidelines of Administrative Simplification document).
Our HIPAA-compliant, secured online facility lets you access
transcripts anytime, anywhere. Transcripts are kept available for
12 months in our archival systems. This facility comes with convenient
search options to retrieve the patient reports you are looking for.
Our organization is an active participant in HL7 EHR
Security and Privacy Issues.
Guidelines of Administrative Simplification
Documented formal practices to manage the selection and execution
of security measures to protect data, and the conduct of personnel
in relation to the protection of data.
Contingency - Data Backup, Disaster Recovery, Emergency Mode
Information Access Control - Access Authorization, Access Establishment,
Personnel Security - Personnel clearance including custodial
Security Configuration Mgmt - Hardware/software installation
Security Incident Procedures - Report/Response Procedures
Security Mgmt. Process - Risk analysis and Management
Sanction and Security policy
Termination Procedures - locks changed, removal from access lists
and user account(s)
Training - User education concerning virus protection and password
Physical Safeguards:
The protection of physical computer systems and related buildings
and equipment from fire and other natural and environmental hazards,
as well as from intrusion. Physical safeguards also cover the
use of locks, keys, and administrative measures used to control
access to computer systems and facilities.
Media Controls - Access control, Accountability, Data Backup
and Storage, Disposal
Physical Access Controls - Disaster Recovery, Emergency Mode
Operation, Equipment Control (limited access), Need-to-Know
Procedures for personnel access
Policy and guidelines on workstation use
Secure workstation locations
Security Awareness Training (including business associates like
Technical Security Services
Include the processes that are put into place to protect, control
and monitor information access.
Access Control - Applies primarily to EMR and includes: Context-based,
Role-based, and User-based Access, Encryption, and Emergency
access procedures
Authorization Control - Role-based and User-Based access
Entity Authentication - Requisite: Auto Logoff and Unique User
ID, plus at least one of the following:
Password, PIN, Tele-callback, Token, Biometric signature
Technical Security Mechanisms
Include the processes that are put into place to prevent unauthorized
access to data that is transmitted over a communications network.
Communications/Network controls - Requisite: Integrity Controls
and Message Authentication, plus one of the following:
Access Control, Encryption
If using a network, add:
Alarm, Audit Trail, Entity Authentication, Event Reporting
*These are excerpts from the Federal Register documentation on
Administrative Simplification regarding Security. For the comprehensive
text, download the documentation from the web by clicking here.
Guidelines of Administrative Simplification*
The Privacy Rule provides the first comprehensive Federal protection
for the privacy of health information and is carefully balanced
to provide strong privacy protections that do not interfere with
patient access to, or the quality of, healthcare delivery.
By the compliance date of April 14, 2003, covered entities (Health
Plans, Healthcare Clearinghouses, and Healthcare Providers) must
implement standards to protect and guard against the misuse of
individually identifiable health information. Failure to implement
these standards in a timely manner may, under certain circumstances,
trigger the imposition of civil or criminal penalties.
Incidental Uses and Disclosures
An incidental use or disclosure is a secondary use or disclosure
that cannot reasonably be prevented, is limited in nature,
and that occurs as a result of another use or disclosure that
is permitted by the Rule. An incidental use or disclosure is NOT
permitted if it is a by-product of an underlying use or disclosure
that violates the Privacy Rule.
Minimum Necessary (45CFR
The essence of this rule is the conveyance of patient information,
in whatever form that conveyance may take (documented, verbal,
data transfer, etc.), with the minimum amount of data necessary
to meet the current treatment needs of the patient. The Privacy
Rule requires covered entities to take reasonable steps to limit
the use or disclosure of protected health information to the minimum
necessary to accomplish the intended purpose.
Under the Privacy Rule, a person authorized to act on behalf
of the individual in making health care related decisions is the
individual's personal representative. Covered entities are required
to treat an individual's personal representative as the individual
with respect to uses and disclosures of the individual's protected
health information. The personal representative has the ability
to act for the individual, exercise the individual's rights, and
may also authorize disclosures of the individual's protected health
Business Associates (45CFR
164.502(e), 164.504(e), 164.532(d) and (e))
By law, the HIPAA Privacy Rule applies only to covered entities.
However, most healthcare providers do not carry out all of their
activities and functions by themselves. Often the use of services
provided by a variety of other persons and businesses is required.
The Privacy Rule allows covered providers to disclose protected
health information to these "business associates" if the providers
obtain satisfactory assurances that the business associate will
use the information only for the purposes for which it was engaged
by the covered entity, will safeguard the information from misuse,
will help the covered entity comply with some of the covered entity's
duties under the Privacy Rule, and help the covered entity carry
out its healthcare functions.
A member of the covered entity's workforce is NOT a business
An independent medical transcriptionist that provides transcription
services to a physician IS a business associate.
A software vendor only becomes a "Business Associate" when a
company representative is required to view patient data in
relation to providing installation or maintenance services for
computer software. If viewing patient data can be avoided
in this regard, a software vendor is not considered a business
*These are excerpts from the Privacy Rule guidelines created by the
U.S. Dept. of Health and Human Services Office of Civil Rights.
For the comprehensive text, visit the Office of Civil Rights
on the web.