April, 2023
Scribes have long been employed in medical practices as a tool to increase the productivity of physicians and practitioners by lessening the demand on their time for documentation in an electronic health record (EHR). A well trained and competent scribe does exactly that. Given the staffing challenges of recent years, practices are struggling to hire staff for all positions. One of the emerging trends to combat staff shortages is the use of foreign virtual scribes who “observe” the physician and participate in the patient encounter remotely. These services are generally available at a lower cost than a full-time, in-house staff member. While this may seem like the solution to a problem, practices should be aware of the risks associated with this type of relationship.
While the potential for an incorrect entry exists with all scribes, it is heightened in this scenario. English may not always be the first language of a foreign scribe. Even if it is, American colloquialisms vary by region and can be confusing for those not familiar with them. This presents a serious risk to patient safety. Physicians and practitioners are responsible to review and validate the scribe’s documentation. Failure to catch and correct a mistranslation could result in irrevocable patient harm.
One of the greatest risks is the potential HIPAA threat arising from access to the electronic health record. Practices are responsible for ensuring the safety and security of patients’ electronic Protected Health Information (ePHI). That can be difficult to do when all employees are under one roof. Granting access remotely around the globe, given the increasing cybersecurity incidents, requires an even higher level of due diligence. Speaking of cybersecurity, another consideration is the threat to the service provider which may be greater based on their location. The practice must take the relationship and potential threats to the service provider into consideration when conducting the practice’s security risk analysis. Health and Human Services specifically addresses the need for this when utilizing a foreign communication service provider (CSP) and the risk to ePHI in a FAQ found here.
A virtual medical scribe and the company for which they work are considered a business associate to the practice’s role as a covered entity. This means they too have an obligation to safeguard ePHI. Should they fail to implement adequate administrative, physical, and technical safeguards as required by the HIPAA Security Rule, they could face penalties. While they may willingly sign a business associate agreement, the issue becomes one of enforcement of penalties should they fail to meet their obligations. At this point, guidance is not available from the Office of Civil Rights (OCR) regarding how they will manage a foreign actor for violating HIPAA. The OCR’s authority does not extend beyond the United States, and it seems unlikely they would pursue these organizations. The practice, however, is within the OCR’s authority making it much easier to seek recovery from them. Unless the business associate voluntarily pays any imposed fines, the practice may be left responsible even if it was compliant.
SVMIC recommends extreme caution before entering into any agreement that places a practice’s system and information at risk. The agreement should clearly outline the responsibilities and obligations of both parties. For those groups considering a foreign CSP, practices should at least consider the following:
Beyond the risk issues outlined, all scribes, whether in person or virtual, must be qualified and properly trained to perform the job. The American Health Information Management Association (AHIMA) provides excellent guidance on those requirements and best practices here. Regardless of the situation, practices should ensure they are using scribes appropriately which requires review and authentication of the information.
Practices must weigh the perceived benefit of these arrangements against the significant risks associated with these services, understanding they will almost certainly be held responsible for any breaches and penalties arising from these relationships. Given the uncertainty of how a breach, or any legal issue for that matter, might be handled given the lack of US jurisdiction over a foreign actor, SVMIC cannot recommend or suggest the use of a foreign based entity.
Stephen Dickens, JD, FACMPE, is the Vice President of the Medical Practice Services Department at SVMIC. Mr. Dickens has spent over 20 years working in medical practice, hospital, and home care executive positions. He is a Past Chair of the Medical Group Management Association. During his tenure, MGMA had more than 33,000 members working in over 18,000 healthcare organizations where some 385,000 physicians practiced. Additionally, he is a Past President of the MGMA Financial Management Society and Tennessee MGMA. He is a Board Certified Medical Practice Executive and Fellow in the American College of Medical Practice Executives.
Our team is here to answer any questions you might have or to help you fill out a quote application.