  General Security Policy

INTRODUCTION

ITO has adopted the following Security Policy as part of its effort to comply with HIPAA standards. We endeavor to protect the security of electronic health information, as well as to protect the confidentiality and integrity of confidential health information, as required by law, professional ethics, and accreditation requirements.

“USERS” refers to all those who participate in the processes of dictation, transcription, maintenance, storage, and retrieval of transcribed data of ITO.

GENERAL POLICY

  1. No Right to Privacy. The transcription system and all transcribed data are part of the business equipment of ITO, are owned by ITO, and are not the USERS' property. Consequently, USERS have no right to privacy in their use of the transcription system or its data.
  1. Right to Monitor, Audit, Read. ITO and its Clients reserve the right to monitor, audit, and read transcribed documents. The network administrator may override USER passwords. ITO may monitor the content and usage of the transcription system to support operational, maintenance, auditing, security, and investigative activities.
  1. Training and Authorization Required. A USER may use the transcription system only after having completed proper training and having received proper authorization in accordance with ITO Personnel Security Policy. The Director of Transcription Operations is responsible for such training and authorization.
  1. USER's Acknowledgment Required. A USER may use the transcription system only after signing an acknowledgment stating that the USER acknowledges and understands the USER's obligation to protect security and maintain confidentiality when using the transcription system, that the USER will fulfill his or her obligations, and that the USER will face disciplinary action if he or she does not, in accordance with ITO’s and/or the Client’s policies. The HIPAA Compliance Officer of ITO is responsible for obtaining and keeping such written acknowledgment from each USER.
  1. Access. Access to health information, records, tapes, dictation, or a combination thereof is limited to authorized USERS on a need-to-know basis.
  1. Dictation and Dictation Playback. Dictation and dictation playback must be done in a secure environment that protects the information from being overheard by unauthorized persons. Health information may not be dictated into cellular phones or into public telephones where others can overhear the dictation or into equipment with an activated auto answer, such as an answering machine.
  1. Shipping of Dictation. Dictation on audio cassette tapes, CDs, or other voice files may be shipped only by carriers authorized by the HIPAA Compliance Officer of ITO.
  1. Log-off Required. USERS must log off computers and dictation equipment when not transcribing unless using a pause feature that removes the document from screen view and access until the transcriptionist reactivates it.
  1. Electronic Transmission of Transcribed Data. No USER may electronically transmit transcribed data except as authorized by the HIPAA Compliance Officer of ITO, consistent with relevant system security policies and chain of trust partner agreements. At no time may USERS email or disclose Patient Information through an Instant Messenger program. Faxing may only be done when authorized by the HIPAA Compliance Officer of ITO.
  1. Storage and Deletion of Dictation on Voice File. USERS may store dictation on an audio cassette tape, CD, or any other voice file only for the length of time necessary to transcribe and review documentation and in a manner that protects against unauthorized access. Once the dictation has been transcribed and the transcribed data has been received by ITO and/or the Client of ITO, as directed by the ITO Director of Transcription Operations, the dictation on the voice file must be deleted from a digital system or erased from an analog system in a manner approved by the ITO HIPAA Compliance Officer to protect the confidentiality of the data. Transcribed tapes may not be reused until they are first erased.
  1. Authentication of Report. After a USER completes transcription of a report, he or she must authenticate it by an identifier assigned by the ITO Director of Transcription Operations. This authentication does not, however, constitute the formal authentication of the report required by law and professional standards.
  1. Release of Patient Data. No USER may release any patient data except to the individual who dictated the data, ITO and/or the Clients of ITO, or persons authorized in writing by the ITO Director of Transcription Operations.
  1. Enforcement. All supervisors are responsible for enforcing this Policy. Employees who violate this policy are subject to discipline, up to and including termination from employment, in accordance with ITO Policies and Procedures.



  Copyright © 2005 - . All rights reserved.