Why Lawyers? Why Now?
New HIPAA regulations go into effect September 23, 2013
Expands HIPAA safeguarding and breach liabilities for “business associates” (BAs)
A lawyer is considered a “business associate” of a client if the client discloses protected health information (PHI) to the lawyer
Lawyers’ current privacy and confidentiality practices and procedures are likely not sufficient
The Bottom Line
Failure to properly secure, store, maintain, process, transmit, or destroy PHI can be costly and potentially damaging to individual lawyers and their firms
– Civil and criminal liability
– Significant monetary penalties
– Loss of clients
– Damage to professional reputation
Causes For Concern
Business associates account for an increasing number of HIPAA breaches
– 42% according to a 2009 study
– Use of contractors and subcontractors increases risk
Enforcement on the rise by DHHS Office for Civil Rights (OCR)
State Attorneys General can now enforce and impose civil penalties
HIPAA does not create a private cause of action under federal law
Are You a “Business Associate”?
Do you provide services to or on behalf of a client that is a covered entity?
Covered Entity = health care provider, health care clearinghouse, health plan (e.g., Medicare plans, private insurance, employer-sponsored plans, etc.)
Do you create, receive, maintain or transmit PHI while providing those services?
What is PHI?
Individually identifiable health information that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university and relates to: past, present or future physical or mental health; provision of health care; or payment for provision of health care
Individually identifiable = some combination of name, address, date of birth, SSN, account numbers, fax numbers, or other demographic information
What is not PHI?
Information created or maintained by an employer for employment purposes, such as FMLA requests, fitness for duty examination reports, etc.
Employers are not covered entities under HIPAA but are obligated to maintain confidentiality of such information under other state and federal laws
However, an employer that sponsors a health plan has obligations under HIPAA regarding its use and disclosure of plan information
PHI Use By Lawyers
Advise and defend hospitals, physicians, and nursing homes in lawsuits, payment appeals, billing issues, regulatory compliance matters
Advise and defend insurance companies and health plans in lawsuits, coverage issues, payment appeals
Advise or defend health care clearinghouses
Obligations As Business Associate
Enter into Business Associate Agreement with client and comply with it
Implement safeguards for PHI in paper or verbal form
Directly comply with HIPAA Security Rule for ePHI
Enter into BAA with subcontractors
Report to client: impermissible uses and disclosures, security incidents and breaches
Disclose records to HHS/OCR in an investigation or compliance review
What Is a Breach?
Breach is the acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA
Under the new rule, any acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach unless the covered entity or BA demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised
Previously, no presumption; required determination of “significant risk of harm”
Breaches Waiting to Happen
Even when you think you’re covered, breaches can still occur:
– Your laptop is stolen from your home, office or car
– You leave hard copies in the conference room
– You fax documents without confirming receipt by the intended recipient
– You email an unencrypted file to your home computer or smartphone
– You download a file to an unencrypted thumb drive
– You throw client documents in trash without shredding
OCR Civil Penalties
Covered Entity/Business Associate did not know (and would not have known by reasonable diligence) that it violated HIPAA
– Minimum penalty: $100 per violation; annual maximum of $25,000
– Maximum penalty: $50,000 per violation; annual maximum of $1.5 million
Due to reasonable cause and not willful neglect
– Minimum penalty: $1,000 per violation; annual maximum of $100,000
– Maximum penalty: $50,000 per violation; annual maximum of $1.5 million
Willful neglect, but violation corrected within 30 days
– Minimum penalty: $10,000 per violation; annual maximum of $250,000
– Maximum penalty: $50,000 per violation; annual maximum of $1.5 million
Due to willful neglect and not corrected within 30 days
– Minimum penalty: $50,000 per violation; annual maximum of $1.5 million
– Maximum penalty: $50,000 per violation; annual maximum of $1.5 million
DOJ Criminal Penalties
Individual “knowingly” obtains or discloses individually identifiable information
– Maximum penalty: $50,000; maximum imprisonment: one year
Offenses committed under false pretenses
– Maximum penalty: $100,000; maximum imprisonment: 5 years
Offenses committed with the intent to sell, transfer or use information for commercial advantage, personal gain, or malicious harm
– Maximum penalty: $250,000; maximum imprisonment: 10 years
$1.7 Million Mistake
Managed care company Wellpoint agrees to pay $1.7 million to settle potential HIPAA violations
PHI of 612,402 individuals exposed on internet
HIPAA breach resulted from a software upgrade done by a business associate hired by Wellpoint
Had this occurred on or after September 23, the liability would have extended to the technology vendor doing the upgrade
$1.2MM for “Doing Nothing”
Affinity Health Plan agreed in August 2013 to pay $1.2 million to settle potential HIPAA violations
PHI of 344,579 individuals exposed on copier hard drive
HIPAA breach resulted from the hard drive not being purged prior to returning the leased copier to the lessor
Had this been Affinity’s outside law firm, the new HIPAA rules could have caused direct liability for both entities
You Say “Glitch,” HIPAA Says “Breach”
PHI, financial and employment data of nearly 188,000 clients of the Indiana Family and Social Services Administration compromised
Included some Social Security numbers
Breach attributed to a computer programming “glitch” caused by a vendor, whereby documents containing PHI and sensitive information were duplicated and mailed to the wrong clients
This is the second breach for Indiana FSSA. Last year’s involved a stolen laptop containing PHI
Your Action Plan
#1 - Enter into BAAs and subcontractor BAAs
#2 - Determine how you receive, disclose and maintain PHI
#3 - Implement safeguards to protect PHI and limit use and disclosure
#4 - Educate lawyers and staff
#5 - Conduct risk analysis for ePHI
#6 - Adopt policies and procedures
#1 – Business Associate Agreements
Between you and your clients
Between you and your subcontractors/vendors
– Applies to all downstream vendors that handle your firm’s PHI (such as records storage, online backup, Cloud vendors, document destruction)
– Applies to expert witnesses and consultants you use in a particular case or matter
– Conduit exception
HIPAA liability attaches even in the absence of a BAA
Why You Need an Updated BAA
New requirements included in HIPAA omnibus regulations published in January 2013
If you had a BAA that was fully compliant as of January 2013 and it was not renewed or modified between March 26, 2013 and September 23, 2013, you have one more year to get a new BAA (until September 22, 2014)
OCR form of BAA: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Caution: Liability for Subcontractors
A BA is liable if it knew of a pattern of activity or practice of a subcontractor constituting a material breach, unless it takes reasonable steps to cure the breach or terminate the contract
Law firm as business associate is liable, according to common law of agency, for HIPAA violations based on acts or omissions of agents
Include language in the subcontractor BAA stating that the subcontractor is an independent contractor, not an agent; cannot bind the law firm; and that the law firm does not have the right or authority to control the conduct of the subcontractor
Before You Execute a BAA…
Develop your own form of BAA that complies with HIPAA, but limits your exposure
A client’s BAA often includes obligations you will want to avoid:
– Indemnification
– Limitation on damages
– Insurance requirements
– Audit and monitoring by covered entity
– Other risk shifting or risk sharing provisions
#2 - Determine How PHI Flows
Receipt of PHI
– Paper (mail, fax, print jobs)
– Electronic (email, CDs, USB drives)
Disclosure of PHI
Maintenance of PHI
– Physical files (on and off site)
– Electronic files
– Offices and work stations
HIPAA Security Rule
Lawyers as BAs must comply with the HIPAA Security Rule (electronic PHI):
– Ensure confidentiality and integrity of ePHI
– Protect against any reasonably anticipated threats or hazards to security and integrity
– Protect against any reasonably anticipated uses or disclosures that are not permitted or required by HIPAA
– Ensure compliance by members of workforce
HIPAA Security Rule - Specifics
Standards are addressable or required
Administrative, technical and physical safeguards
Security awareness training
Breach investigation procedures
Written reasonable and appropriate policies and procedures implementing safeguards
Retain documentation for at least 6 years from date it was last effective
#3 – Implement Safeguards
Administrative/organizational safeguards
– Limit access to all forms of PHI
– Terminate access upon termination of employment
– Review electronic access rights
– Provide electronic security training
– Password management
– Protection from malware and viruses
– Reporting of security incidents
– Document contingency plans for damage to IT systems
#3 – Implement Safeguards
Physical safeguards
– Facility access controls
– Facility security procedures
– Workstation use and security
– Device and media controls
– Inventory and control of hardware and electronic media
– Wiping of hard drives and electronic media
– Restricting use of laptops and portable devices
#3 – Implement Safeguards
Technology safeguards
– Prohibit sharing of user IDs and passwords
– Encryption for data at rest
– Encryption for transmission
– Automatic log-off
– Protect ePHI from alteration or destruction
#3 – Implement Safeguards
Significant risk related to use of mobile devices
– Loss and theft
– Malware and viruses
– Sharing with others
Safeguards
– Strong password
– Firewall protection and encryption
– Auto-off and locking of device
– Unique user ID
– Keep with person
– Use a secure Wi-Fi connection
#4 – Educate Lawyers & Staff
What HIPAA is
How it applies to the law firm
Obligations to limit uses and disclosures
Sanctions for failure to comply
Appoint HIPAA Officer as point of contact
Obtain help from your IT director or consultant
Use OCR training materials
#5 – Conduct Risk Analysis
Conduct risk assessment of ePHI that you maintain: an “accurate and thorough assessment of potential risks and vulnerabilities to confidentiality, integrity, and availability of ePHI”
Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
Implement security measures sufficient to reduce risks and vulnerabilities to reasonable level
Apply sanctions against personnel who fail to comply
Implement procedures to regularly review information system activity
#6 – Develop Written Policy and Procedures
In the event of a complaint or investigation, you must have a written policy to submit to OCR
Track HIPAA Security Rule safeguards
Include breach investigation provisions
OCR and ABA resources available
McAfee & Taft Case Study
Formed a HIPAA task force in 2009 and resurrected it this year; appointed a HIPAA officer
Attorneys, IT director, HR director, records management, ancillary businesses
Identified BAs, developed database, tracked and filed BAAs
Analyzed flow of PHI
Mandated “one paper file, one electronic file” per matter
Restricted access to electronic file
Case Study
Additional level of security for paper files
Require encryption for emails and mobile devices
Developed written policy and procedures
Conducted lawyer training
Conducted staff training
Troubleshoot as questions arise
Conducting risk analysis
Support of managing director and IT director is critical
Resources
Office for Civil Rights – Health Information Privacy http://www.hhs.gov/ocr/privacy/index.html
OCR Form of BAA http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Summary of HIPAA Security Rule http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Combined Text of All HIPAA Regulations http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
ABA Materials: http://search.americanbar.org/search?q=HIPAA&client=default_frontend&proxystylesheet=default_frontend&site=default_collection&output=xml_no_dtd&oe=UTF-8&ie=UTF-8&ud=1
More Resources
Mobile Device Security http://www.healthIT.gov/mobiledevices
OCR Training Materials
http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/index.html
OCR’s YouTube Channel
www.youtube.com/USGovHHSOCR
Electronic Security Guidance – Presentations from May 2013 meeting http://www.nist.gov/itl/csd/upload/hipaa-final-agenda-052013.pdf