Explained by Raymond F. Posa, MBA
Technology Advisor to the American Academy of Podiatric Practice Management
President, R. Francis Associates

Offshore Transcription and HIPAA
(Volume 55)

I was recently forwarded an article regarding offshore transcription and the possible dangers that may be attached to it.

The original article was part of a LAZARUS AT LARGE piece written by David Lazarus. The article in part said:
“A woman in Pakistan doing cut-rate clerical work for UCSF Medical Center threatened to post patients' confidential files on the Internet unless she was paid more money. To show she was serious, the woman sent UCSF an e-mail earlier this month with actual patients' records attached.
The violation of medical privacy, apparently the first of its kind, highlights the danger of ‘offshoring’ work that involves sensitive materials, an increasing trend among budget-conscious U.S. companies and institutions.
U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported.”

I read this and was not surprised, but don't read into this that it is an overseas issue. When you contract with a firm for transcription, for example, you sign a Business Associate Agreement (BAA) with that company. The BAA binds the associate, by contract, to safeguard your patients' information the way HIPAA requires you to safeguard it; it is the mechanism by which HIPAA's reach extends beyond covered entities to the vendors who handle their PHI, and it is what lets you hold the vendor responsible when something goes wrong.

A rogue employee can commit such an act whether on Main Street USA or halfway around the world. Your local computer software company could just as easily have a disgruntled employee who releases all of your patient information on the web, exactly as this transcriptionist threatened to.

Your responsibility is to protect yourself with a BAA; economic market forces will take care of the rest. If a company has an incident like the one described, it is up to that company to respond aggressively, prosecute the employee to the full extent of the law, and so show its clients that it takes the matter seriously. Keep in mind what a BAA does and does not do: it fixes responsibility after the fact, but it cannot pull records back off the Internet once they are posted, so send a transcription service only the minimum information it needs to do the job.

This is also a great example of why you must have a BAA with any non-covered entity that has access to your patient data. Make sure your BAA also requires the associate to carry liability insurance to protect you in the event one of the associate's employees breaches confidentiality, and to report any such breach or security incident to you promptly; you cannot respond to a disclosure you never hear about.

TCS  -  Just Another HIPAA Three-Letter Word,  Or,  A Glimpse of the HIPAA Dark Side
(Volume 53)

I recently read a story about one of the Blue Shield plans regarding HIPAA-compliant electronic claims. They said that if a submission has more than a few problematic claims they reject the entire submission (prior to HIPAA they would accept most claims and reject only the problem claims). In addition, they advise the sender of only 3 rejections at a time, so the provider fixes the first 3, resends the file, and then gets 3 more! On top of that, providers have to wait for the rejection report that they used to get immediately.

What they are experiencing is the TCS Train Wreck.

By law, payors do not have to accept non-compliant claims after October 16, 2003, the date the TCS (Transactions and Code Sets) standards went into effect.

I was a recent participant at the National HIPAA Summit in Baltimore, and one of the topics that my partner, David Fienberg (one of the developers of the X12 code sets), spoke about was the train wreck that could occur if all payors stopped payment on non-compliant transactions. It would bring the medical industry to a grinding halt. Realizing this, and the fact that Medicare itself is not fully compliant, the government implemented the TCS contingency plan, which basically says that payors will continue to accept legacy claims, i.e., paper and non-HIPAA-compliant electronic claims, and allow providers more time to test their electronic claims. Most payors have followed the government's lead on this, although they are not required to.

It is imperative that all providers begin testing their TCS transactions and fully document their efforts. By law a payor can refuse to pay non-compliant claims, and providers can be fined for submitting them. Each provider must have a fully documented compliance plan (yes, the one from October 2002, when everyone applied for their extensions) and must document their continuing efforts to achieve compliance.

As for this Blue Shield, if they are going to withhold payment because a claim was non-compliant, I would suggest throwing it right back at them. It sounds like they are not compliant either, and a case like this would be one for the state insurance commissioner. You see, if they say that claims are being rejected because they are non-compliant, then their rejection response should itself be in the HIPAA-compliant format.

Briefly, here is how the HIPAA transactions and code sets are supposed to work. Your claim is formatted in the X12 format (the 837 claim transaction), the new universal format for claims, and sent electronically to the payor. On receipt the payor returns an acknowledgement transaction saying "we received your claim", so they can no longer claim that your claim got lost or was never received. Once received, they process the claim and, if there are exceptions, generate within 24 hours another transaction back to you detailing ALL the exceptions, not just three at a time. Under the HIPAA TCS you should always know within 24 hours what the status of any claim is.
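The envelope bookkeeping a payor's front end performs before it ever looks at the claims inside a file, as an added example that is not part of the original column and not any payor's software. The interchange is constructed for illustration: its ISA/GS/ST headers and SE/GE/IEA trailers follow the X12 envelope conventions, while the claim segments between them are a skeleton, not a conformant 837. The point is the one the column makes about rejection reports: the validator collects every envelope error and returns them all at once instead of stopping after the first few.

```python
"""Envelope check for an ASC X12 interchange that reports every problem found.

Added example, not from the original column and not any payor's software.
The sample interchange below is constructed for illustration: ISA/GS/ST
headers and SE/GE/IEA trailers follow X12 envelope conventions, but the
claim segments between them are a skeleton, not a conformant 837 claim.
"""

ELEMENT_SEP = "*"
SEGMENT_TERM = "~"


def parse_segments(interchange: str) -> list[list[str]]:
    """Split raw X12 text into segments; element 0 of each is the segment ID."""
    raw = interchange.replace("\n", "")
    return [seg.split(ELEMENT_SEP) for seg in raw.split(SEGMENT_TERM) if seg.strip()]


def elem(segment: list[str], n: int) -> str:
    """Element n of a segment (1-based, as the X12 spec numbers them), or "" if absent."""
    return segment[n] if n < len(segment) else ""


def validate_envelope(interchange: str) -> list[str]:
    """Return every envelope error found; an empty list means the envelope is clean.

    Checks: ISA carries 16 elements; IEA02 echoes ISA13 and IEA01 counts the
    functional groups; each GE02 echoes its GS06 and GE01 counts the transaction
    sets in the group; each SE02 echoes its ST02 and SE01 counts the segments
    from ST through SE inclusive.
    """
    errors: list[str] = []
    segs = parse_segments(interchange)
    if not segs or segs[0][0] != "ISA":
        return ["interchange does not begin with an ISA segment"]
    isa = segs[0]
    if len(isa) - 1 != 16:
        errors.append(f"ISA carries {len(isa) - 1} elements, expected 16")

    groups = 0
    gs = st = None            # the GS / ST segment currently open, if any
    sets_in_group = 0
    st_index = 0
    for i, seg in enumerate(segs):
        tag = seg[0]
        if tag == "GS":
            gs, sets_in_group = seg, 0
            groups += 1
        elif tag == "GE":
            if gs is None:
                errors.append(f"segment {i}: GE without a preceding GS")
                continue
            if elem(seg, 2) != elem(gs, 6):
                errors.append(f"GE02 {elem(seg, 2)!r} does not match GS06 {elem(gs, 6)!r}")
            if elem(seg, 1) != str(sets_in_group):
                errors.append(f"GE01 says {elem(seg, 1)!r} transaction sets, found {sets_in_group}")
            gs = None
        elif tag == "ST":
            st, st_index = seg, i
            sets_in_group += 1
        elif tag == "SE":
            if st is None:
                errors.append(f"segment {i}: SE without a preceding ST")
                continue
            expected = i - st_index + 1
            if elem(seg, 1) != str(expected):
                errors.append(f"SE01 says {elem(seg, 1)!r} segments, counted {expected}")
            if elem(seg, 2) != elem(st, 2):
                errors.append(f"SE02 {elem(seg, 2)!r} does not match ST02 {elem(st, 2)!r}")
            st = None

    iea = segs[-1]
    if iea[0] != "IEA":
        errors.append("interchange does not end with an IEA segment")
    else:
        if elem(iea, 1) != str(groups):
            errors.append(f"IEA01 says {elem(iea, 1)!r} functional groups, found {groups}")
        if elem(iea, 2) != elem(isa, 13):
            errors.append(f"IEA02 {elem(iea, 2)!r} does not match ISA13 {elem(isa, 13)!r}")
    return errors


# Constructed sample: one functional group holding one skeletal 837 transaction set.
GOOD = """ISA*00*          *00*          *ZZ*SUBMITTERID    *ZZ*PAYERID        *031016*1200*U*00401*000000001*0*T*:~
GS*HC*SUBMITTERID*PAYERID*20031016*1200*1*X*004010X098A1~
ST*837*0001~
BHT*0019*00*0123*20031016*1200*CH~
NM1*41*2*PODIATRY ASSOCIATES*****46*SUBMITTERID~
CLM*PATIENT001*150***11:B:1*Y*A*Y*Y~
SE*5*0001~
GE*1*1~
IEA*1*000000001~
"""

# The same file with four faults: wrong SE segment count, SE02 that does not
# echo ST02, GE02 that does not echo GS06, and IEA02 that does not echo ISA13.
BAD = (GOOD.replace("SE*5*0001", "SE*6*0002")
           .replace("GE*1*1", "GE*1*9")
           .replace("IEA*1*000000001", "IEA*1*000000002"))

if __name__ == "__main__":
    print("GOOD:", validate_envelope(GOOD) or "no envelope errors")
    for err in validate_envelope(BAD):
        print("BAD: ", err)
```

Run as a script it prints nothing for the clean file and all four faults for the damaged one in a single pass; a submitter who gets that whole list back can fix the file once instead of resubmitting three errors at a time.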

Unfortunately, the payors are depending upon the HIPAA confusion to hold up payments because once fully implemented, their payout cycle will go from weeks to days, and that will cost them huge amounts of money. Once we understand the motivations of the payors it all becomes very clear. The payors are being so gracious by allowing providers to continue to use legacy submissions because they get to hold on to the money much longer than they could under HIPAA.

That’s TCS in a nut-shell.

So a word to the wise: if you are not testing and/or documenting real efforts to become compliant, in early 2004 you risk having your payments cut off.

HIPAA Security Ideas - Part 5
(Volume 41)

Have you ever thought about a parachute?  It’s a nice invention.  Could you imagine having to wear one all the time?  It would be cumbersome and awkward, but could you imagine not having one when jumping from an airplane?  Computer backup systems are the same way.  They can be a nuisance and a bit of a bother, but like a parachute, when you need one nothing else will do.

I have seen so many cases over the years where clients blindly put tapes into their backup units, assume they work, and the next day switch tapes and go about their business. As a matter of sound business practice, you need to test and verify your backups to make sure that they are actually backing up your data properly and that the information is free of errors.

Under the HIPAA Security Rule's contingency plan standard, you are required not only to perform regular backups but also to have a disaster recovery procedure that can actually restore the data, and to test both so you know the backup succeeded and the restore works. Keeping a copy safe and off-site is what makes that recovery plan survive a fire, flood or theft at the office.

Conventional tape backups are fairly easy to use, but making sure they meet the contingency requirements of HIPAA can be a laborious effort for your staff and may even be beyond what the staff can do themselves.

To every HIPAA problem there seems to be a HIPAA solution. This one has actually been around for several years but is now finding a new niche in the medical field, especially in small offices: web-based backup services. Many companies offer them, and they work as follows. Special backup client software is installed on your computer. It runs a job every night, just as a tape backup would. The client gathers your data, compresses it and encrypts it with 128-bit encryption, then sends it to a remote server, where it is received and processed. The remote server opens the files and checks the data against the known copy in your folder, then recovers a file from your backup to prove that it restores. Finally the server assembles a report with the vital details of the backup and e-mails it to you. Every morning you have an e-mail confirming that your backup took place, succeeded and is fully restorable. Note what that design implies: if the service's server can open your files, the service holds your encryption key and is handling your PHI, so it is a business associate and needs a BAA just as a transcription firm does.
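The verification step the paragraph describes, as an added example that is not the column's or any backup vendor's software. It backs up a folder of constructed sample files (no real patient data), records a hash manifest, restores the archive into a scratch directory and compares every file against the manifest; then it runs the same check on a truncated copy of the archive to show the report a practice should refuse to accept. The tar.gz archive and SHA-256 manifest are this example's own choices, and encryption of the archive is left out so it runs on the standard library alone.

```python
"""Back up a folder, record a hash manifest, then prove the backup restores.

Added example, not the column's or any backup vendor's software. The sample
files are constructed (no real patient data), the tar.gz archive and SHA-256
manifest are this example's own choices, and encryption of the archive is
left out so the example runs with the standard library alone.
"""
import hashlib
import io
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(src: Path) -> tuple[bytes, dict[str, str]]:
    """Archive every file under src; return (tar.gz bytes, {relative path: sha256})."""
    manifest: dict[str, str] = {}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            manifest[rel] = sha256_of(path.read_bytes())
            tar.add(path, arcname=rel)
    return buf.getvalue(), manifest


def verify_backup(archive: bytes, manifest: dict[str, str]) -> dict:
    """Restore the whole archive into a scratch directory and compare each file
    with the manifest. 'restorable' is True only if every file came back intact.
    A backup that merely 'ran' without this step has not been verified."""
    report: dict = {"files": len(manifest), "missing": [], "mismatched": [], "restorable": False}
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # Refuse member paths that would escape the scratch directory.
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise tarfile.TarError(f"unsafe member path {member.name!r}")
            with tempfile.TemporaryDirectory() as scratch:
                # Use the safe extraction filter where this Python provides it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
                for rel, digest in manifest.items():
                    restored = Path(scratch, rel)
                    if not restored.is_file():
                        report["missing"].append(rel)
                    elif sha256_of(restored.read_bytes()) != digest:
                        report["mismatched"].append(rel)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        # A damaged or truncated archive is a failed backup, not an exception to ignore.
        report["error"] = f"{type(exc).__name__}: {exc}"
        return report
    report["restorable"] = not report["missing"] and not report["mismatched"]
    return report


def format_report(name: str, report: dict) -> str:
    """One-line summary of the kind a nightly confirmation e-mail should carry."""
    status = "RESTORABLE" if report["restorable"] else "FAILED"
    detail = report.get("error") or (
        f"{len(report['missing'])} missing, {len(report['mismatched'])} mismatched")
    return f"{name}: {status} ({report['files']} files in manifest; {detail})"


def run_demo() -> dict:
    """Build constructed sample files, back them up, verify the good archive,
    then verify a copy cut off after 64 bytes (the tape that ran out, the upload
    that died) to show the report a practice should refuse to accept."""
    with tempfile.TemporaryDirectory() as src:
        root = Path(src)
        (root / "charts").mkdir()
        (root / "charts" / "visit-note.txt").write_text("constructed sample chart note\n")
        (root / "billing.csv").write_text("claim,amount\nPATIENT001,150\n")
        archive, manifest = make_backup(root)
    return {
        "good": verify_backup(archive, manifest),
        "truncated": verify_backup(archive[:64], manifest),
    }


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(format_report(name, rep))
```

The good archive reports RESTORABLE with every manifest entry accounted for; the truncated copy reports FAILED with the decoding error that stopped the restore. That second line is the one worth reading in the morning: a backup log that says only "job completed" never tells you which of the two you have.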

These services are very inexpensive, as low as $25 a month, and they address several points of concern in HIPAA security compliance: they provide a safe, hands-off approach to backing up your data; they keep your data off-site; they give you documentation that you are meeting the HIPAA mandates; and they relieve your staff of the responsibility of performing the backups themselves.


HIPAA Security Ideas - Part 4
(Volume 38)

In the last few articles I discussed preventing unauthorized access to your computer workstations via biometrics, protecting your data from malicious software via anti-virus software, and protecting discarded PHI via shredders. In this article I will discuss one of the most overlooked pieces of security: firewalls. Firewalls are designed to prevent unauthorized access to your computers from the Internet.

The broadband explosion has given Internet users a better, faster option than the dial-up connections we have been used to over the years. That's the good news. The bad news is that broadband connections have some drawbacks, the most serious of which is that they are "always on." A connection that never shuts off is a hacker's dream. Hackers like "always-on" connections such as DSL, cable modems and T1 lines because they're always there and they're predictable: a machine reachable at the same address around the clock can be scanned, catalogued and returned to at leisure. This isn't to say that broadband connections are bad. Quite the contrary: broadband is a great technology. Users just need to make sure they're using the level of protection that a firewall can offer.

Without a firewall in place, hackers can access your PHI and either use it for their own purposes or disseminate it to the world at large.  A hacker in your system can have other serious consequences. For example:

Lost Data - What if someone deleted data on your office's network? What if you didn't have that data backed up? How much would that cost you?
Down Time - What would it cost in labor to restore lost or damaged data? What would be the cost in lost productivity, with an office full of employees sitting around waiting for the computer system to be restored?
Computer Jacking - Do you like impersonators? Hackers who get control of your computer can launch attacks against other networks using your computer. When the cyber police find out, guess who they're going to be looking for?

Attacks like those mentioned above come in many forms. Some are minor, while others create havoc and do a lot of damage.
Firewalls are a great way to protect your practice's computers from intruders. They defend against attack by applying an ordered series of rules that permit or deny traffic passing between your network and the Internet. Depending on how those rules are set, the inbound and outbound flow of information may be extremely tight or very relaxed. The trick is to maintain a balance between your practice's need for security and your employees' need to get their work done without interference.

Firewalls are absolutely necessary and are not very expensive. I would strongly suggest having the firewall installed by an expert. Anyone can take it out of the box and plug it in; the trick is to configure it properly, and then to prove the configuration: have the installer probe your connection from the Internet side to confirm that nothing answers that should not, and keep the rule list with your HIPAA documentation so you can show what the firewall permits and why. Otherwise, it becomes a useless piece of hardware sitting on your network, not protecting you and only providing a false sense of security until your network is compromised.
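How the rule evaluation described above plays out, as an added example that is not from the column or any firewall vendor. The addresses, rule sets and sample flows are constructed (192.168.1.0/24 stands for the office network, 203.0.113.0/24 and 198.51.100.0/24 for hosts on the Internet); the relaxed policy is the plugged-in-out-of-the-box case, the tight policy is what a properly configured small-practice firewall looks like, and the probe against port 58343 uses the backdoor port named in the Part 3 column on this page.

```python
"""First-match packet filter: an ordered rule list decides whether a flow is
permitted or denied, and the default policy decides everything no rule names.

Added example, not from the column or any firewall vendor. The addresses,
rule sets and sample flows are constructed: 192.168.1.0/24 stands for the
office network, 203.0.113.0/24 and 198.51.100.0/24 for hosts on the Internet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = Internet -> office, "out" = office -> Internet
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str   # "in", "out" or "any"
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR the source address must fall in
    dst: str         # CIDR the destination address must fall in
    dports: tuple    # destination ports; () matches any port
    action: str      # "allow" or "deny"
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        return (self.direction in ("any", flow.direction)
                and self.proto in ("any", flow.proto)
                and ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (not self.dports or flow.dport in self.dports))


def decide(rules: list, flow: Flow, default: str = "deny") -> tuple:
    """First matching rule wins, so rule order matters; if nothing matches,
    the default policy applies. Returns (action, reason)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.comment
    return default, f"default policy ({default})"


def evaluate(rules: list, flows: list, default: str = "deny") -> list:
    """The action taken on each flow, in order."""
    return [decide(rules, f, default)[0] for f in flows]


ANY = "0.0.0.0/0"
OFFICE = "192.168.1.0/24"

# The box as it comes out of the carton, or as a non-expert leaves it:
# one rule that lets everything through in both directions.
RELAXED = [Rule("any", "any", ANY, ANY, (), "allow", "everything permitted")]

# A tight policy for a small practice: staff may browse, resolve names and
# fetch mail; nothing from the Internet may initiate a connection inward.
TIGHT = [
    Rule("in", "tcp", ANY, OFFICE, (135, 139, 445), "deny", "Windows file sharing stays inside the office"),
    Rule("out", "tcp", OFFICE, ANY, (80, 443), "allow", "staff web access"),
    Rule("out", "udp", OFFICE, ANY, (53,), "allow", "DNS lookups"),
    Rule("out", "tcp", OFFICE, ANY, (25, 110), "allow", "office e-mail"),
    # no inbound allow rules at all: the default deny answers every other probe
]

# Constructed traffic: an Internet host probing the backdoor port named in the
# Part 3 column, a staff PC reaching a payor's web site, and an Internet host
# probing Windows file sharing (how worms that spread through network shares get in).
SAMPLE_FLOWS = [
    Flow("in", "tcp", "203.0.113.5", "192.168.1.10", 58343),
    Flow("out", "tcp", "192.168.1.20", "198.51.100.7", 443),
    Flow("in", "tcp", "203.0.113.5", "192.168.1.10", 445),
]

if __name__ == "__main__":
    for flow, relaxed, tight in zip(SAMPLE_FLOWS, evaluate(RELAXED, SAMPLE_FLOWS),
                                    evaluate(TIGHT, SAMPLE_FLOWS)):
        print(f"{flow.direction:>3} {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}"
              f"   relaxed={relaxed}  tight={tight}")
```

The relaxed policy passes all three flows, including both inbound probes; the tight one passes only the staff PC's outbound web connection. Order is the part that bites people: put the "everything permitted" rule ahead of the tight rules (RELAXED + TIGHT) and every deny below it is dead, which is exactly the useless-box-with-a-false-sense-of-security case described above.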


HIPAA Security Ideas - Part 3
Anti-Virus Software and Operating System Patches
(Volume 37)

Anti-virus software is essential in today's computer environment, so much so that I tell clients not to even bother running their PCs if they are not running up-to-date anti-virus software. Why? Because viruses are so prolific that in a very short time you WILL get one. Anti-virus vendor watchdog groups report that new virus activity was up 17.5 percent over the past six months, and that viruses are getting more sophisticated, with more sophisticated targeting.

Just to demonstrate this for my clients, my anti-virus program has an audible alert option that I switch on for demonstrations; it goes off every time a virus attempts to enter my system. When activated, it beeps every 5 to 10 seconds all day, every day. That's how bad things are.

Some users believe it won't happen to them, or that they can't afford the software or the update subscriptions. My response is: you can't afford not to have it. Repairing a system after an infection will cost far more than even the most expensive anti-virus software, and you can't even put a monetary value on lost data. I consider the money paid for anti-virus software part of the operating expense of a computer, just like electricity.

In just the last two weeks we have had some real nasty viruses make their presence felt. We had Backdoor.Prorat, a backdoor Trojan horse that gives its creator full control over your computer by opening port 58343. Due to the high number of infections, this threat has been upgraded from Category 3 to Category 4.

Another one we just had to deal with is W32.Bugbear.  It is a mass-mailing worm that also spreads through network shares.  It is polymorphic and also infects executable files.  It also possesses keystroke-logging and backdoor capabilities and attempts to terminate the processes of various antivirus and firewall programs.

Under the HIPAA security requirements you must safeguard your systems from outside intrusion, and failing to do so is a violation. Virus attacks and outside hacks are considered "common knowledge" threats, and you are responsible for implementing procedures to prevent them. Just installing anti-virus software is not enough. You must configure it so that it quarantines and/or deletes what it finds, and you must make sure the virus definitions the manufacturer provides are up to date.

You also need to know how and when the manufacturer publishes its updates. For example, Norton has an auto-update capability built into its software. The thing to know about Norton is that even though you run an update every day, Norton only posts a new definition set to its update server every Wednesday; the rest of the week the daily update brings you nothing new. To get the daily definitions you have to go to the Norton site and download them manually. This mattered with the Backdoor Trojan described above: it appeared on a Thursday and infected many systems before users had the new definitions.

The key is to know your anti-virus software, very specifically how it functions and any limitations it may have.

Once you have your anti-virus software installed, configured and getting its updates, you're done, right? Wrong. There is another key component: updating your operating system. Microsoft Windows from 95 on has a Windows Update feature that goes out to the Microsoft web site and gets the latest patches for your version of Windows. This is critical because many viruses are written to exploit vulnerabilities in Windows. Even with anti-virus software, if you have unpatched critical holes in Windows you are still exposed, and the anti-virus software itself depends on the operating system being secure.

You should be checking for Windows updates daily. In Windows 98 and later, Windows can be set to go to the Microsoft update site automatically, find any new critical updates and download them for you. It will then show a small pop-up alert letting you know that the updates are downloaded and ready to be installed.

Be safe: stay current with your Windows updates and anti-virus updates.


HIPAA Security Ideas - Part 2  
(Volume 34)

Does anyone remember the lunar space program of the '60s? So many technologies developed for that program eventually made their way into everyday life. Likewise, biometrics has evolved from the security needs of the government to the consumer market.

Biometrics means identifying a user by a unique physical attribute rather than by something they know. There are face scanners, palm scanners, retina scanners and fingerprint scanners on the market today. For our purposes I will confine this discussion to fingerprint scanners, which are the least expensive of the biometric devices yet still offer strong security.

Here is how the fingerprint systems work. The scanners come bundled with security software that acts as an overlay on your desktop. The software intercepts the login procedure and requires a fingerprint in order to proceed. It also has a registration process that scans each person's fingerprint and stores it as a template, a mathematical summary of the print's distinguishing features, so it never keeps a "picture" of your actual fingerprint. (That template is still sensitive data: unlike a password, a fingerprint cannot be changed if the template leaks, so the registration database deserves the same protection as your PHI.) The scanning software then works in conjunction with the Windows operating system security and lets you assign rights and permissions to each user. It is really a fascinating piece of technology.

Now for the sixty-four-thousand-dollar question: what does this have to do with my practice? The answer is HIPAA. Under the security rules that were just finalized and become mandatory in April of 2005, you must secure your computers with unique user identification and password-management procedures. The rule itself does not dictate the numbers, so the following are reasonable minimums for meeting it:

1) Each user has a unique login name and a password of at least 6 characters.
2) No user knows or uses another person's password.
3) Passwords are changed at least every 90 days.
4) Each account carries the access level appropriate to the person's job function.

The reality is that if you use complex passwords and change them frequently, people forget them, and the system administrator has to reset the account and issue a new password. Worse, people who can't remember a password write it on a sticky note and put it where they can find it easily, like on the screen. And in a small office people work closely, share information and share their passwords. Fingerprint scanners eliminate all of that and actually make logging in fast and easy. The person touches the fingerprint scanner and in about a second is logged in. It takes no thought, just press and go. The scanner's software knows who is logging in and gives them the rights and permissions they are supposed to have. You can't lose your fingerprint, you can't forget it, and you can't give it to someone else.

This is an outstanding way to provide security to your computer system; it impresses the patients and the staff and best of all, it is inexpensive, less than $150 per scanner.  If you'd like more information about it, contact me or visit our web site.


By: Raymond F. Posa, MBA
Technology Advisor to the American Academy of Podiatric Practice Management
President, R. Francis Associates

To be continued..........



Any questions or comments can be addressed to Mr. Posa by E-mail

Or you can go to WWW.NJHIPAA.COM for detailed information on HIPAA


Copyright 2002-2010, Gayle S. Johnson.
All Rights Reserved