Medical records and patient data documents contain data that is crucial for providing high quality patient care. Katwa’s system can help any health care provider to add and maintain accurate and up to date patient records in a coordinated database.
Katwa is committed to achieving and maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. As your trustworthy partner in the chain of custody for patient health information, we have in place specific technical and physical security features for our data system, including identification of authorized users, control of system access, data integrity, and backup/recovery to ensure availability and reliability.
Listed below is an overview of the security features we have implemented:
Using our system, physicians may review, edit, and electronically sign reports, completing patient records and adding them permanently to the database. Furthermore, administrators can track the transcription process from dictation through to delivery and see, in real time, costs per line, costs per physician, and costs per report type, all from any web browser.
And finally, in compliance with HIPAA, security is maintained using a combination of authorization mechanisms and the Secure Sockets Layer (SSL) protocol.
Authentication
Authentication is ensured through the use of passwords to establish user identity. Access to our proprietary workflow and distribution system is granted only after authentication.
Integrity
Data, program, system, and network integrity play a role in ensuring that information is exchanged only in an authorized manner.
Audit Trail
Complete logging of all modifications made to each and every document, including editor, editor's role, and time of edit.
System Security Monitoring
Monitoring of activities occurring in our system to prevent and/or detect any breach.
Data Storage and Transmission Features
Secure physical storage of all data and secure transmission. This includes constant surveillance by network experts, premises protected by security guards, backup generators, and securely encrypted transmission between Katwa and its clients.
Confidentiality
We restrict access to all confidential information. Only select employees may access the system for administrative and support purposes. These employees are very limited in number and are committed to the Katwa privacy and security policies.
We take the extra precaution of requiring nondisclosure and confidentiality agreements from all employees, which provides explicit legal confidentiality protections.
At Katwa, we take the security of your data very seriously and remain vigilant to adapt our technologies to the latest and most promising developments in the field, so that the highest level of security is maintained.
Employee Hiring, Training, and Background Checks
Katwa’s Human Resources department conducts extensive background checks on all new employees prior to our "employee confirmation process." Once confirmed, employees can access our system only with valid logons and passwords. Furthermore, access to sensitive information is on a "need to know basis" and we constantly keep watch to prevent any of our clients’ data from being accessed except by authorized employees.
In addition, Katwa employees receive confidentiality training (as required by HIPAA) and must sign confidentiality agreements. Security practices related to e-mail, workstation use, and Internet use are closely monitored and updated annually.
FAQ
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the result of efforts by congressional healthcare reform proponents to reform healthcare. The HIPAA legislation has four primary objectives:
1. Assure health insurance portability by eliminating job lock due to pre-existing medical conditions
2. Reduce healthcare fraud and abuse
3. Enforce standards for health information
4. Guarantee security and privacy of health information
Of these objectives, the fourth most greatly impacts medical transcription.
What is the deadline for HIPAA compliance?
HIPAA requires health care organizations that use any electronic means of storing patient data, including medical transcription organizations, to comply with its security guidelines by 4/14/2003.
What are the important requirements of HIPAA for a medical transcription company?
Medical Transcription Service Organizations (MTSOs) must be able to support two requirements through their technology and business processes:
- Ensure the security and confidentiality of all patients' Protected Health Information (PHI)
- Maintain an audit trail of all individuals who have had access to PHI
Can the Internet be used for medical transcription and still meet HIPAA requirements?
Yes, as long as the MTSO uses encryption and password protection to prevent unauthorized access to PHI. Dictation done over the telephone does not need to be encrypted, but voice files transmitted by portable recorders should be encrypted prior to transmission over the Internet.
Transcribed documents must be transmitted securely using encrypted e-mail or a secure FTP site, or they may be faxed with a disclaimer statement explaining the confidential nature of the document.
If tapes are used to record dictations, will this meet HIPAA regulations?
Tapes may cause a problem since it is difficult to create and verify an audit trail of who has had a tape and who may have listened to any PHI it contains. Furthermore, if tapes are lost, anyone who obtains the tape can access the information it contains.
Who and what is a Covered Entity and a Business Associate?
HIPAA defines a Covered Entity (CE) as a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a HIPAA transaction. A physician’s office or medical clinic would fall under the category of a Covered Entity.
A Business Associate (BA) is a person or organization that performs a function or activity on behalf of the Covered Entity (CE) but is not a part of the covered entity’s work force. A medical transcription service provider would be classified under the definition of a Business Associate.
Who is liable for privacy violation under HIPAA?
Failure to comply with HIPAA regulations can bring about civil and criminal penalties. These penalties apply directly to Covered Entities such as healthcare providers, but do not apply directly to Business Associates such as medical transcription organizations.
Therefore, health care providers should ask their medical transcription organization about privacy and security regulations and ensure that they are contractually obligated to comply with HIPAA regulations.
What is the penalty for HIPAA non-compliance?
The maximum civil penalty for multiple violations by a Covered Entity during a calendar year is capped at $25,000.
However, HIPAA also allows for criminal penalties for Covered Entities who knowingly obtain or disclose individually identifiable health information. The maximum penalty is a fine of $50,000 and imprisonment for one year. If the offense is committed under false pretenses, the maximum penalty is $100,000 and imprisonment for five years. If the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the maximum penalty is a fine of $250,000 and imprisonment for ten years.
What rights does the patient have under HIPAA?
HIPAA provides patients with many new rights in relation to their healthcare information, including (but not limited to):
- The right to review their entire medical record
- The right to request changes within documentation, which can be denied by the physician for specific reasons
- The right to request documentation of every time their PHI was accessed, along with the identity of who accessed it and their specific reason for doing so
- The right to know how much of their PHI was shared
- The right to know what the facility's (Covered Entity's) policies and procedures are for security and privacy
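The audit trail described above (every access to a document recorded with the actor, the actor's role, the time, and the reason) is what lets a provider answer a patient's request for an accounting of who accessed their PHI. The following Python is an added example, not Katwa's code and not a description of Katwa's actual schema; the class names, roles, action names and sample events are constructed for illustration. It records append-only events, refuses an access that does not state a reason, and produces the per-document accounting a patient may request.

```python
"""Constructed example: an append-only audit trail for PHI access and edits."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class AuditEvent:
    """One recorded access to a document (who, in what role, when, what, why)."""
    timestamp: str      # ISO 8601 in UTC, so events from different sites sort correctly
    document_id: str
    actor: str          # login of the person who accessed the document
    role: str           # e.g. "transcriptionist", "physician", "administrator"
    action: str         # "view", "edit", "sign" or "deliver"
    reason: str         # stated purpose of the access; required, never empty


class AuditTrail:
    """Append-only log: there is deliberately no method to alter or delete events."""

    MODIFYING_ACTIONS = {"edit", "sign"}

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, document_id: str, actor: str, role: str, action: str,
               reason: str, when: Optional[datetime] = None) -> AuditEvent:
        # An access without a stated reason cannot be accounted for later, so reject it.
        if not reason.strip():
            raise ValueError("every PHI access must record a reason")
        if not actor or not role:
            raise ValueError("actor and role are required")
        ts = (when or datetime.now(timezone.utc)).isoformat()
        event = AuditEvent(ts, document_id, actor, role, action, reason)
        self._events.append(event)
        return event

    def accounting_for(self, document_id: str) -> List[AuditEvent]:
        """Every recorded access to one document, in the order it happened."""
        return [e for e in self._events if e.document_id == document_id]

    def modifications(self, document_id: str) -> List[AuditEvent]:
        """Only the events that changed the document (editor, role, time of edit)."""
        return [e for e in self.accounting_for(document_id)
                if e.action in self.MODIFYING_ACTIONS]

    def actors_with_access(self, document_id: str) -> List[str]:
        """Distinct people who have touched the document, for a patient's request."""
        return sorted({e.actor for e in self.accounting_for(document_id)})


def build_sample_trail() -> AuditTrail:
    """Constructed sample: a transcriptionist drafts a report, a physician reviews and signs it."""
    trail = AuditTrail()
    t0 = datetime(2003, 4, 14, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    trail.record("DOC-0001", "mt.example", "transcriptionist", "edit",
                 "transcribe dictation", when=t0)
    trail.record("DOC-0001", "dr.example", "physician", "view",
                 "review transcript", when=t0.replace(hour=11))
    trail.record("DOC-0001", "dr.example", "physician", "sign",
                 "approve final report", when=t0.replace(hour=11, minute=5))
    return trail


if __name__ == "__main__":
    sample = build_sample_trail()
    for ev in sample.accounting_for("DOC-0001"):
        print(f"{ev.timestamp}  {ev.actor:<12} {ev.role:<16} {ev.action:<6} {ev.reason}")
```

The accounting report is produced by filtering the log, never by a separate table that could drift from it; a production system would additionally persist the events to storage the application account cannot rewrite.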
As patients become aware of these rights, health care providers should be prepared to deal with any legitimate requests patients may have.