HIPAA Policy
Commitment to HIPAA Compliance
Bytescribe is committed to providing products that offer optimal security in a HIPAA-compliant environment. Bytescribe has evaluated and tested software products and services to ensure support for HIPAA compliance. We strive to be knowledgeable regarding HIPAA rules and regulations and to make every effort to add adequate security functionality to our products.
Below are current guidelines for using Bytescribe products in a HIPAA-compliant environment:
Definition of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal healthcare law enacted on August 21, 1996, to promote standardization and efficiency in the healthcare industry and to establish new standards for the confidentiality of health data that is processed electronically. HIPAA directly affects health insurance providers, healthcare clearinghouses, and healthcare providers. The law indirectly affects the business associates of these entities. HIPAA enforcement began on April 15, 2003.
Transcription Companies and Healthcare Providers
HIPAA defines companies that provide services to Healthcare Providers as Business Associates. While the guidelines and regulations of HIPAA are enforced directly on the Healthcare Providers rather than on the Business Associates who serve them, it is vital that every Business Associate promote compliance in the services they offer to Healthcare Providers in order to maintain a business relationship with those entities.
Transcription Companies, in their handling of physician dictation records, must enter into a written agreement with each physician or physician group to honor the privacy guidelines established by HIPAA and maintain technical and personnel safeguards to secure that data. It is the responsibility of the Healthcare Provider to establish privacy agreements with all of its Business Associates who handle protected patient data.
Transcription Companies should review the Security and Privacy guidelines enforced upon Healthcare Providers to anticipate the expectations demanded by each provider in maintaining compliance with HIPAA.
Securing Orator Dictation Server
To properly secure the Orator Dictation System, the following steps may be necessary for optimal security:
- Locate the server in a secure place, accessible only to administrators and authorized personnel.
- Password protect the server using Windows password-protected screen savers set to activate within a suitable time limit.
- Ensure any exported voice files are properly secured, with file encryption during Internet transfers.
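The screen-saver step above is easy to set and easy to lose to a later configuration change, so it is worth auditing rather than assuming. The following PowerShell function is an added example, not Bytescribe or Orator code: it reads the standard Windows screen-saver values (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut) for the current user, preferring the Group Policy copy when one is enforced, and reports whether the server will lock itself after an idle period. The 900-second threshold is an assumed value, not a figure from this policy; adjust it to the time limit your organization has chosen.

```powershell
# Added example (not Bytescribe's code): audit the Windows screen-saver lock
# settings that the server-hardening step above relies on. Values are read from
# the standard 'Control Panel\Desktop' registry key; the Group Policy key is
# checked first because it overrides the per-user setting when present.
# $MaxIdleSeconds is an assumed threshold, not a value from this policy.

function Get-ScreenSaverLockStatus {
    param([int]$MaxIdleSeconds = 900)   # assumed: 15 minutes

    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'

    # Read one value, preferring the policy-enforced copy if it exists.
    function Read-Setting([string]$Name) {
        foreach ($key in @($policyKey, $userKey)) {
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { return [string]$item.$Name }
        }
        return $null
    }

    $active  = Read-Setting 'ScreenSaveActive'      # "1" = screen saver enabled
    $secure  = Read-Setting 'ScreenSaverIsSecure'   # "1" = password required on resume
    $timeout = Read-Setting 'ScreenSaveTimeOut'     # idle seconds before activation

    $timeoutSec = 0
    [void][int]::TryParse($timeout, [ref]$timeoutSec)

    $findings = @()
    if ($active -ne '1') { $findings += 'Screen saver is not enabled (ScreenSaveActive != 1).' }
    if ($secure -ne '1') { $findings += 'Screen saver does not require a password on resume (ScreenSaverIsSecure != 1).' }
    if ($timeoutSec -le 0 -or $timeoutSec -gt $MaxIdleSeconds) {
        $findings += "Idle timeout is $timeoutSec s; expected 1..$MaxIdleSeconds s (ScreenSaveTimeOut)."
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        User             = $env:USERNAME
        ScreenSaverOn    = ($active -eq '1')
        PasswordOnResume = ($secure -eq '1')
        IdleTimeoutSec   = $timeoutSec
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Get-ScreenSaverLockStatus | Format-List
```

Run it in the session of the account that stays logged on to the server; the settings are per-user, so a check run as a different administrator account says nothing about the account that is actually left at the console. A Compliant value of False with the Findings list tells you exactly which of the three settings to correct.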
Security with DocShuttle Management Software
- Enable encryption when uploading voice files to an FTP site.
- Use secure FTP ports (e.g., 990 or 2500) when supported by the FTP server.
- Limit access for transcriptionists to only the job types assigned to them.
- Regularly review the Security Guidelines of Administrative Simplification.
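Enabling encryption in the client only protects voice files if the server really negotiates TLS on the port you point the client at. The following PowerShell function is an added example, not Bytescribe or DocShuttle code, for verifying that before turning the option on: on an implicit-FTPS port such as 990 the server expects a TLS handshake as soon as the connection opens, so a successful handshake proves the port is encrypted, while a plaintext FTP listener on the same port fails the handshake. The server name ftp.example.invalid is a placeholder; the port is a parameter so a non-standard port such as the 2500 mentioned above can be checked the same way, provided the server uses implicit TLS there.

```powershell
# Added example (not Bytescribe's or DocShuttle's code): confirm that an FTP
# server negotiates TLS on its implicit-FTPS port before enabling encrypted
# uploads in the client. 'ftp.example.invalid' is a placeholder host name.

function Test-ImplicitFtps {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 990,
        [int]$TimeoutMs = 5000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $connect = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "No TCP response from ${Server}:$Port within $TimeoutMs ms."
        }
        $client.EndConnect($connect)

        # Default certificate validation: untrusted, expired or name-mismatched
        # certificates are rejected, which is what a production client should do too.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.ReadTimeout = $TimeoutMs
        $ssl.AuthenticateAsClient($Server)

        # Read the FTP greeting (normally a "220 ..." line) through the encrypted stream.
        $buffer   = New-Object byte[] 512
        $n        = $ssl.Read($buffer, 0, $buffer.Length)
        $greeting = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $n).Trim()

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server      = $Server
            Port        = $Port
            Encrypted   = $true
            Protocol    = $ssl.SslProtocol
            Cipher      = $ssl.CipherAlgorithm
            CertSubject = $cert.Subject
            CertExpires = $cert.NotAfter
            Greeting    = $greeting
        }
    }
    catch [System.Security.Authentication.AuthenticationException], [System.IO.IOException] {
        # Handshake failed: the port speaks plaintext FTP, or the certificate is untrusted.
        [pscustomobject]@{ Server = $Server; Port = $Port; Encrypted = $false; Error = $_.Exception.Message }
    }
    finally {
        $client.Close()
    }
}

Test-ImplicitFtps -Server 'ftp.example.invalid' -Port 990 | Format-List
```

An Encrypted value of False with a handshake error means the client's encryption setting would either fail or, depending on the client, fall back to plaintext, so the server side must be fixed first. The Protocol and CertExpires fields are worth recording in the periodic review the last step above calls for, since an expired certificate or an obsolete TLS version will break uploads on the server's schedule rather than yours.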
Administrative Procedures
Documented formal practices are essential to manage the selection and execution of security measures protecting data, as well as the conduct of personnel in relation to data protection. Key areas include:
- Contingency – Data Backup, Disaster Recovery, Emergency Mode
- Information Access Control – Access Authorization, Establishment, Modification
- Personnel Security – Personnel clearance, including custodial services
- Security Configuration Management – Hardware/software installation and maintenance
- Virus checking, incident response procedures, risk analysis, and management
Physical Safeguards
Physical safeguards focus on protecting computer systems and related equipment from environmental hazards and intrusions. They also cover administrative measures used to control access:
- Media Controls – Access control, accountability, data backup, storage, and disposal
- Physical Access Controls – Equipment control, disaster recovery, and emergency mode operation
- Policy on workstation use, secure workstation locations, security awareness training
Technical Security Services
Technical security services are processes that protect and control information access:
- Access Control – Context-based, role-based, user-based access, encryption, emergency access
- Audit Controls and Authorization Control – Role-based and user-based access
- Data Authentication and Entity Authentication – Auto logoff, unique user ID, passwords, and biometrics
Technical Security Mechanisms
These mechanisms prevent unauthorized access to data transmitted over communications networks:
- Communication/Network controls – Integrity controls, message authentication, access control, encryption
- For networks – Alarm systems, audit trails, entity authentication, and event reporting
Request for Return Merchandise Authorization (RMA)
Bytescribe must be contacted via email to receive an RMA number and instructions for return. A request for an RMA should be emailed to returns@bytescribe.com and should include the order number, product, name of purchaser, date of purchase, and a brief description of the reason for the return. Bytescribe will reply with return instructions.