Explained by Raymond F. Posa, MBA
Technology Advisor to the American Academy of Podiatric Practice
President, R. Francis Associates
Offshore Transcription and HIPAA
I was recently forwarded an
article regarding offshore transcription and the possible dangers that may
be attached to it.
The original article was part of a LAZARUS AT LARGE piece written by David
Lazarus. The article in part said:
“A woman in Pakistan doing cut-rate clerical work for UCSF Medical
Center threatened to post patients' confidential files on the Internet
unless she was paid more money. To show she was serious, the woman
sent UCSF an e-mail earlier this month with actual patients' records
The violation of medical privacy - apparently the first of its
kind - highlights the danger of ‘off shoring’ work that
involves sensitive materials, an increasing trend among budget-conscious
U.S. companies and institutions.
U.S. laws maintain strict standards to protect patients' medical data.
But those laws are virtually unenforceable overseas, where much of the
labor-intensive transcribing of dictated medical notes to written form is
I read this and was not surprised, but don’t take it to mean that this is
only an overseas issue. When you contract with a firm for transcription, for example, you have a
Business Associates Agreement (BAA) with that company. The purpose
of the BAA is to protect and insulate you from outsourced liabilities and
it extends the reach of HIPAA beyond covered entities.
A rogue employee can commit such an act whether here on Main Street USA or
halfway around the world. A disgruntled employee at your local computer
software company could release all of your patient information on the web
just as easily as this transcriptionist did.
Your responsibility is to protect yourself with a BAA; economic market
forces will take care of the rest. If a company has an incident as
described, it is up to that company to respond aggressively to the
employee and prosecute to the full extent of the law in order to instill
confidence in their clients that they take this matter seriously.
This is also a great example of why you must have a BAA with any
non-covered entity who has access to your patient data. You should
also make sure that your BAA requires the associate to carry
liability insurance to protect you in the event that one of the associate’s
employees does breach confidentiality.
- Just Another HIPAA Three-Letter Word, Or,
A Glimpse of the HIPAA Dark Side
I recently read a
story about one of the Blue Shields regarding HIPAA-compliant
electronic claims. They said that if submissions have
more than a few problematic claims they are rejecting
the entire submission (prior to HIPAA
they would accept most claims and reject only the
problem claims). In addition, they are only advising
the sender of 3 rejections at a time. Therefore, they
end up fixing the first 3, resending the file and then
getting 3 more! On top of that, the providers have to
wait for the rejection report that they used to get
What they are experiencing is the TCS Train Wreck.
By law, payors do not have to accept non-compliant
claims after October 16, 2003. This is the date when
TCS (transaction code sets) went into effect.
I was a recent participant at the National HIPAA
Summit in Baltimore and one of the topics that my
partner, David Fienberg (one of the developers of the
X12 code sets), spoke about was the train wreck that
could occur if all payors stopped payments on
non-compliant transactions. It would bring the medical
industry to a grinding halt. Realizing this, and
the fact that Medicare itself is not fully compliant,
the government implemented the TCS contingency plan,
which basically says that they will continue to accept
legacy claims, i.e. paper and non-HIPAA-compliant
electronic claims, and allow providers more time to
test their electronic claims. Most payors have
followed the government’s lead on this, although
they are not required to.
It is imperative that all providers begin testing
their TCS and fully document their efforts. By law a
payor can refuse to pay claims and providers could be
fined for having non-compliant claims. What each
provider must do is have a fully documented Plan (Yes,
the one from October 2002, when everyone applied for
their extensions) and document their continuing
efforts to achieve compliance.
As for this Blue Shield, if they are going to withhold
payment because a claim was non-compliant, I would
suggest throwing it right back at them. It sounds like
they are not compliant, either, and a case like this
would be one for the state insurance commissioner. You
see, if they say that claims are being rejected
because they are non-compliant, then their response
should be in the HIPAA-compliant format.
Briefly, here is how HIPAA transaction code sets are
supposed to work. Your claim gets formatted in the new
X12 format, the new universal format for claims.
It is then sent electronically to the payor.
Upon receipt the payor will generate a response code
set saying “we received your claim”; they can no
longer claim that your claim got lost or they never
received it. Once received they process the claim and
if there are exceptions they will, within 24 hours,
generate another code set that gets sent back to you
detailing ALL the exceptions, not just three at a
time. Under the HIPAA TCS you should always know in 24
hours what the status is of any claim.
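The exchange just described, together with the "three rejections at a time" problem from the Blue Shield story, as an added example that is not part of the original article. The record syntax borrows X12 conventions (segments end with "~", elements are separated by "*"), but the segment IDs, the claims and the validation rules are constructed for illustration and are not real 837 claims or real X12 acknowledgments.

```python
# Simplified model of the TCS exchange (constructed example, not real X12).
# Payor step 1 acknowledges receipt of the whole submission; payor step 2
# reports EVERY exception at once instead of three per rejection.
from __future__ import annotations
from datetime import datetime, timezone

# Segment IDs every claim must carry in this toy format (an assumption).
REQUIRED = ("CLM", "PAT", "DX", "PRV")
def parse_submission(raw: str) -> list[dict[str, list[str]]]:
    """Split a submission into claims: each claim maps segment ID -> elements."""
    claims, current = [], None
    for seg in filter(None, (s.strip() for s in raw.split("~"))):
        elems = seg.split("*")
        if elems[0] == "CLM":              # a CLM segment opens a new claim
            current = {}
            claims.append(current)
        if current is None:
            raise ValueError(f"segment {elems[0]} appears before the first CLM")
        current[elems[0]] = elems[1:]
    return claims

def acknowledge(claims: list) -> dict:
    """Payor step 1: confirm receipt so a claim can never 'get lost'."""
    return {"status": "RECEIVED", "count": len(claims),
            "received_at": datetime.now(timezone.utc).isoformat()}

def validate(claims: list) -> list[str]:
    """Payor step 2: report every exception in one pass, not three at a time."""
    exceptions = []
    for c in claims:
        cid = c["CLM"][0] if c.get("CLM") else "?"
        for seg in REQUIRED:
            if seg not in c:
                exceptions.append(f"{cid}: missing {seg} segment")
        charge = c["CLM"][1] if len(c.get("CLM", [])) > 1 else ""
        if not charge.replace(".", "", 1).isdigit():
            exceptions.append(f"{cid}: charge amount {charge!r} is not numeric")
    return exceptions

def resubmission_rounds(n_exceptions: int, reported_per_round=None) -> int:
    """Round trips to clear n exceptions when the payor reports only
    reported_per_round of them per rejection; None means all at once."""
    if n_exceptions == 0:
        return 0
    if reported_per_round is None:
        return 1
    return -(-n_exceptions // reported_per_round)   # ceiling division

# Constructed sample: five claims, four of them defective in seven ways.
SAMPLE = ("CLM*C001*125.00~PAT*DOE*JANE~DX*D01~PRV*1234567890~"
          "CLM*C002*ABC~PAT*ROE*RICHARD~DX*D02~"
          "CLM*C003*80.00~PAT*POE*PAT~PRV*1234567890~"
          "CLM*C004*45.50~PRV*1234567890~"
          "CLM*C005*1O.00~PAT*BLOGGS*JOE~DX*D03~")

if __name__ == "__main__":
    claims = parse_submission(SAMPLE)
    print(acknowledge(claims), *validate(claims), sep="\n")
    print("rounds, 3 at a time vs all at once:",
          resubmission_rounds(7, 3), resubmission_rounds(7, None))
```

With seven exceptions in the batch, a payor that reports three per rejection forces three resubmission rounds; a full exception report clears them in one.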
Unfortunately, the payors are depending upon the HIPAA
confusion to hold up payments because once fully
implemented, their payout cycle will go from weeks to
days, and that will cost them huge amounts of money.
Once we understand the motivations of the payors it
all becomes very clear. The payors are being so
gracious by allowing providers to continue to use
legacy submissions because they get to hold on to the
money much longer than they could under HIPAA.
That’s TCS in a nutshell.
So a word to the wise: if you are not testing and/or
documenting real efforts to become compliant, in early
2004 you risk having your payments cut off.
HIPAA Security Ideas - Part 5
Have you ever thought about a parachute?
It’s a nice invention. Could you imagine having to wear one all the
time? It would be cumbersome and awkward, but could you imagine not having
one when jumping from an airplane? Computer backup systems are the same
way. They can be a nuisance and a bit of a bother, but like a parachute,
when you need one nothing else will do.
I have seen so many cases over the years where clients blindly put tapes into
their backup units, assume they work and the next day switch tapes and just go
about their business. As a matter of sound business practice, you need to
test and verify your backups to make sure that they are actually backing up your
data properly and the information is without errors.
Under HIPAA security rules, not only are you required to perform regular
backups, but you are also required to test and verify that the backup was
successful. But you must also have a procedure to make sure you can
restore the data and you must also have a provision to make sure you keep a copy
safe and off-site.
Conventional tape backups are fairly easy to use but making sure that they are
meeting the contingency requirements of HIPAA can be a laborious effort for your
staff and may even be beyond what the staff can do themselves.
To every HIPAA problem there seems to be a HIPAA solution. Actually, this
solution has been around for several years but is now finding a new niche in the
medical field, especially in small offices. It is web-based backup
services. There are many companies offering this service. The way
they work is as follows: special client backup software is installed on your
computer. This software runs a batch every night just like a tape would.
The backup client takes your backup, compresses it and encrypts it with 128-bit encryption.
It then sends it to a remote server, where it is received and processed.
The remote server opens the files and verifies the data against a known copy in
your folder. The server then recovers a file from your backup to ensure
its integrity. The remote server now puts together a report with all of
the vital information about your backup and E-mails you a report. Every
morning you have an E-mail confirming that your backup has taken place, was
successful and is fully restorable.
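The verify-and-report step of the service described above, as an added example written for this article rather than any vendor's client software. The sample folder, file names and report fields are constructed; encryption of the archive before upload is assumed to happen elsewhere and is not shown.

```python
# Added example: build a compressed backup with a SHA-256 manifest, verify the
# archive against it, test-restore one file, and return the morning report.
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(source: Path, archive: Path) -> dict:
    """Client side: compress the folder and record a hash of every file."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest

def verify_backup(archive: Path, manifest: dict, test_file: str) -> dict:
    """Server side: check every member against the manifest, then really
    restore one file and re-hash it so the report proves restorability."""
    problems, restored_ok = [], False
    with tarfile.open(archive, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for rel, expected in manifest.items():
            if rel not in members:
                problems.append(f"missing from archive: {rel}")
            elif hashlib.sha256(tar.extractfile(members[rel]).read()).hexdigest() != expected:
                problems.append(f"hash mismatch: {rel}")
        if test_file in members:
            with tempfile.TemporaryDirectory() as restore_dir:
                tar.extract(members[test_file], path=restore_dir)
                restored_ok = sha256_file(Path(restore_dir, test_file)) == manifest.get(test_file)
    return {"when": datetime.now(timezone.utc).isoformat(), "files": len(manifest),
            "problems": problems, "test_restore": test_file,
            "restorable": restored_ok, "successful": not problems and restored_ok}

def run_demo(tamper: bool = False) -> dict:
    """Back up a constructed sample practice folder and verify it; tamper=True
    corrupts one manifest hash to show what a failed report looks like."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "practice")
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "schedule.txt").write_text("09:00 follow-up visit\n")
        (src / "billing.csv").write_text("claim,amount\nC001,125.00\n")
        archive = Path(work, "nightly.tar.gz")
        manifest = make_backup(src, archive)
        if tamper:
            manifest["billing.csv"] = "0" * 64   # simulate an altered or corrupted copy
        return verify_backup(archive, manifest, "charts/schedule.txt")

if __name__ == "__main__":
    print(run_demo())
```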
These services are very inexpensive, as low as $25 a month. They address
several points of concern in HIPAA security compliance. They provide a
safe, hands-off approach to backing up your data; they keep your data safe and
off-site; they provide you with documentation that you are meeting and exceeding
the HIPAA mandates; and they relieve your staff of the responsibility of
performing the backups themselves.
HIPAA Security Ideas - Part 4
In the last few articles I
discussed preventing unauthorized access to your computer workstations
via Biometrics, I discussed protecting your data from malicious
software via Anti-Virus software and I discussed protecting discarded
PHI via shredders. In this article I will discuss one of the
most overlooked pieces of security, Firewalls. Firewalls are
designed to prevent unauthorized access to your computers from the
The broadband explosion has provided Internet users with a better,
faster solution than the traditional dial-up connections we've been
used to over the years. That's the good news. The bad news
is, broadband connections have some drawbacks, the most serious of
which is the fact that they are "always on." A
connection that never shuts off is a hacker's dream. Hackers
like "always-on" connections like DSL, cable modems and T1
lines because they're always there and they're predictable. This
isn't to say that broadband connections are bad. Quite the
contrary: Broadband is a great technology. Users just need to
make sure they're using the appropriate level of protection that a
firewall solution can offer.
Without a firewall in place, hackers can access your PHI and either
use it for their own purposes or disseminate it to the world at large.
A hacker in your system can have other serious consequences. For
Lost Data - What if someone deleted data on your office's
network? What if you didn't have that data backed up? How
much would that cost you?
Down Time - What would it cost in terms of labor to restore
lost or damaged data? What would be the cost in lost
productivity, having an office full of employees sitting around
waiting for the computer system to be restored?
Computer Jacking - Do you like impersonators? Well,
hackers who get control of your computer can launch attacks against
other networks using your computer. When the cyber police find
out, guess who they're going to be looking for?
Attacks like those previously mentioned occur in many forms.
Some are minor while others create havoc and do a lot of damage.
Firewalls are a great way to protect your practice’s computers from
intruders. They're designed to defend against attack by
implementing a series of rules that permit, or deny, traffic to pass
between your network and the Internet. Based on the way these
rules are set, the inbound and outbound flow of information may be
extremely tight or very relaxed. The trick is to maintain a
balance between your practice’s need for security and your
employees' need to get their work done without interference.
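A tiny first-match packet filter that models the permit/deny rule lists described above, added as an example for this article; it is not any vendor's firewall, and the practice network, the ports and the rule syntax are assumptions. It shows a "very relaxed" rule set beside a "tight" one evaluated against the same sample traffic.

```python
# Added example: first-match permit/deny evaluation of connection attempts
# between a practice LAN and the Internet (constructed, vendor-neutral model).
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # constructed practice network

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str              # "in" = Internet -> LAN, "out" = LAN -> Internet
    proto: str = "any"          # "tcp", "udp" or "any"
    dport: int | None = None    # None matches any destination port

def direction_of(src: str, dst: str) -> str:
    """Classify a connection by which side of the firewall it starts from."""
    return "out" if ip_address(src) in LAN and ip_address(dst) not in LAN else "in"

def evaluate(rules: list[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; a connection no rule mentions is denied.
    Only connection *initiation* is modelled; a real firewall also tracks
    state so replies to permitted outbound connections are let back in."""
    d = direction_of(src, dst)
    for r in rules:
        if (r.direction == d and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"

# "Very relaxed": everything is allowed in both directions.
RELAXED = [Rule("permit", "in"), Rule("permit", "out")]

# "Tight": staff can browse, send mail and resolve names; nothing from outside
# may open a connection inward, and unexpected outbound traffic is blocked too.
TIGHT = [
    Rule("permit", "out", "tcp", 80),
    Rule("permit", "out", "tcp", 443),
    Rule("permit", "out", "tcp", 25),
    Rule("permit", "out", "udp", 53),
    Rule("deny", "in"),              # explicit default-deny for inbound
]

# Constructed sample traffic: (src, dst, proto, dport, description).
SAMPLE_TRAFFIC = [
    ("192.168.1.20", "203.0.113.10", "tcp", 443, "staff member browsing a web site"),
    ("198.51.100.7", "192.168.1.5", "tcp", 445, "outside host probing file sharing"),
    ("192.168.1.20", "203.0.113.10", "tcp", 6667, "workstation opening an unexpected outbound port"),
]

def audit(rules: list[Rule]) -> dict[str, str]:
    """Run the sample traffic through a rule set; returns description -> verdict."""
    return {desc: evaluate(rules, s, d, p, port) for s, d, p, port, desc in SAMPLE_TRAFFIC}

if __name__ == "__main__":
    for name, rules in (("relaxed", RELAXED), ("tight", TIGHT)):
        print(name, audit(rules))
```

The relaxed set permits all three connections, including the probe of the file-sharing port from outside; the tight set permits only the staff member's web browsing.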
Firewalls are absolutely necessary and are not very expensive. I
would strongly suggest having the firewall installed by an expert.
While anyone can take it out of the box and plug it in, the trick is
to configure it properly. Otherwise, it becomes a useless piece
of hardware sitting on your network not protecting you, and only
providing you a false sense of security until your network is
HIPAA Security Ideas - Part 3
Anti-Virus Software and Operating System Patches
Anti-Virus software is essential in today’s
computer environment, so much so that I tell clients to not even
bother running their PCs if they are not running up-to-date virus
software. Why? Because viruses are so prolific that in a
very short time you WILL get one. Anti-virus vendor watchdog
groups are reporting that new virus activity was up 17.5 percent over
the past six months, and viruses are getting more sophisticated, with
more sophisticated targeting.
Just to demonstrate this fact for my clients, my anti-virus program
has an audible alert option that I can switch on for demonstration
purposes; it goes off every time a virus attempts to enter my system.
When activated, it will beep every 5 to 10 seconds all day every day,
that’s how bad things are.
Some users believe it won’t happen to them or they can’t afford
the software or the update subscriptions. My response is, you
can’t afford not to have it. The cost of repairing a system
after being infected will cost much more than even the most expensive
anti-virus software; plus you can’t even put a monetary value on the
cost of lost data. I consider the money paid for anti-virus
software to be part of the operating expense of a computer, just like
In just the last two weeks we have had some real nasty viruses make
their presence felt. We had the Backdoor.Prorat which is a
backdoor Trojan Horse that gives its creator full control over your
computer, by opening port 58343. Due to the high number of
infections, this virus has been upgraded to a Category 4 from a
Category 3 threat.
Another one we just had to deal with is W32.Bugbear. It is a
mass-mailing worm that also spreads through network shares. It
is polymorphic and also infects executable files. It also
possesses keystroke-logging and backdoor capabilities and attempts to
terminate the processes of various antivirus and firewall programs.
Under HIPAA security requirements you are required to safeguard your
systems from outside intrusion, and failing to do so is a violation.
Virus attacks and outside hacks are considered “common knowledge”
and you are responsible to implement procedures to prevent intrusions.
Just installing anti-virus software is not enough. You must
configure it so that it will quarantine the virus and/or delete it.
You need to also make sure the virus patterns that the manufacturer
provides are up to date. You also need to know how and when the
manufacturer updates its virus tables. For example, Norton has
an auto-update capability built into its software. The thing to
know about Norton is that even though you are doing an update every
day, Norton only updates its server every Wednesday; so the rest of
the days of the week you are not getting anything new. In order
to get the new daily update you have to go manually to the Norton site
and manually download the daily update. This is important because the
Backdoor virus was deployed to exploit this fact and it came out on
Thursday and infected many systems, before users were able to get the
The key is to know your anti-virus software and very specifically how
it functions and any limitations it may have.
Once you have your anti-virus software installed and configured and
getting its updates, you’re done, right? Wrong. There is
another key component that must also be done: that is updating your
operating system. Microsoft Windows from 95 on has a Windows
update feature that goes out to the Microsoft web site and gets all of
the latest patches for your version of Windows. This is critical
because many viruses are written to exploit vulnerabilities in
Windows. Even though you have anti-virus software, if you have
critical holes in Windows you are still subject to getting a virus.
The anti-virus software also depends upon the Operating system being
You should be checking for Windows updates on a daily basis. In
Windows 98 and later, Windows has a scheduler feature whereby Windows
will automatically go to the Microsoft update site and find any new
critical updates and download them for you. It will then have a
little pop-up alert letting you know that the updates are downloaded
and ready to be installed.
Be safe: stay current with your Windows updates and anti-virus
HIPAA Security Ideas - Part 2
Does anyone remember the Lunar
Space program of the ’60s? There were so many technologies
developed for that program that eventually made their way into
everyday life; can anyone say Teflon? Likewise, biometrics has
evolved from the security needs of the government to the consumer
Biometrics is any security device that uses unique physical attributes
of the users to identify themselves. There are currently face
scanners, palm scanners, retina scanners and fingerprint scanners on
the market today. For our purposes I will confine this
discussion to fingerprint scanners. The fingerprint scanners are
the least expensive of the biometric devices yet still offer
The way the fingerprint systems work is as follows. The scanners
come bundled with security software that acts as an overlay on your
desktop. The software intercepts the log in procedure and
requires a fingerprint input in order to proceed. The software
also has a registration process that scans each person’s fingerprint
and digitally records it as a template computed by an algorithm, so it never
keeps a "picture" of your actual fingerprint. The
scanning software then works in conjunction with the Windows operating
system security and allows you to assign rights and permissions to
each user. It is really a fascinating piece of technology.
Now for the sixty-four-thousand-dollar question: what does this have
to do with my practice? The answer is HIPAA. Under the
security rules that were just finalized and become mandatory in April
of 2005, you are required to secure all your computers by the
1) Each user has their own unique log in name and password of a
minimum of 6 characters.
2) No users shall know or use another person's password.
3) The passwords must be changed at least every 90 days.
4) The passwords must have the proper access level assigned to them
based upon the person’s job function.
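An access-control audit for the four rules just listed, added as an example for this article and not taken from any product. The account records, the role-to-permission table and the hashing parameters are assumptions; rule 2 (nobody uses another person's password) is noted in the code as the one an audit of stored records cannot prove.

```python
# Added example: enforce the password-length rule at change time and audit
# stored accounts for unique logins, password age and role-appropriate access.
from __future__ import annotations
import hashlib, os
from datetime import date, timedelta

MIN_PASSWORD_LEN = 6                    # rule 1
MAX_PASSWORD_AGE = timedelta(days=90)   # rule 3

# Assumed mapping of job function to the access that role should hold (rule 4).
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_chart", "prescribe"},
    "billing": {"read_chart", "submit_claims"},
    "front_desk": {"schedule", "read_demographics"},
}

def set_password(account: dict, password: str, today: date) -> None:
    """Enforce the length rule at change time and store only a salted hash."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    account["password_hash"] = salt.hex() + ":" + digest.hex()
    account["password_changed"] = today

def audit_accounts(accounts: list[dict], today: date) -> list[str]:
    """One finding per violation of rules 1, 3 and 4. Rule 2 (nobody uses
    another person's password) cannot be proven from the stored records,
    which is exactly the gap the fingerprint scanners described next close."""
    findings, seen_logins = [], {}
    for a in accounts:
        login = a["login"]
        if login in seen_logins:
            findings.append(f"{login}: login name shared with {seen_logins[login]}")
        seen_logins.setdefault(login, a["name"])
        if today - a["password_changed"] > MAX_PASSWORD_AGE:
            findings.append(f"{login}: password older than {MAX_PASSWORD_AGE.days} days")
        extra = a["permissions"] - ROLE_PERMISSIONS[a["role"]]
        if extra:
            findings.append(f"{login}: permissions beyond role {a['role']}: {sorted(extra)}")
    return findings

# Constructed sample accounts; the hashes are placeholders, not real digests.
TODAY = date(2003, 11, 3)
ACCOUNTS = [
    {"login": "drsmith", "name": "Dr. Smith", "role": "physician",
     "password_hash": "placeholder1", "password_changed": date(2003, 9, 15),
     "permissions": {"read_chart", "write_chart", "prescribe"}},
    {"login": "mary", "name": "Mary", "role": "front_desk",
     "password_hash": "placeholder2", "password_changed": date(2003, 5, 1),
     "permissions": {"schedule", "read_demographics", "submit_claims"}},
    {"login": "drsmith", "name": "Dr. Smith (laptop)", "role": "physician",
     "password_hash": "placeholder3", "password_changed": date(2003, 10, 20),
     "permissions": {"read_chart"}},
]

if __name__ == "__main__":
    print("\n".join(audit_accounts(ACCOUNTS, TODAY)) or "no findings")
```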
The reality of the situation is that if you use complex passwords and
change them frequently, people will forget them; then the system
administrator has to redo their account and set up a new password.
Worse yet, if they can't remember the password, they will write it
on a sticky note and put it where they can find it easily, like on
the screen. Also, in a small office, people are close and share
information and they will share their passwords. By using the
fingerprint scanners you eliminate all of that and actually make
logging in fast and easy. The person just touches the
fingerprint scanner and in about a second they are logged in. It
takes no thought, just press and go. The scanner's software
knows who it is that is logging in and gives them the rights and
permissions that they are supposed to have. You can't lose your
password, you can't forget it, and you can't give it to someone else.
This is an outstanding way to provide security to your computer
system; it impresses the patients and the staff and best of all, it is
inexpensive, less than $150 per scanner. If you'd like more
information about it, contact me or visit our web site.
By: Raymond F. Posa, MBA
Technology Advisor to the American Academy of Podiatric Practice
President, R. Francis Associates
To be continued...
Any questions or comments can be addressed to
Mr. Posa by E-mail Rposa@Rfrancis.com
Or you can go to WWW.NJHIPAA.COM
for detailed information on HIPAA