Why Lawyers? Why Now?

Transcription

1

2 TODAY S PRESENTERS

3 Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business associate of a client if client discloses protected health information (PHI) to the lawyer Current privacy and confidentiality practices and procedures as lawyers likely not sufficient

4

5 The Bottom Line Failure to properly secure, store, maintain, process, transmit, or destroy PHI can be costly and potentially damaging to individual lawyers and their firms Civil and criminal liability Significant monetary penalties Loss of clients Damage to professional reputation

6 Causes For Concern Business associates account for an increasing number of HIPAA breaches 42% according to a 2009 study Use of contractors and subcontractors increases risk Enforcement on the rise by DHHS Office for Civil Rights (OCR) State Attorneys General can now enforce and impose civil penalties HIPAA does not create a federal law private cause of action

7 Are You a Business Associate? Do you provide services to or on behalf of a client who is covered entity? Covered Entity = health care provider, health care clearinghouse, health plan (e.g., Medicare plans, private insurance, employer-sponsored plans, etc.) Do you create, receive, maintain or transmit PHI while providing those services?

8 What is PHI? Individually identifiable health information that is created or received by healthcare provider, health plan, public health authority, employer, life insurer, school or university and relates to: past, present or future physical or mental health; provision of health care; or payment for provision of health care Individually identifiable = some combination of name, address, date of birth, SSN, account numbers, fax numbers, or other demographic information

9 What is not PHI? Information created or maintained by an employer for employment purposes, such as FMLA requests, fitness for duty examination reports, etc. Employers are not covered entities under HIPAA but are obligated to maintain confidentiality of such information under other state and federal laws However, an employer sponsor of health plan has obligations under HIPAA regarding its use and disclosure of plan information

10 PHI Use By Lawyers Advise and defend hospitals, physicians, and nursing homes in lawsuits, payment appeals, billing issues, regulatory compliance matters Advise and defend insurance companies and health plans in lawsuits, coverage issues, payment appeals Advise or defend health care clearinghouses

11 Obligations As Business Associate Enter into Business Associate Agreement with client and comply with it Implement safeguards for PHI in paper or verbal form Directly comply with HIPAA Security Rule for ephi Enter into BAA with subcontractors Report to client: impermissible uses and disclosures, security incidents and breaches Disclose records to HHS/OCR in an investigation or compliance review

12 What Is a Breach? Breach is the acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA Under new rule, any acquisition, access, use or disclosure of PHI in manner not permitted is presumed to be a breach unless covered entity or BA demonstrates there is a low probability that PHI has been compromised based on risk assessment Previously, no presumption; required determination of significant risk of harm

13 Breaches Waiting to Happen Even when you think you re covered, breaches can still occur: Your laptop is stolen from your home, office or car You leave hard copies in the conference room You fax documents without confirming receipt by the intended recipient You an unencrypted file to your home computer or smartphone You download a file to an unencrypted thumb drive You throw client documents in trash without shredding

14

15 OCR Civil Penalties Violation Minimum Penalty Maximum Penalty Covered Entity/Business Associate did not know (and would not have known by reasonable diligence) that it violated HIPAA Due to reasonable cause and not willful neglect Willful neglect, but violation corrected within 30 days Due to willful neglect and is not corrected within 30 days $100 per violation; annual maximum of $25,000 $1,000 per violation; annual maximum of $100,000 $10,000 per violation; annual maximum of $250,000 $50,000 per violation; annual maximum of $1.5 million $50,000 per violation; annual maximum of $1.5 million $50,000 per violation; annual maximum of $1.5 million $50,000 per violation; annual maximum of $1.5 million $50,000 per violation; annual maximum of $1.5 million

16 DOJ Criminal Penalties Violation Individual knowingly obtains or discloses individually identifiable information Offenses committed under false pretenses Offenses committed with the intent to sell, transfer or use information for commercial advantage, personal gain, or malicious harm Maximum Penalty Maximum Imprisonment $50,000 One year $100,000 5 years $250, years

17 $1.7 Million Mistake Managed care company Wellpoint agrees to pay $1.7 million to settle potential HIPAA violations PHI of 612,402 individuals exposed on internet HIPAA breach resulted from software upgrade done by business associate hired by Wellpoint Had this occurred on or after September 23, the liability would have extended to the technology vendor doing upgrade

18 $1.2MM for Doing Nothing Affinity Health Plan agreed in August 2013 to pay $1.2 million to settle potential HIPAA violations PHI of 344,579 individuals exposed on copier hard drive HIPAA breach resulted from hard drive not being purged prior to returning leased copier to lessor Had this been Affinity s outside law firm, the new HIPAA rules could have caused direct liability for both entities

19 You Say Glitch, HIPAA Says Breach PHI, financial and employment data of nearly 188,000 clients of the Indiana Family and Social Services Administration compromised Included some Social Security numbers Breach attributed to a computer programming glitch caused by a vendor, whereby documents containing PHI and sensitive information were duplicated and mailed to the wrong clients This is the second breach for Indiana FSSA. Last year s involved a stolen laptop containing PHI

20 Countdown to September 23, 2013 Immediate Next Steps for Lawyers

21 Your Action Plan #1 - Enter into BAAs and subcontractor BAAs #2 - Determine how you receive, disclose and maintain PHI #3 - Implement safeguards to protect PHI and limit use and disclosure #4 - Educate lawyers and staff #5 - Conduct risk analysis for ephi #6 - Adopt policies and procedures

22 #1-Business Associate Agreements Between you and your clients Between you and your subcontractors/vendors Applies to all downstream vendors that handle your firm s PHI (such as records storage, online backup, Cloud vendors, document destruction) Applies to expert witnesses and consultants you use in a particular case or matter Conduit exception HIPAA liability attaches even in absence of BAA

23 Why You Need an Updated BAA New requirements included in HIPAA omnibus regulations published in January 2013 If you had a BAA that was fully compliant as of January 2013 and has not been renewed or modified between March 26, 2013 and September 23, 2013, you have one more year to get new BAA (until September 22, 2014) OCR form of BAA: coveredentities/contractprov.html

24 Caution : Liability for Subcontractors BA has liability if knew of pattern of activity or practice of subcontractor constituting a material breach, unless takes reasonable steps to cure or terminate contract Law firm as business associate is liable, according to common law of agency, for HIPAA violations based on acts or omissions of agents Include language in subcontractor BAA that subcontractor is independent contractor, not agent; cannot bind law firm; and law firm does not have right or authority to control conduct of subcontractor

25 Before You Execute a BAA Develop your own form of BAA that complies with HIPAA, but limits your exposure A client s BAA often includes obligations to avoid: Indemnification Limitation on damages Insurance requirements Audit and monitoring by covered entity Other risk shifting or risk sharing provisions

26 #2 - Determine How PHI Flows Receipt of PHI Paper (mail, fax, print jobs) Electronic ( , CDs, USB drives) Disclosure of PHI Maintenance of PHI Physical files (on and off site) Electronic files Offices and work stations

27 HIPAA Security Rule Lawyers as BAs must comply with HIPAA Security Rules (electronic PHI): Ensure confidentiality, integrity of ephi Protect against any reasonably anticipated threats or hazards to security and integrity Protect against any reasonably anticipated uses or disclosures that are not permitted or required by HIPAA Ensure compliance by members of workforce

28 HIPAA Security Rule - Specifics Standards are addressable or required Administrative, technical and physical safeguards Security awareness training Breach investigation procedures Written reasonable and appropriate policies and procedures implementing safeguards Retain documentation for at least 6 years from date it was last effective

29 #3 Implement Safeguards Administrative/organizational safeguards Limit access to all forms of PHI Terminate access upon termination of employment Review electronic access rights Provide electronic security training Password management Protection from malware and viruses Reporting of security incidents Document contingency plans if damage to IT systems

30 #3 Implement Safeguards Physical safeguards Facility access controls Facility security procedures Workstation use and security Device and media controls Inventory and control of hardware and electronic media Wiping of hard drives and electronic media Restricting use of laptops and portable devices

31 #3 Implement Safeguards Technology safeguards Prohibit sharing of user IDs and passwords Encryption for data at rest Encryption for transmission Automatic log-off Protect ephi from alteration or destruction

32 #3 Implement Safeguards Significant risk related to use of mobile devices Loss and theft Malware and viruses Sharing with others Safeguards Strong password Firewall protection and encryption Auto-off and locking of device Unique user ID Keep with person Use a secure Wi-fi connection

33 #4 Educate Lawyers & Staff What is HIPAA How it applies to law firm Obligations to limit uses and disclosures Sanctions for failure to comply Appoint HIPAA Officer as point of contact Obtain help from your IT director or consultant Use OCR training materials

34 #5 Conduct Risk Analysis Conduct risk assessment of ephi that you maintain: an accurate and thorough assessment of potential risks and vulnerabilities to confidentiality, integrity, and availability of ephi Guidance: securityrule/rafinalguidance.html Implement security measures sufficient to reduce risks and vulnerabilities to reasonable level Apply sanctions against personnel who fail to comply Implement procedures to regularly review IS activity

35 #6 Develop Written Policy and Procedures In event of complaint in investigation, you must have a written policy to submit to OCR Track HIPAA Security Rule safeguards Include breach investigation provisions OCR and ABA resources available

36 McAfee & Taft Case Study Formed HIPAA task force in 2009 and resurrected this year; appointed HIPAA officer Attorneys, IT director, HR director, records management, ancillary businesses Identified BAs, developed database, tracked and filed BAAs Analyzed flow of PHI Mandated one paper file, one electronic file per matter Restricted access to electronic file

37 Case Study Additional level of security for paper files Require encryption for s and mobile devices Developed written policy and procedures Conducted lawyer training Conducted staff training Troubleshoot as questions arise Conducting risk analysis Support of managing director and IT director is critical

38 Resources Office for Civil Rights Health Information Privacy OCR Form of BAA actprov.html Summary of HIPAA Security Rule Combined Text of All HIPAA Regulations ABA Materials: oxystylesheet=default_frontend&site=default_collection&output=xml_no_dt d&oe=utf-8&ie=utf-8&ud=1

39 More Resources Mobile Device Security OCR Training Materials OCR s YouTube Channel Electronic Security Guidance Presentations from May 2013 meeting