Privacy regulations compliance

Vuescribe and its technology partners take painstaking measures to protect all patient information. The Vuescribe internal procedures, and the procedures of our technology partners, for privacy and security meet and exceed all HIPAA regulations related to the electronic transmission of patient information.

Vuescribe operations are

The following pertains to the Vuescribe Voice Dictation Service Partner:

Physical Security

  1. Access to the voice recording facilities is controlled by key entry only. Only authorized staff who are fully aware of, and trained in, the HIPAA Privacy requirements will be issued access.

Information Security:

  1. We use an ICSA-certified firewall and filter incoming ports, allowing only the FTP and management ports for administrative access into our system.
  2. Our network performs Network Address Translation (NAT) and addresses cannot be routed without traversing the firewall.
  3. When our FTP server is accessed with an FTP client that also supports SSL, all files are encrypted while being sent across the Internet. This means that anyone intercepting data while it is being transferred between our server and your computer could not interpret or decode it.
  4. To access any data from our FTP server, a valid username and password are required.

  We are not responsible for the security of files (documents or sound files) that are transferred to or from our server.

Desktop Access:

  1. Access to our network is limited by auto-logoff, ID/password protection, password-protected screensavers, and a security-enabled OS (Windows NT).
  2. Only fully trained staff have access to the server and dictation files for support and maintenance.


  1. Our data storage and backup system hardware consists of two Intel Pentium 1.3 GHz server towers with 490 MB of RAM. The system operates on the Windows NT platform. The operating software and digital voice software reside on two 80 GB mirrored hard drives, which provide full fault tolerance and total system redundancy. Only one of the server towers is in use at any particular time, thereby guaranteeing a second level of system redundancy as well as a readily accessible emergency parts inventory.


  1. We are not responsible for, nor will we provide access to, any files on our system to any person other than those authorized by the originator of the dictation.
  2. We will not release any files directly to a patient.
  3. The responsibility for enabling patients to control their health records, including access, disclosures, the ‘minimum necessary’ standard, consent and authorization, etc., resides with the medical professional who initiated that document.

The following is from the HIPAA compliance declaration of our application software supplier.

  • All user access to the application is password protected.
  • Our servers are located in the USA and transcribed documents are stored in fully secured data centers.
  • Files that are being processed need not be downloaded but can be processed directly on the USA server, so that no local copies of sensitive documents are stored outside the server.

Appendix A

What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the result of efforts by congressional proponents of healthcare reform. The HIPAA legislation has four primary objectives.

  • Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions
  • Reduce healthcare fraud and abuse
  • Enforce standards for health information
  • Guarantee security and privacy of health information

Of the four primary objectives, the fourth objective has the most impact on medical transcription.

What is the deadline for HIPAA compliance?
The rule requires that healthcare organizations, insurers and payors that have been using any electronic means of storing patient data and performing claims submission must comply with this rule by April 14, 2003. Since medical transcription deals with electronic means of handling and storing patient data, April 14, 2003 is the deadline by which medical transcription service organizations (MTSOs) must comply with the HIPAA requirements.

What are the important requirements of HIPAA for a medical transcription company?
MTSOs must be able to support two requirements.

  1. Ensure the security and confidentiality of the patient’s Protected Health Information (PHI), and
  2. Maintain an audit trail of all individuals who have had access to a PHI.

This means that transcription service providers must implement technology and business processes in their operation to support these two key requirements.
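The page states the audit-trail requirement but does not show how a service provider would meet it. The following is an added example, not Vuescribe's code nor its partners', of one way an MTSO could record every PHI access so that the question "who has had access to this document, when, and why" can be answered, and so that later alteration or deletion of log entries is detectable (each entry carries a hash of the previous one). The user identifiers, document identifiers, actions and reasons are constructed for illustration and are not from the page.

```python
"""Added example (not from the page): a tamper-evident PHI access audit trail.

Assumption: each user and each dictation/document has a stable identifier;
plain strings are used here for both.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str    # ISO 8601, UTC
    user_id: str      # who accessed the PHI
    document_id: str  # which dictation or transcript
    action: str       # e.g. "view", "download", "edit"
    reason: str       # stated purpose; supports the 'minimum necessary' standard
    prev_hash: str    # hash of the preceding entry; links the chain
    entry_hash: str   # SHA-256 over this entry's fields plus prev_hash


def _hash_fields(ts, user_id, document_id, action, reason, prev_hash):
    payload = json.dumps([ts, user_id, document_id, action, reason, prev_hash])
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditTrail:
    """Append-only log of who accessed which PHI document, when and why."""

    def __init__(self):
        self._events = []

    def record(self, user_id, document_id, action, reason, now=None):
        """Append one access event; a reason is mandatory for every access."""
        if not reason:
            raise ValueError("an access reason is required for every PHI access")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self._events[-1].entry_hash if self._events else GENESIS
        h = _hash_fields(ts, user_id, document_id, action, reason, prev)
        ev = AccessEvent(ts, user_id, document_id, action, reason, prev, h)
        self._events.append(ev)
        return ev

    def accesses_to(self, document_id):
        """All recorded accesses to one document, oldest first."""
        return [e for e in self._events if e.document_id == document_id]

    def users_with_access(self, document_id):
        """Distinct users who have accessed the document (for a patient request)."""
        return sorted({e.user_id for e in self.accesses_to(document_id)})

    def verify(self):
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = GENESIS
        for e in self._events:
            expected = _hash_fields(e.timestamp, e.user_id, e.document_id,
                                    e.action, e.reason, e.prev_hash)
            if e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True


def build_sample_trail():
    """Constructed sample accesses (not real data) for a small MTSO workflow."""
    t = AuditTrail()
    t.record("mt_jane", "dict-001", "view", "assigned for transcription")
    t.record("mt_jane", "dict-001", "download", "offline editing")
    t.record("qa_bob", "dict-001", "view", "quality review")
    t.record("mt_jane", "dict-002", "view", "assigned for transcription")
    return t


def tamper_detected(trail):
    """Silently change the reason on one entry and report whether verify() notices."""
    trail._events[1] = replace(trail._events[1], reason="routine")
    return not trail.verify()


if __name__ == "__main__":
    trail = build_sample_trail()
    print("users with access to dict-001:", trail.users_with_access("dict-001"))
    print("chain intact:", trail.verify())
    print("tampering detected:", tamper_detected(trail))
```

The chain only proves that the log has not been edited after the fact; it does not by itself prevent an administrator from discarding the whole file, so in practice the entries would also be shipped off-box or to write-once storage.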

Can the Internet be used for medical transcription and still meet HIPAA requirements?
Yes, as long as the MTSO uses encryption and password protection to prevent unauthorized access to the PHI. Dictation done over a telephone does not need to be encrypted. However, voice files transmitted from portable recorders should be encrypted prior to transmission over the Internet.
Transcribed documents must be sent back to the healthcare provider in a secure manner using encrypted email or a secure FTP site or may be faxed with a disclaimer statement explaining the confidential nature of the document.

If tapes are used to record dictations, will this meet HIPAA regulations?
This may cause a problem. There is no easy way to create and verify an audit trail of who has had the tape and who listened to the PHI on the tape. If the tape is lost, one cannot guarantee the security of the information on it.

Who and what is a Covered Entity and a Business Associate?
HIPAA defines a Covered Entity (CE) as a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a HIPAA transaction. A physician’s office or medical clinic would fall under the category of a Covered Entity.
A Business Associate (BA) is a person or organization that performs a function or activity on behalf of the Covered Entity (CE), but is not a part of the covered entity’s work force. A medical transcription service provider would be classified under the definition of a Business Associate.

Who is liable for privacy violation under HIPAA?
Civil and criminal penalties can be imposed for noncompliance with HIPAA. These penalties are imposed on Covered Entities (e.g. healthcare providers) but not directly on Business Associates (e.g. medical transcription service organizations).
Healthcare providers should ask their transcription company about their privacy and security regulations and ensure that they are contractually obligated to comply with these regulations.

What is the penalty for not meeting HIPAA compliance?
The total amount from civil penalties for multiple violations by a Covered Entity during a calendar year is capped at $25,000.
HIPAA also provides for criminal liability for Covered Entities for knowingly obtaining or disclosing individually identifiable health information. The maximum penalty is a fine of $50,000 and imprisonment of one year. If the offense is committed under false pretenses, the maximum penalty is a fine of $100,000 and imprisonment of five years. If the offense is committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm, the maximum penalty is a fine of $250,000 and imprisonment of ten years.

What rights does the patient have under HIPAA?
HIPAA provides the patient with many new rights in relation to their healthcare documentation. Some of them are:

  • Review his/her entire medical record
  • Request changes to the documentation, which the physician can deny for specific reasons
  • Request a record of every time his or her PHI was accessed, along with the identity of the individual accessing the document and the specific reason for doing so
  • Know how much of the PHI was shared
  • Know what the facility's (Covered Entity's) policies and procedures for security and privacy are

When the patient becomes aware of these rights, you should be prepared to deal with any legitimate requests the patient may have.