What Healthcare Providers Need to Know Before Hiring Virtual Medical Scribes
Medical scribes are professionals who document patient encounters and physician dictation into a patient’s medical records. Using a medical scribe can significantly reduce the amount of time a physician spends documenting a patient’s electronic health record (EHR). Traditionally, medical scribes would physically accompany physicians to their appointments to document the patient’s records. While many healthcare organizations still use traditional medical scribes who accompany the physician, some organizations now are employing virtual medical scribes who observe physicians remotely.
Although the cost benefits and flexible schedules of virtual medical scribes are attractive to many healthcare organizations, some may wonder whether such benefits are outweighed by the potential HIPAA and liability risks that might arise from granting a virtual scribe access to their patients’ EHR, which contains electronic Protected Health Information (ePHI).
This article highlights the potential HIPAA and liability risks associated with employing virtual medical scribes and outlines the measures healthcare organizations can take to mitigate such risks.
HIPAA and Liability Risks Associated with Virtual Medical Scribes
Because a virtual medical scribe qualifies as a business associate (BA) of a covered entity (CE), virtual scribes are required to adequately safeguard ePHI under HIPAA. This means that virtual scribes, like any other BA, can face penalties if they fail to implement adequate administrative, physical and technical safeguards as required by the HIPAA Security Rule. However, a CE also can be penalized for the HIPAA violations of a BA if it is determined that the CE failed to duly vet or monitor the BA. To avoid such HIPAA risks, it is imperative that healthcare organizations confirm before hiring that the scribe or scribe service has implemented adequate safeguards to protect ePHI.
In addition to HIPAA concerns, healthcare organizations also should be aware of the unique liability risks that virtual medical scribes may pose. Before choosing a service, it is important to understand the level of supervision that will be required and the tasks that scribes can and can’t perform.
Healthcare organizations can use the following risk management tips when selecting a virtual medical scribe to reduce their chances of being penalized for a scribe’s HIPAA violation and to reduce liability exposures.
Virtual Scribe HIPAA Compliance Tips
1. Determine the steps the scribe service has taken to become HIPAA compliant
Review the scribe service’s website to see what, if any, measures the vendor has implemented to comply with HIPAA. If a scribe service claims it is HIPAA-compliant but provides no details on how it maintains compliance, it may be unwise to use that service without first receiving satisfactory assurances that it will adequately safeguard your patients’ ePHI.
2. Obtain a Business Associate Agreement with the scribe or the scribe service
HIPAA requires that a CE have a Business Associate Agreement (BAA) in place with any BA that has access to ePHI. Therefore, healthcare providers must have either the scribe service provider or each individual scribe sign a BAA before granting access to any ePHI. At a minimum, the BAA should:
Contain a description of the permitted and required uses of ePHI;
State that the business associate will not use or further disclose the ePHI other than as permitted or required by contract or by law; and
Require the business associate to use appropriate safeguards to prevent a use or disclosure of ePHI other than as allowed by the contract.
If a scribe service provider uses proprietary software to connect with the physician or receives ePHI at any point, the scribe service provider must sign a BAA to ensure that its platform is HIPAA-compliant. But if the service supplies scribes who will work exclusively on your organization’s EHR and no ePHI is transmitted to the service provider, then only the individual scribe would be required to sign a BAA.
3. Document scribe’s HIPAA training certificate before onboarding
If a scribe service claims its scribes have completed HIPAA training, healthcare providers should receive and document their HIPAA training certificates before allowing them to access ePHI. If a scribe has not been trained on HIPAA compliance, consider having them complete your organization’s own HIPAA compliance training.
4. Limit the virtual scribe’s access to ePHI
Healthcare providers should restrict the scribe’s access to ePHI by requiring a unique username and password for each scribe, with access to your EHR granted during times when the individual is expected to be working. The scribe should be authorized to access only the portion of the EHR necessary for the individual to document the notes dictated by the physician.
Furthermore, if the scribe is working exclusively through your EHR, ePHI should never be available for download directly to the scribe’s device. If the scribe can’t download any ePHI, the risk of the individual losing ePHI is limited.
In addition, the healthcare organization should be able to immediately suspend the scribe’s access to ePHI in the event of a breach to mitigate additional exposures.
5. Maintain and monitor logs of scribe access to ePHI
Logs detailing each time a scribe logs in and accesses ePHI should be kept and reviewed periodically. If it is discovered that a scribe has accessed ePHI unnecessarily or without authorization, the individual’s access should be suspended immediately while the practice investigates.
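The periodic log review in tip 5, checked against the access limits in tip 4, can be automated. The sketch below is an added example, not part of the original article: the log format, usernames, section names and the `POLICY` table are all constructed assumptions, timestamps are assumed to be in the organization's local time, and shifts are assumed not to cross midnight.

```python
from datetime import datetime, time

# Hypothetical per-scribe policy: shift window and the EHR sections needed for documentation.
POLICY = {
    "scribe_ana": {"shift": (time(8, 0), time(17, 0)), "sections": {"visit_notes"}},
    "scribe_raj": {"shift": (time(13, 0), time(21, 0)), "sections": {"visit_notes"}},
}

# Constructed sample log: ISO timestamp, username, action, EHR section, record id.
SAMPLE_LOG = """\
2024-03-04T09:12:00,scribe_ana,view,visit_notes,rec-1001
2024-03-04T09:40:00,scribe_ana,edit,visit_notes,rec-1001
2024-03-04T23:05:00,scribe_ana,view,visit_notes,rec-1002
2024-03-04T14:20:00,scribe_raj,view,billing,rec-1003
2024-03-04T15:00:00,scribe_raj,export,visit_notes,rec-1003
2024-03-04T10:00:00,scribe_old,view,visit_notes,rec-1004
"""

def review(log_text, policy=POLICY):
    """Return a list of (username, reason, raw_line) findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 5:
            findings.append(("?", "unparseable line", line))
            continue
        ts, user, action, section, _rec = parts
        rule = policy.get(user)
        if rule is None:  # e.g. an account that should have been disabled
            findings.append((user, "account has no access policy", line))
            continue
        start, end = rule["shift"]
        if not (start <= datetime.fromisoformat(ts).time() <= end):
            findings.append((user, "access outside scheduled hours", line))
        if section not in rule["sections"]:
            findings.append((user, "section not needed for documentation", line))
        if action == "export":
            findings.append((user, "ePHI export/download", line))
    return findings

def accounts_to_suspend(findings):
    """Usernames whose access should be suspended while the practice investigates."""
    return sorted({user for user, _reason, _line in findings if user != "?"})

if __name__ == "__main__":
    for user, reason, line in review(SAMPLE_LOG):
        print(f"{user}: {reason}: {line}")
    print("suspend pending investigation:", accounts_to_suspend(review(SAMPLE_LOG)))
```

A real EHR audit export will have its own field names and action vocabulary; the three checks (time window, section scope, export events) are what carry over.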
Additional HIPAA Risks Associated with Virtual Scribes Located Outside the U.S.
Because overseas virtual medical scribes are a relatively recent innovation, it is unclear how the Office of Civil Rights (OCR) – the department that enforces HIPAA – will address non-compliant virtual scribes located outside the United States. It is unlikely that OCR will pursue foreign BAs because the OCR’s jurisdiction is limited to the U.S. and the chances that overseas vendors will voluntarily pay their fines are slim. Rather, it is likely the OCR will pursue the domestic covered entity (CE) that hired the foreign BA, even if the CE remained compliant with HIPAA at all times.
So how can healthcare organizations ensure that they do not become liable for the HIPAA violations of their overseas virtual scribes? In short, they can’t. Because the OCR is unlikely to pursue offenders located outside its jurisdiction, healthcare organizations will in all probability be liable for the HIPAA violations of the overseas scribes they hire.
In addition, because foreign vendors may be more susceptible to certain types of cyber threats, HHS requires that CEs take such risks into account when conducting the risk analysis and risk management required by the HIPAA Security Rule. To that end, healthcare organizations contracting with overseas scribes should be aware of the particular cyber threats common in the region where the scribe is located. They should include provisions in the BAA that require the scribe or scribe service to take specific precautions to mitigate such threats.
Virtual Scribe Liability Risk Management Tips
1. Clearly define the scribe’s duties in the employment contract
The employment contract should make it clear that the scribe’s job is to document patient encounters and the physician’s dictation into the EHR. The employment contract also should expressly forbid the scribe from performing any clinical tasks such as diagnosing the patient or ordering medication.
2. Provide scribes with adequate EHR training at orientation
Most virtual scribes will be unfamiliar with your EHR platform. For that reason, each scribe should be sufficiently trained on your organization’s EHR system before beginning documentation. Such training should include instructions on how the scribe should sign in and out of the system, notify physicians of system alerts, and sign and date entries.
3. Develop a scribe performance audit policy
Healthcare providers should consider establishing a scribe performance audit policy before hiring a virtual medical scribe. The scribe’s performance should be audited periodically by the healthcare organization to confirm compliance with the organization’s guidelines, including confirmation that the scribe is not performing any clinical tasks. Performance audits also will give the healthcare organization an opportunity to provide constructive feedback directly to the scribe.
4. Review all scribe entries for accuracy
Because liability for any errors in the EHR will ultimately rest with the healthcare provider, the physician that dictated the notes to the scribe should carefully review entries for any errors or inaccuracies. While all scribe entries in a patient’s EHR should be reviewed carefully, special attention should be paid to the accuracy of entries that may affect the patient’s course of treatment. After the scribe’s entries have been reviewed, the physician should electronically sign and date the EHR to confirm that the physician was present at the patient visit and that the scribe’s entries are accurate.
5. Ensure that scribes are up-to-date on all training
In addition to the initial EHR training, healthcare organizations should provide ongoing training for virtual scribes since organizational policies as well as federal and state regulations change over time.
6. Notify patients of the scribe’s presence
If a virtual scribe will be observing the physician during appointments, the physician should notify patients that the scribe will be listening to and/or viewing the visit and explain the scribe’s role beforehand. The physician also should explain that the patient may refuse to have the scribe present during all or certain parts of the appointment.
The information in this article is provided for educational purposes only, and should not be relied upon as legal advice.
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.