
NTS Workforce Privacy, Security, & Compliance

2018 Update:
HIPAA Basics
May 2018

© 2018 Nuance Communications, Inc. All rights reserved. 1

Hello ‐ Thank you for attending the mandatory NTS Workforce Privacy, Security, and Compliance update for 2018. This course will update you on the basics of HIPAA.

NTS: A Position of Trust
• Patient information is highly sensitive and confidential
• Trust - a key component of healthcare delivery
• Role of the federal Health Insurance Portability &
Accountability Act (HIPAA)
• Patient information also protected by state laws
• If state law is more restrictive than HIPAA, we must follow the
state law

We are counting on you to play an important role in protecting patient information.


At NTS, we occupy a position of trust in the US healthcare system.  To do our work, 
we have access to patients’ most sensitive information – their health information.  
For the healthcare system to operate effectively, patients must have confidence that 
the privacy of their information will be respected.  In the United States, the federal 
Health Insurance Portability and Accountability Act, known as HIPAA, was created to 
provide privacy and security for patient health information, among other purposes. 
Patient health information is also protected by state laws.  If state laws are more 
restrictive than HIPAA, Nuance must comply with the state laws.

What Types of Information Does
HIPAA Protect?
HIPAA protects “Protected Health Information” (PHI)
PHI includes:
 Any information relating to a person’s health
 Any part of a medical record
 Any medical payment history

PHI may be electronic, on paper, or oral.


HIPAA protects individually identifiable health information held or transmitted by a 
healthcare provider, a health plan, or any contractor such as NTS that provides 
services to a provider or plan.  HIPAA calls this information “protected health 
information” or “PHI.” Individually identifiable health information is information, 
including patient demographics, that relates to:
• The individual’s past, present, or future physical or mental health or condition, 
• The delivery of health care to the individual, or
• The past, present, or future payment for the provision of health care to the 
individual.

If there is a reasonable basis to believe that a piece of information can be used to 
identify the individual, it would be protected. For example, a medical record, 
laboratory report, or hospital bill would be PHI. 

Examples of Protected Health Information
 Patient Name
 Patient Address
 Medical Diagnosis
 Medical Treatment
 Dates – DOB, DOS, DOD
 Telephone Numbers
 Fax Numbers
 Email Addresses
 Social Security Numbers
 Medical Record Numbers
 Health Plan Beneficiary Numbers
 Account Numbers
 Certificate/License Numbers
 Vehicle Identifiers
 Device Identifiers and Serial Numbers
 URLs
 IP Address Numbers
 Biometric Identifiers
 Full Face Photographic Images


Almost all of the dictations, transcriptions and metadata that NTS handles on behalf 
of its customers will constitute PHI.  This includes diagnosis, treatment, and all of the 
different identifying elements you can see on this slide.  In addition, Nuance’s 
contract with the customer will generally require us to protect ALL of the data we 
handle on behalf of the customer and keep it confidential and secure.  The bottom 
line is – you should treat all of the patient information and data you handle as if it is 
PHI. 

Is this PHI?


Even a person’s name can be PHI if associated with a health issue.  For example, the 
fact that a person is a patient of a hospital is PHI.  The example above shows an 
envelope naming Jane Doe as a patient at Mercy Hospital –

Our Principal HIPAA Obligations
A business associate’s principal obligations with respect to PHI can be summarized as:
• Permitted Uses Only: Use PHI to provide customer service, but only the minimum necessary
• Confidentiality: Keep PHI confidential
• Security: Keep PHI secure
• Incidents and Breaches: Notify promptly
• Integrity and Availability: Keep PHI accurate and available


HIPAA sets out rules for how covered entities, such as hospitals and doctors, and 
business associates acting on their behalf, may use PHI.  For example, they may use 
PHI to provide care to a patient and to operate the hospital and the medical practice.  
HIPAA also sets out rules for how covered entities and business associates must 
establish reasonable security and how they must respond when something goes wrong.  
These requirements can be summarized as: Permitted Use Only, Confidentiality, 
Security, Incident and Breach Notification, and Integrity and Availability.

Who is Responsible for HIPAA?

Covered Entities
• Hospitals
• Insurance Companies
• Clinics

Business Associates
• Person or business (NTS) performing service for covered entity


In the healthcare industry, you will often hear some common HIPAA terms, such as 
PHI, “covered entity”, and “business associate”.  Covered Entities include hospitals, 
insurance companies, clinics, self‐insured employers, and small physician practices. 

Business Associates include any person or business, other than a member of the 
covered entity’s own workforce, that performs services for a covered entity and in 
doing so processes patient information on behalf of a covered entity.  NTS is a 
business associate of its covered entity customers.  A Covered Entity is allowed to 
provide PHI to a business associate like NTS so that NTS can provide services to the 
Covered Entity.  To protect the PHI, the Covered Entity and the Business Associate 
enter into a special contract called a Business Associate Agreement.

Business Associate Responsibilities
– Subject to HIPAA penalties
– Liable to covered entity for breach of contract for HIPAA violation
– Employees of business associates (NTS) can be held liable for criminal theft of PHI, or snooping of PHI


As a business associate, NTS is directly subject to HIPAA.  This means that NTS is 
subject to HIPAA penalties, including fines that can total many millions of dollars.  In 
addition, if NTS violates HIPAA, it will also generally be liable to the covered entity 
customer for damages for breach of the Business Associate Agreement.  In some 
circumstances, such as a criminal theft of PHI or snooping in PHI, an individual 
employee could be subject to HIPAA penalties or even imprisonment.

PHI: Strictly Confidential
As a business associate, NTS must:
 Keep all PHI strictly confidential
 Use reasonable security measures to protect
the confidentiality of PHI
 Not disclose PHI to anyone except:
 Others within NTS, but only if needed to
perform services for the customer
 To the customer, when we deliver
transcribed reports or if needed to solve
customer problems.


PHI must be kept strictly confidential.  NTS has adopted security policies, procedures 
and technologies to protect PHI and to help you to protect PHI as well.  You must 
follow NTS’ policies and procedures to make sure we keep our customers’ trust and 
keep PHI confidential and secure.  

When using or disclosing PHI we must try to limit our use and disclosure as much as 
possible.  Here at Nuance Transcription Services, we only use PHI to do our jobs.  This 
includes viewing and processing PHI, including the patient name, account/visit 
number, medical record number, date of birth, and medical report, as needed to 
provide transcription services to our customers.  Sometimes, NTS personnel need to 
view past reports on patients. This is allowed if it is necessary to provide
service to our customers, although we should always limit the amount of
information accessed as much as is practical.

Integrity and Availability of PHI

As well as protecting confidentiality, NTS must adopt safeguards to protect:

- Integrity of PHI – meaning PHI must not be altered or corrupted, and any errors in PHI we process must be corrected

- Availability of PHI – meaning we must make sure our systems will provide reliable service to our customers.


As well as protecting confidentiality of PHI, HIPAA is designed to make sure 
that PHI remains available to healthcare providers so that it can be used for 
treatment.  Also, covered entities and business associates must ensure that 
PHI retains its integrity – meaning that we must ensure that PHI has not 
become corrupted or otherwise erroneous.  

Security Procedures
You will be provided with access to NTS’ security
policies and procedures:
 Review all policies and follow them
 Ask questions if you are unsure
 If you fail to follow policy, you risk creating a
‘security incident’ that has to be reported.
 Tracking and reporting incidents is a time
consuming and expensive business.


You must follow NTS’ security procedures to protect PHI.  These safeguards include:

1. Using passwords to protect computers and locking computers when they are 
unattended.
2. Keeping PHI secure at workstations when working from home.
3. Not transmitting PHI by insecure methods, such as ordinary (unencrypted) email.
4. Not working in public or where others could see your screen.
5. Following all other NTS security procedures provided to you. 

Incidents and Breaches
NTS has an obligation to notify the customer of:
• Any security incident, including:
• Lost laptop, if unencrypted
• Hacking incident or malware
• Unauthorized use or disclosure of PHI, including
breaches
All potential incidents and breaches are investigated
internally, tracked and recorded by NTS privacy and
security personnel

If needed, we report to the customer


As everybody working with personal data knows, security incidents and breaches are 
a fact of life.  We work very hard to minimize them and avoid them.  But if they 
happen, we follow our internal breach reporting procedure:

1. We report the incident internally.
2. We investigate it promptly and stop the incident ASAP.
3. We mitigate the harm.  If necessary, we recover or delete any PHI that was 
transmitted incorrectly.
4. We report to the customer as required by our Business Associate Agreement.
5. We document the incident in our internal records. 

Is it an Incident or Breach?
 If at any time you suspect a security incident or
data breach, you must report it immediately
 Examples:
 Report sent to wrong physician or facility
 Carbon copy sent to wrong physician or
facility
 You lose your laptop
 You suspect your computer has been
hacked or infected with a virus

If in doubt – report!

Email incidents to: nuancetranscriptionservicesincidents@nuance.com

It is not your place to classify security incidents or breaches, or to determine whether 
or not a security incident or breach has occurred.  If you suspect a problem, report it 
to your manager immediately.  They will then work with Nuance privacy and security 
teams to investigate, correct, track and report as needed.

Thank You for Your Attention!
We look forward to working with you to protect our customers’ patient information.

Incidents: Report to your manager or to NuanceTranscriptionServicesIncidents@nuance.com

For privacy complaints or questions, contact:
Holly Woemmel, Senior Manager for Privacy & Compliance
holly.woemmel@nuance.com
321-752-3675


Corporate Policies for Healthcare & Contact Information


Thank you for attending the Privacy and Security education for NTS.  Nuance 
corporate privacy and security policies are posted in ENRICH under content 
Compliance & HIPAA.

If you have a privacy complaint, please contact the following:
Holly Woemmel at 321‐752‐3675 or e‐mail her at holly.woemmel@nuance.com
If you have claims such as disagreement with managers, interpersonal 
communication issues, employee relation issues, performance issues, termination 
claims, etc., these should be reported to your Human Resources Manager.

Thank you.
