HIPAA Liability

by Stephen K. Phillips

Two personal injury defense lawyers agree to go out for drinks after work. They decide to travel in one car and proceed to stash their laptops in the trunk. While they are at the bar, someone breaks into the car and steals both laptops, which contain client emails with patients' medical information attached. Although both laptops are password protected, only one has an encrypted hard drive.

After filing a police report and an insurance claim, the lawyers replace their stolen computers. What's missing from this picture?

HIPAA compliance, that's what.

Under the Health Insurance Portability and Accountability Act (Pub. Law 104-191), the owner of the unencrypted laptop must promptly notify each client whose patients' medical records were stored on it. The clients, in turn, must promptly tell each affected patient - and perhaps federal and state authorities - about the security breach. Even with notification, the attorney and clients could face up to hundreds of thousands of dollars in civil fines, and potential lawsuits from affected patients. The attorney may also face breach of contract claims from the client.

What about the attorney with the encrypted laptop? No worries: No action is required.

This Means You
Health care providers have been subject to HIPAA since 1996. The idea behind the law is to ensure that patients' medical records stay private. But now, if your law firm handles medical records in connection with its practice, the headaches of the attorney with the unencrypted laptop are a very real possibility. On February 17, a new set of HIPAA patient privacy requirements took effect as part of the Obama Administration's stimulus package, formally titled the American Recovery and Reinvestment Act of 2009 (ARRA). (Follow-up federal rules were published as "Breach Notification for Unsecured Protected Health Information; Interim Final Rule," 74 Fed. Reg. 42740 (Aug. 24, 2009) (Breach Notice Rule).)

Embedded within ARRA is the Health Information Technology for Economic and Clinical Health Act (Pub. Law 111-005). Under this law, commonly referred to as HITECH, attorneys who access patient information in the course of client services are, for the first time, directly subject to two key HIPAA requirements: the Privacy Rule and the Security Rule.

Rules to Follow
The Privacy Rule regulates the use and disclosure of "protected health information" (PHI), which includes certain individually identifiable health data stored by health care plans, clearinghouses, and providers that engage in certain types of electronic transactions. (See 45 C.F.R. Parts 160 and 164, Subparts A and E.)

The Security Rule requires these "covered entities" to implement administrative, technical and physical safeguards to secure PHI in electronic form. (See 45 C.F.R. Parts 160 and 164, Subparts A and C.) (Similar requirements have long applied to physical records.)

Covered entities may disclose PHI to business associates without patient authorization if the disclosure is needed in performing HIPAA-covered functions - provided the business associates give appropriate assurances that they will safeguard the information. This scenario can include a lawyer providing legal services to a client that is a covered entity. A typical example would be a defense lawyer representing a hospital in a medical malpractice case.

The assurances must be documented in a written contract called a business associate agreement. Under HIPAA, but prior to HITECH, the rules required covered entities to impose certain requirements on business associates, but business associates themselves were not regulated directly, either by the Department of Health and Human Services (HHS) or its Office of Civil Rights (OCR).

Now, with HITECH in place, most of the requirements in HIPAA's Privacy and Security Rules apply directly to business associates, subjecting them to direct regulation by OCR. HITECH also creates new enforcement tools and imposes enhanced penalties for HIPAA violations. Among other things, HITECH requires a business associate to: (1) implement written policies and procedures, (2) develop a system for identifying breaches and notifying covered entities after discovery of a breach of unsecured PHI, (3) mitigate any harms from the inappropriate use or disclosure of PHI, (4) train its workforce, (5) develop a sanctions policy, (6) establish security safeguards, (6) appoint a privacy officer, and (7) develop and implement a complaint system. For a law firm that deals with PHI, these requirements are onerous; but make no mistake: They are real.

Safeguards Required
Business associates must comply with provisions of the Security Rule that require safeguards to protect the confidentiality, integrity, and availability of electronic PHI received from or on behalf of covered entities. In addition, they must implement written policies and procedures documenting those safeguards.

The Security Rule contains dozens of specific safeguards for securing electronic PHI - including a sanctions policy, a complaint system, and training programs. Some of these standards are "addressable," meaning they must be considered for implementation, and if not implemented, the covered entity or business associate must document why not. Other standards are required without exception, although the means of implementation are flexible. If a business associate uses any subcontractors - such as expert witnesses - to perform functions with client PHI, the subcontractors should implement similar safeguards, given the liability that mishandled PHI can create for the attorney business associate.

For attorneys, this means: (1) assessing the ways in which client medical information can be lost, stolen, or improperly accessed; (2) determining how to reasonably protect against such risks using the Security Rule's safeguards; (3) documenting those efforts in written policies and procedures; (4) training all your personnel on the policies and procedures; and (5) enforcing the policies and procedures.

Notice of Security Breaches
The statutes combine to require lawyers (who would be considered business associates) to notify their clients (who would be covered entities) following discovery of a breach of unsecured PHI. (Breaches involving "secured" PHI do not trigger the notice requirement.) If notice is required, it must be given to the clients without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. (See 42 U.S.C. § 17932(d); 45 C.F.R. § 164.404(b).) Affected attorneys must, to the extent possible, identify each individual whose unsecured PHI was breached, and any other available information that the covered entity (the lawyer's client) will need to notify all the affected individuals.

But what constitutes a breach? Under HIPAA and HITECH, the term means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of PHI. Although theft of a laptop certainly qualifies as a breach, unauthorized access by an entity's personnel (snooping, for example) can also be a breach. (42 U.S.C. § 17921(1); 45 C.F.R. § 164.402.)

On the other hand, the law excludes an inadvertent or unintentional disclosure of PHI that occurs in good faith by employees acting within the scope of employment duties - as long as the PHI is not further used or disclosed improperly. To comply with the statute, it's essential that you understand the proper ways to access and use PHI - and also that you train your workforce.

A breach is considered to be discovered once someone other than the person committing the breach - but who is also an employee, officer, or agent of the covered entity or business associate - knows, or should have reasonably known, of the breach (42 U.S.C. § 17932(c); 45 C.F.R. § 164.410(a)(2)). Law firms (and covered entities) must train their workforce to report any breaches to management.

Case in Point
What about those two lawyers with stolen laptops? Here's how HIPAA, as amended by HITECH, affects them.

Remember that a breach involving secured PHI does not trigger the notice rule (42 U.S.C. § 17932(a); 45 C.F.R. § 164.410(a)). PHI may be secured either by proper encryption, or by using certain approved destruction technologies and processes. The acceptable methods of encryption and destruction were explained last year in an HHS guidance document (published in 74 Fed. Reg. 19006 (April 27, 2009)). Access controls - such as passwords, firewalls, and biometric controls - are not equivalent to encryption; they are not sufficient, standing alone, to secure PHI. Thus, the laptop in our example that is only password-protected was not considered secure under HIPAA. Although it's not specifically required by law, the best practice is to use encrypted computers and other devices for storing and transmitting electronic PHI. In addition, attorneys should periodically destroy unneeded PHI to prevent future privacy breaches.

An unsettled issue involves the portion of the statute that requires reporting of a breach that 'compromises the security or privacy of the protected health information.' (42 U.S.C. § 17921(1); 45 C.F.R. § 164.402.) Just how do you know when reporting is required? To provide guidance, HHS has articulated the "significant harm" test. The agency also suggests performing a risk assessment to determine whether the circumstances call for notification. The assessment involves documenting answers to these three questions:

- Has there been an impermissible use or disclosure of PHI under the Privacy Rule?

- Does the impermissible use or disclosure compromise the privacy or security of the PHI by creating a significant risk of financial, reputational, or other harm to the individual?

- Is the incident excluded from the statutory definition of breach (see 45 C.F.R. § 164.402; 74 Fed. Reg. at 42744?45).

The validity of the significant harm test, however, is in question after the authors of HITECH declared that the HHS interpretation does not reflect legislative intent and should be rescinded. (See October 1, 2009, Letter to HHS Secretary Kathleen Sebelius from U.S. Rep. Henry Waxman et al. at http:// energycommerce.house.gov/Press_111/ 20091001/sebelius_letter.pdf.)

Reporting Client Breaches
What if your client breaches the business associate agreement (BAA)? In a provision perilous to attorneys, HITECH requires business associates to take reasonable steps to cure any known BAA breaches by covered entities. If such steps prove unsuccessful, the business associate (that's you) must terminate the BAA; and if termination is not feasible, the business associate must report the breach to the HHS secretary. (42 U.S.C. § 17934(b).) This new "snitch" rule potentially obligates lawyers to report clients' transgressions to the federal government - no small ethical dilemma.

Attorneys who deal with PHI thus face a double bind: They risk violating rules of professional conduct if they report a client (see Cal. Rules of Prof. Conduct, Rule 3-100 & Cal. Bus. & Prof. Code § 6068(e)(1)), but they risk violating HIPAA if they don't.

There is no clear solution to this dilemma. Some attorneys have attempted one by adding a provision to their BAAs stating that they will not be obligated to take any action which conflicts with the Rules of Professional Conduct.

Enhanced Penalties
HITECH also ups the ante for HIPAA violators. A business associate is now liable for violations in the same manner as a covered entity (42 U.S.C. §§ 17931(b), 17934(c)). Criminal fines for a knowing and improper HIPAA violation continue to range from $50,000 to $250,000, and jail time ranges from one to ten years (42 U.S.C. § 1320d-6). However, HITECH extends the scope of the criminal penalties, and it drastically increases potential civil penalties, allowing fines of up to $1.5 million per calendar year for wrongful disclosure of PHI. The statute also requires the HHS secretary to formally investigate HIPAA complaints, and to impose civil penalties in cases of willful neglect. (See 42 U.S.C. § 1320d-5(c).)

Audits and the AG
Under HITECH, the HHS secretary must conduct periodic audits (which can be random) to ensure that covered entities and business associates are complying with the law. Because the HIPAA requirements are so extensive, an audit is likely to turn up evidence of noncompliance, and this may well lead to more enforcement actions. Within HHS, the OCR now has authority to enforce both the Privacy Rule and the Security Rule (42 U.S.C. § 17939(c)).

In addition, state attorneys general who believe that residents of their state have been affected by violations of HIPAA or HITECH can bring a civil action in federal court to enjoin further violations, and they can seek statutory damages. A court may award the state costs and reasonable attorneys fees in any successful action (42 U.S.C. § 1320d-5(c)).

In January, Connecticut's attorney general sued Health Net of Connecticut for failing to secure the private information of roughly 446,000 enrollees, and to promptly notify them of the security breach. Expect more such suits under the new law.

Minimum Necessary Rule
HIPAA requires covered entities to use reasonable efforts to limit the access, use, and disclosure of PHI to the "minimum necessary" to accomplish a legitimate purpose (45 C.F.R. § 164.502(b)). HITECH applies this rule to business associates. HHS has emphasized recently that an unnecessary disclosure could be a breach requiring notification (42 U.S.C. § 17934(a); 74 Fed. Reg. at 42744).

Applying the minimum necessary rule can be challenging, because lawyers often instinctively request all information from a client related to a matter. But such requests may be at odds with the minimum necessary requirement. Indeed, the rule is affected by other HIPAA requirements specifically governing the disclosure of PHI in litigation. In such cases, disclosures by a lawyer may be permissible or not, depending on whether the disclosures are affirmative, responsive, or pursuant to a court order or subpoena. (Compare 45 C.F.R. § 164.506 with 45 C.F.R. § 164.512(e).) Depending on the circumstances, a litigator may have to redact PHI supplied during discovery, strip it of information that identifies a specific patient, or seek a protective order.

Staying Current
Since the enactment of HITECH in 2009, HHS has issued two major regulatory issuances that affect attorney business associates: the April 17, 2009, guidance mentioned above, and the Breach Notice Rule. Many more are on the way. This trend marks a major shift, for HHS issued no security guidances during the first ten years under HIPAA (from 1996 to 2006). Because of constant regulatory developments in privacy, attorneys must monitor changes both in HIPAA and in state privacy laws. Fortunately, each HHS regional office has a privacy advisor to guide and educate covered entities, business associates, and individuals. (Information on California's is available at www.cms.hhs.gov/RegionalOffices/Downloads/ SanFranciscoRegionalOffice.pdf.)

Caution and Vigilance
HITECH vastly expands HIPAA's potency and requires intensive and ongoing compliance efforts by covered entities and their business associates. Law firms handling patient information maintained by clients should institute a formalized HIPAA compliance program with detailed written policies, training programs, dedicated personnel, and management oversight. Although such programs are time-consuming and burdensome, they are a must for anyone who desires to mitigate (and hopefully avoid altogether) the extensive liability risks posed by HIPAA and HITECH.

Stephen K. Phillips is a partner at Hooper, Lundy & Bookman. He specializes in health care law.

---