Renegotiate outsourced transcription contracts with both Privacy and Security Standards in mind

Healthcare Financial Management, April, 2003 by Cheryl Servais

Today, most hospitals use outside transcription vendors to provide all or some of their transcription services. Vendors range in size from independent contractors who pick up tapes and deliver hard copy reports to sophisticated international companies that utilize web-based technologies to receive dictation in voice files and transmit reports to the provider in text files. No matter the size or complexity of the operation, a provider (known as a "covered entity" or CE in HIPAA terms) must have an agreement with the vendor (known as a "Business Associate" or BA under HIPAA). This article explores what must be included in such an agreement.

Dictation from physicians about the diagnoses and treatments of patients falls under the definition of "protected health information" (PHI) as stated in the HIPAA Standards for Privacy (§164.501). The Security Standard requires protection for the same scope of information as that covered by the Privacy Standards, except that it only covers information if it is in electronic form (§160.103). Since PHI that is dictated and transcribed is electronic in nature, it is covered by the recently published Security Standards. This coverage extends to the information received, manipulated and transmitted by a transcription vendor.

The preamble of the Security Standards states, "While individual transcription companies ... may not be covered entities, they will be business associates of the covered entity because their activities fall under...that statute." Thus, a covered entity is responsible for ensuring that the transcription vendor it uses (whether for total outsourcing or for overflow work) follows the standards prescribed for a covered entity under HIPAA. The HIPAA Security Standards do not prescribe any specific technology. This makes sense in the transcription world, where the range of technical sophistication among vendors varies greatly. However, whatever technology and media are utilized in recording dictation and transcribing reports from that dictation, the covered entity must ensure that its vendor complies with the various standards.

A covered entity will ensure the security of "electronic PHI" (ePHI) transmitted or received from its transcription vendor by executing a "business associate agreement" (BAA). Such an agreement can be an amendment to an existing contract between the covered entity and the transcription vendor. The same contract can be amended to include the required provisions of both the Privacy and Security Standards.

Restrictions on Redisclosure.

According to Privacy regulations, the BAA must provide that the vendor will not use or further disclose the information other than as permitted or required by the contract or as required by law. The contract must state the purposes for which the vendor may use and disclose PHI and must indicate generally the reasons and types of persons to whom the vendor may make further disclosures. For example, a transcription vendor may disclose information it receives to subcontractors or to web-server hosts. It may hire couriers to pick up dictation tapes and/or deliver reports. Permission for such secondary disclosures needs to be specified in the BAA with the transcription vendor. The BAA must make the vendor responsible for ensuring that if it delegates any of the functions, activities or services specified in the BAA with the CE to any person, that person agrees to abide by the restrictions and conditions that apply to the BA under the agreement. When the disclosure is a delegation of a function, activity, or service the BA has agreed to perform for a CE, the recipient who undertakes such a function steps into the shoes of the BA and must be bound to the restrictions and conditions.

Return or Destruction of PHI.

The BAA should require that, if feasible, any PHI the vendor has should be destroyed or returned at the end of the contract. Thus any stored dictation files, tapes, etc., must be returned to the facility so they may be transcribed by CE employees or another transcription vendor. Any transcribed documents kept on file by the vendor (whether in paper or electronic media) must be destroyed upon termination of the contract. The method for destruction should be specified in the agreement.

Security Safeguards

The BAA must contain satisfactory assurances from the BA that it will appropriately safeguard the information it receives and creates in accordance with the Security Standards. To meet these assurances, the BA must agree to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of all ePHI. The BAA should include safeguards that:

(1) ensure any agent, including a sub-contractor, to whom the BA provides ePHI agrees to implement reasonable and appropriate safeguards. Requesting policies and procedures related to these safeguards, such as use of screen savers on PCs or keeping PCs in locked rooms away from others, does not seem unreasonable.


 


Content provided in partnership with Thompson Gale