Law firms with access to protected health information likely will find themselves classified as “business associates” under new HIPAA rules and therefore subject to new privacy, security, and breach-notification requirements governing their handling of such information.
On January 25, 2013, final rules implementing changes to the HIPAA Privacy, Security and Breach Notification Rules were published in the Federal Register.1 The final rules are a wake-up call for lawyers and law firms that qualify as business associates of covered entities to determine whether they are able to comply with both existing and pending regulatory requirements that now apply directly to them,2 the violation of which can end in fines, penalties and chains.3
HIPAA is an acronym for the Administrative Simplification provisions of the Health Insurance Portability & Accountability Act of 1996.4 HIPAA provides a framework under its Privacy and Security Rules for the protection of patient confidentiality, security of electronic systems, and standards and requirements for the use, disclosure and electronic transmission of what is defined as “Protected Health Information”5 or PHI. The Breach Notification Rule outlines notice and mitigation requirements when unsecured PHI is acquired, accessed, used, or disclosed in violation of the Privacy and/or Security Rules.
Organizations and individuals originally required to comply with the HIPAA rules were and are called “covered entities.” Many lawyers and law firms have entered into “business associate” contracts with covered entities to provide legal advice knowing there was a contractual commitment to assure the privacy and security of the protected health information provided and to notify the covered entity in the event of a data breach.
Major revisions to HIPAA were made under the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”),6 making the Privacy and Security Rules explicitly applicable to the “business associates” of covered entities, including law firms. Among the sections changed were:
- Section 13401 – Application of Security Provisions and Penalties to Business Associates
- Section 13402 – Notification in the Case of Breach
- Section 13404 – Application of Privacy Provisions and Penalties to Business Associates
- Section 13410 – Improved Enforcement
Under the statutory and regulatory changes, business associates are now directly liable:
- for impermissible uses and disclosures of protected health information;
- for a failure to provide breach notification to the covered entity when unsecured protected health information is lost or inappropriately accessed;
- for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement);
- for a failure to disclose protected health information where required by the Secretary of Health and Human Services (“HHS”) to investigate or determine the business associate’s compliance with the HIPAA Rules;
- for a failure to provide an accounting of disclosures of protected health information, and last, but far from least, for a failure to comply with the requirements of the Security Rule.
With respect to this last part, it is not without irony that the final rule commentary notes: “[w]e acknowledge that some business associates, particularly the smaller or less sophisticated business associates that may have access to electronic protected health information for limited purposes, may not have engaged in the formal administrative safeguards such as having performed a risk analysis, established a risk management program, or designated a security official, and may not have written policies and procedures, conducted employee training, or documented compliance as the statute and these regulations would now require.”7 In fact, it is likely that this is a gross understatement about the true state of HIPAA readiness of law firms throughout Minnesota and the country.
Given the above, every lawyer and law firm needs to determine, first, whether it is a business associate under HIPAA and, if the answer is yes, what it needs to do (or should have been doing) to assure its compliance with the new HIPAA regulatory regime.
The Business Associate
For lawyers, the critical question is whether they fall within the definition of business associate. The answer is yes if the lawyer “[p]rovides, other than in the capacity of a member of the workforce of such covered entity, legal … services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.”8 In plain English, if your firm represents a covered entity or a business associate of one and it needs to have access to PHI to do its job, such as defending a malpractice claim, business associate status attaches regardless of whether the firm signed a business associate agreement. As noted in commentary to the final rule, “a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.”9
Accordingly, to the extent you work with independent contractor consultants or others who will have access to PHI as part of the representation, you need to make sure they adhere to the HIPAA privacy and security requirements as well.
Security Rule Requirements
As stated in the Security Rule preamble, “[t]he purpose of this final rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability (CIA) of electronic protected health information (electronic PHI).”10
The Security Rule requires business associates to ask and answer the following basic questions about their required security risk management program:
- What administrative safeguards (policies, procedures and related training) are in place to protect the confidentiality, integrity, and availability of electronic protected health information?
- What physical safeguards are in place to protect the confidentiality, integrity and availability of electronic protected health information?
- What technical safeguards are in place to protect the confidentiality, integrity and availability of electronic protected health information?
- Who is responsible for assuring the safeguards are adequate?
The beauty of the HIPAA Security Rule is the fact that it recognizes that business associates come in all forms and sizes and that the CIA of electronic PHI will be maintained in a wide variety of ways. The Security Rule introduced the concept of required and addressable implementation specifications under each of the regulatory standards to address this reality.11 However, allowing for security safeguards to account for the scale of organizations does not mean that small business associates get a free pass in terms of implementing appropriate safeguards.
A core required implementation specification of the Security Rule, which the business associate must document,12 is to conduct a risk analysis determining the types of safeguards that are needed, given the scale and scope of the business associate’s operations. This means that a business associate must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the … business associate.”
A business associate’s risk management program has to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).13
Another Security Rule standard is the identification of a “security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the … business associate.” This is the lucky person at your firm who gets to actually read, understand, and oversee the implementation of the various Security Rule requirements and safeguards and who makes sure the i’s are dotted and t’s crossed with respect to the required documentation. This will also be the person the government will interview in the event it ever conducts an audit of your practice, since HITECH requires the government to conduct periodic audits of covered entities and business associates to determine whether they are complying with the HIPAA Privacy, Security and Breach Notification Rules.
Privacy Rule Requirements
If a law firm has previously entered into business associate agreements with its health care clients, it is already aware of the limitations placed on it relative to the use or disclosure of protected health information.14 What is different, however, is that by being explicitly included in the HIPAA regulatory regime under the final rules, law firms will need to have in place the appropriate policies and procedures to demonstrate compliance with the applicable provisions of the Privacy Rule.15
Law firm business associates will also need to demonstrate that workforce members with access to protected health information have been appropriately trained. For example, a new requirement imposed on business associates is the extension of the “minimum necessary” standard.16 Under this standard, when using, disclosing or requesting protected health information from a covered entity or another business associate a business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request unless an exception applies.
Breach Notification Requirements
As a business associate, a law firm will have to notify a covered entity if unsecured protected health information is acquired, accessed, used, or disclosed in violation of the Privacy and/or Security Rules. In real life, this means an unencrypted laptop computer containing protected health information that is stolen out of a trunk would require a disclosure and in the current environment may lead to a hefty fine.17 The operative word is unencrypted: the notification duty attaches to unsecured PHI, so the same laptop with its PHI encrypted in a manner meeting HHS guidance would not be a reportable breach, which is one of the strongest practical arguments for encrypting every device that leaves the office.
The consequences of a breach can be significant, both in terms of money and reputation. If the breach were large enough, affecting 500 or more individuals, the odds are good it would be publicized in the local press, since section 13402(e)(4) of the HITECH Act requires public posting. At a minimum, a law firm will need to have a breach notification policy that outlines how breaches are handled. As noted in the commentary to the final rule, “an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”18
A Phased Approach
Lawyers and law firms that are business associates under HIPAA need to get started now to develop an internal plan for assuring compliance with the new HIPAA requirements. Although the actual deadline for compliance may be a moving target depending on whether there are existing business associate contracts in place, it makes more sense to be fully compliant by September 23, 2013.19
The first step on the path to compliance is to recruit the right people within or outside of your firm to develop, implement, and eventually monitor the firm’s HIPAA compliance efforts. It will be essential to gain an understanding of the applicable HIPAA privacy, security and breach-notification requirements that is more thorough than the overview provided in this article. Ideally, this knowledge can be developed in house; if not, it may be time to seek outside assistance. A lead should be designated who will drill down into the details, map the requirements, and oversee the process. The team should include the lawyer or lawyers who are familiar with the nature of the firm’s business associate relationships, IT professionals who understand the firm’s IT infrastructure, and staff who understand the flow of PHI or electronic PHI within the firm. It will be this group that will have to address the details of compliance. Of course, if you are a solo practitioner like the author, most of these people will be looking back at you in the mirror each morning.
The second step is conducting a gap analysis to determine what your firm does now in handling PHI and what it will need to do in the future.
The gap analysis may expose some glaring inadequacies, and for that reason there is something to be said for hiring an outside law firm and consultants to oversee the gap analysis process and bring it under the attorney-client privilege.
The third step will be to address the “gaps” identified in the gap analysis, whether technical or administrative. At the end of the day, legal business associates will need to be in a position to demonstrate to internal and external stakeholders that the firm meets HIPAA business associate requirements.
A final step should be a review of the firm’s engagement letter for health care clients to set out the boundaries relative to becoming a business associate. For example, a small firm may decide that the only access to electronic PHI that it is willing to have is on site at the client’s facility or through limited secure remote access to the client’s IT system that is arranged by the client. In other words, the firm would refuse to put itself in the position of maintaining, disclosing, or transmitting electronic PHI and thus limit the potential liability created by the business associate relationship.
Getting up to speed on current HIPAA requirements and going down the path to full implementation will prove to be a challenge for many lawyers and firms that either are or agree to become business associates of health care clients. Lawyers would do well to remember Murphy’s Law as a reminder of why this is so important. “If there are two or more ways to do something, and one of those ways can result in a catastrophe, then someone will do it.” Nobody wants to be that someone.
Gordon Apple is an attorney in St. Paul and is admitted in Minnesota, Wisconsin and Washington. He focuses his practice on health law including regional and national representation and consultation. He can be reached through his website at Healthlawgeek.com. Copyright © 2013, Gordon J. Apple, All Rights Reserved.
1 78 Fed. Reg. 5566 (01/25/2013).
2 The final rule is effective on March 26, 2013. Covered entities and business associates have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, i.e., by September 23, 2013. Note that breach notification requirements already exist and were effective in 2009.
3 The reality is that law firms already faced some of these potential consequences after the effective date of the HITECH amendments in 2009. However, now that final rules have been published implementing these changes, the likelihood of enforcement is greatly increased.
4 Pub. L. 104-191 110 Stat. 1936 (1996).
5 The Privacy Rule applies to protected health information in any form whereas the Security Rule applies to protected health information in electronic form only. Protected health information (as defined in 45 CFR 160.103) means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 USC §1232g;
(ii) In records described at 20 USC §1232g(a)(4)(B)(iv); and
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.
6 The Health Information Technology for Economic and Clinical Health (HITECH) Act, Division A, Title XIII, Subtitle D of the American Recovery and Reinvestment Act (ARRA) of 2009.
7 78 Fed. Reg. 5589.
8 45 CFR §160.103, subpart (1)(ii) of the business associate definition.
9 78 Fed. Reg. 5598.
10 68 Fed. Reg. 8334 (02/20/2003).
11 “In this final rule, we adopt both ‘required’ and ‘addressable’ implementation specifications … .
In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following: (a) Implement one or more of the addressable implementation specifications; (b) implement one or more alternative security measures; (c) implement a combination of both; or (d) not implement either an addressable implementation specification or an alternative security measure. In all cases, the covered entity must meet the standards…
The entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.”
12 See §164.316 for Policies and procedures and documentation requirements related to the Security Rule and the fact that business associates will have to maintain documentation for six years and be able to produce it for the government, if requested.
13 What is needed is both quantitative and qualitative risk analysis. In quantitative risk analysis, potential losses are estimated by identifying and quantifying both assets and the threats to those assets. For example, the computer servers at a law firm are assets; a threat to the servers could be physical destruction by a tornado. Qualitative risk analysis is best described as a common-sense, subjective approach to identifying assets, threats, and vulnerabilities. For example, common sense dictates that a password-protected workstation should not have its password posted on the monitor.
14 45 CFR §164.502, “Uses and disclosures of protected health information,” outlines the general rules that a law firm business associate will have to adhere to.
15 The commentary to the final rule contains a listing of the Privacy Rule requirements applicable to Business Associates – See 78 Fed. Reg. 5591. However, it’s also important to note that “any privacy rule limitation on how a covered entity may use or disclose protected health information automatically extends to a business associate.” 78 Fed. Reg. 5597.
16 45 CFR §164.502(b).
17 Lost laptops containing protected health information have cost covered entities from $1.5 million for a large data breach to $50,000 for a small one.
18 78 Fed. Reg. 5641; the demonstration requires a four-factor risk assessment. See 78 Fed. Reg. 5642.
19 45 CFR §164.532(d) and (e) allow covered entities and business associates (and business associates and business associate subcontractors) to continue to operate under certain existing contracts for up to one year beyond the compliance date of the revisions to the Rules.