The Health Insurance Portability and Accountability Act (“HIPAA“) and its supporting regulations protect what’s called “Protected Health Information” or “PHI.” You know that “Notice of Privacy Practices” document you sign when you see your doctor or go to the hospital? That’s because of HIPAA.
PHI
At its core, HIPAA protects the confidentiality and security of PHI. PHI includes any information that could identify the patient, including name, age, address, phone number, email address, social security numbers, diagnosis, medical history, medical record numbers, observations of health, any unique identifier, or the even the simple fact that the patient is in the hospital or medical facility. Healthcare providers may not share PHI with anyone expect those chosen by the patient with some exceptions, like parents/legal guardians for child patients. This is called the Privacy Rule. HIPAA also requires secure storage of PHI (called the “Security Rule“).
Business Associates
As you might imagine, HIPAA and its regulations dictate very specific requirements for healthcare providers to keep patient data secure. When a healthcare provider contracts with someone else to provide services, and providing those services requires access to PHI, that subcontractor becomes a “Business Associate.” Business Associates are required to follow the same Privacy and Security Rules under HIPAA as the healthcare provider.
Business Associates include lots of different kinds of businesses and people, from law firms and accountants to third party claims administrators to temporary nurse staffing agencies to language solutions providers.
PHI in Language Services
Language service providers (“LSPs”) in the healthcare field deal with a lot of PHI. Consider for moment who hears more PHI about a patient: the doctor or the interpreter? At first blush, doctor may seem like the obvious answer. But let’s take a closer look. Consider a typical visit to a hospital emergency department, as an example:
- Registration – Interpreter needed. No medical staff needed in this process, but lots of PHI involved (name, address, phone number, SSN, insurance, etc.).
- Triage – Medical staff enter the picture here, but not typically the attending physician. The interpreter, however, is there to hear it all – what happened? what are the symptoms? medical history? medications taken? pain level?
- Testing – Whether it’s a portable EKG, taking blood, an xray or other testing, various medical staff interact with the patient, before or after the attending physician speaks with the patient. Again, the interpreter hears everything between the patient and each medical professional.
- Consultation with the doctor – The attending physician will, of course, speak with the patient at least a couple of times. The interpreter will hear this, as well.
- Insurance and payment – At some point, a representative from the financial side of the hospital will come in to collect insurance information and possibly payment of a co-pay. Lots of PHI for the interpreter to hear and interpret – no doctor present.
- Vitals checks, IV, medications, other treatments – Various medical staff will check in on the patient to check vitals, put in an IV or change an IV bag, administer medication, put in stitches, or any number of a variety of treatment options. The interpreter is there to hear and interpret it all.
- Discharge – The attending physician may or may not be there for the final discharge … but the interpreter certainly is.
As you can see, the interpreter is there for the patient’s every conversation with every staff member – whether medical staff or administration. That’s a lot of PHI! On top of that, the LSP’s scheduling system likely includes the patient’s name to help the interpreter get to the right place. The LSP’s invoice also likely includes the patient’s name to allow the facility to match up its records. The patient’s name along with the name of the medical facility and date/time the patient was at the facility? All PHI.
HIPAA Compliance in Language Services
Healthcare facilities invest significant resources on HIPAA compliance internally and with each and every Business Associate. To ensure your language service provider is HIPAA-compliant, consider the below factors:
- HIPAA Policies and Procedures. Does your language service provider have appropriate HIPAA Policies and Procedures in place?
- HIPAA-compliant technology. From interpreter scheduling systems to invoicing systems, how does your language service provider protect electronic PHI? Is data encrypted at rest and in transit? How are invoices delivered? (Important tip: When invoices display PHI, make sure your LSP delivers them securely, which means never through unencrypted email!)
- HIPAA-trained staff. Just like doctors, nurses, administrators and other healthcare staff must be trained on HIPAA compliance, so must interpreters and LSP administrative staff. Ask your language service provider how it trains its staff and ask for documentation.
- Business Associate Agreement. Has your language service provider signed a Business Associate Agreement, committing to HIPAA compliance and specific notification and remediation steps?
- Insurance. Does your language service provider carry insurance that covers a HIPAA breach?
Keeping PHI confidential and secure is vital in the healthcare industry. At Vocalink Global, we understand that language access compliance in healthcare necessarily includes HIPAA-compliance. That’s why we designed our medical interpreting and medical translation solutions with confidentiality and security in mind. Want more information? Connect with us today!