Hospitals are faced with multiple pressures nowadays, many of them financial. The need for hospital management to meet financial constraints often translates into a desire to contract with vendors at the lowest possible immediate cost, sometimes without thought as to the other non-price issues in a contract. It is important not to overlook some of the legal issues that may be associated with vendor contracts, especially with vendors that may subcontract out portions of their tasks. This article will discuss specifically the considerations that should be given by healthcare providers to choosing a medical transcription vendor, and various tips to protect hospitals when entering into a medical transcription contract, particularly in light of the recently effective privacy regulations, and the security regulations, of the federal Health Insurance Portability and Accountability Act (HIPAA).

Medical transcription is a vital part of a hospital's operations. The need to have accurate, timely transcription of operating room reports, discharge summaries, radiology reports, etc. is essential not only for communication among healthcare providers treating patients, but also for defense of medical malpractice suits, accurate coding and billing for services, and satisfaction of regulatory requirements. Yet transmission of confidential medical information outside of hospital walls places an obligation on the Hospital to ensure that the vendor protects the confidentiality of such information, especially given the heightened focus that HIPAA places on privacy of medical information. The recent case in which a Pakistani subcontractor to a medical transcription company threatened to release information unless she was paid more illustrates how important it is for hospitals and healthcare providers to look carefully at vendors to whom medical information is sent, and to protect themselves contractually from liability for acts of the vendors or their subcontractors.

The above story started with the University of California at San Francisco Medical Center forwarding a portion of its transcription work to Transcription Stat, a company it has used for two decades. This firm has fifteen subcontractors throughout the country to handle the "thousands of files a day" received from UCSF. One of those subcontractors, a woman in Florida, further subcontracted the work, to a man in Texas, Tom Spires. Allegedly unbeknownst to the other parties, Tom Spires also used subcontractors, one of whom was a Pakistani woman, Ms. Beloch. On October 7, UCSF received an e-mail from Ms. Beloch in Pakistan, stating that Spires owed her money and would not respond to her, and demanding that UCSF require Spires to pay her. She then wrote that if she was not paid, "I will expose all the voice files and patient records of UCSF . . . on the Internet." To show that she was serious, Ms. Beloch attached dictation reports from UCSF physicians regarding two patients.

Although one of the parties involved ultimately paid the Pakistani subcontractor and she agreed to renege on her threat, this situation poses obvious concerns for all of the parties involved. How can a hospital best protect itself from a situation such as this?

The privacy regulations of the federal HIPAA law, effective April 14, 2003, were intended to assure the privacy and confidentiality of personal health information. However, HIPAA's privacy rules apply only to healthcare providers, payers and clearinghouses. Because the law does not directly apply to other parties that may obtain medical information (e.g., transcription companies and other hospital vendors), the regulations attempt to make hospitals responsible to take certain actions with regards to vendors to which a hospital provides medical information. HIPAA's privacy regulations require that if a hospital or other provider releases medical information to another person or entity to perform a function on the provider's behalf (the provider's "business associate"), the provider must enter into a "business associate" agreement requiring that the business associate maintain the confidentiality of that medical information.

HIPAA's privacy regulations require that business associate contracts contain a number of different provisions. The contract must specify the permitted uses and disclosures of information by the business associate; and must require the business associate not to use or further disclose the information except as permitted by the contract, and to use appropriate safeguards to prevent use or disclosure of the information other than as allowed by the contract. The contract must also "ensure that any agents, including a subcontractor," to whom the business associate provides medical information "agrees to the same restrictions and conditions that apply to the business associate with respect to such information." The contract must authorize termination if the business associate violates a material term of the contract.

In addition to HIPAA's privacy regulations, HIPAA's security regulations should be considered when contracting with a medical transcription company. Although the security regulations will not be effective until 2005, because the final security rule applies to electronic medical information (in storage or transmission), medical transcription vendors will be among those business associates covered by HIPAA's security rules.

Similar to the privacy rule, HIPAA's security rule requires that hospitals enter into a contract with business associates who "create, receive, maintain or transmit electronic protected health information" that specifies how the business associate will protect that information. Additional security provisions will need to be added to business associate contracts with transcription vendors and other business associates that receive or transmit electronic information. For example, the security regulations require with regards to electronic medical information, that any business associate shall "(i) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information that it creates, receives, maintains or transmits on behalf of the covered entity, as required by the security standards, (ii) ensure that any agent, including subcontractors to whom the business associate provides such information, agrees to implement reasonable and appropriate safeguards to protect it, and (iii) report to the covered entity any security incident relating to the" electronic information that the vendor maintains for the hospital.

Hospitals should therefore be asking their medical transcription vendors both about how the vendor maintains the privacy of medical information, and how the vendor safeguards the security of electronic information. This should include the following:

1. Does the vendor have security safeguards for information that is maintained at the vendor's data headquarters (e.g., require each employee to have a secure password)? Are both voice files and data files maintained in a secure data safe?
2. Is there an audit trail that shows who has accessed data in the vendor's archive system?
3. How long is data maintained, and is it destroyed after that period of time? The hospital may wish to specify that data is maintained only for that period of time that allows the hospital to ensure that the transcribed report is in the medical record, e.g., no more than one year.
4. Is electronic medical information transmitted from the vendor to the hospital in a secure fashion, e.g., through encryption?
5. How has the transcription vendor set up the system to allow the hospital to access the hospital's directory on the vendor's server? For example, it is safest to allow only one person authorized by the hospital (e.g., the Director of Medical Records) to draw data down from the transcription vendor's computer system.
6. Does the transcription vendor have policies to safeguard home workstations of transcriptions who may work from a computer in a home office that may also be used by other persons in that home? Are transcriptionists allowed to store any hospital files on their home workstations? Medical transcription company Silent Type, in Fort Lee, New Jersey, guards against confidentiality and security breaches by purchasing a computer, software, security programs and engines for each of its transcriptionists, so that the medical transcription occurs only on the company computer. Owner Marilyn Grebin states that no other software (that may contain viruses) may be loaded onto the computer, and no one else (family members, friends, etc.) is allowed to use the company compouter containing confidential information.
7. Are voice files automatically deleted after being transcribed?

The obligation of a hospital and business associate to ensure confidentiality and security of information becomes more complicated if all of the parties receiving information are not located inside the United States. Entities not domiciled in the United States may not be subject to, or even aware of, U.S. laws.

Following are some tips that a hospital can use when considering entering into a contract for medical transcription services, both to minimize the chance of a HIPAA or confidentiality violation, and to ensure that the hospital is able to take appropriate action with regards to a transcription service that may not be performing up to required standards.

1. Ensure that the hospital's contract with a medical transcription company obligates the vendor to not only maintain confidentiality itself, but to require any person or entity to which the vendor sends information to maintain confidentiality and security of information, and to comply with all of the obligations of the vendor under the vendor's business associate agreement with the hospital.
   
   In the UCSF case, the transcription vendor, her subcontractor, and his subcontractor were simply intermediaries. It makes a hospital wonder how many transcription vendors operate by simply contracting with another party whose cost is low enough to allow the first vendor to skim off a profit, and so on down the line until the only person left to do the work is someone whose wages are below those livable in the United States. It is difficult to ascertain how HIPAA's privacy or security requirements can be satisfied if a transcription company is simply a pass-through: can anyone identify who has the data, how it is stored, or where. HIPAA should assist hospitals in making sure that their transcription vendors truly take responsibility for the medical information given to them.
2. Require indemnification from the vendor for any breach of the contract (including confidentiality) not only by the vendor, but by any of the vendor's subcontractors or entities to which the subcontractor may send information.
3. Consider whether you wish to place restrictions on the subcontractors that a vendor may use, e.g., explicitly require that any of a vendor's subcontractors receiving medical information be physically located in the United States, and to explicitly prohibit any subcontractors from themselves sending any of the hospital's information outside of the United States.
4. Consider whether you want to use a medical transcription company that subcontracts ANY work at all. Many transcription companies (those using subcontractors) will tell you that there is a shortage of transcriptionists in the United States. Yet one successful transcription company, Silent Type in New Jersey, not only has no shortage of U.S. transcriptionists; it has transcriptionists on a waiting list to work with this company. The secret, according to owner Marilyn Grebin, is to offer the transcriptionists full time employment with benefits, give them responsibility for only one client to allow a familiarity and comfort level to develop with that client's physician and transcription needs, and give them incentives for meeting high performance standards.
5. Consider whether the transcription company is making any investment to obtain and retain your hospital as a customer. Is it purchasing computers and equipment for use on your account, or is it simply subcontracting all work out and keeping a percentage of the fee for itself as profit? This will give you a clue as to how much your transcription vendor values its relationship with you, and how carefully you should review the other contract terms.
6. Ensure that you protect your institution by including specific performance standards in the contract. These should include turn-around time, error rate, and template consistency (so that the documents follow a certain standard form). Not only are written performance standards important to give you the ability to terminate the contract if they are not met, they also can help you consider whether choice of this vendor comes with hidden costs. Although the vendor may appear to be less costly than another, does the high error rate require you to allocate time from other employees to review, edit and correct the work?
7. Training staff regarding confidentiality - HIPAA requires that all persons with access to personal health information receive training regarding the confidentiality requirements of the law. In addition, laws in some states, such as New York's AIDS Confidentiality Law, require training of staff as to the confidentiality of certain information. It is much easier to place the burden of training on the transcription company than the hospital.
8. Consider whether the persons doing the work are independent contractors of the medical transcription company, hired by the vendor on a project basis, or whether the vendor actually employs the transcriptionists. It may cost a transcription company a little more to hire staff as W-2 employees, but the benefits to the hospital are multiple. Marilyn Grebin, owner of transcription company Silent Type, describes how hiring transcriptionists as employees allows for much more control over the transcriptionists and their work. According to Ms. Grebin, hospitals prefer having only a few transcriptionists who work with the hospital and its doctors regularly, and have familiarity with that institution's abbreviations, document formats and sometimes physician accents. It allows her to track the work and its quality, and is one of the primary bases for Silent Type's "100 percent guarantee of satisfaction."
9. Ensure that the contract contains the terms standard to protect you in any contract: (a) the ability (of both parties) to terminate the contract for cause (e.g., failure to comply with the terms of the contract) and not for cause (although if the vendor has made a substantial capital investment in your account, this clause may only be agreed upon if the hospital takes some responsibility for this investment), (b) an appropriate length of time for the contract , (c) inability of the vendor to assign the contract without the hospital's permission, and (d) a requirement that any claim be brought in the State where your institution is located.

A California state senator has discussed introducing legislation to prohibit provider and payer organizations in that state from sending confidential medical information outside of the United States for transcription or other outsourced data processing activities. Whether other states follow suit remain to be seen. In the meantime, hospitals can minimize the risk of transcription vendors treating information inappropriately by following certain common sense and legal guidelines, such as those set forth above.