
Union Avoidance 101 - McAfee & Taft. Author: Croninger, Robin. Created Date: 9/11/2013 1:07:30 PM


TODAY’S PRESENTERS

Why Lawyers? Why Now?

New HIPAA regulations go into effect September 23, 2013

Expands HIPAA safeguarding and breach liabilities for “business associates” (BAs)

A lawyer is considered a “business associate” of a client if the client discloses protected health information (PHI) to the lawyer

Lawyers’ current privacy and confidentiality practices and procedures are likely not sufficient

The Bottom Line

Failure to properly secure, store, maintain, process, transmit, or destroy PHI can be costly and potentially damaging to individual lawyers and their firms

– Civil and criminal liability

– Significant monetary penalties

– Loss of clients

– Damage to professional reputation

Causes For Concern

Business associates account for an increasing number of HIPAA breaches

– 42% according to a 2009 study

– Use of contractors and subcontractors increases risk

Enforcement on the rise by DHHS Office for Civil Rights (OCR)

State Attorneys General can now enforce and impose civil penalties

HIPAA does not create a federal law private cause of action

Are You a “Business Associate”?

Do you provide services to or on behalf of a client who is a covered entity?

Covered Entity = health care provider, health care clearinghouse, health plan (e.g., Medicare plans, private insurance, employer-sponsored plans, etc.)

Do you create, receive, maintain or transmit PHI while providing those services?

What is PHI?

Individually identifiable health information that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university and relates to: past, present or future physical or mental health; provision of health care; or payment for provision of health care

Individually identifiable = some combination of name, address, date of birth, SSN, account numbers, fax numbers, or other demographic information

What is not PHI?

Information created or maintained by an employer for employment purposes, such as FMLA requests, fitness for duty examination reports, etc.

Employers are not covered entities under HIPAA but are obligated to maintain confidentiality of such information under other state and federal laws

However, an employer sponsor of health plan has obligations under HIPAA regarding its use and disclosure of plan information

PHI Use By Lawyers

Advise and defend hospitals, physicians, and nursing homes in lawsuits, payment appeals, billing issues, regulatory compliance matters

Advise and defend insurance companies and health plans in lawsuits, coverage issues, payment appeals

Advise or defend health care clearinghouses

Obligations As Business Associate

Enter into Business Associate Agreement with client and comply with it

Implement safeguards for PHI in paper or verbal form

Directly comply with HIPAA Security Rule for ePHI

Enter into BAA with subcontractors

Report to client: impermissible uses and disclosures, security incidents and breaches

Disclose records to HHS/OCR in an investigation or compliance review

What Is a Breach?

A breach is the acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA

Under the new rule, any acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach unless the covered entity or BA demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised

Previously there was no presumption; a determination of “significant risk of harm” was required

Breaches Waiting to Happen

Even when you think you’re covered, breaches can still occur:

– Your laptop is stolen from your home, office or car

– You leave hard copies in the conference room

– You fax documents without confirming receipt by the intended recipient

– You email an unencrypted file to your home computer or smartphone

– You download a file to an unencrypted thumb drive

– You throw client documents in the trash without shredding

OCR Civil Penalties (minimum and maximum per tier of violation)

Covered Entity/Business Associate did not know (and would not have known by reasonable diligence) that it violated HIPAA

– Minimum: $100 per violation; annual maximum of $25,000

– Maximum: $50,000 per violation; annual maximum of $1.5 million

Due to reasonable cause and not willful neglect

– Minimum: $1,000 per violation; annual maximum of $100,000

– Maximum: $50,000 per violation; annual maximum of $1.5 million

Willful neglect, but violation corrected within 30 days

– Minimum: $10,000 per violation; annual maximum of $250,000

– Maximum: $50,000 per violation; annual maximum of $1.5 million

Due to willful neglect and not corrected within 30 days

– Minimum: $50,000 per violation; annual maximum of $1.5 million

– Maximum: $50,000 per violation; annual maximum of $1.5 million

DOJ Criminal Penalties (maximum fine and maximum imprisonment per violation)

Individual “knowingly” obtains or discloses individually identifiable health information

– Maximum penalty: $50,000; maximum imprisonment: one year

Offenses committed under false pretenses

– Maximum penalty: $100,000; maximum imprisonment: 5 years

Offenses committed with the intent to sell, transfer or use information for commercial advantage, personal gain, or malicious harm

– Maximum penalty: $250,000; maximum imprisonment: 10 years

$1.7 Million Mistake

Managed care company Wellpoint agrees to pay $1.7 million to settle potential HIPAA violations

PHI of 612,402 individuals exposed on internet

The HIPAA breach resulted from a software upgrade done by a business associate hired by Wellpoint

Had this occurred on or after September 23, the liability would have extended to the technology vendor doing the upgrade

$1.2MM for “Doing Nothing”

Affinity Health Plan agreed in August 2013 to pay $1.2 million to settle potential HIPAA violations

PHI of 344,579 individuals exposed on copier hard drive

The HIPAA breach resulted from the hard drive not being purged prior to returning the leased copier to the lessor

Had this been Affinity’s outside law firm, the new HIPAA rules could have caused direct liability for both entities

You Say “Glitch,” HIPAA Says “Breach”

PHI, financial and employment data of nearly 188,000 clients of the Indiana Family and Social Services Administration compromised

Included some Social Security numbers

Breach attributed to a computer programming “glitch” caused by a vendor, whereby documents containing PHI and sensitive information were duplicated and mailed to the wrong clients

This is the second breach for Indiana FSSA. Last year’s involved a stolen laptop containing PHI

Immediate Next Steps for Lawyers

Countdown to September 23, 2013

Your Action Plan

#1 - Enter into BAAs and subcontractor BAAs

#2 - Determine how you receive, disclose and maintain PHI

#3 - Implement safeguards to protect PHI and limit use and disclosure

#4 - Educate lawyers and staff

#5 - Conduct risk analysis for ePHI

#6 - Adopt policies and procedures

#1-Business Associate Agreements

Between you and your clients

Between you and your subcontractors/vendors

– Applies to all downstream vendors that handle your firm’s PHI (such as records storage, online backup, Cloud vendors, document destruction)

– Applies to expert witnesses and consultants you use in a particular case or matter

– Conduit exception

HIPAA liability attaches even in absence of BAA

Why You Need an Updated BAA

New requirements included in HIPAA omnibus regulations published in January 2013

If you had a BAA that was fully compliant as of January 2013 and it has not been renewed or modified between March 26, 2013 and September 23, 2013, you have one more year to get a new BAA (until September 22, 2014)

OCR form of BAA: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Caution: Liability for Subcontractors

A BA has liability if it knew of a pattern of activity or practice of a subcontractor constituting a material breach, unless it takes reasonable steps to cure the breach or terminate the contract

A law firm acting as a business associate is liable, under the common law of agency, for HIPAA violations based on the acts or omissions of its agents

Include language in the subcontractor BAA that the subcontractor is an independent contractor, not an agent; cannot bind the law firm; and that the law firm does not have the right or authority to control the conduct of the subcontractor

Before You Execute a BAA…

Develop your own form of BAA that complies with HIPAA but limits your exposure

A client’s BAA often includes obligations you should try to avoid:

– Indemnification

– Limitation on damages

– Insurance requirements

– Audit and monitoring by covered entity

– Other risk shifting or risk sharing provisions

#2 - Determine How PHI Flows

Receipt of PHI

– Paper (mail, fax, print jobs)

– Electronic (email, CDs, USB drives)

Disclosure of PHI

Maintenance of PHI

– Physical files (on and off site)

– Electronic files

– Offices and work stations

HIPAA Security Rule

Lawyers as BAs must comply with the HIPAA Security Rule (electronic PHI):

– Ensure confidentiality, integrity of ePHI

– Protect against any reasonably anticipated threats or hazards to security and integrity

– Protect against any reasonably anticipated uses or disclosures that are not permitted or required by HIPAA

– Ensure compliance by members of workforce

HIPAA Security Rule - Specifics

Standards are addressable or required

Administrative, technical and physical safeguards

Security awareness training

Breach investigation procedures

Written reasonable and appropriate policies and procedures implementing safeguards

Retain documentation for at least 6 years from the date it was last in effect

#3 – Implement Safeguards

Administrative/organizational safeguards

– Limit access to all forms of PHI

– Terminate access upon termination of employment

– Review electronic access rights

– Provide electronic security training

– Password management

– Protection from malware and viruses

– Reporting of security incidents

– Document contingency plans for damage to IT systems

#3 – Implement Safeguards

Physical safeguards

– Facility access controls

– Facility security procedures

– Workstation use and security

– Device and media controls

– Inventory and control of hardware and electronic media

– Wiping of hard drives and electronic media

– Restricting use of laptops and portable devices

#3 – Implement Safeguards

Technology safeguards

– Prohibit sharing of user IDs and passwords

– Encryption for data at rest

– Encryption for transmission

– Automatic log-off

– Protect ePHI from alteration or destruction

#3 – Implement Safeguards

Significant risk related to use of mobile devices

– Loss and theft

– Malware and viruses

– Sharing with others

Safeguards

– Strong password

– Firewall protection and encryption

– Auto-off and locking of device

– Unique user ID

– Keep with person

– Use a secure Wi-Fi connection

#4 – Educate Lawyers & Staff

What is HIPAA?

How it applies to the law firm

Obligations to limit uses and disclosures

Sanctions for failure to comply

Appoint HIPAA Officer as point of contact

Obtain help from your IT director or consultant

Use OCR training materials

#5 – Conduct Risk Analysis

Conduct a risk assessment of the ePHI that you maintain: an “accurate and thorough assessment of potential risks and vulnerabilities to confidentiality, integrity, and availability of ePHI”

Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable level

Apply sanctions against personnel who fail to comply

Implement procedures to regularly review information system (IS) activity

#6 – Develop Written Policy and Procedures

In the event of a complaint or investigation, you must have a written policy to submit to OCR

Track HIPAA Security Rule safeguards

Include breach investigation provisions

OCR and ABA resources available

McAfee & Taft Case Study

Formed a HIPAA task force in 2009 and resurrected it this year; appointed a HIPAA officer

Attorneys, IT director, HR director, records management, ancillary businesses

Identified BAs, developed database, tracked and filed BAAs

Analyzed flow of PHI

Mandated “one paper file, one electronic file” per matter

Restricted access to electronic file

Case Study

Additional level of security for paper files

Require encryption for emails and mobile devices

Developed written policy and procedures

Conducted lawyer training

Conducted staff training

Troubleshoot as questions arise

Conducting risk analysis

Support of managing director and IT director is critical

Resources

Office for Civil Rights – Health Information Privacy http://www.hhs.gov/ocr/privacy/index.html

OCR Form of BAA http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Summary of HIPAA Security Rule http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Combined Text of All HIPAA Regulations http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf

ABA Materials: http://search.americanbar.org/search?q=HIPAA&client=default_frontend&proxystylesheet=default_frontend&site=default_collection&output=xml_no_dtd&oe=UTF-8&ie=UTF-8&ud=1