The HITECH Act took effect last month, and by now medical transcriptionists should have implemented steps for compliance. This article will give some highlights of where you should be by this time. If you're not there yet, now is the time to get it done because it means you are out of compliance.

This list covers those who are independent contractors and/or business owners. Keep in mind that an independent contractor IS a business owner, so if you are an IC with a company of one, these rules still apply to you if you contract directly with a covered entity. If, however, you contract with a medical transcription service, then you are most likely a subcontractor to them. While you do still have to follow the rules, it's a tad different in what you are required by law to have in place.

By now, you should have:

- Identified both a privacy and security officer for your company (this can be the same person, although it does not have to be).
- Performed a formal risk analysis of your systems, both for privacy and security.
- Created a set of formal written policies and procedures for all of the things related to the privacy and security rules. Within the security rule, you must at least address every point in the specifications even if you don't institute them. When something is not done, addressing it means showing why it was not reasonable for you to do it. In that justification, you also have to show why an alternative would not work.
- Outlined a strategy for disaster recovery and access to information in the event of a disaster.
- Conducted training on both privacy and security for your staff (and security training must be done annually, which should also be outlined in your policies).
- Updated your business associate contracts to add the new language required with the changes in the rules.

And that's just the start of the list! If you haven't started on this yet, NOW is the time to make that move. Be sure you learn now what you must be doing so you are not found to be non-compliant. The law now requires audits be done to be sure people are compliant, and you don't want to be the one who gets audited and is found to have completely ignored the new rule.