New Rules for Lawyers as Business Associates Under HIPAA and the New HITECH Act

By Teresa Meinders Burkett

HIPAA stands for the Health Insurance Portability and Accountability Act, originally enacted in 1996 to facilitate the continued health insurance coverage of individuals who moved between employers that provide health insurance. This original premise of HIPAA likely has faded in importance with passage of the Patient Protection and Affordable Care Act (ACA) that now includes a “guaranteed issue” provision which prohibits insurers from denying coverage to individuals due to pre-existing conditions, whether covered by health insurance in the past or not.


Long before the ACA came about, HIPAA expanded into an omnibus law that included new health care fraud provisions, added standards for electronic transactions for health care claims and spawned new regulations, principally the now broadly recognized HIPAA privacy rule and security rule. The Department of Health and Human Services expected these rules to provide “all Americans with a basic level of protection” for their personal medical information, allowing the states to set more stringent protections if they preferred.[1]

Since 1988, early in the AIDS crisis, Oklahoma has had laws in place that are more protective of medical information privacy than that offered by HIPAA. Section 1-502.2 of Title 63 of the Oklahoma Statutes provides that “…information and records of any disease which are held or maintained by any state agency, health care provider or facility, physician, health professional, laboratory, clinic, blood bank, funeral director, third-party payor or any other agency, person, or organization in the state shall be confidential.” This statute goes on to require that “such information shall not be released” except under specific circumstances, including upon a court order, with the written authorization of the person whose health information is to be disclosed or among health care providers for purposes of providing treatment to the person. Similarly, records of mental health treatment may be disclosed only upon the written authorization of the patient or upon a court order. A subpoena by itself is not sufficient to disclose such information.[2]

The HIPAA term for medical information is “protected health information” (PHI) and is generally defined as all individually identifiable health information created, received, maintained or transmitted by a health care provider or health plan with respect to an individual’s past, present or future physical or mental health care. Typically, PHI may be used by health care providers and private or governmental health plans for treatment, payment and medical business purposes called “health care operations” without a patient’s specific authorization. There are a few other limited ways PHI may be used without patient authorization, such as reporting child abuse or public health reporting. In most other instances, HIPAA requires individuals to “authorize” the use or disclosure of their PHI. PHI is “used” when it is shared or relied on within the entity that created or maintains it, and it is “disclosed” when it is shared with third parties outside the entity’s workforce.[3] A health care provider cannot use or disclose PHI except as permitted by the privacy rule.

Under the “original HIPAA,” only “covered entities” were required to comply with the privacy and security rules. Those covered entities include health care providers, health plans and data clearinghouses. The privacy rule requires covered entities to enter into a business associate agreement (BAA) with third parties outside their workforce that provide services to the covered entity requiring the use or disclosure of PHI. Common examples of business associates are medical transcription services, accountants, outside staffing agencies and lawyers. The BAA effectively extended, by contract, the regulations found in the privacy and security rules to those who participate in the health care industry but do not fall within the definition of a covered entity, and to whom the rules therefore did not apply directly. These agreements, in effect, closed the gap in the law that left some who regularly come in contact with medical information outside the ambit of HIPAA.


The HIPAA privacy rule has now been in effect a full 10 years, and the security rule has existed almost that long. The first major revisions to the law were made in 2009, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was included in the American Recovery and Reimbursement Act. The HITECH Act makes the privacy and security rules explicitly applicable to business associates, including law firms and other professionals who provide services on behalf of health care providers and health plans and who require access to PHI of these covered entities’ patients or customers to do their jobs. The final rules implementing the HITECH Act required compliance as of Sept. 23, 2013. Now, all business associates have a statutory obligation to comply with both HIPAA and HITECH, and are subject to enforcement audits and potential civil and criminal penalties for noncompliance.

The HITECH Act and its Impact on Lawyers
As a threshold matter, attorneys must determine whether they fall into the category of a business associate. If a lawyer encounters PHI in the course of representing a client that is a covered entity, the lawyer is typically a business associate. If a lawyer encounters PHI when representing a client who is not a covered entity, the lawyer may not fall within the definition of a business associate. For example, a lawyer representing an individual who is suing a health care provider in a malpractice claim is probably not a business associate. The patient’s lawyer will have access to the client’s PHI, but that access is based on the client signing an authorization for disclosure of PHI form which gives the attorney access to the information. However, in the same lawsuit, the lawyers representing the covered entities (e.g., the physician or hospital) acquire access to the plaintiff’s PHI as a result of their relationship to the covered entity, and thus they are business associates. By further example, a lawyer who is on either side of a personal injury dispute such as a motor vehicle accident or premises liability claim will obtain medical records of the individuals who are seeking damages for their injuries, but that access will be based on the individuals’ signed authorizations or a court order requiring the medical data to be produced. These lawyers do not fall within the definition of a business associate.

Litigation is, of course, not the only practice area where a law firm may become a covered entity client’s business associate. Lawyers who handle employee benefits issues for health plans or employers who sponsor self-insured health plans may encounter PHI of the plan participants and thereby become business associates. Lawyers who represent a health care provider in the sale or purchase of a covered entity or a business associate may encounter PHI in reviewing accounts receivable or patient lists and become a business associate as a result. A business associate relationship arises when a lawyer represents a covered entity or a business associate in a governmental investigation or audit that requires access to PHI. It is important that a law firm consider its possible role as a business associate in any representation that will involve health information, and that a firm ensure that a BAA is in place before receiving any documents or media from the client that include PHI.

Another type of representation that may impose business associate obligations on a lawyer arises when the lawyer represents an entity that is a business associate, and the lawyer requires access to PHI that the client received from the covered entity. The lawyer in this example is an agent or subcontractor of the original business associate. Under the new HITECH rules, the duty to comply with HIPAA flows not only to business associates, but also to “agents or subcontractors” of business associates if the agent or subcontractor will encounter PHI in the course of providing services to the associate. Each subcontractor must sign a contract that includes all of the provisions of a BAA, agreeing to maintain the privacy and security of that PHI.

Another more likely way this subcontractor business associate concept will impact law firms is when a lawyer who is a business associate hires an expert witness, a court reporter or even a copy shop to duplicate documents that include PHI the law firm received from its client. Carrying through one example, when the law firm that is a business associate hires a court reporter to transcribe a deposition that will require the use or disclosure of PHI, the court reporter must be asked to sign a “subcontractor BAA.” If the court reporter service does not make its own copies of the exhibits to a deposition transcript, the court reporter will need to ask the copy shop hired to copy exhibits containing PHI to sign a subcontractor BAA, as well. The entire chain of contractors or agents of any business associate will fall within the requirements of the privacy and security rules as a result of the HITECH provisions, and all of these businesses will need to develop the policies and practices for HIPAA compliance. Thus, the number of new businesses that will require HIPAA compliance policies has expanded exponentially under HITECH, and lawyers are just one of many kinds of service providers impacted by these new rules.

Business Associate Agreements and Lawyers
Not all agreements are alike, although there are mandatory provisions common to all of them. Most covered entities would prefer to have all of their vendors sign the same form BAA. However, lawyers have unique duties and should be wary of signing any stock form of an agreement.

Lawyers have ethical obligations to their clients that many vendors do not, such as maintaining the attorney-client privilege, so law firm agreements should be carefully tailored to protect the privilege to the extent possible. The privacy rule requires that all business associates allow the secretary of the Department of Health and Human Services to have access to their books and records to ensure compliance with HIPAA. This permission is typically included in a standard BAA. The law firm’s agreement should have appropriate carve-outs for privileged data to avoid unintentionally waiving the attorney-client privilege. In addition, many form agreements include indemnification language that could effectively void an attorney’s professional liability insurance coverage. Finally, attorneys must be sensitive to the ethical conflicts inherent in negotiating a contract with the very client whom they are required to protect. Some clients that are covered entities may wish to engage separate counsel to advise them with respect to the terms of the law firm’s BAA.

Business Associate Agreement Provisions
The HIPAA privacy rule contains most of the requirements for a compliant BAA; however, the security rule includes several requirements related to the maintenance of electronic PHI (ePHI). The agreement must restrict the business associate’s use and disclosure of PHI to those set forth in the BAA, in order to carry out the duties related to the parties’ business relationship. While the law firm business associate may use the client’s PHI for its own administrative and legal responsibilities, it otherwise may not use or disclose the PHI in any way that the covered entity itself could not use the data. The specific ways the covered entity/client may use the PHI will be set forth in its notice of privacy practices, so if there is any doubt as to how the client may be permitted to use or disclose the PHI, the law firm may wish to review the notice to be certain its acts are compliant. In addition, the BAA must state that the business associate will:
1) Use appropriate safeguards to prevent inappropriate use or disclosure of PHI;
2) Report to the covered entity any discovered uses or disclosures of PHI that are not permitted;
3) Report any security incidents involving ePHI and breaches of unsecured PHI;
4) Make PHI available for access to the individual it pertains to, and for amendments and accounting of disclosures;
5) Be sure that subcontractors or agents who will access PHI agree in writing to the same terms as the BAA;
6) Agree to destroy or return PHI at the end of the underlying service arrangement or, if it is infeasible to do so, maintain it under the same protections; and
7) Make its books and records open to the secretary of the Department of Health and Human Services to confirm compliance with the HIPAA requirements.

The covered entity has the obligation to present a BAA to its service providers, including law firms, before the entity discloses PHI to the vendor. When presented with the document, the lawyer should review the agreement for the required elements and then ask to tailor the agreement so the aspects unique to the attorney-client relationship may be preserved. Whether or not a BAA is signed, the relationship exists, and the legal obligations are present as soon as the lawyer receives PHI from the covered entity/client or the client allows the law firm to create, receive, maintain or transmit ePHI electronically on its behalf. Engaging in these acts in the absence of a signed BAA is a violation of HIPAA that carries possible penalties.

Under the HITECH Act, all business associates, including law firms, are now directly subject to enforcement of the HIPAA requirements and can be fined for impermissible uses and disclosures of PHI; for failure to notify the covered entity when unsecured PHI is inappropriately accessed or lost; for failure to provide access to ePHI to the covered entity or the individual who is the subject of the PHI; and other failures to comply with the HIPAA privacy rule or security rule. The minimum penalty for “willful neglect” of these HIPAA obligations is $10,000 per violation, if the violation is corrected within 30 days, and $50,000 per violation if it is not. Lesser penalties may be imposed for negligent violations, and greater penalties for intentional bad acts. Violations are calculated on a per person, per day, per standard basis. Annual liability under each HIPAA standard is capped at $1.5 million, but it is likely that a breach or violation will implicate more than one standard.

Commentators predict that the next action by the Office of Civil Rights for HIPAA enforcement will include rules for whistleblower actions that will allow whistleblowers to share in a portion of the fines and settlements when they expose wrongdoing.

Law Firm Compliance with the HIPAA Privacy Rule
Lawyers have always had an obligation to maintain secure files and keep their clients’ data confidential. However, the policies that give effect to this obligation may not be in writing. In order to demonstrate HIPAA compliance under the HITECH Act, a law firm should implement and document policies and procedures to protect the confidentiality, availability and integrity of the PHI and ePHI it receives from its clients. All law firm staff who will have access to the PHI within the firm must be trained on compliance with the policies and procedures put in place. Many firms that serve as business associates for their clients designate a specific individual as the “privacy officer” who will be responsible for ensuring compliance with the new obligations under HIPAA and for responding to questions that members of the firm may have as they strive to maintain compliance. Failure to take these mandated steps risks penalties as a HIPAA violation.

Breach Notification Requirements
As a business associate, a law firm will have to notify its client, the covered entity, if unsecured PHI is acquired, accessed, used or disclosed in violation of HIPAA. This requirement is found in the new breach notification rule under HITECH, 45 CFR 164.402. Under this new rule, “unsecured PHI” is either PHI maintained in paper form, or unencrypted ePHI. In the event unsecured PHI is misused or improperly disclosed, such as by the loss of a file or a stolen laptop, the firm will need to determine the likelihood that the data has been “compromised.” HIPAA presumes that the data is compromised unless the business associate can document that it was not. This may occur if a medical record is sent to an unintended individual but the recipient recognizes that it was sent in error and immediately returns it or notifies the sender that it was immediately destroyed. In that case, there is a low probability that the data was compromised. If, however, there is no way to determine whether the data was compromised, the firm will have to notify the covered entity of the breach in a time frame set forth in the parties’ BAA. That agreement will also specify which party has to pay for the notification and possible protections needed to mitigate any risk, such as credit protection for a period of time. The cost to accomplish these tasks will depend on the number of individuals whose data is involved. If more than 500 people are affected, notice of the data breach must be provided to local media and prominently displayed on the firm’s website. This size of loss could easily occur if a laptop with unencrypted data is misplaced.

Possibly the best protection a firm can have for its information system is encryption. Encryption must meet certain standards, set by the National Institute of Standards and Technology, to be sufficient to deem the data protected under HIPAA. Most technology experts recommend that encryption be used to protect data both in motion and at rest. While encryption may involve significant upfront costs, if it protects the firm from a single data breach, or unfavorable audit outcome, it is likely to be a wise investment.

Special care must be taken with mobile devices, because they seem to be the source of a significant number of data breaches reported in industry publications. Many businesses have adopted technology that allows a lost or stolen mobile device to be remotely “wiped” of all data as soon as a loss is reported. This may help reduce the risk that data will be compromised if all data is removed before it could likely be accessed or copied.

As part of compliance with HIPAA, business associates must adopt a breach notification policy. The requirements of that policy must match what the firm agrees to do in its BAA with respect to handling breaches of PHI. The other specific provisions to include in a breach notification policy are set forth in the HITECH breach notification rule.

While lawyers with health care and health plan clients have learned to adapt to the requirements of acting as a business associate, the HITECH Act imposes new requirements with which those lawyers need to become familiar. With the HITECH Act imposing HIPAA’s obligations directly on business associates, many lawyers are now subject to direct enforcement, and noncompliance can lead to steep fines. New written policies, security assessments, staff training and new subcontractor agreements are only a few of the challenges ahead for law firms that must comply with HIPAA and the HITECH Act.

1. 65 Fed. Reg. 82,462-4.
2. 43A Okla. Stat. § 1-109.D (2013).
3. 45 C.F.R. § 164.501.


Teresa Meinders Burkett, a former cardiac care nurse, is a leader in the health care practice group at Conner & Winters. Ms. Burkett has led organizations across the state in their compliance efforts and addressing complex legal issues. Her practice focuses on advising health care providers about HIPAA compliance, Medicare and Medicaid reimbursement, medical staff concerns, employment law and corporate compliance issues.

Originally published in the Oklahoma Bar Journal - Oct. 4, 2014 - Vol. 85, No.26
