Hiring Virtual Medical Scribes: What Healthcare Providers Need to Know

Executive Summary 

The push to develop electronic health records and more detailed patient documentation has led to the use of virtual medical scribes. Although virtual medical scribes offers healthcare providers many benefits, this shift comes with challenges and risks. Healthcare organizations must know how to utilize them appropriately to minimize liability.   

Recommended Actions: 

• Ensure that your healthcare practice has an up-to-date Business Associate policy or consider implementing MagMutual’s sample policy.   
• Train all healthcare providers on how to use the medical scribes’ services effectively and appropriately.  
• Consider conducting regular cybersecurity training for all medical scribes hired.  

Medical scribes are professionals who document patient encounters and physician dictation into a patient’s medical records. Using a medical scribe can significantly reduce the amount of time a physician spends documenting a patient’s electronic health record (EHR). Traditionally, medical scribes would physically accompany physicians to their appointments to document the patient’s records. While many healthcare organizations still use traditional medical scribes who accompany the physician, some organizations now are employing virtual medical scribes who observe physicians remotely. 

Although the cost benefits and flexible schedules of virtual medical scribes are attractive to many healthcare organizations, some may wonder whether such benefits are outweighed by the potential HIPAA and liability risks that might arise from granting a virtual scribe access to their patients’ EHR, which contains electronic Protected Health Information (ePHI).  

This article highlights the potential HIPAA and cybersecurity liability risks associated with employing virtual medical scribes and outlines the measures healthcare organizations can take to mitigate such risks.  

HIPAA and Liability Risks Associated with Virtual Medical Scribes  

Because virtual medical scribes qualify as a business associate (BA) of a covered entity (CE), virtual scribes are required to adequately safeguard ePHI under HIPAA. That means virtual scribes, like any other BA, can face penalties if they fail to implement adequate administrative, physical and technical safeguards as required by the HIPAA Security Rule. 

However, CEs also can be penalized for a BA’s HIPAA violations if it is determined that the CE failed to duly vet or monitor the BA. To avoid such HIPAA risks, it is imperative that healthcare organizations confirm before hiring that the scribe or scribe service has implemented adequate safeguards to protect ePHI. 

In addition to HIPAA concerns, healthcare organizations also should be aware of the unique liability risks that virtual medical scribes may pose. Before choosing a service, it is important to understand the level of supervision that will be required and the tasks that scribes can and can’t perform.  

Healthcare organizations can use the following risk management tips when selecting a virtual medical scribe to reduce their chances of being penalized for a scribe’s HIPAA violation and to reduce liability exposures.  

Virtual Scribe HIPAA Compliance Tips  

Determine the steps the scribe service has taken to become HIPAA compliant. 

Review the scribe service’s website to see what, if any, measures the vendor has implemented to comply with HIPAA. If a scribe service claims it is HIPAA-compliant but provides no details on how it maintains compliance, it may be unwise to use that service without first receiving satisfactory assurances that it will adequately safeguard your patients’ ePHI.  

Obtain a Business Associate Agreement with the scribe or the scribe service. 

HIPAA requires that a CE have a Business Associate Agreement (BAA) in place with any BA that has access to ePHI. Therefore, healthcare providers must have either the scribe service provider or each individual scribe sign a BAA before granting access to any ePHI. At a minimum, the BAA should:  

• Contain a description of the permitted and required uses of ePHI  
• State that the business associate will not use or further disclose the ePHI other than as permitted or required by contract or by law 
• Require the business associate to use appropriate safeguards to prevent a use or disclosure of ePHI other than as allowed by the contract.  

If a scribe service provider uses proprietary software to connect with the physician or receives ePHI at any point, the scribe service provider must sign a BAA to ensure that its platform is HIPAA-compliant. But if the service supplies scribes who will work exclusively on your healthcare organization’s EHR and no ePHI is transmitted to the service provider, then only the individual scribe would be required to sign a BAA.  

Document a scribe’s HIPAA training certificate before onboarding. 

If a scribe service claims its scribes have completed HIPAA training, healthcare providers should receive and document their HIPAA training certificates before allowing them to access ePHI. If a scribe has not been trained on HIPAA compliance, consider having them complete your organization’s own HIPAA compliance training.  

Limit the virtual scribe’s access to ePHI.  

Healthcare providers should restrict the scribe’s access to ePHI by requiring a unique username and password for each scribe that will grant access to your EHR during times when the individual is expected to be working. The scribe should only be authorized to access the portion of the EHR necessary for the individual to document the notes dictated by the physician.  

Furthermore, if the scribe is working exclusively through your EHR, ePHI should never be available for download directly to the scribe’s device. If the scribe can’t download any ePHI, the risk of the individual losing ePHI is limited.  

In addition, the healthcare organization should immediately suspend the scribe’s access to ePHI in the event of a cybersecurity breach to mitigate additional exposures.  

Maintain and monitor logs of scribe access to ePHI. 

Logs detailing each time a scribe logs in and accesses ePHI should be kept and reviewed periodically. If it is discovered that a scribe has accessed ePHI unnecessarily or without authorization, the individual’s access should be suspended immediately while the practice investigates.  

Additional HIPAA Risks Associated with Virtual Scribes Located Outside the U.S.  

Because overseas virtual medical scribes are a relatively recent innovation, it is unclear how the Office of Civil Rights (OCR) — the department that enforces HIPAA — will address non-compliant virtual scribes located outside the United States. It is unlikely OCR will pursue foreign BAs because the OCR’s jurisdiction is limited to the U.S. and the chances that overseas vendors will voluntarily pay their fines are slim. Rather, it is likely the OCR will pursue the domestic covered entity (CE) that hired the foreign BA, even if the CE remained compliant with HIPAA at all times.  

So how can healthcare organizations ensure that they do not become liable for the HIPAA violations of their overseas virtual scribes? In short, they can’t. Because the OCR is unlikely to pursue offenders located outside its jurisdiction, healthcare organizations will in all probability be liable for the HIPAA violations of the overseas scribes they hire.  

In addition, because foreign vendors may be more susceptible to certain types of cyber threats, HHS requires that CEs take such risks into account when conducting the risk analysis and risk management required by the HIPAA Security Rule. To that end, healthcare organizations contracting with overseas scribes should be aware of the particular cyberthreats common in the region where the scribe is located. They should include provisions in the BAA that require the scribe or scribe service to take specific precautions to mitigate such threats.  

Virtual Scribe Liability Risk Management Tips  

Clearly define the scribe’s duties in the employment contract. 

The employment contract should make it clear that the scribe’s job is to document patient encounters and the physician’s dictation into the EHR. The employment contract also should expressly forbid the scribe from performing any clinical tasks such as diagnosing the patient or ordering medication.  

Provide scribes with adequate EHR training at orientation.  

Most virtual scribes will be unfamiliar with your EHR platform. For that reason, each scribe should be sufficiently trained on your organization’s EHR system before beginning documentation. Such training should include instructions on how the scribe should sign in and out of the system, notify physicians of system alerts and sign and date entries.  

Develop a scribe performance audit policy. 

Healthcare providers should consider establishing a scribe performance audit policy before hiring a virtual medical scribe. The scribe’s performance should be audited periodically by the healthcare organization to confirm compliance with the organization’s guidelines, including confirmation that the scribe is not performing any clinical tasks. Performance audits also will give the healthcare organization an opportunity to provide constructive feedback directly to the scribe. 

Review all scribe entries for accuracy.  

Because liability for any errors in the EHR will ultimately rest with the healthcare provider, the physician that dictated the notes to the scribe should carefully review entries for any errors or inaccuracies. While all scribe entries in a patient’s EHR should be reviewed carefully, special attention should be paid to the accuracy of entries that may affect the patient’s course of treatment. After the scribe’s entries have been reviewed, the physician should electronically sign and date the EHR to confirm that the physician was present at the patient visit and that the scribe’s entries are accurate.  

Ensure that scribes are up-to-date on all training.  

In addition to the initial EHR training, healthcare organizations should provide ongoing training for virtual scribes since organizational policies as well as federal and state regulations change over time.  

Notify  patients of the scribe’s presence.  

If a virtual scribe will be observing the physician during appointments, the physician should notify patients that the scribe will be listening to and/or viewing the visit and explain the scribe’s role beforehand. The physician also should explain that the patient may refuse to have the scribe present during all or certain parts of the appointment.  

Lessons Learned  

• Ensure that your practice has a HIPAA-compliant Business Associate Agreement in place with your medical scribe or use MagMutual’s sample form before sharing any patient PHI.   
• Vet any potential medical scribes before choosing one by consulting with at least two other providers who use that same vendor. 
• Ensure that the medical scribe notifies the healthcare provider of any alerts in the EHR. The provider must address alerts. 

Potential Damages 

The inappropriate use of medical scribes could mean that a healthcare provider faces a HIPAA violation and thus the associated fines and financial penalties. The frequency of such violations is relatively low; however, this could be because the implementation of medical scribes is still relatively new.