Last fall, I attended a HIPAA seminar at a law firm in Southeast Michigan. The seminar was titled ‘Are You HIPAA-Notized Yet?’, and it featured the latest insights and developments regarding HIPAA from this firm’s attorneys to their clients.
As the seminar progressed, we were all asked who we worked for and what our responsibility was. When they got to me, I told them I worked in the court reporting industry and that we had become HIPAA compliant. Almost unanimously, all the attorneys in the room nodded ‘yes’ and said, ‘Good idea, I didn’t think about court reporters.’ Further conversation made me think that the overall guiding principles of HIPAA privacy and security apply to attorneys and court reporters alike when it comes to protecting people’s personal and health records.
Although there is no case precedent stating that the court reporting industry is just as liable as HIPAA covered entities, business associates or subcontractors (mainly hospitals, doctors and lawyers), it may still be prudent to consider ourselves either business associates or subcontractors, as we are hired by lawyers in cases that handle PHI.
One of the main topics covered, and something all law and court reporting firms handling PHI should be aware of, is that a “covered entity” (CE; i.e. doctors, hospitals, therapists, etc.) and a “business associate” (BA; i.e. anyone doing business with or on a covered entity’s behalf) cannot disclose “protected health information” (PHI) unless an exception applies. Translation: if you are a covered entity or business associate, treat patient information as confidential. This applies to any subcontractors to CEs or BAs as well.
So basically, Covered Entity > Business Associate > Subcontractor, which translates to Hospital/Doctor > Law Firm > Court Reporter (in most cases).
Now, the above may sound like pie-in-the-sky common sense to anyone reading this, but make no mistake: both the government and the individuals whose PHI was breached (a breach being what HIPAA refers to as an unauthorized disclosure) will make it painful. By painful I mean security, privacy and business associate audits, along with civil and possibly criminal fines. The bottom line is that as of 9.23.14, business associates and subcontractors have direct liability under HIPAA, and covered entities remain liable for the actions of their business associates and subcontractors.
Why, you may ask, is there so much focus on protecting PHI? Because PHI is black-market gold!
So why would hackers bother with health insurance information when they could get a direct line to your pocketbook via credit cards or financial accounts? “It’s very lucrative,” says Ann Patterson, senior vice president and program director at the Medical Identity Fraud Alliance. “Stolen protected health information can be monetized for a much greater value than traditional financial account information.”
A complete medical identity — including name, address, phone number, Social Security number, medical insurance information and access to medical records — is worth about $50 on the black market, says Michael Bruemmer, vice president of Experian’s Data Breach Resolution group. “Without medical or insurance information, that drops to about $10 for someone’s stolen information.”
To learn more about becoming HIPAA Compliant please click here.