Data Security

GDPR & HIPAA Compliance

American Transcription Services, LLC (ATS) is committed to safeguarding its clients’ data and privacy rights. This includes patient confidentiality and document security requirements for GDPR compliance. In this context, we have developed a GDPR-compliant data security policy to provide our clients with a comprehensive overview of how we store, transfer, and handle any information they provide to us.

Policy Statement

As a leading healthcare service provider, ATS is dedicated to upholding the highest standards of data security and patient privacy. We recognize that the protection of sensitive patient information is paramount to our operations, and we are fully committed to complying with the General Data Protection Regulation (GDPR) and other relevant data protection laws and regulations.

Our Commitment

At ATS, we understand that patient data is among the most sensitive and personal information. We are unwavering in our commitment to the following:

  • Confidentiality: We recognize the significance of maintaining the confidentiality of patient information. All patient data entrusted to us, whether in the form of medical records, billing information, or other health-related details, will be handled with the utmost discretion.
  • Integrity: We are dedicated to preserving the integrity of patient data. Any information we receive will be securely stored and transferred with complete fidelity to the original source.
  • Availability: ATS pledges to ensure the availability of patient data when needed by authorized personnel. Our commitment extends to providing timely access to patient records while implementing stringent controls to prevent unauthorized access.
  • Compliance: We recognize and respect the legal and ethical obligations imposed by GDPR and other relevant regulations. We are committed to full compliance with these requirements and will take all necessary measures to protect patient rights and privacy.

Scope of the Policy

Data Types Covered

This GDPR policy encompasses the protection and management of various types of sensitive patient data, including but not limited to:

  • Patient Health Records (PHR): Detailed medical records containing patient diagnoses, treatment plans, medical history, laboratory results, and other health-related information.
  • Billing Information: Patient financial data, including insurance information, billing statements, and payment details related to healthcare services.
  • Medical Histories: Comprehensive patient medical histories, including past illnesses, surgeries, medications, and any relevant medical conditions.
  • Diagnostic Data: Information related to patient diagnoses, such as radiology reports, pathology reports, and diagnostic test results.
  • Demographic Information: Patient identification details, including names, addresses (if applicable), phone numbers (if applicable), and other personal identifying information.

ATS usually collects PHRs from clients who want to avail of our healthcare services. We use secure digital communication channels to gather this information from customers.

Systems and Processes

This GDPR policy applies to all systems, processes, and activities involved in the handling, processing, and storage of patient data. It covers the following:

  • Medical Transcription Services: The process of transcribing healthcare professionals’ audio dictations into text format, including the secure collection, transcription, and delivery of patient data.
  • Insurance Liaison Services: ATS acts as an intermediary between insurance providers, hospitals, and patients during claim negotiation processes, which may involve the exchange of patient information.
  • Data Storage: The secure storage of patient data in cloud-based or on-premises systems, ensuring data integrity, confidentiality, and availability.
  • Data Transmission: The secure transfer of patient data between healthcare providers, transcribers, and other authorized entities, both within and outside the organization.
  • Access Controls: Mechanisms for granting and managing access to patient data, including authentication, authorization, and access permissions for employees, contractors, and third-party vendors.

Roles and Responsibilities

We’ve defined clear roles to ensure accountability for data security, privacy, and compliance. The most prominent roles include:

Data Security Officer (DSO)

The Data Security Officer (DSO) oversees and ensures the proper implementation of data security policies and practices across the organization. The DSO’s primary responsibilities include:

  • Policy development: Collaborating with stakeholders to develop and update data security policies in accordance with GDPR, HIPAA, and other relevant regulations.
  • Compliance monitoring: Regularly monitoring and ensuring compliance with data security policies and regulations.
  • Incident response: Leading the incident response team in addressing security breaches, data incidents, and potential threats.
  • Training: Providing training and awareness programs to educate employees, contractors, and vendors about data security.
  • Risk assessment: Conducting risk assessments and vulnerability analyses to identify and mitigate security risks.

Data Custodians

Data custodians are individuals within the organization responsible for the custody and protection of patient data. Their responsibilities include:

  • Data classification: Classifying patient data based on sensitivity (e.g., confidential, sensitive, public) and applying appropriate access controls and handling procedures.
  • Access control: Managing and granting access permissions to patient data on a need-to-know basis, ensuring that employees, contractors, and vendors have access only to data necessary for their roles.
  • Data storage: Ensuring secure storage of patient data, both in transit and at rest, in compliance with data security policies.
  • Monitoring: Regularly monitoring data access and usage to identify and report any unauthorized access or policy violations.

Data Processors

Data processors, including employees, contractors, and third-party vendors, play a crucial role in handling patient data. Their responsibilities include:

  • Data handling: Safely and accurately processing patient data, following data security policies and procedures.
  • Access control: Adhering to access controls and permissions defined by data custodians to ensure data confidentiality.
  • Training: Participating in data security training programs to understand and adhere to data security policies and best practices.
  • Incident reporting: Reporting any data security incidents, breaches, or potential threats promptly to the Data Security Officer.
  • Data disposal: Complying with data retention and disposal guidelines, securely disposing of data when it is no longer needed.

Third-Party Vendors and Contractors

Third-party vendors and contractors who have access to patient data must also adhere to data security and privacy standards. Their responsibilities include:

  • Compliance: Complying with all data security and privacy requirements specified by ATS, including GDPR and other relevant regulations.
  • Data handling: Handling patient data with the same level of care and security as internal employees, following ATS data security policies.
  • Audit and oversight: Allowing ATS to audit and oversee their data security practices to ensure compliance.
  • Incident reporting: Reporting any data security incidents or breaches that occur while handling patient data promptly to ATS.

We ensure that all stakeholders are aware of their obligations in maintaining data security and patient privacy.

Data Classification

At American Transcription Services, we classify patient data into the following categories based on sensitivity:

Confidential Data

This category includes patient health records (PHR) and billing information. Access to confidential data is strictly limited to authorized personnel with a legitimate need-to-know. Data handling procedures include encryption during transmission and storage.

Sensitive Data

Data such as medical histories and diagnostic information are classified as sensitive. Access controls ensure that only relevant individuals, as per the principles of least privilege (section 5), have access. These data types are also subject to encryption during transmission and storage.

Public Data

Limited non-sensitive patient information, such as basic demographic details, may be considered public. However, access controls are still enforced to prevent unauthorized disclosure.

Access Controls

Access to patient data is granted and revoked through the following procedures:

  • Authentication: All employees, contractors, and third-party stakeholders must undergo identity verification through secure credentials (e.g., usernames, passwords, biometrics) to gain access.
  • Authorization: Access rights are systematically defined, and users are granted or denied access based on predefined criteria. The principle of least privilege is strictly enforced, ensuring that employees have access only to the data necessary for their specific roles.

Physical Security

Our team members who work remotely exclusively use company-provided laptops and desktops and have to comply with company protocols and policies about the security of data. Their machines are loaded with desk time applications to monitor every fraction of their work.

They aren’t allowed to store PHIs and other client files on their personal devices. Furthermore, these nodes are updated with robust encryption software and malware protection software to protect the data on their computers.

We also prioritize cleaning up of temp files created after the completion of our services. The deletion of all documents from computers after service delivery follows an established protocol.

Data Storage and Transmission

At ATS, we use secure cloud storage solutions to store all patient information we receive from clients. Each type of client-sourced file passes through robust 256-bit encryption at rest and during transit. Our host uses Secure Sockets Layer (SSL)/Transportation Layer Security (TLS) to protect data in transit between dictation applications and our servers. SSL/TSL creates a secure tunnel protected with 128-bit or greater Advanced Encryption Standard (AES) encryption.

We ensure secure data transmission and storage through the following measures:

  • Encryption Protocols: Patient data is encrypted during both transmission and storage. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) is employed for data transmission, and data storage systems employ encryption algorithms like Advanced Encryption Standard (AES) for data at rest.
  • Network Security: Robust firewalls and intrusion detection systems are in place to protect data during transmission over networks. Regular updates and diligent monitoring of network traffic are conducted to detect and mitigate threats.
  • Secure Storage: Data is securely stored on the cloud and on-premise devices. Access controls are strictly enforced to prevent unauthorized access to stored data.

Authentication and Authorization

Authentication

ATS uses a combination of secure methods to verify the identity of users accessing patient data. These methods may include:

  • Usernames and strong, periodically changed passwords.
  • Multi-factor authentication (MFA) to ensure an extra layer of security.
  • Biometric authentication, where applicable and feasible, such as fingerprint or facial recognition.

Authorization

The authorization process involves specifying access rights based on user roles and responsibilities. ATS employs the principle of least privilege, ensuring that employees, contractors, and third-party vendors have access only to the data necessary for their specific roles. Authorization is controlled through role-based access control (RBAC) mechanisms, which are regularly reviewed and updated as job responsibilities change.

Incident Response

ATS maintains a well-defined incident response protocol to address data breaches, unauthorized access, and other security incidents. Our incident response plan covers the following:

Containment: In the event of a security incident or data breach, immediate containment actions are initiated to prevent further unauthorized access, data leakage, or damage. Containment may involve isolating affected systems or networks.

Investigation: A comprehensive investigation is launched to determine the nature, scope, and impact of the incident. This involves collecting evidence, conducting forensic analysis, and identifying the root cause.

Notification: If required by data protection regulations, affected parties, regulatory authorities, and relevant stakeholders will be promptly notified of the incident. The notification process will be carried out as per legal requirements and within the specified timeframes.

Recovery: Recovery measures are initiated to restore normal operations while minimizing any potential damage. This includes actions to remediate vulnerabilities, repair affected systems, and strengthen security controls to prevent similar incidents in the future.

Data Retention and Disposal

We follow established guidelines for retaining patient data in compliance with legal requirements and ensure secure data disposal when data is no longer needed.

Retention Guidelines

Patient health data, billing information, and other details are retained only for the duration necessary to fulfil its intended purpose or as required by applicable laws and regulations. A data retention schedule is maintained to define specific retention periods for different types of patient data.

Secure Data Disposal

Procedures for secure data disposal are in place, including:

  • Secure shredding of physical documents containing patient data.
  • Secure erasure or destruction of electronic data, including data on servers, databases, and portable devices.
  • Regular auditing and verification of data disposal processes to ensure compliance with data security and privacy standards.

Training and Awareness

We predominantly recruit new employees through referrals from our current. We even run extensive background checks before hiring some. Moreover, our employees sign NDAs as and when required by a client to uphold privacy at all moments. We also conduct regular training programs to educate employees about data security policies, procedures, and best practices.

These include:

  • Data Security Training: All employees, contractors, and third-party vendors receive comprehensive training on data security policies, procedures, and compliance with data protection regulations like GDPR and HIPAA.
  • Security Awareness Campaigns: Regular security awareness campaigns are conducted to reinforce the importance of data security and promote a culture of vigilance among all stakeholders.

Third-Party Management

ATS specifies rigorous requirements for third-party vendors and partners who have access to patient data through the following:

  • Contractual Agreements: Third-party vendors are required to enter into contractual agreements that mandate adherence to data security and privacy standards consistent with ATS policies.
  • Auditing and Oversight: ATS conducts audits and oversight to ensure third-party compliance with data security policies and regulatory requirements.

Monitoring and Auditing

We employ various methods for monitoring and auditing of data access and usage:

  • Logging and Records: Detailed logs and records are maintained to track data access and usage, enabling the identification of potential security breaches or policy violations.
  • Regular Audits:Regular internal and external audits are conducted to assess compliance with data security policies and regulations.

Continuous Improvement

The GDPR policy is regularly reviewed and updated to adapt to new security threats, technologies, and regulations. It ensures data protection measures remain robust and up-to-date.

We reserve the right to update or modify the above GDPR Privacy Policy, as deemed necessary, to adapt to the changing business and market needs. We are not liable to inform you about the change in the policy before it has been made. Following the change, we will inform the same through the appropriate communication channels.

Enforcement and Consequences

We take proactive measures to enforce the regulations and protocols outlined in this policy. The consequences of violating the data security policy are clearly defined and communicated to all stakeholders. Disciplinary actions, including warnings, suspension, termination, and potential legal repercussions, may be taken in response to policy violations.

Your Data Protection Rights

At American Transcription Services, we believe in maintaining complete transparency with our clients. So, we give you the authority to request us to delete our copy of your files from our systems after the successful completion of your project.

If you want to request the deletion of any data, you can reach out to your account manager directly.

Reach Out to Us

If you have any questions about our GDPR Data Security Policy, the data we hold, or your data protection rights, please feel free to contact us.