Why Lawyers? Why Now?

TODAY’S PRESENTERS

Why Lawyers? Why Now?

 New HIPAA regulations go into effect September 23, 2013

 Expands HIPAA safeguarding and breach liabilities for

“business associates” (BAs)

 Lawyer is considered a “business associate” of a client if client discloses protected health information (PHI) to the lawyer

 Current privacy and confidentiality practices and procedures as lawyers likely not sufficient

The Bottom Line



Failure to properly secure, store, maintain,

process, transmit, or destroy PHI can be costly

and potentially damaging to individual lawyers

and their firms

– Civil and criminal liability

– Significant monetary penalties – Loss of clients

– Damage to professional reputation

Causes For Concern

 Business associates account for an increasing number of HIPAA breaches

– 42% according to a 2009 study

– Use of contractors and subcontractors increases risk

 Enforcement on the rise by DHHS Office for Civil Rights (OCR)

 State Attorneys General can now enforce and impose civil penalties

 HIPAA does not create a federal law private cause of action

Are You a “Business Associate”?



Do you provide services to or on behalf of a

client who is covered entity?



Covered Entity = health care provider, health

care clearinghouse, health plan (e.g., Medicare

plans, private insurance, employer-sponsored

plans, etc.)



Do you create, receive, maintain or transmit PHI

while providing those services?

What is PHI?



Individually identifiable

health information that is created or received by healthcare provider, health plan, public health authority, employer, life insurer, school or university and relates to: past, present or future physical or mental health; provision of health care; or payment for provision of health care



Individually identifiable

= some combination of name, address, date of birth, SSN, account

numbers, fax numbers, or other demographic information

What is not PHI?

 Information created or maintained by an employer for

employment purposes

, such as FMLA requests, fitness for duty examination reports, etc.

 Employers are not covered entities under HIPAA but are obligated to maintain confidentiality of such

information under other state and federal laws

 However, an employer sponsor of health plan has obligations under HIPAA regarding its use and

disclosure of plan information

PHI Use By Lawyers

 Advise and defend hospitals, physicians, and nursing homes in lawsuits, payment appeals, billing issues, regulatory compliance matters

 Advise and defend insurance companies and health plans in lawsuits, coverage issues, payment appeals

 Advise or defend health care clearinghouses

Obligations As

Business Associate

 Enter into Business Associate Agreement with client and comply with it

 Implement safeguards for PHI in paper or verbal form

 Directly comply with HIPAA Security Rule for ePHI

 Enter into BAA with subcontractors

 Report to client: impermissible uses and disclosures, security incidents and breaches

 Disclose records to HHS/OCR in an investigation or compliance review

What Is a Breach?

 Breach is the acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA

 Under new rule, any acquisition, access, use or disclosure of PHI in manner not permitted

is

presumed to be a breach

unless covered entity or BA demonstrates there is a low probability that PHI has been compromised based on risk assessment

 Previously, no presumption; required determination of “significant risk of harm”

Breaches Waiting to Happen



Even when you think you’re covered, breaches

can still occur:

– Your laptop is stolen from your home, office or car – You leave hard copies in the conference room

– You fax documents without confirming receipt by the intended recipient

– You email an unencrypted file to your home computer or smartphone

– You download a file to an unencrypted thumb drive – You throw client documents in trash without shredding

OCR Civil Penalties

Violation Minimum Penalty Maximum Penalty Covered Entity/Business

Associate did not know (and would not have known by reasonable diligence) that it violated HIPAA

$100 per violation;

annual maximum of

$25,000

$50,000 per violation;

annual maximum of

$1.5 million

Due to reasonable cause

and not willful neglect $1,000 per violation;

annual maximum of

$100,000

$50,000 per violation;

annual maximum of

$1.5 million Willful neglect, but violation

corrected within 30 days $10,000 per violation;

annual maximum of

$250,000

$50,000 per violation;

annual maximum of

$1.5 million Due to willful neglect and is

not corrected within 30 days

$50,000 per violation;

annual maximum of

$1.5 million

$50,000 per violation;

annual maximum of

$1.5 million

DOJ Criminal Penalties

Violation Maximum

Penalty Maximum

Imprisonment

Individual “knowingly” obtains or discloses individually

identifiable information

$50,000 One year

Offenses committed under

false pretenses $100,000 5 years

Offenses committed with the intent to sell, transfer or use information for commercial advantage, personal gain, or malicious harm

$250,000 10 years

$1.7 Million Mistake



Managed care company Wellpoint agrees to pay

$1.7 million to settle potential HIPAA violations



PHI of 612,402 individuals exposed on internet



HIPAA breach resulted from software upgrade

done by business associate hired by Wellpoint



Had this occurred on or after September 23, the

liability would have extended to the technology

vendor doing upgrade

$1.2MM for “Doing Nothing”

 Affinity Health Plan agreed in August 2013 to pay

$1.2 million to settle potential HIPAA violations

 PHI of 344,579 individuals exposed on copier hard drive

 HIPAA breach resulted from hard drive not being purged prior to returning leased copier to lessor

 Had this been Affinity’s outside law firm, the new HIPAA rules could have caused direct liability for both entities

You Say “Glitch,”

HIPAA Says “Breach”

 PHI, financial and employment data of nearly 188,000 clients of the Indiana Family and Social Services Administration compromised

 Included some Social Security numbers

 Breach attributed to a computer programming

“glitch” caused by a vendor, whereby documents containing PHI and sensitive information were duplicated and mailed to the wrong clients

 This is the second breach for Indiana FSSA. Last year’s involved a stolen laptop containing PHI

Immediate Next Steps

for Lawyers

Countdown to September 23, 2013

Your Action Plan

#1 - Enter into BAAs and subcontractor BAAs

#2 - Determine how you receive, disclose and

maintain PHI

#3 - Implement safeguards to protect PHI and

limit use and disclosure

#4 - Educate lawyers and staff

#5 - Conduct risk analysis for ePHI

#6 - Adopt policies and procedures

#1-Business Associate

Agreements



Between you and your clients



Between you and your subcontractors/vendors

– Applies to all downstream vendors that handle your firm’s PHI (such as records storage, online backup, Cloud

vendors, document destruction)

– Applies to expert witnesses and consultants you use in a particular case or matter

– Conduit exception



HIPAA liability attaches even in absence of BAA

Why You Need an Updated BAA

 New requirements included in HIPAA omnibus regulations published in January 2013

 If you had a BAA that was fully compliant as of January 2013 and has not been renewed or

modified between March 26, 2013 and September 23, 2013, you have one more year to get new BAA (until September 22, 2014)

 OCR form of BAA:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/

coveredentities/contractprov.html

Caution :

Liability for Subcontractors

 BA has liability if knew of pattern of activity or practice of subcontractor constituting a material breach, unless takes reasonable steps to cure or terminate contract

 Law firm as business associate is liable, according to common law of agency, for HIPAA violations based on acts or omissions of agents

 Include language in subcontractor BAA that

subcontractor is independent contractor, not agent;

cannot bind law firm; and law firm does not have right or authority to control conduct of subcontractor

Before You Execute a BAA…



Develop your own form of BAA that complies

with HIPAA, but limits your exposure



A client’s BAA often includes obligations to

avoid:

– Indemnification

– Limitation on damages – Insurance requirements

– Audit and monitoring by covered entity

– Other risk shifting or risk sharing provisions

#2 - Determine How PHI Flows



Receipt of PHI

– Paper (mail, fax, print jobs)

– Electronic (email, CDs, USB drives)



Disclosure of PHI



Maintenance of PHI

– Physical files (on and off site) – Electronic files

– Offices and work stations

HIPAA Security Rule



Lawyers as BAs must comply with HIPAA

Security Rules (electronic PHI):

– Ensure confidentiality, integrity of ePHI

– Protect against any reasonably anticipated threats or hazards to security and integrity

– Protect against any reasonably anticipated uses or disclosures that are not permitted or required by HIPAA

– Ensure compliance by members of workforce

HIPAA Security Rule - Specifics

 Standards are addressable or required

 Administrative, technical and physical safeguards

 Security awareness training

 Breach investigation procedures

 Written reasonable and appropriate policies and procedures implementing safeguards

 Retain documentation for at least 6 years from date it was last effective

#3 – Implement Safeguards



Administrative/organizational safeguards

– Limit access to all forms of PHI

– Terminate access upon termination of employment – Review electronic access rights

– Provide electronic security training – Password management

– Protection from malware and viruses – Reporting of security incidents

– Document contingency plans if damage to IT systems

#3 – Implement Safeguards



Physical safeguards

– Facility access controls

– Facility security procedures – Workstation use and security – Device and media controls

– Inventory and control of hardware and electronic media

– Wiping of hard drives and electronic media

– Restricting use of laptops and portable devices

#3 – Implement Safeguards



Technology safeguards

– Prohibit sharing of user IDs and passwords – Encryption for data at rest

– Encryption for transmission – Automatic log-off

– Protect ePHI from alteration or destruction

#3 – Implement Safeguards

 Significant risk related to use of mobile devices

– Loss and theft

– Malware and viruses – Sharing with others

 Safeguards

– Strong password

– Firewall protection and encryption – Auto-off and locking of device

– Unique user ID – Keep with person

– Use a secure Wi-fi connection

#4 – Educate Lawyers & Staff



What is HIPAA



How it applies to law firm



Obligations to limit uses and disclosures



Sanctions for failure to comply



Appoint HIPAA Officer as point of contact



Obtain help from your IT director or consultant



Use OCR training materials

#5 – Conduct Risk Analysis

 Conduct risk assessment of ePHI that you maintain: an

“accurate and thorough assessment of potential risks and vulnerabilities to confidentiality, integrity, and

availability of ePHI”

 Guidance:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/

securityrule/rafinalguidance.html

 Implement security measures sufficient to reduce risks and vulnerabilities to reasonable level

 Apply sanctions against personnel who fail to comply

 Implement procedures to regularly review IS activity

#6 – Develop Written Policy

and Procedures



In event of complaint in investigation, you must

have a written policy to submit to OCR



Track HIPAA Security Rule safeguards



Include breach investigation provisions



OCR and ABA resources available

McAfee & Taft Case Study

 Formed HIPAA task force in 2009 and resurrected this year; appointed HIPAA officer

 Attorneys, IT director, HR director, records management, ancillary businesses

 Identified BAs, developed database, tracked and filed BAAs

 Analyzed flow of PHI

 Mandated “one paper file, one electronic file” per matter

 Restricted access to electronic file

Case Study

 Additional level of security for paper files

 Require encryption for emails and mobile devices

 Developed written policy and procedures

 Conducted lawyer training

 Conducted staff training

 Troubleshoot as questions arise

 Conducting risk analysis

 Support of managing director and IT director is critical

Resources

 Office for Civil Rights – Health Information Privacy http://www.hhs.gov/ocr/privacy/index.html

 OCR Form of BAA

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contr actprov.html

 Summary of HIPAA Security Rule

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

 Combined Text of All HIPAA Regulations

http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa- simplification-201303.pdf

 ABA Materials:

http://search.americanbar.org/search?q=HIPAA&client=default_frontend&pr oxystylesheet=default_frontend&site=default_collection&output=xml_no_dt d&oe=UTF-8&ie=UTF-8&ud=1

More Resources

 Mobile Device Security

http://www.healthIT.gov/mobiledevices

 OCR Training Materials

http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/index.html

 OCR’s YouTube Channel

www.youtube.com/USGovHHSOCR

 Electronic Security Guidance – Presentations from May 2013 meeting

http://www.nist.gov/itl/csd/upload/hipaa-final-agenda-052013.pdf