February 17, 2010, was a significant date if you represent healthcare industry clients. Starting on that date, you and your health care clients have new statutory obligations to maintain the privacy of electronically transmitted or stored patient information. Fail to meet these requirements, and you face substantial financial penalties.
These new requirements collectively are the oh-so-cutely named Health Information Technology for Economic and Clinical Health Act – or HITECH Act. HITECH is one part of last year’s economic stimulus legislation, the American Recovery and Reinvestment Act of 2009.
Who’s covered?
The HITECH Act applies to attorneys who represent doctors, hospitals, health insurance companies, or any other person or entity considered under the HIPAA patient privacy rules to be a "covered entity" (as defined in 45 C.F.R. §160.103). If your representation involves access to patient identifying information, the HITECH Act considers you to be your client’s business associate.
HITECH’s rules don’t apply to attorneys who merely interact with healthcare insurers or providers to represent clients who are not themselves healthcare insurers or providers. If you’re a personal injury lawyer and you subpoena someone’s medical records, an estates lawyer drafting a medical power of attorney, or a business lawyer negotiating a deal between a non-healthcare client and a hospital or health insurance company, the business associate label doesn’t apply.
Generally, it’s safe to assume that any healthcare industry client is a covered entity under HIPAA. HIPAA regulations (at 45 C.F.R. § 160.103) require covered entities to enter into a business associate (BA) agreement with any non-employee who "provides … legal … services to or for such covered entity where the provision of the services involves disclosure of individually identifiable health information….”
Many sophisticated providers (such as hospitals and health insurance companies with in-house counsel) have previously taken the steps necessary to comply with HITECH’s requirements; your firm may already have several business associate agreements somewhere in your files. However, for your smaller clients who may be unaware of HITECH, it’s worth your while to check into their compliance. If you don’t have a business associate contract with these clients, unless your representation of the client is severely limited, you should advise them of their HITECH obligations.
Before, if BA law firms didn't live up to contractual obligations in their handling of patient information, the worst thing they would face would be being fired by the client and defending a breach of contract action. Now, regardless of whether private information is actually compromised, BAs are directly liable to the federal government for having inadequate safeguards in place – and the penalties for non-compliance can be stiff. The Department of Health and Human Services’ Office of Civil Rights ("OCR") is the primary enforcer.
So what do business associates have to do now?
First, pull out and review any existing BA agreements you may have with your clients to ensure you’re compliant with all of your obligations. Since healthcare lawyers mindful of adhering to HIPAA’s privacy requirements generally have drafted these agreements, they should contain all the privacy requirements, enumerated in 45 C.F.R. § 164.504(e), that may now be enforced directly against you.
Familiarize yourself with the requirements of 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316. These are the core security regulations that apply directly to BAs under the HITECH Act.
Three of these regulations describe administrative, physical, and technical safeguards aimed at safeguarding patient information; the fourth requires BAs to adopt security policies and procedures and to document their activities. A fifth regulation, 45 C.F.R. § 164.306, states the underlying purpose of the HIPAA Security Regulations and explains some of the terminology used in the core regulations.
Next, make a note of where to find the breach notification regulations, so that if your firm should experience a breach of security of its electronic records, you can lay your hands on them easily. You can download them at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.
Fortunately, the regulations consider that safeguards appropriate for a large health insurance company or hospital, with hundreds of employees and its own IT staff, could be impractical or prohibitively expensive for a one-doctor physician practice or other small entity. Section 164.306(b) permits a covered entity, and by extension a BA, to "use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications" of the core regulations.
Ensure that your firm is meeting the requirements of the core regulations and prepare your compliance documentation. The core regulations mandate three areas of protection: physical, technical, and administrative, and you are required to develop policies and procedures for each area.
Physical safeguards:
Facility access controls. Limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that you allow properly authorized access.
Workstation use. Specify the physical attributes of the surroundings of a specific workstation or class of workstations from which users may electronically access protected health information. Designate the acceptable functions to be performed and the manner in which those functions may be performed.
Workstation security. Implement physical safeguards for all workstations that restrict access to authorized users who electronically access protected health information.
Device and media controls. Control your receipt, removal, and intra-facility movement of hardware and electronic media containing electronic protected health information.
Technical safeguards:
Access control. For electronic information systems containing patient information, allow access only to persons or software programs that have been granted access rights. More on this later.
Audit controls. Implement hardware, software, and/or procedural mechanisms to record and examine activity for information systems that contain or use patient information.
Integrity. Protect patient information from improper alteration or destruction.
Person or entity authentication. Implement procedures to verify the identity of a person or entity seeking access to electronic patient information.
Transmission security. Use security measures to prevent unauthorized access to patient information that is being transmitted over an electronic communications network.
Administrative safeguards:
Security management process. Take steps to prevent, detect, contain, and correct security violations.
Assigned security responsibility. Identify the security official to be responsible for the development and implementation of HIPAA security policies and procedures.
Workforce security. Restrict access to patient information to prevent those workforce members who are not permitted access to patient health information from obtaining access to protected information.
Information access management. Your policies and procedures for access to patient information must be consistent with applicable HIPAA privacy regulations.
Security awareness and training. Have a security awareness and training program for all workforce members, including management. Note: Before the thought of this causes dangerously high blood pressure in any senior partners, go back and reread the discussion of flexibility in administration of these regulations.
Security incident procedures. Ensure you have a policy in place to address security incidents.
Contingency plan. Have a protocol for responding to an emergency or other occurrence (fire, vandalism, system failure, natural disaster) that damages systems containing electronic protected health information.
Evaluation. Perform a periodic technical and nontechnical evaluation to establish the extent to which your security policies and procedures meet HIPAA security requirements.
Business associate contracts and other arrangements. A "covered entity, in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with Sec. 164.314(a) that the business associate will appropriately safeguard the information." It’s not clear at this point how this applies to business associates such as lawyers, but absent clarifying regulations from OCR, the prudent course would be to substitute your firm's name for “covered entity” and proceed from there.
So what’s “reasonable and appropriate” for me?
In developing standards, a covered entity and its business associates must take into account the following factors:
- The firm's size, complexity, and capabilities.
- The firm's technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to electronic protected health information.
Subject to this flexibility, BAs must comply with the core regulation standards. The implementation specifications have two classes: required and addressable. For addressable specifications, the law firm must "assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information….”
If you decide that any implementation specification is not “reasonable and appropriate” you can’t stop there. You must document why the process wouldn’t be reasonable and appropriate, and if there’s an equivalent reasonable and appropriate alternative measure, you must take that action.
Documentation requirements
To a large extent, the security requirements I’ve mentioned reflect IT professionals' consensus on what’s required to protect the security of any electronically stored or transmitted information. Given that we lawyers have our own ethical standards for client confidentiality, you may find that your firm already has safeguards in place. If so, that's terrific – but you're still not in compliance with the HITECH Act until you adopt policies and procedures and fulfill the documentation requirements under 45 C.F.R. § 164.316.
You’ll have to maintain the written policies and procedures you have implemented to comply with the HIPAA Security Regulations (maintenance in electronic form is fine). Where regulations require documentation of an action, activity, or assessment, maintain a written record in each case.
There are three required implementation specifications:
Time limit. Retain the required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.
Availability. Make documentation available to those responsible for implementing the document maintenance.
Updates. Review documentation periodically and update as needed in response to environmental or operational changes affecting the security of the electronic information.
Wow – that’s a lot to do for a small part of our practice. What if we just let it slide?
Not a good idea. The HITECH Act (also known to the cognoscenti as "HIPAA on Steroids") substantially increases enforcement penalties and activities. Ignore it at your peril.
Before, there was no proactive government enforcement of the HIPAA patient-privacy and security requirements – only OCR investigation of complaints. Where a complaint investigation found a violation, fines were limited to $100 per incident, with a maximum annual total of $25,000 for violations of the same requirement. The patient whose private information was compromised? No monetary compensation.
But now, under HITECH, civil penalties may be as much as $50,000 per violation, up to $1.5 million per year. Starting next year, OCR will be required to impose civil penalties if a violation is due to "willful neglect." Plus OCR keeps the penalty money, to be plowed back into enforcement activities (talk about incentives!). OCR is also required to conduct periodic audits of covered entities and business associates to evaluate HIPAA compliance.
State Attorneys General now have authority to bring civil enforcement actions. Connecticut’s AG brought the first such action in mid-January against a managed care company that lost a non-encrypted external hard drive containing personal information for 1.5 million past and present customers. Articles on this case are here and here.
The Government Accountability Office is to issue a report by August 17, 2012 recommending a methodology for affected individuals to share in penalties collected for HIPAA violations. Once implemented, this will increase patient incentives to file privacy and security complaints, similar to the effect of the False Claims Act's "whistle-blower" provisions.
Side benefits of compliance
The HITECH Act requirements require protection of electronically stored or transmitted information. Law firms, more than most businesses, should already have taken steps to protect their data because of our ethical obligations relating to confidentiality, so there’s a decent possibility that you’ve already done much of what the HIPAA Security Regulations require.
Working through the regulatory requirements, making sure that they are appropriately addressed, can be a useful exercise to help us all bring our data security into line to handle the real risks of exposure with electronic data storage. I’ve only scratched the surface of HITECH’s requirements in this article; for a more detailed discussion, visit my website at http://www.healthregs.com/HITECH-HIPAA-BusinessAssociateRules.
Jennifer A. Stiller has more than thirty years of experience in health and hospital law, having concentrated her practice in that area since 1975. In 1999, she was named one of the best lawyers in Philadelphia by Philadelphia Magazine. In 2005, she was named to the inaugural class of AHLA Fellows. A member of our Pennsylvania Bar Association’s Solo & Small Firm Section Council, Jennifer is an active participant in national, state, and local level health law activities and committees.