PRIVACY: What Lawyers Must Do to Comply with HIPAA

Accountability Expanded for Law Firms Acting as Business Associates

The Department of Health and Human Services (HHS) published the long-awaited “Omnibus Rule” earlier this year, implementing a wide range of amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1] While these amendments raise significant compliance issues for health care providers and other entities traditionally associated with HIPAA, they also raise major concerns for the “business associates” of these entities, which often include law firms. In particular, effective Sept. 23, 2013,[2] the Omnibus Rule expanded the accountability of law firm business associates by making them directly responsible for complying with large parts of HIPAA.

If your firm acts as a business associate, then hopefully policies and procedures addressing the handling of protected health information[3] (PHI) are already in place. If this is not the case, however, the time to act is now. Firms that fail to achieve and maintain compliance face the threat of substantial monetary penalties and potential indemnification claims from clients when PHI entrusted to the firm is lost, mishandled, or stolen. To put the potential significance of non-compliance in perspective, consider the following: Your firm represents a physician group appealing a post-payment audit involving several hundred patients. After copying the medical records of almost 600 patients to a personal flash drive, you ask your assistant to deliver the records to a billing consultant. But your assistant has dinner plans, so she drops the flash drive in her purse, intending to deliver it before work the next day. Unfortunately, your assistant forgets her purse at the restaurant. The purse and the flash drive are never recovered.

So what would this mean for your firm? Your client, likely your former client now, must contact each of the affected patients, publish notice of the incident in the media, and notify HHS. Additionally, your client may seek reimbursement from your firm for any government fines and the substantial costs it incurred in sending the notifications and hiring new counsel to advise it on the incident. Further, HHS may elect to impose an additional fine on your firm. And the HIPAA insurance policy your firm carries probably excludes personal devices.

Given the potential consequences of non-compliance, lawyers and their staff must recognize when their firm is acting as a business associate and understand their compliance obligations. This article addresses these issues directly by providing practical guidance on: (1) recognizing when HIPAA applies; (2) understanding your firm’s HIPAA obligations; (3) the consequences of non-compliance; and (4) identifying steps to take to prepare for compliance.

Regulatory History

For the most part, the Omnibus Rule implements amendments to HIPAA contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. These amendments mark the most comprehensive set of changes to HIPAA since it was enacted. A brief overview of HIPAA before and after the HITECH Act helps put the significance of these changes in perspective.

Congress passed HIPAA in response to a rapidly evolving health care marketplace. HIPAA’s two main rules protecting health information, the Privacy Rule and Security Rule, were the result of what Congress perceived as a lack of uniform baseline protections for health information under state laws. While the Privacy Rule[4] set standards for the use and disclosure of PHI, the Security Rule[5] established standards and procedures for securing electronic PHI from unauthorized access. Prior to the HITECH Act, HIPAA relied heavily on self-policing to enforce the requirements of the Privacy and Security Rules. In fact, the regulations did not even include a requirement to report significant violations to affected patients or HHS.[6] Additionally, the Privacy and Security Rules applied directly only to “covered entities,”[7] such as health care providers and health care plans. To protect PHI in the hands of third parties, covered entities were required only to enter into “business associate agreements” with their business associates.[8]

The HITECH Act built on this framework with several changes that significantly reinforced the Privacy and Security Rules. First, Congress strengthened enforcement by creating a tiered system of monetary penalties for violations[9] and established a notification requirement for serious violations, known as the Breach Notification Rule.[10] Under the Breach Notification Rule, covered entities must notify affected individuals, HHS, and, in some cases, the media following a “breach” of unsecured PHI. Next, Congress extended protections of PHI by making business associates and their subcontractors directly responsible for complying with the Security Rule,[11] many aspects of the Privacy Rule,[12] and the new Breach Notification Rule.[13] As a direct consequence, this means that in addition to contractual liability under the terms of their business associate agreements, business associates and their subcontractors also face the threat of substantial monetary penalties for non-compliance. Finally, the Omnibus Rule extended liability to covered entities for the non-compliance of their business associates when acting as an agent for the covered entity, while similarly making business associates liable for the non-compliance of their subcontractors.[14]

Recognize When Hipaa Applies

For lawyers, the key question will always be whether their firm is acting as a business associate. While the business associate relationship frequently arises in the practice of health law, the relationship often forms when lawyers represent covered entities in other areas of the law, such as employment law and litigation defense. This presents a potentially dangerous trap for the unwary. Accordingly, you should always ask whether you are providing legal services to or for a covered entity, organized health care arrangement in which a covered entity participates,[15] or to or for another business associate of a covered entity. If the answer is “yes,” you should next ask whether your representation involves receiving PHI from your client. If you affirmatively answer both questions, your firm meets the definition of a business associate.[16]

Understand Your Firm’s HIPAA Obligations

The HITECH Act significantly expanded the obligations of a business associate beyond the basic terms of their business associate agreement. In addition to complying with the Security and Breach Notification Rules, under the Privacy Rule business associates:

  • Must not use or disclose PHI, except as permitted under the Privacy Rule, including the obligation to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure;
  • May use or disclose PHI only as permitted or required by its business associate agreement or as required by law;
  • May not, subject to certain very narrow exceptions, use or disclose PHI in any way that would violate the Privacy Rule if done by the covered entity;
  • Must provide access to a copy of electronic PHI to the covered entity, individual patient, or the individual patient’s designee (whichever is specified in the business associate agreement) in response to an individual’s request for an electronic copy of electronic PHI;
  • Must disclose PHI where required by the Secretary of HHS to investigate or determine compliance with HIPAA;
  • Must provide information about disclosures of PHI made to third parties in response to an individual’s request for an accounting of disclosures;
  • Must not sell PHI, except as otherwise permitted by the Privacy Rule; and
  • Must directly enter into business associate agreements with subcontractors that create, receive, maintain, or transmit PHI on the business associate’s behalf.[17]


While implementing policies and training employees on these obligations presents a difficult enough challenge, the bigger obstacle for law firm business associates will be complying with the Security and Breach Notification Rules. Generally, the Security Rule requires administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. The HITECH Act subjects law firm business associates to each administrative, physical and technical safeguard requirement, and requires firms to maintain policies, procedures, and documentation of their security practices.[18] The specifics of the Security Rule go beyond the scope of this article, but lawyers unfamiliar with HIPAA should understand the Rule’s basic structure, which consists of 18 core standards, each of which includes one or more implementation specifications.[19] The regulations classify each implementation specification as “required” or “addressable.”[20] Addressable implementation specifications offer important flexibility by allowing firms to determine whether the implementation specification is practical and warranted given the size and nature of their operations.[21] If not, the firm can adopt reasonable and appropriate alternative measures designed to accomplish the corresponding security standard.[22]

With respect to the Breach Notification Rule, law firm business associates must report a “breach”[23] of “unsecured” PHI[24] to the client with whom the firm has a business associate relationship with respect to the PHI.[25] Ultimate responsibility for sending required notifications falls to the covered entity.[26] As simple as this sounds, however, determining when a breach occurs and the mechanics of how and when to notify the client are complicated, to say the least. Consequently, HHS encourages the use of business associate agreements to detail the “how” and “when” of providing notification, and law firms will need to be familiar with, and possibly negotiate, the terms of their business associates agreements with clients and their own subcontractors.

Consequences of Non-Compliance

Failure to achieve or maintain compliance can lead to harsh consequences. From an enforcement standpoint, the HITECH Act established four tiers of monetary penalties.[27] Each tier corresponds to a different degree of culpability, and the Secretary of HHS assesses penalties on a per incident basis, subject to an annual cap of $1.5 million for violations of the same provision. Law firm business associates face the risk of penalties for their own violations, as well as potential liability for violations committed by their subcontractors. [See chart below.]

Penalty Tier Business Associate’s Culpability Level Penalty Per Incident
Tier 1* Did not know and could not have known of the HIPAA violation. $100 – $50,000
Tier 2* Knew, or would have known through reasonable due diligence that an act or omission violates HIPAA, but did not act with willful neglect. $1,000 – $50,000
Tier 3 Acted with willful neglect, but corrected the violation within 30 days $10,000 – $50,000
Tier 4 Acted with willful neglect and took no corrective actions within 30 days. $50,000
*Timely corrective action is an affirmative defense to Tier 1 and Tier 2 violations.[28]

The consequences of non-compliance do not stop with civil penalties. In addition to contractual liability under the terms of their business associate agreements, a major violation would likely cause significant reputational damage to a law firm and result in clients looking elsewhere for legal services, particularly since clients may face liability for the actions of their lawyers.

Prepare for Compliance

If your firm provides legal services as a business associate and has not taken appropriate measures to ensure compliance with HIPAA, the time to act is now. Compliance begins with getting organized and involving the right people. For some firms, this may mean forming a committee or taskforce, while smaller firms may consider engaging outside counsel or qualified consultants. Additionally, as required by the Security Rule, business associate law firms should appoint a Security Officer responsible for overseeing compliance with HIPAA’s security provisions.[29] Once the right people are in place, firms should begin developing and implementing a compliance program while preparing for the unique ways HIPAA impacts client relationships.

What should law firm business associates do to comply with the Security Rule? The first action item should be conducting a risk assessment to identify vulnerabilities to electronic PHI and implementing any measures necessary to reduce identified vulnerabilities to a level that is reasonable and appropriate in light of the regulatory standards.[30] After completing this process, attention should turn to developing written policies and procedures tailored to the core standards and implementation specifications, including adopting a policy for sanctioning employees for non-compliance.[31] Finally, firms should ensure personnel receive training and understand the firm’s obligations under the Security Rule.

With respect to the Privacy Rule, law firms should similarly develop, implement, and train personnel in policies and procedures addressing the use and disclosure of PHI. Training programs should emphasize the minimum necessary standard, which requires firm personnel to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of a use or disclosure. Additionally, while law firm business associates are not required to appoint Privacy Officers, firms should consider identifying one person as responsible for addressing Privacy Rule concerns with clients and the firm’s subcontractors. Finally, firms will need to make sure required business associate agreements are in place and comply with the new requirements of the Omnibus Rule. While firms can generally decide whether to wait until September 22, 2014, to update existing business associate agreements entered into before January 24, 2013, all other business associate agreements should comply with the Omnibus Rule.[32]

To prepare for compliance with the Breach Notification Rule, law firms should first become familiar with the risk analysis required upon discovering a potential breach, then develop policies that address how to investigate and respond appropriately. Law firms should also consider implementing policies that mitigate the possibility of a breach occurring, such as requiring encryption of PHI maintained electronically. Once these policies are in place, personnel training should focus on identifying and reporting potential breaches to the firm’s Security Officer so that the firm can conduct a breach analysis and fulfill any reporting obligations. Lastly, given the potential costs associated with a significant breach, law firms should seek to clearly define their obligations and liability in their business associate agreements and consider purchasing insurance protecting against losses associated with a security breach.

Finally, law firms must prepare for the unique ways their HIPAA obligations impact client relationships. One example, which raises clear ethical and privilege issues, is the requirement that law firms must agree in their business associate agreements to make their books and records available to HHS for compliance audits.[33] Similarly, when entering into business associate agreements, lawyers and their clients act as independent, adverse parties. Depending on the client’s sophistication and the firm’s desire to negotiate specific terms, such as risk allocation in the event of a security breach, negotiating against a client creates an uncomfortable situation that challenges the underlying confidences that comprise the lawyer-client relationship. Most clients, for example, will find it discomforting if your firm refuses to accept the same indemnification clause you drafted and advised it to require in its other business associate agreements. While there is no easy solution to these issues, law firms should consider including specific language in their business associate agreements that attempts to mitigate these issues.

Conclusion

Law firm business associates face significant obligations under HIPAA as a result of the HITECH Act. If your firm provides services as a business associate and has not started the process of developing and implementing a compliance program, the time to act is now. While achieving and maintaining compliance is a difficult challenge, firms that fail to act may find that overcoming the consequences of non-compliance presents an even greater challenge.

Notes

  1. Omnibus Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013) (codified at 45 C.F.R. pts. 160 & 164). The rule is known as the “Omnibus Rule” because it finalizes four interim or proposed rules amending HIPAA.
  2. Id.
  3. See 45 C.F.R. § 160.103 (defining “PHI” as individually identifiable health information that (i) is created or received by a HIPAA-covered entity and (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payments for the provision of health care to an individual).
  4. Id. at pts. 160 & 164, subpts. A & E.
  5. Id. at pts 160, 162 & 164.
  6. But see id. § 164.530(f) (imposing a duty to mitigate harm caused by a privacy violation, which may include giving the affected patient notice depending on the circumstances).
  7. See id. § 160.103 (defining a “covered entity” to include health care providers that conduct certain transactions in electronic form, health care clearing houses, and health plans).
  8. Id. § 164.504(e).
  9. HITECH Act §13410(d), 42 U.S.C. § 1320d-5.
  10. HITECH Act § 13402, 42 U.S.C. § 17932.
  11. HITECH Act § 13401, 42 U.S.C. § 17931.
  12. HITECH Act § 13404(a), 42 U.S.C. § 17934(a).
  13. HITECH Act § 13402, 42 U.S.C. § 17932.
  14. 42 C.F.R. § 160.402(c).
  15. See id. § 160.103 (defining an “organized health care arrangement” to include a clinically integrated care setting in which individuals receive care from more than one provider, certain types of organized health care delivery systems, and certain types of group health plans (including health insurance issuers and HMOs with respect to such group health plans).
  16. See id. § 160.103.
  17. HITECH Act § 13404(a), 42 U.S.C. §17934(a) (stating the general Privacy Rule standard applicable to business associates and incorporating by reference specific privacy standards).
  18. HITECH Act § 13401(a), 42 U.S.C. § 17935(d).
  19. 45 C.F.R. §§ 164.308–164.314.
  20. Id § 164.306(d).
  21. Id.
  22. Id.
  23. See HITECH Act § 13400, 42 U.S.C. § 17921 (defining “Breach” to mean the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information and outlining several exceptions). See generally Omnibus Rule, 78 Fed. Reg. at 5641 (discussing when the privacy or security of unsecured PHI is “compromised”).
  24. See HITECH Act § 13402(c), 42 U.S.C. § 17932(h)(1) (defining “unsecured protected health information” to mean PHI that is not secured through the use of a technology or methodology specified in HHS guidelines).
    See generally Guidance on Rending Protected Health Information Secured, 74 Fed. Reg. 19006 (April 27, 2009) (detailing technologies and methodologies approved by HHS to render PHI secured).
  25. 45 C.F.R. § 164.410(a)(1).
  26. HITECH Act § 13402(b), 42 U.S.C. § 17932(b) (establishing the business associate’s obligation to report to the covered entity); see also Omnibus Rule, 78 Fed. Reg. at 5650 (noting that ultimate responsibility for reporting falls to the covered entity).
  27. See HITECH Act § 13410(d), 42 U.S.C. § 1320d-5.
  28. 45 C.F.R. § 160.410(c) (providing that violations not due to willful neglect may be corrected during: (i) the 30-day period beginning on the first date the business associate knows, or, by exercising reasonable diligence, would have known that the violation occurred; or (ii) such additional period as the Secretary of HHS deems appropriate under the circumstances).
  29. 45 C.F.R. § 164.308(a)(2).
  30. Id § 164.308(a)(ii)(A)–(B).
  31. Id. § 164.308(a)(ii)(C).
  32. Omnibus Rule, 78 Fed. Reg. at 5602 (providing that grandfathering only applies to business associate agreements in place by January 24, 2013, provided that such agreements comply with “old” HIPAA standards and are not renewed or amended between March 26, 2013, and September 23, 2013, and noting that any changes to grandfathered agreements made after September 23, 2013, but before September 22, 2014, must meet the standards contained in the Omnibus Rule).
  33. See 45 C.F.R. §§ 164.502 (a)(4) and 164.504(e)(2)(ii)(I).

John V. Arnold JOHN V. ARNOLD practices in the health care practice group at Rainey, Kizer, Reviere & Bell PLC. He joined the firm after graduating with honors from St. Louis University School of Law, where he earned a certificate in health law from the nation’s top-ranked health law program. Arnold’s practice focuses on transactional matters and regulatory compliance, including advising clients on HIPAA, the Stark Law, the Anti-Kickback Statute, Medicare/ Medicaid reimbursement issues and other state and federal health care laws.

The author would like to thank Todd D. Siroky of Siroky Law PLC in Jackson for his editorial assistance with this article.