Magnifying glass magnifying the word HIPAA on a document

Healthcare Data Privacy and Dragon Medical

Dragon Medical Practice Edition 2 is designed to be an efficient, flexible, and accurate method for surgeons, nurses, general practitioners, and specialists to produce the necessary documentation to complete their patient note or encounter.

Given the changes urged forward by Meaningful Use, this happens, more and more, within the confines of an Electronic Health Record (EHR). Thus, healthcare professionals have to extend their concern for personal medical data and the privacy of the patient to the digital realm.

If you work in medicine, you likely already know how important it is to have software that supports your workflow and enables you to build a data stream that can be secured from end to end.

Dragon Medical is just that kind of software.

But before we dive head-first into an exploration of how the application works to secure your dictations, let’s talk a little bit about HIPAA itself, as well as what it requires when it comes to Protected Health Information, commonly referred to as PHI.


HIPAA Regulates PHI Access

HIPAA stands for the Health Insurance Portability and Accountability Act. It was created, in part, to protect people from having their personal health information released to or viewed by anyone who shouldn’t have access to it.

HIPAA, originally put in place in 1996, was fully implemented by 2003—although it wasn’t until the recent HITECH Act that EHRs became subject to HIPAA. These acts essentially work together to prevent personally identifiable patient data from being shared without the patient’s consent.

In general, though not exclusively, the patient decides who should access their PHI—healthcare providers and insurance companies, notwithstanding. That’s why they have you sign a Notice of Privacy Practices form when you visit the doctor’s office. You have to acknowledge you understand how your PHI may be shared.

The parts of HIPAA that you really need to concern yourself with, for the purposes of Dragon Medical, are what’s known as the Privacy Rule and the Security Rule. One says that you have to protect patient data; the other tells you what standards you need to meet to protect it.


How Does Dragon Medical Protect PHI?

So, what does all of this mean? What does Dragon Medical Practice Edition 2 have to protect, specifically? Is the program considered HIPAA compliant?

Let me address that last question first.

HIPPA requires that Covered Entities and Business Associates handle PHI properly. Even if an application helps them do this, it is—in no way—a substitute for or a solution to the question of compliance.

That being said, Dragon Medical does support HIPAA compliance. That means that the engineers at Nuance thought about healthcare providers when they were building the application, and they included features that they knew would make it possible to secure PHI while documenting patient encounters.

Now, there’s really no practical way for Dragon Medical to know whether a clinician happens to be dictating what would be considered individually identifiable health information, or just a friendly letter to a colleague. That means that the software has to assume that everything being dictated is sensitive and needs to managed accordingly.

Tracing Speech and Text Through Dragon Medical

In order for us to understand how Dragon Medical Practice Edition 2 supports HIPAA compliance, let’s follow the voice and text data as it travels throughout the program. Keep in mind that the only part of your workflow that the software can affect is the part that it’s involved in.

What follows represents a standard workflow for clinicians dictating into an EMR.

Stage One

When you begin to dictate into any program, Dragon Medical creates audio and text files. These are known as “session files,” and they are temporary.

Stage Two

If you make corrections, they get put into .enwv files. These are used for optimization, and are encrypted before being saved to the profile.

Stage Three

When the session is over, your temporary Stage One files get put into a new .DRA file. This is then encrypted and saved to the local profile, or the local copy of the roaming profile.

Stage Four

During optimization, Dragon Medical Practice Edition 2 will use the still-encrypted .DRA and .enwv files to try and improve your local profile. Roaming profiles may transfer these files to the network roaming directory when synchronization occurs, where they can then provide data for optimization.

All of the above encrypted files must be opened by Dragon Medical. The DragonPad can’t access them, because it’s a feature present in non-medical versions of the software.

Potentially Unprotected Data

Now, let’s talk about where you might need to shore up your defenses with regard to Dragon Medical and PHI.

  1. First, have a look at Tools > Administrative Settings > Miscellaneous. “Encrypt patient health information” should be checked, but you’ll want to verify this.
  2. Next up, take note that audio files you save on purpose—when dictating into a word processing application—aren’t encrypted. You’ll know whether or not this is happening by navigating to Tools > Options > Data > “Save recorded dictation with document.” If the setting is “Never,” you’re in the clear. If it’s “Ask Me” or “Always,” you’re either being prompted to save unencrypted data, or you’re saving it automatically. Make sure your PHI is protected.
  3. If you want to stop creating .DRA files (the encrypted kind described in Stage Three), go to Tools > Options > Data again and check “Conserve disk space required by user profiles (for portability).”
  4. Finally, make sure to uncheck “Store corrections in archive” in the same Tools > Options > Data window we’ve been working in. Otherwise, you could be creating unencrypted .nwv files when you make corrections. We don’t want that.This last change may somewhat limit your ability to optimize your Dragon Medical profile. If this is a concern, we recommend running profile optimization more often.


Just In Case

Please remember that HIPAA compliance is the responsibility of Covered Entities and their Business Associates. We’re just arming you with information that you can use to help meet your Privacy and Security Rule obligations as you operate Dragon Medical Practice Edition 2. And this information only applies to that particular version.

For more information, go to Help > Help Topics from the DragonBar, and search for “Securing the privacy of patient data.”

Need Help With Dragon Medical?

Let us show you how it protects patient data

We’d love to consult with you on how Dragon Medical Practice Edition 2 helps protect PHI when a clinician dictates. Click the button below to get more training on HIPAA support in Dragon—or other features and functions of the application.