I work for a distributor of digital dictation/transcription systems, utilized in medical dictation/transcription. I had a couple of questions for you:

  • When does full HIPAA compliance take effect for large, medium, and small health care facilities, with regard to portability of medical records over the internet (email, or otherwise)?
  • Are there different dates of compliance for medical transcription services?

The compliance dates for Privacy must be followed by all covered entities. The only exception is for small health plans, which have an extra year to meet those deadlines. The compliance date for the Privacy Rule is April 14, 2003, or, for small health plans, April 14, 2004. ASCA does not apply to the HIPAA Privacy Rule. Rather, ASCA delays compliance with the Transaction and Code Set standards adopted by the HIPAA Transactions Rule for covered entities that file a compliance plan. More information about ASCA can be found on the web site for the Centers for Medicare and Medicaid Services at http://cms.hhs.gov/hipaa/. (Posted 12/2/03)

I teach in a public school. Because I have day-to-day contact with students, shouldn't I be able to know if a student has a highly contagious disease that may put my life at risk? How/when should this information be shared with me?
Covered entities under the HIPAA Privacy Rule maintain the right to report information to a public health authority for the purpose of preventing or controlling disease, injury, or disability. The public health department in your area will dispense this information per their protocol. Therefore, to answer your question, HIPAA has not impeded this process. Please contact the public health department in your area for further inquiries concerning highly contagious diseases. (Posted 10/15/03)

We are a group of 7 doctors looking into getting our dictations transcribed online overseas. At this point we are looking into the legality of allowing voice files to go overseas and have heard that HIPAA laws cannot be enforced overseas, according to international law. We need some clarification on this. If you have any documentation or information regarding patient files leaving the country, please advise. We need written documentation or notification of where we can find this documentation on the internet, if possible, of the HIPAA compliance issue with regard to the chain of custody for documents once they leave the country.
Unfortunately, I cannot find any documents regarding the chain of custody of PHI once it leaves the country. And you are right in assuming that HIPAA is not enforceable internationally.

But what you must consider is that under HIPAA, you as a covered entity are responsible for the privacy and security of Protected Health Information (PHI). HIPAA defines PHI as any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, etc. and that relates to the past, present, or future physical or mental health or condition of an individual...

Therefore, you as a provider must protect that PHI. When you send it off to the overseas transcription service, you are required to enter into a Business Associate Agreement with that transcription service. Whether or not they must comply with HIPAA is not an issue. What is an issue is that you cannot send PHI to an entity that will not take the same precautions as you would as a covered entity to protect and secure this PHI. You are responsible for that PHI. (Posted 9/8/03)

I am starting a medical billing business at my home. I would like to know the HIPAA rules and regulations for my business.
The scenario you are describing will most likely fall into the Business Associate provisions of HIPAA. There are far too many rules and regulations to describe here in much detail, but the basis of your participation as a Business Associate means that you will take many of the same precautions with Protected Health Information (PHI) as a HIPAA Covered Entity (a provider in this case) would take. That is, you must safeguard against the disclosure of this information to those who do not need it for the purposes of Treatment, Payment or Operation, or to those who do not have specific authorization to view or receive such data.

I would advise you to get familiar with the Privacy rules of HIPAA. These can be found at the website for the Office of Civil Rights (OCR) at www.ocr.gov. Additionally, I would have your legal counsel review business associate agreements and discuss the HIPAA regulations with you.

There are also many consulting firms who specialize in HIPAA rules and regulations, such as our firm, Beacon Partners. (Posted 6/12/03)

I need to know how to explain HIPAA Compliance to our customers who have their Workers' Comp coverage with our company. They are receiving Health Insurance Portability and Accountability Act Payer Transactions Questionnaires from local hospitals. Do my customers need to contact and register with HIPAA? Basically, when a worker is injured, the employer fills out a form listing how the injury occurred and faxes it to me, and I forward it to the Work Comp carrier. Sometimes medical bills come to me and/or the employer, and I fax or mail them to the Work Comp carrier. What do we need to do?
There is NO registration with HIPAA (the Health Insurance and Portability Act of 1996). HIPAA is not an agency; it is a set of very comprehensive regulations designed to protect patient privacy and rights and to streamline the electronic transaction process between providers and payers.

HIPAA has essentially exempted many aspects of Workers’ Comp. Information may be disclosed between payers and providers and regulatory agencies to process, subrogate and settle Workers’ Comp claims. Since HIPAA is so large and so complex, I would recommend that you either review the regulations yourself or get to a training seminar or class to more clearly outline the regulations and how they apply to you and your clients.

The regulations can be found at the website for the U.S. Dept of Health and Human Services and a number of other sites. (Posted 6/5/03)