Bytescribe is committed to providing products that offer optimal security in a HIPAA compliant environment. Bytescribe has evaluated and tested software products and services to ensure support for HIPAA compliance. Bytescribe strives to be knowledgeable regarding HIPAA rules and regulations and to make every effort to add adequate security functionality to its products.
Below are current guidelines to using Bytescribe products in a HIPAA compliant environment.
Definition
The Health Insurance Portability and Accountability Act (HIPAA) is a federal healthcare law established August 21, 1996 to promote standardization and efficiency in the health care industry and to provide confidentiality protections for processed health data in accordance with the new standards. HIPAA directly affects health insurance providers, healthcare clearinghouses, and healthcare providers. The law indirectly affects the business associates of those entities. HIPAA was enforced beginning April 15, 2003.
Transcription Companies and Healthcare Providers
HIPAA defines companies that provide services to Healthcare Providers as Business Associates. Although the guidelines and regulations of HIPAA are not enforced directly upon Business Associates, but rather on the Healthcare Providers they serve, it is vital that every Business Associate promote compliance in the services it offers to the Healthcare Provider in order to maintain a business relationship with that entity.
A Transcription Company, in its handling of physician dictation records, must enter into a written agreement with each physician or physician group stating that it will honor the privacy guidelines established by HIPAA and maintain technical and personnel safeguards to protect the security of that data. It is the responsibility of the Healthcare Provider to establish privacy agreements with all of its Business Associates who handle protected patient data.
Transcription Companies should review the Security and Privacy guidelines enforced upon Healthcare Providers, so that they can anticipate what each provider will expect of its transcription company in order to maintain the provider's own HIPAA compliance.
A physician or physician group is one of three “covered entities” directly affected by the regulations and guidelines of HIPAA. It falls on the covered entities to observe and implement the regulations of HIPAA throughout its organization and down throughout any/all business associates.
Securing Orator Dictation Server
In order to properly secure the Orator Dictation System, some steps may need to be taken to provide optimal security. Below are listed some basic guidelines:
- Locate the server in a secure place. If possible, locate the server in a room that is only accessible to administrators and persons with proper permissions.
- Password protect the server. Use the Windows password-protected screen saver, and set it to activate within a suitable idle time limit.
- If exporting voice files via the Internet or LAN, properly secure servers to which files may be exported. When exporting files via the Internet, use software that will encrypt files during transfer.
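The screen-saver guideline above can be audited (and, if desired, enforced) rather than checked by hand. The following PowerShell script is an added example, not Bytescribe's own tooling; it assumes the per-user Windows registry values under HKCU\Control Panel\Desktop and a site-chosen idle limit (600 seconds here, an assumption), and it should be run in the session of the account that stays logged on to the Orator server.

```powershell
# Added example: audit, and optionally enforce, the Windows password-protected
# screen saver on the Orator server. Assumes the standard per-user values under
# HKCU\Control Panel\Desktop; a domain Group Policy may override them, so if the
# values keep reverting, check gpresult /r rather than editing them here.
param(
    [int]$MaxTimeoutSeconds = 600,   # assumed site limit; use what your policy requires
    [switch]$Enforce                 # without this switch the script only reports
)

$key = 'HKCU:\Control Panel\Desktop'
$desired = @{
    ScreenSaveActive    = '1'                   # screen saver enabled
    ScreenSaverIsSecure = '1'                   # require password on resume
    ScreenSaveTimeOut   = "$MaxTimeoutSeconds"  # idle seconds before it activates
}

$findings = @()
foreach ($name in $desired.Keys) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $ok = switch ($name) {
        # timeout must be set, positive, and no longer than the site limit
        'ScreenSaveTimeOut' { $current -and ([int]$current -gt 0) -and ([int]$current -le $MaxTimeoutSeconds) }
        default             { $current -eq '1' }
    }
    if (-not $ok) {
        $findings += "$name is '$current' (expected $($desired[$name]))"
        if ($Enforce) { Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type String }
    }
}

# The lock only engages when a screen saver executable is actually selected.
$scr = (Get-ItemProperty -Path $key -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
if (-not $scr) { $findings += "SCRNSAVE.EXE is not set: no screen saver selected, so no lock will occur" }

if ($findings.Count -eq 0) {
    Write-Output "PASS: password-protected screen saver active, timeout <= $MaxTimeoutSeconds s"
} else {
    Write-Output "FAIL:"
    $findings | ForEach-Object { Write-Output "  - $_" }
    if ($Enforce) { Write-Output "Registry values corrected; log off and on again for them to take effect." }
}
```

Run it without `-Enforce` first to see what would change; a selected screen saver (SCRNSAVE.EXE) is reported but not set by the script, since that choice is left to the administrator.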
Security with DocShuttle Management Software
- Enable the encryption functionality when uploading voice files to an FTP site.
- Use secure FTP ports 990 or 2500 when supported by the FTP server.
- The Administrator should limit access for transcriptionists to only job types assigned to the transcriptionists.
To ensure overall security, review the Security Guidelines of Administrative Simplification.
Administrative Procedures
- Documented formal practices to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to the protection of data.
- Contingency – Data Backup, Disaster Recovery, Emergency Mode
- Information Access Control – Access Authorization, Access Establishment, Access Modification
- Personnel Security – Personnel clearance including custodial services
- Security Configuration Management – Hardware/software installation and maintenance
- Virus checking
- Security Incident Procedures – Report/Response Procedures
- Security Management Process – Risk analysis and management
- Sanction and Security policy
- Termination Procedures – locks changed, removal from access lists and user account(s)
- Training – User education concerning virus protection and password management
Physical Safeguards
- The protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Physical safeguards also cover the use of locks, keys, and administrative measures used to control access to computer systems and facilities.
- Media Controls – Access control, Accountability, Data Backup and Storage, Disposal
- Physical Access Controls – Disaster Recovery, Emergency Mode Operation, Equipment Control
- (limited access) Need-to-Know Procedures for personnel access
- Policy and guidelines on workstation use
- Secure workstation locations
- Security Awareness Training (including business associates like transcription companies)
Technical Security Services
- Include the processes that are put into place to protect, control, and monitor information access.
- Access Control – Applies primarily to EMR and includes: Context-based, Role-based, and User-Based
- Access, Encryption, and Emergency access procedures
- Audit Controls
- Authorization Control – Role-based and User-Based access
- Data Authentication
- Entity Authentication – Requisite: Auto Logoff and Unique User ID, plus at least one of the following:
- Password, PIN, Tele-callback, Token, Biometric signature
Technical Security Mechanisms
- Include the processes that are put into place to prevent unauthorized access to data that is transmitted over a communications network.
- Communications/Network controls – Requisite: Integrity Controls and Message Authentication
- plus one of the following:
- Access Control, Encryption
- If using a network, add:
- Alarm, Audit Trail, Entity Authentication, Event Reporting