Utilizing a medical scribe can significantly reduce the amount of time a physician spends documenting a patient’s electronic health record (EHR). While many healthcare organizations still use traditional medical scribes that accompany the physician on appointments, some healthcare organizations are now employing foreign virtual medical scribes that observe the physician remotely.
Although the cost benefits of using a foreign virtual medical scribe are attractive to many healthcare organizations, some may wonder whether those benefits are outweighed by the potential HIPAA risks that arise from granting a foreign scribe access to their patients’ EHRs, which contain electronic Protected Health Information (ePHI).
This blog post aims to highlight the HIPAA risks associated with employing foreign virtual medical scribes and outline what measures healthcare organizations can take to mitigate such risks.
HIPAA Enforcement Overseas is Uncertain
Because virtual medical scribes qualify as a “business associate” (BA) of a “covered entity” (CE) under HIPAA, virtual scribes are required to adequately safeguard ePHI. This means that virtual scribes, like any other BA, can face penalties if they fail to implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule. Because foreign virtual medical scribes are a relatively recent innovation, there is limited information available to determine how the Office for Civil Rights (OCR) – the department that enforces HIPAA – will address foreign scribes that violate HIPAA. It is unlikely that OCR will pursue foreign BAs, because OCR’s jurisdiction is limited to the United States and because the chances that overseas vendors will voluntarily pay their fines are slim. Rather, it is likely that OCR will pursue the domestic CE that hired the foreign BA, even if the CE remained compliant with HIPAA at all times.
So how can healthcare organizations ensure that they do not become liable for the HIPAA violations of their foreign medical scribes? In short, they can’t. Because the OCR is unlikely to pursue foreign offenders, healthcare organizations will, in all probability, be liable for the HIPAA violations of the foreign scribes they hire. However, healthcare organizations can use the following risk management tips when selecting a foreign virtual medical scribe to reduce their chances of becoming liable for a foreign scribe’s HIPAA violations.
Risk Management Tips for Healthcare Organizations Considering Foreign Virtual Scribes:
- Determine what steps the scribe service has taken to become HIPAA compliant.
Review the scribe service’s website to see what measures, if any, the vendor has implemented to comply with HIPAA. If a scribe service claims it is HIPAA compliant but provides no details on how it maintains compliance, it may be unwise to use that scribe service without first confirming how it will protect your patients’ ePHI.
- Obtain a Business Associate Agreement with the scribe or the scribe service.
HIPAA requires that a CE have a Business Associate Agreement (BAA) in place with any BA that has access to ePHI. Therefore, healthcare providers must have either the scribe service provider or each individual scribe sign a BAA before granting access to any ePHI. HHS requires that a BAA:
- Describe the permitted and required uses of ePHI;
- Provide that the business associate will not use or further disclose the ePHI other than as permitted or required by the contract or as required by law; and
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of ePHI other than as provided for by the contract.
If a foreign scribe service provider uses their own proprietary software to connect the scribe with the physician or to receive ePHI, the scribe service provider must sign a BAA to ensure their platform is HIPAA compliant. But if the scribe service provides scribes that will work exclusively on your organization’s EHR and no ePHI is transmitted to the scribe service provider, then only the individual scribe would be required to sign a BAA.
Additionally, because foreign vendors may be more susceptible to certain types of cyber threats, HHS requires that CEs take such risks into account when conducting the risk analysis and risk management required by the Security Rule. To that end, healthcare organizations contracting with overseas scribes should be aware of the particular cyber threats common in the region where the scribe is located and should require, in the BAA, that the scribe service or the individual scribe take specific precautions to mitigate those threats.
- Create and document your own HIPAA training with the virtual scribe.
Consider having the scribe complete your organization’s HIPAA compliance training program. Even if a scribe has already been trained on HIPAA compliance by the scribe service provider, it is best to ensure and document that the scribe has received adequate training and understands your healthcare organization’s specific expectations.
- Limit the virtual scribe’s access to ePHI.
Healthcare providers should restrict the scribe’s access to ePHI by requiring a unique username and password for each scribe, with access to your EHR granted only during the times when the scribe is expected to be working. The scribe should also be authorized to access only the portion of the EHR necessary to document the notes dictated by the provider.
Furthermore, if the scribe is working exclusively through your EHR, ePHI should not be made available for the scribe to download directly to the scribe’s device. If the scribe is incapable of downloading any ePHI, then there will be less risk of the scribe losing ePHI.
Additionally, the healthcare organization should have the capability to immediately suspend the scribe’s access to ePHI in the event of a breach in order to mitigate additional exposures.
- Maintain and review logs of scribe access to ePHI.
Logs detailing each time a scribe signs in and accesses ePHI should be kept and reviewed periodically. If it is discovered that a scribe has accessed ePHI unnecessarily or without authorization, the scribe’s access should be suspended immediately while the organization investigates.
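The access limits and log review described above can be checked mechanically. The following is an added illustration, not code from the original post or from any EHR vendor: it reviews constructed audit-log lines against a hypothetical per-scribe policy (scheduled hours, assigned provider, permitted actions) and flags the events that should trigger an investigation and an immediate access suspension.

```python
from datetime import datetime, time

# Constructed sample audit-log lines (not from a real EHR):
# timestamp, scribe account, action, provider whose chart was opened, patient id
SAMPLE_LOG = """\
2024-03-04T09:12:00,scribe_a,VIEW_NOTE,dr_patel,P100
2024-03-04T09:40:00,scribe_a,EDIT_NOTE,dr_patel,P101
2024-03-04T22:15:00,scribe_a,VIEW_NOTE,dr_patel,P102
2024-03-04T10:05:00,scribe_a,EXPORT_CHART,dr_patel,P100
2024-03-04T11:30:00,scribe_a,VIEW_NOTE,dr_lee,P300
"""

# Hypothetical policy: the scribe may only work 08:00-18:00, only on the
# assigned provider's notes, and may only view/edit notes (no download/export).
SCRIBE_POLICY = {
    "scribe_a": {
        "window": (time(8, 0), time(18, 0)),
        "provider": "dr_patel",
        "allowed_actions": {"VIEW_NOTE", "EDIT_NOTE"},
    }
}

def parse_events(log_text):
    """Turn the comma-separated log lines into dicts with a parsed timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, provider, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "provider": provider, "patient": patient})
    return events

def review_scribe_access(log_text, policy):
    """Return (event, reason) pairs for every access that violates the policy."""
    findings = []
    for ev in parse_events(log_text):
        rule = policy.get(ev["user"])
        if rule is None:  # an account nobody provisioned is itself a finding
            findings.append((ev, "unknown scribe account"))
            continue
        start, end = rule["window"]
        if not (start <= ev["ts"].time() <= end):
            findings.append((ev, "access outside scheduled hours"))
        if ev["provider"] != rule["provider"]:
            findings.append((ev, "access to records of a provider the scribe is not assigned to"))
        if ev["action"] not in rule["allowed_actions"]:
            findings.append((ev, "action beyond note documentation (export/download)"))
    return findings

def accounts_to_suspend(findings):
    """Accounts whose access should be suspended while the organization investigates."""
    return {ev["user"] for ev, _ in findings}
```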
While there are certainly more risks associated with foreign virtual scribes than with domestic virtual scribes, healthcare organizations can significantly reduce HIPAA risks by limiting, controlling, and closely monitoring a foreign scribe’s access to ePHI.