Protecting Health care Privacy, Court Reporters and the Potential for a HIPAA Violation.
HIPAA is probably not the first thing you think about when scheduling a court reporter. However, the need for HIPAA compliance (especially during medical depositions) is a very important issue in the industry. The National Court Reporters Association recently released a guideline to help assist court reporters in understanding their obligations under the new HIPAA regulations. In her article “The HIPAA Regulations — What Has Changed and What You Need to Know,” attorney Melodi Gates attempts to explain how the new regulations handed down by the U.S. Department of Health and Human Services, Office for Civil Rights, impact the court reporting industry. Based on her analysis, it is important for us to discuss certain obligations that both attorneys and court reporters have under the new regulations. Full disclosure: We are not providing you with any legal analysis of the regulations and we are not special HIPAA court reporters (although we’ve been called “hip court reporters.”) That said, the NCRA’s guideline suggests that attorneys could face financial liability for Protected Health Information (PHI) that they disclose or allow to be disclosed by their court reporters.
Obligations of Attorneys and Court Reporters Under the New Rules.
As explained by Ms. Gates, the HIPAA regulations apply to health care providers, health plans, and health care clearinghouses. Additionally, the regulations also apply to service providers (attorneys and court reporters) who create, receive, transmit, or maintain PHI on behalf of covered entities. Such service providers are called “business associates.” For example, court reporters that work with health care providers and receive or interact with PHI would generally be considered business associates. An attorney who works for a covered entity is clearly a business associate. Likewise, a court reporter who is taking a deposition that includes questioning about a witness’ health or health-related issues would be considered a business associate if they were hired by an attorney working on behalf of a health care provider. So when an attorney who works for a covered entity hires a court reporter and discloses PHI to them, the attorney must ensure that court reporter follows the applicable HIPAA regulations. In other words, a covered entity needs to ensure that its attorneys handle PHI appropriately, and attorneys need to ensure that their agents and court reporters handle PHI appropriately. Thus, a HIPAA violation caused by a court reporter could create financial liability on the part of an attorney who did not have a Business Associate Agreement with the court reporter.
What Assurances Must an Attorney Receive From Their Court Reporter?
The HIPAA regulations require that covered entities have a Business Associate Agreement (“BAA”) in place with each of their business associates, and the BAA must include a number of specific provisions. According to NCRA’s informational paper, an attorney should, by way of a written agreement, do as follows:
1. Establish the ways that the court reporter is permitted to use and disclose PHI.
2. Provide that the court reporter may not use or disclose PHI in any other manner.
3. Require that the court reporter implement safeguards, consistent with The Security Rule.
4. Require the court reporter to report any unauthorized use or disclosure of PHI, including breaches.
5. Ensure that the court reporter supports patient rights, including accounting of disclosures (with proper data collection) and PHI access and amendment under the Privacy Rule.
6. Obligate the court reporter to comply with the applicable requirements if it is carrying out any of the covered entity’s duties or obligations under the Privacy Rule.
7. Require the court reporter to make its internal practices, books, and records regarding its PHI-related activities and compliance with the HIPAA regulations available to HHS in the event of a request or investigation.
8. Call for the court reporter to either destroy or return any PHI at the BAA’s termination, or, if destruction is not feasible, to continue to safeguard the PHI.
9. Require that the court reporter ensure any of its subcontractors agree to the same restrictions and conditions regarding PHI (i.e., execute a BAA that flows down substantially similar provisions).
10. Authorize termination of the BAA if the court reporter violates a material term.
Milestone Has Already Taken Steps to Safeguard PHI.
As discussed above, HIPAA imposes regulations directly on attorneys and attorneys are responsible for ensuring that PHI is handled correctly by their Business Associates. We have signed Associate Agreements and will certainly continue to do so in the future. In addition, Milestone has taken unilateral steps to ensure that we protect all PHI and that our contractors and employees act accordingly. In an attempt to follow the recent regulations, MIlestone now defines “Confidential Information” so as to include:
(1) The names, addresses, Social Security numbers, and personal financial information of individuals, including bank account, credit card, insurance, and similar information;
(2) Medical and health information of individuals, including patients’ protected health information as defined by the U.S. Government’s HIPAA Privacy and Security Rules;
(3) Commercial information, such as companies’ financial information, personal information, trade secrets, inventions, business plans, and similar information;
(4) Information about publicly traded companies which could be important to investors or considered “insider information” under the securities laws; and
(5) Information subject to a court’s confidentiality or protective order or a similar agreement between parties to litigation.
With respect to Confidential Information, our court reporters will, at a minimum, (1) not use or disclose any Confidential Information obtained by or through our clients to any third party, except as strictly necessary in order to fulfill their duties to the client and the court; (2) will not possess or retain any Confidential Information obtained by or through its clients, except as strictly necessary in order to fulfill their duties to the client, the court, and their retention obligations under the applicable Rules of Civil Procedure; (3) Our court reporters will take all appropriate steps to safeguard any Confidential Information obtained through our clients at all times it is in our possession or under our control; and (4) will immediately report any improper disclosure of any Confidential Information obtained by or through any clients, whether intentional or unintentional, and will assist in any resulting investigation.
From a Practical Standpoint, What Does All of this Mean?
First and foremost, all of our transcripts, videos and PHI is stored on secure servers. We have purchased top-of-the-line firewalls and anti-viral software for all laptops, computers, servers and handheld devices. From a physical standpoint, our court reporters immediately deliver all documents containing PHI to our Corporate Headquarters In Orlando. Your client’s medical records are not sitting on a kitchen counter, a garage or in the backseat of a car. Our offices are protected by a dedicated security guard and 24-hour video monitoring. We believe that protecting your information justifies the effort. Likewise, we require our employees to sign confidentiality agreements so that the information they hear during a deposition is not discussed or disclosed to any third-parties. In short, when you share PHI with Milestone Reporting Company, you can be sure that it is not being shared with anyone else. We welcome Business Associate Agreements and readily follow the requirements of our clients when it comes to handling PHI.
If you have any questions or concerns about how medical records may be handled after a deposition, give us a call.