
The Hazards of Using Foreign Medical Scribes

Scribes have long been employed in medical practices as a tool to increase the productivity of physicians and practitioners by lessening the demand on their time for documentation in an electronic health record (EHR). A well-trained and competent scribe does exactly that. Given the staffing challenges of recent years, practices are struggling to hire staff for all positions. One of the emerging trends to combat staff shortages is the use of foreign virtual scribes who “observe” the physician and participate in the patient encounter remotely. These services are generally available at a lower cost than a full-time, in-house staff member. While this may seem like the solution to a problem, practices should be aware of the risks associated with this type of relationship.

While the potential for an incorrect entry exists with all scribes, it is heightened in this scenario. English may not always be the first language of a foreign scribe. Even if it is, American colloquialisms vary by region and can be confusing for those not familiar with them. This presents a serious risk to patient safety. Physicians and practitioners are responsible for reviewing and validating the scribe’s documentation. Failure to catch and correct a mistranslation could result in irrevocable patient harm.

One of the greatest risks is the potential HIPAA threat arising from access to the electronic health record. Practices are responsible for ensuring the safety and security of patients’ electronic Protected Health Information (ePHI). That can be difficult to do when all employees are under one roof. Granting access remotely around the globe, given the increasing cybersecurity incidents, requires an even higher level of due diligence. Speaking of cybersecurity, another consideration is the threat to the service provider which may be greater based on their location. The practice must take the relationship and potential threats to the service provider into consideration when conducting the practice’s security risk analysis. Health and Human Services specifically addresses the need for this when utilizing a foreign communication service provider (CSP) and the risk to ePHI in a FAQ found here.

A virtual medical scribe and the company for which they work are considered a business associate to the practice’s role as a covered entity. This means they too have an obligation to safeguard ePHI. Should they fail to implement adequate administrative, physical, and technical safeguards as required by the HIPAA Security Rule, they could face penalties. While they may willingly sign a business associate agreement, the issue becomes one of enforcement of penalties should they fail to meet their obligations. At this point, guidance is not available from the Office for Civil Rights (OCR) regarding how it will manage a foreign actor for violating HIPAA. The OCR’s authority does not extend beyond the United States, and it seems unlikely it would pursue these organizations. The practice, however, is within the OCR’s authority, making it much easier to seek recovery from the practice. Unless the business associate voluntarily pays any imposed fines, the practice may be left responsible even if it was compliant.

SVMIC recommends extreme caution before entering into any agreement that places a practice’s system and information at risk. The agreement should clearly outline the responsibilities and obligations of both parties. For those groups considering a foreign CSP, practices should at least consider the following:

  • Determine what the service has done to become HIPAA compliant and how they monitor compliance of their employees. They should be able and eager to provide details.
  • Secure a signed Business Associate Agreement (BAA). This is a HIPAA requirement for all covered entities. The BAA must be signed by either the service provider or the individual scribes. Health and Human Services (HHS) requires a BAA to contain the following:
    • A description of the permitted and required uses of ePHI;
    • A provision that the business associate will not use or further disclose the ePHI other than as permitted or required by the contract or as required by law; and
    • A requirement that the business associate use appropriate safeguards to prevent the use or disclosure of ePHI other than as provided for by the contract.
  • Conduct and document your own HIPAA training for the virtual scribe(s). Even if the service provides its own staff education, this ensures the appropriate information is conveyed and adds a level of documentation for your records.
  • Limit access to the ePHI. Scribes should be able to access only what is absolutely necessary to perform their function. Assign unique usernames and passwords. If possible, control access from the practice’s end to allow EHR system access only when you are actively engaging the scribes. Routinely monitor system access and be prepared to suspend it if anything seems amiss. Prohibit any download of data from your system.
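
As an added illustration of the last item (not SVMIC guidance and not code from any EHR product), the monitoring it describes can be run as a periodic check of the EHR audit log against the sessions the physician actually opened. The log line format, the session records, and the "scribe" account prefix below are assumptions, and all data is constructed for the example.

```python
from datetime import datetime

# Constructed sample data: physician-opened scribe sessions (hypothetical schema).
SESSIONS = [
    {"scribe": "scribe01", "start": "2024-03-04T14:00", "end": "2024-03-04T14:30",
     "patients": {"P100", "P101"}},
    {"scribe": "scribe02", "start": "2024-03-04T15:00", "end": "2024-03-04T15:20",
     "patients": {"P200"}},
]

# Constructed EHR audit-log lines: timestamp, user, action, patient id.
LOG = """\
2024-03-04T14:05 scribe01 view P100
2024-03-04T14:12 scribe01 edit P101
2024-03-04T14:20 scribe01 view P300
2024-03-04T15:05 scribe02 export P200
2024-03-04T23:41 scribe02 view P200
2024-03-04T14:10 drsmith view P100
"""

BLOCKED_ACTIONS = {"export", "download", "print"}  # data must not leave the system

def audit(log_text, sessions, scribe_prefix="scribe"):
    """Return (findings, accounts to suspend) for scribe entries in the log."""
    findings = []
    for line in log_text.splitlines():
        ts, user, action, patient = line.split()
        if not user.startswith(scribe_prefix):
            continue  # only scribe accounts are in scope for this check
        when = datetime.fromisoformat(ts)
        active = [s for s in sessions if s["scribe"] == user
                  and datetime.fromisoformat(s["start"]) <= when
                  <= datetime.fromisoformat(s["end"])]
        if not active:
            findings.append((ts, user, "access outside an active session"))
        elif not any(patient in s["patients"] for s in active):
            findings.append((ts, user, "chart not part of the session"))
        if action in BLOCKED_ACTIONS:
            findings.append((ts, user, "prohibited data " + action))
    return findings, sorted({user for _, user, _ in findings})

if __name__ == "__main__":
    results, suspend = audit(LOG, SESSIONS)
    for finding in results:
        print(*finding, sep="  ")
    print("suspend pending review:", ", ".join(suspend))
```

Each finding names a unique account, which is only meaningful if scribes are never issued shared logins.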

Beyond the risk issues outlined, all scribes, whether in person or virtual, must be qualified and properly trained to perform the job. The American Health Information Management Association (AHIMA) provides excellent guidance on those requirements and best practices here. Regardless of the situation, practices should ensure they are using scribes appropriately, which requires review and authentication of the information.

Practices must weigh the perceived benefit of these arrangements against the significant risks associated with these services, understanding they will almost certainly be held responsible for any breaches and penalties arising from these relationships. Given the uncertainty of how a breach, or any legal issue for that matter, might be handled given the lack of US jurisdiction over a foreign actor, SVMIC cannot recommend or suggest the use of a foreign based entity.

About The Author

Stephen Dickens, JD, FACMPE, is the Vice President of the Medical Practice Services Department at SVMIC.  Mr. Dickens has spent over 20 years working in medical practice, hospital, and home care executive positions.  He is a Past Chair of the Medical Group Management Association.  During his tenure, MGMA had more than 33,000 members working in over 18,000 healthcare organizations where some 385,000 physicians practiced.  Additionally, he is a Past President of the MGMA Financial Management Society and Tennessee MGMA.  He is a Board Certified Medical Practice Executive and Fellow in the American College of Medical Practice Executives.

The contents of The Sentinel are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time.
