HIPAA Compliance
 

Calscribe has successfully rolled out and implemented a strategy for compliance with the Standards of Privacy of Individually Identifiable Health Information, or “Privacy Rule”, which is codified at 45 C.F.R. Parts 160 to 164 under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

 

To perform its services on behalf of the physician, Calscribe requires the patient’s “Entire medical and billing record” as dictated by the physician, also referred to as “Protected Health Information” or PHI, which is in turn transcribed into a printable report and delivered to the physician.

 

With regard to the use and disclosure of this PHI:

 
  1. Calscribe agrees to and has taken appropriate actions to abide by the requirements set forth in the Privacy Rule. These actions have been implemented as per the phases outlined below.

  2. Calscribe enters into strict agreements with the physicians that clearly outline the use and disclosure of the PHI only as permitted or required by law.

  3. Calscribe enters into strict confidentiality agreements with all its employees and sub-contractors that implement the same restrictions and conditions on the use/disclosure of PHI that apply to Calscribe.

  4. Calscribe uses appropriate safeguards to maintain the security of the PHI and implements the mechanisms outlined below to prevent unauthorized use and/or disclosure of the PHI.

  5. Calscribe maintains a complete audit trail that time-stamps and tracks the flow of and access to the PHI throughout the transcription lifecycle.

     
    Security systems
     
    Physical security
     

    All data at Calscribe is hosted on servers that are located at a professional data center in Culver City, California, USA. This data center provides backup, uninterrupted power supply and 24x7 operation. All servers are located in a burglarproof and fireproof environment under lock and key. A redundant backup server replicates the live server for safety and 24x7 uptime. All data is backed up and archived securely at a remote location away from the primary server.

     
    Access security
     

    Calscribe employs user-ids and passwords to protect sensitive user information. All user-ids and passwords traverse the net over a secure SSL channel between the browser and the server.

     

    All sensitive information is encrypted and secured. It is disseminated only on a need-to-know basis, and all local copies of PHI are deleted as soon as transcription is completed and uploaded, to minimize the window in which unencrypted PHI exists locally.

     

    Calscribe implements a need-to-know policy whereby only the practice administrator may view all practitioners’ documents. Individual practitioners can view only the reports they themselves dictated.

     
    Internet Security
     

    Calscribe has identified all the data paths (both internally and over the internet) that occur during the transcription life cycle. It has employed the highest form of 128-bit encryption to ensure that no data traverses these paths without encryption and security.

     

    Data at Calscribe traverses the Internet in the following manner:

     
    1. Between the end user and the Calscribe web site: This occurs when the user logs in and views the reports and other details from the site www.calscribe.com using a browser. These transactions between the user and Calscribe are viewed securely using the SSL encryption technology built into the browser and enabled by our secure site. This proven technology is used by all major B2C sites to accept credit cards over the Internet.

    2. Between the Calscribe server and transcription units: This occurs when the transcribers download audio files and upload transcribed documents. These transactions are likewise secured by encrypting the respective files before they are sent or received. This encryption is done using the Microsoft Crypto API, which uses digital certificates and the Microsoft Enhanced provider RSA algorithm to encrypt/decrypt files.

     
    Transcription unit Security
     

    All transcription units are advised to educate their employees on HIPAA privacy and security rules. They must demonstrate documented processes, procedures, policies and controls that show compliance with these rules. They are advised to maintain an audit trail that tracks the flow of PHI within their organization and audits who listens to, transcribes, edits and views the PHI, and that logs its ingress/egress/deletion. They must keep both the audio and generated reports in an unencrypted form locally ONLY FOR AS LONG AS IT IS REQUIRED TO COMPLETE THE JOB. They are strongly advised to close this window as soon as possible and to incorporate in their workflow a specific step that ensures that this data is COMPLETELY DELETED FROM ALL LOCAL SYSTEMS after encryption and uploading to the Calscribe secure server is done.

     
    Audit Trails and Logs
     

    The Calscribe solution is deployed on Microsoft Windows 2000 Server technology. It uses Windows Security to track all access and logging. It also implements its own audit trail, which timestamps and logs all audio delivery and report delivery. Information on who has logged in and accessed which reports is also maintained.

     
    Calscribe HIPAA Implementation Strategy
     
    Phase One -- HIPAA Awareness
     

  • Obtain information regarding HIPAA Electronic Transactions and Code Sets Standards;
  • Discuss this information with your vendors and consultants; and
  • Conduct preliminary staff education.

    Actual Start Date: (month/year) 09/2002
    Actual Completion Date: (month/year) 11/2002

     
    Actions taken:
     

    • Solution reviewed with consultant from MT India and HipaaGaurd.
    • All staff and sub-contractors apprised of the relevant HIPAA regulations.
    • All confidentiality agreements reviewed and signed.
    • Staff trained on all Calscribe processes and practices that implement the requirements set forth by the Privacy Rule.

     
    Phase Two -- Operational Assessment
     

  • Inventory the HIPAA gaps in your organization; and
  • Identify internal implementation issues and develop a work plan to address them.

    Actual Start Date: (month/year) 10/2002
    Actual Completion Date: (month/year) 11/2002

    The following gaps were identified:

     

    • Full 128-bit encryption of PHI as it traverses the Physician -> Calscribe Server -> Transcriber -> Quality Auditor -> Calscribe Server -> Physician electronic path.
    • Develop appropriate software to implement secure access from the Calscribe server to the transcribers and back.
    • Track / audit and timestamp the arrival of dictated audio and transcribed reports.
    • Ensure a minimal window where the PHI is un-encrypted and ensure that all local copies of audio and reports are immediately erased after use from all locations except Calscribe secure servers.
    • Implement a fully redundant hot-standby server that fully backs up and replicates the live server for 24x7 uptime.
    • Implement a disaster recovery policy by backing up the data to a remote secure location.

     
    Phase Three -- Development and Testing
     

  • Finalize development of applicable software and install it;
  • Complete staff training on how to use the software; and
  • Start and finish all software and systems testing.

    Actual Start Date: (month/year) 11/2002
    Actual Completion Date: (month/year) 01/2002

    Actions taken:
     

    • Detailed design developed for the implementation of the CalCryptorFTP program. Program developed, tested and deployed at all Calscribe locations. This program employs Microsoft Enhanced RSA provider 128-bit encryption technology to encrypt all data and deliver it between the Calscribe server and transcribers.
    • Calscribe software upgraded to timestamp and audit all PHI.
    • Secondary server deployed at Culver City, California for redundancy and disaster recovery.
    • Staff trained on all Calscribe processes and practices that implement the requirements set forth by the Privacy Rule.
    • HIPAA compliance agreements signed with all subcontractors and their processes audited to ensure that all local copies of PHI are immediately erased upon delivery and the unencrypted window is minimized.
    • Solution reviewed by technical consultants from Microsoft India for encryption compliance.