Under the Health Insurance Privacy and Accountability Act of 1996 (“HIPAA”)[1], health plans, health care clearinghouses, and most health care providers (collectively, “Covered Entities”) must protect the privacy and security of patient data (“PHI”). Failure to do so subjects Covered Entities to criminal penalties of up to $250,000 and 10 years’ imprisonment[2], and civil monetary penalties starting at $100 per violation, up to $1.5 million per year[3]. Covered Entities also may be liable, under the Federal common law of agency, for violations of their agents, including their Business Associates.[4]
Business Associates are vendors and others who use PHI to provide certain services (including legal services) to Covered Entities[5]. Initially, Covered Entities had to execute agreements with their Business Associates, pushing downstream certain HIPAA obligations. Business Associate Agreement (“BAA”) parameters are detailed in the regulations implementing HIPAA (the “Rules”).[6]
In 2009, the law changed, and Business Associates now are subject to direct regulation by HIPAA and the Rules[7]. Importantly, this means that Business Associates also are now subject to criminal and civil penalties for noncompliance.[8]
The Omnibus Final Rule, which amended the Rules to incorporate these changes, was published on January 25, 2013, with a compliance date of September 23, 2014.[9] Attorneys who use patient information in client representations must determine if they are Business Associates. If an attorney is a Business Associate, and has not yet operationalized HIPAA compliance, the time to do so is now.
Eight Steps Toward HIPAA Compliance:
1. Assess Business Associate Status.
Not all patient data is PHI, and not every health-care-provider representation triggers HIPAA. Attorneys are not Business Associates when representing the plaintiff-patient in a malpractice lawsuit, despite obtaining the client’s medical records, or when representing a hospital in a transaction that does not involve PHI.
Some Covered Entities seek a BAA for every legal representation, whether or not PHI is involved. And some law firms include their form BAA with every engagement letter sent to a health-care-provider client. Such blanket contracting practices are not ideal. Rather, attorneys should carefully identify the representations that make them a Business Associate, in order to (1) comply with the Rules when necessary, and (2) not agree to unnecessary obligations and liability.
2. Appoint a Privacy & Security Officer.
As required by the Rules, a firm representative should be responsible for initial compliance and ongoing monitoring.[10] Larger organizations also should appoint a committee to assist the Privacy and Security Officer.
3. Conduct a Risk Analysis and a HIPAA Inventory.
At a minimum, “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic PHI is required.[11] In addition, review the manner in which patient data is handled and protected. These assessments should include:
Electronic Data Security: In addition to the steps attorneys usually take to protect client data (firewalls, password protection, encryption), consider additional protections for PHI, such as using secure email to transmit medical records, and limiting access to networked electronic files to those personnel who actually need it.
Physical Security: Client files, which may include PHI, are often kept in attorneys’ offices. Store medical records in locked cabinets rather than desktops. Likewise, “war rooms” with boxes of PHI-laden documents should be locked when not in use.
Inventory Covered Entity Clients: Keep lists of Covered-Entity clients and ensure that all BAAs are up to date. Task someone with reviewing all BAAs before they are signed, and keeping a central repository of executed agreements.
Inventory Subcontractor Relationships: Third parties that assist in a representation, such as expert witnesses, document storage companies and litigation support specialists, may be Subcontractors. Keep track of these relationships and execute Subcontractor BAAs as needed.
Consider Intake Processes: Establish a mechanism for noting that PHI may be involved when opening a new matter, and for ensuring that a BAA is included with engagement letters for new clients or is sent to current clients, as appropriate.
Document Assessment Activity: Even if no changes to current practices result, keep a record of the assessment process, in case decisions are questioned in the future.
4. Update Policies and Procedures.
Some law firms establish a HIPAA Policy Manual. Others identify current policies that satisfy the Rules, and supplement them as necessary. In that case, prepare a “crosswalk” of the policies and the requirements they fulfill.
5. Prepare Form BAAs and Subcontractor BAAs.
The Rules define basic BAA requirements, but a number of items are subject to negotiation, such as the manner in which a Business Associate may use PHI, timeframes for a Business Associate to respond to certain requests, assignment of responsibility for breach notification, and mitigation and indemnification provisions (not required, but often included in a Covered Entity’s form BAA; consider the impact of such provisions on any professional liability insurance).
Even if an attorney intends to always use a Covered Entity’s form BAA, it is beneficial to draft these forms. Doing so (1) provides an understanding of what provisions actually are required, (2) identifies negotiable provisions, and (3) ensures a compliant Subcontractor BAA form.
6. Develop a Plan for Handling Breaches.
If data is mishandled, resulting in a breach of PHI,[12] the client must be notified, likely very quickly (the Rules permit notification within 60 days,[13] but many Covered Entities insist on a much shorter period). Develop a plan for (1) immediately identifying potential breaches, (2) informing the Privacy & Security Officer, (3) conducting an investigation, and (4) notifying the client. Some BAAs require notification of all suspected breaches, so that the Covered Entity may decide whether a breach actually occurred.
7. Workforce Training.
Workforce training is required by the Rules,[14] and everyone in the organization should understand the responsibility to protect PHI. Offer attorney training as Continuing Legal Education.
8. Consider Cybersecurity/Data Breach Insurance.
General liability and professional liability insurance typically do not cover cybersecurity incidents or data breaches. Obtain a policy that does, and include “notify the carrier” in the data breach plan.
In sum, because attorneys are responsible for protecting the confidentiality of all of their clients’ information, they may believe that the PHI they obtain is fully protected, and nothing else need be done. To the contrary, the Rules make it clear that HIPAA compliance cannot rely solely on the principles governing the attorney-client relationship, and these and other steps must be taken to ensure full compliance.