2013 HIPAA/HITECH AMENDMENTS: HOW THE CHANGES IMPACT THE ediscovery PROCESS

Transcription

1 2013 HIPAA/HITECH AMENDMENTS: HOW THE CHANGES IMPACT THE ediscovery PROCESS Brian Brown Danny Tijerina RenewData, an LDiscovery Company Austin, TX Introduction Maintaining compliance with government regulations has become more complicated due to the final omnibus regulations that implement the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) amendments of the Health Information Technology for Economic and Clinical Health ( HITECH ) Act. These rules not only impact companies generally, but they also affect ediscovery efforts, as law firms are responsible for subcontractors performing discovery tasks on behalf of their healthcare organization clients. In order to mitigate risk, firms need to understand the various components of ediscovery, the role protected health information ( PHI ) plays in this process and whether their ediscovery providers are compliant with the regulations. This article will explore how The HITECH Act and changes to HIPAA affect legal organizations and their ediscovery efforts. Business Associates and Liability for Non- Compliance The key element of the HITECH Act and regulations implementing it is the expanded obligations around management of individuals PHI by law firms and others that handle information of healthcare providers. The biggest change involves expansion of direct government oversight from previously regulated covered entities (such as health plans and healthcare providers) to now include business associates of those covered entities and their subcontractors. This means that organizations such as law firms (as well as the vendors they utilize in representing healthcare clients) are now directly subject to HIPAA as business associates and the litigation efforts (including collection of electronically stored information ( ESI ) and processing supported by ediscovery providers) are now under the purview of federal HIPAA and HITECH rules. Defining Business Associates A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Services include legal, consulting or accreditation services. A function or activity performed by a business associate includes those such as billing, benefit management or claims processing. 1 The regulations expand the universe of individuals and companies that must be treated as business associates to include all downstream contractors of a business associate that create, receive, maintain, or transmit PHI on behalf of a covered entity. 2 This means that any subcontractors or vendors working in conjunction with law firms (including forensic investigators, ediscovery providers, and managed review companies) on a matter for a covered entity must meet these same information security obligations. While ediscovery providers may be engaged directly by the covered entity and as a result are direct business associates of the covered entity in the category of providing services, they are often engaged by the law firm, and thus considered downstream business associates of the firm. These changes create far-reaching implications for law firms that represent healthcare organizations and other providers. The regulations extend liability of law firms to outside organizations such as ediscovery companies that provide critical external services for law firms, including collecting, receiving, storing, processing, and analyzing PHI on their behalf. While there are differences between the HIPAA Privacy Rule 3 and the HIPAA Security Rule, 4 it is incumbent upon law firms to understand that they must take protection of PHI into account when selecting ediscovery providers. This includes investigating security standards of providers and how they measure up to the requirements of HIPAA and HITECH regulations given the risks of exposure, alteration, or other manipulation of data that can occur during the ediscovery process. Otherwise, these firms will risk liability for these providers failure to protect PHI. Breach Notification The obligation to notify patients if there is a breach of their PHI is expanded and clarified under the rules. 5 Law firms and ediscovery providers must conduct a risk analysis 6 in the event they have suffered a breach and should put a process in place to assess and mitigate any potential breaches as quickly as possible. Required Security Protocols, Standards There are multiple layers of security protocols required under the regulations, including administrative, 7 technical 8 and physical 9 safeguards, as well as general organizational requirements. 10 Some of these specifications are required and others are addressable 11 to provide some flexibility to covered entities and business associates. Under the Final Rule implementing most of the HITECH Act, a continued on page 22 21

2 2013 HIPAA/HITECH Amendments: How the Changes Impact ediscovery continued from page 21 Business Associate must also comply with HIPAA s minimum necessary standard, meaning that when business associates use, disclose, or request PHI from a covered entity, they must limit PHI to the minimum necessary to accomplish the intended purpose. This creates a special set of problems for ediscovery providers, as courts impose varying expectations on what the true scope of discovery should be. There is a balancing act between this minimum necessary standard under HIPAA/HITECH and the courts desire for full, open, and reasonable disclosure of relevant data in legal matters. As there have been few, if any, instances of widespread data breaches involving ediscovery that have been made public, there is not yet a robust body of case law or government enforcement actions to illustrate how liability may be shared among healthcare organizations, law firms, and ediscovery providers. This area will likely evolve quickly as data breaches become more and more common through a combination of inadvertent errors and malicious attacks on the IT infrastructure of various organizations. Mapping Security Practices to the Electronic Discovery Reference Model 12 Understanding the EDRM and Its Role ediscovery presents a number of challenges related to securing PHI, especially when considering the evergrowing volumes of data being collected, processed, and transmitted during the litigation process. As such, it is helpful to evaluate appropriate measures that should be taken at each stage of the discovery lifecycle to ensure compliance with HIPAA and HITECH standards. EDRM as a Map for HIPAA & HITECH Issues The Electronic Discovery Reference Model ( EDRM ) is regarded as the gold standard in mapping the ediscovery process and provides a conceptual framework for the iterative steps used by law firms, ediscovery providers, and others engaged in the litigation process. Established in 2006 by a coalition of ediscovery consumers and providers, the EDRM addresses the lack of standards and guidelines in the ediscovery market. Since creating the EDRM, the EDRM group, comprised of 268 organizations, including 172 service and software providers, 68 law firms, three industry groups and 24 corporations involved with ediscovery and information governance, have developed additional standards and frameworks that guide the industry on the various stages of ediscovery. Using the EDRM as a foundation, an analysis of each stage of the EDRM will illuminate various administrative, physical, and technical controls that may impact compliance with HIPAA and HITECH standards. 1. Information Management The first stage in the EDRM is understanding and organizing ESI, thus reducing costs and mitigating risk when litigation, regulatory, or compliance matters arise. This includes understanding data across the entire data lifecycle from creation, communication and Electronic Discovery Reference Model / 2009 / v2.0 / EDRM (edrm.net) 22

3 storage to data remediation and destruction as well as recognizing what types of information constitute electronic protected health information ( ephi ). Understanding which combinations of information rise to the level of ephi will play a significant role in developing processes and standards to minimize the risk of compromising such data. Critical to HIPAA and HITECH compliance is the establishment of data classification systems that help organizations recognize PHI and attach labels (or classifications) that allow key controls to be applied to ensure the security and integrity of such data. Using a data classification system, an organization can proactively tag various types of data being ingested into its information technology architecture and apply certain rules to those tag classifications to enable differing levels of control. This means that data that is classified as PHI may be subject to different internal standards and access controls from information that is classified as Business Strategy or Financial Projections. Data classification is an emerging technology trend that is still being refined and included in data archiving solutions; it also requires advance planning and strategic discussion of which classifications are going to be incorporated, as it must be implemented at the onset of launching the classification system in order to catalog all information passing through the organization s IT infrastructure. 2. Identification The second stage of the EDRM occurs when various sources of ESI are located and the scope and breadth of potential data are established. The custodians of relevant information are identified, as well as the potentially responsive documents. While this step typically focuses on specific timeframes, custodians, and business units within a larger organization, from a HIPAA perspective it is important to recognize key data sources that may contain PHI so that law firms and ediscovery providers can understand which types of administrative, physical, and technical controls to apply in the following stages of the discovery process. 3. Preservation Preservation primarily involves protecting ESI and data sources from being accidentally altered, modified, or destroyed during the discovery process. During this stage, data that has been identified as potentially relevant during the Identification phase is placed on a litigation hold, 13 ensuring that data is not modified or accidentally destroyed. Preservation is the first stage in continued on page 24 Type Information Access Management Access Authorization Device and Media Controls Accountability Notes Preservation (a)(4)(ii)(B) ediscovery service providers utilize archiving databases and automated litigation hold technologies for the purposes of preservation and litigation hold. These platforms, which typically consist of large software systems and ESI databases, store huge volumes of data and prevent spoliation. Policies and procedures for granting access to the potential ephi stored in these databases need to exist in order for the service providers to consider themselves meeting the intent of the HIPAA access authorization standard. This authorization standard includes evaluation of which workforce personnel may be provided access to the ESI/ePHI in question and the type and extent of access authorized to information systems, as well as an overall risk analysis for each trained workforce member or business unit within the organization that has a need to access such info to accomplish a legitimate task (d)(2)(iii) ediscovery Service providers also need to maintain detailed chain of custody logs 14 to record any movement of hardware or electronic media and any person responsible for such under state and federal rules of evidence that apply to the litigation and criminal legal process. This is especially important during the archiving process because the physical media holding the potential ephi must be safeguarded and audit tracking capabilities must be enabled in case of a physical security breach. Access Control Emergency Access Procedure (a)(2)(ii) HIPAA standards require the availability of archived, preserved data. 15 HIPAA requires logs, authorizations, and requests for restrictions, access, copies, etc. to be retained for a minimum of six years, although in some cases the HITECH Act has limited certain archival retention to three years. 16 This includes the ability to access the data during an emergency situation. It is important for organizations to develop emergency access procedures, along with the appropriate compensating access controls, so that data remain protected even during emergency situations. 23

4 2013 HIPAA/HITECH Amendments: How the Changes Impact ediscovery continued from page 23 the EDRM where organizations, law firms, and ediscovery providers are actually handling data, and thus where specific steps to ensure HIPAA compliance must be enforced. The overall goal of preservation is to provide a defensible process to avoid spoliation of data, but the EDRM does not provide any specific direction on how to protect PHI from being inadvertently exposed. Organizations should consider the following safeguards during the Preservation process to ensure compliance with HIPAA and HITECH regulations. 4. Collection The next phase of the discovery lifecycle is capturing the identified ESI that will be examined and culled down during the ediscovery process. Collection operates hand-in-hand with Preservation, and depending on where data resides in an organization these steps may take place in succession or simultaneously. Whether data is collected in the form of physical documents, extracted from electronic databases, or downloaded from cloudbased platforms, collection is a critical step in the discovery process and security is impacted in numerous aspects of data collection. Organizations should consider the following safeguards during the Collection process to ensure compliance with HIPAA and HITECH regulations. 5. Processing Once relevant sources of ESI have been preserved and collected, the next stage in the discovery process involves filtering large volumes of data down to a more manageable subset so it can be more closely examined for relevance and responsiveness. This phase of ediscovery may also involve converting data from one form or format into a more standardized format to facilitate review and analysis. This phase often involves the extraction of text and metadata from native files, as well as tools that de-duplicate redundant files or remove extraneous non-relevant system files. Modern processing tools can also employ advanced analytic tools to further reduce the data set prior to attorney review to save time and money. Key security considerations around processing stem from the use of software tools or even cloud-based platforms that support the culling of data to more manageable subsets. Organizations should consider the following safeguards during the Processing stage to ensure compliance with HIPAA and HITECH regulations. Type Workforce Security Authorization/ Supervision and Workforce Clearance (a)(3)(ii)(A) & (a)(3)(ii)(B) Notes Collection Collection must be performed by a qualified and competent person, whether completed on site or remotely. Key considerations include a documented process for hiring competent individuals by carefully examining prior experience and technical competency. On-boarding procedures should include processes to vet potential hires for criminal history and the signing of protective contracts such as non-disclosure agreements. Additionally, organizations need to have procedures regarding who has the authority to grant permission to perform collections. Device and Media Controls Media Disposal and Media Re-Use (d)(2)(i) & (d)(2)(ii) Service providers that perform collections need to have processes and procedures in place for the receipt, logging, and handling of electronic media that may contain ephi. This should include complete chain of custody documentation and documentation of physical safeguards in place for management of the media when it is in the service provider s possession. Transmission Security Encryption (e)(2)(ii) All data should be protected via encryption 17 in transit to and from the collection site. This safeguard should be in place whether potential PHI is transferred on portable media, traditional hardware, or over the Internet and has been considered a best practice across the IT, legal, and financial industries for more than a decade. In each case, proper encryption controls need to be in place to guard against unauthorized access while in transit. 24

5 Type Business Associate Contracts and Other Arrangements Notes Processing (b)(1) ediscovery service providers typically use complex software to handle ESI processing. Since the vendors who create these platforms often support them by remotely accessing the active database to help resolve technical issues, they are now potentially accessing PHI on behalf of the service provider. These software vendors who provide and license the platforms installed at and operated by ediscovery providers are now considered business associates as well and, as such, a business associate agreement needs to be in place. The growth of cloudbased processing software has added a layer of complexity to the ediscovery process, although in most cases the software licensing agreement between software vendor and ediscovery provider will be subsumed within the law firm s business associate agreement with the ediscovery provider. Facility Access Controls Facility Security Plan and Access Control Procedures (a)(2)(ii) & (a)(2)(iii) ediscovery providers need to have appropriate policies and procedures in place to safeguard the facility and equipment processing potential PHI. This includes access controls as well as validation procedures for anyone accessing equipment that maintains, transmits, stores, or processes PHI. Examples of these controls may include biometric access controls, proximity card-based access controls, or cameras. Transmission Security Integrity Controls (e)(2)(i) Processing data requires that vendors have auditing procedures in place to ensure the integrity of data. Thousands of files are modified as a result of the manipulation that occurs during processing. Service providers should maintain appropriate data integrity controls to confirm that PHI is not improperly modified without detection during processing. 6. Review During the review phase, attorneys will evaluate the reduced pool of ESI for relevance and privilege. This typically includes attaching legal issue tags to documents or groups of documents for use in developing strategies during settlement negotiations or trial. Modern review is most often conducted using cloud-based review platforms that are accessed remotely by teams of external contract attorneys. Given the combination of offsite, proprietary, web-based review platforms and the frequent utilization of thirdparty reviewers, organizations should consider the following safeguards during the Review process to ensure compliance with HIPAA and HITECH regulations. 7. Production Production involves delivering the final reviewed dataset to either opposing counsel or the court based on agreed-upon specifications. This production may take different forms (from native files to image files such as TIFF 18 to specific load file formats), as the recipient s document review platform may not mirror the platform used by the producing party. Key security considerations here include similar precautions as during the preservation and collection process, because all data needs to be protected in transit. Transfer may take place over the Internet or by FTP or may be burned onto physical media such as DVD/CD and delivered by overnight mail or courier service. In any case, proper encryption controls need to be in place to guard against unauthorized access while in transit via or on physical media, and chain of custody documentation must be completed. 8. Presentation Presentation involves using the processed and reviewed data at depositions, hearings, or trials as part of the litigation process to uncover further information to be evaluated, prove or disprove elements of a matter, or to persuade an audience. To the extent possible under the rules of court or other venue, care should be taken to minimize exposure of ephi unless necessary in the arguments of the case. If details are being presented in law offices, arbitrator s facilities, or the courtroom, reasonable measures should be implemented to ensure that ephi is not discussed in front of unauthorized personnel and that any ephi physically present should be removed from the premises at the conclusion of such presentation activities. Comparing/Contrasting HIPAA & ISO Standards For Data Security In addition to HIPAA, a number of other protocols and standards exist for protecting data of various types. One such protocol is ISO 27001, continued on page 26 25

6 2013 HIPAA/HITECH Amendments: How the Changes Impact ediscovery continued from page 25 Type Security Management Process Activity Review (a)(1)(ii)(D) Notes Review Review typically takes place on third-party software platforms that are accessible via the Internet. These software platforms log user authentication, data modification, and other actions that occur during the software s use. Service providers are bound by HIPAA to implement procedures to regularly review these records for discrepancies or security concerns. Facility Access Controls Contingency Operations (a)(2)(i) Service providers need to have physical security measures in place to ensure that unauthorized individuals do not have access to the review platform or the underlying database being reviewed. Additionally, in the event of emergency, providers should have contingency plans and alternate access procedures. This includes allowing facility access in support of restoration of lost data under a disaster recovery plan or implementing emergency operations plan. Access Control Unique User Identification (a)(2)(i) All reviewers should be identified in audit logs and each reviewer should be provided a unique username and password combination. Additionally, ediscovery providers who host review software should consider implementing an automatic log out mechanism after a set period of inactivity. These two processes assure accountability in the event of a security incident. Additional steps may include the use of tokens or rotating access codes that require an additional layer of authentication for reviewers to access the database. which is the international standard describing best practice for an Information Security Management System. Developed by the International Organization for Standardization ( ISO ) in October 2005 and updated in September 2013, the objective of the ISO standard itself is to provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System. 19 ISO is not a single rigid standard; rather it is a continuous quality control process that requires an organization to develop comprehensive written policies and procedures addressing all aspects of information security within the organization. There are several key differences between HIPAA-compliant security standards and ISO-issued certifications for data security, the primary element being that HIPAA focuses exclusively on healthcare related information while ISO is focused on data as a whole and varies from organization to organization in how the practical elements of policy are defined and implemented. ISO 27001, while not required, provides additional assurances to law firms and corporations that the data they are entrusting to their ediscovery provider is secure. Questions to Ask ediscovery Providers In order to assist attorneys in managing their newly expanded liability under HIPAA and HITECH, below is a list of questions to ask ediscovery providers to ensure they are in compliance and minimize potential risk for the attorney representing the healthcare organization. These questions should be viewed as a general roadmap that will require balancing risk and cost. There are no clear cut answers that meet a defined minimum threshold to eliminate liability, so each attorney should consider his/her level of risk aversion and evaluate answers to the questions below through that prism. What experience do you have working with and representing healthcare organizations? Can you provide formal documentation on physical security parameters of your data processing facility? Do you have formal policies for data security and management? What certifications do you have pertaining to data security? Have you undertaken any specific efforts to comply with the regulations implementing HIPAA and the HITECH Act? Have you hired a third party to evaluate your data security and/or compliance with applicable regulations, including HIPAA and the HITECH Act? Is your processing center ISO certified? How often are your security policies reviewed and updated? 26

7 Have you had any security breaches or incidents involving potential exposure of PHI in the last three years? If so, please list them. Do you have a data security team or data security officer on site at your facility? How many people within your organization are specifically tasked with managing and maintaining the security and integrity of client data? What levels of security are enacted for physical access to your data processing facility? Key Card? Man Trap? Biometric Access? Video Surveillance? Will work be completed entirely onsite, will data be transmitted physically or electronically to a processing/hosting facility, or will all collections be performed remotely? Is data going to be hosted in a specific physical environment or on a cloud-based server? What contract provisions related to data privacy and specifically PHI are included in contracts, especially those related to indemnification, liability limitations, and insurance requirements? Conclusion The regulations implementing HIPAA and the HITECH Act have created a brave new world for business entities that work with, represent, or handle PHI on behalf of healthcare organizations. For law firms representing healthcare providers and healthcare organizations, this creates a substantial administrative burden as well as a newly-realized liability for the actions (or omissions) of contractors such as ediscovery providers who assist firms with handling PHI as part of legal matters. In order to minimize risk, attorneys should be aware of the liability potential and carefully screen ediscovery providers and other contractors to ensure that anyone working as an agent of the attorney and law firm is fully compliant with the regulations under HIPAA and the HITECH Act. Brian Brown, vice president of technology and security for RenewData, an LDiscovery Company, is an innovator and industry leader with more than fifteen years of experience architecting solutions for technology companies. He currently leads strategic technological roadmap efforts for the company, leveraging his experience handling massive data volumes (30PB+), as well as his background with enterpriselevel software development, information architecture, and data center and security convergence. Additionally, Brown uses his expertise in computer forensics, ediscovery, and information security to assist clients in cases requiring the extensive review of relevant case data by a fully trained and certified investigator. Brown is also responsible for the design, construction, and management of RenewData s 43,000 square-foot, secure, state-of-the-art facility. He may be reached at brian.brown@renewdata.com. Danny Tijerina is a Certified Information Systems Auditor, Certified Information Systems Security Professional, and licensed private investigator in the state of Texas. He has over five years experience in information security operations, security research, and compliance with laws and standards like HIPAA, PCI-DSS, and ISO Tijerina s responsibilities at RenewData, an LDiscovery Company, have included overseeing and enhancing the company s Information Security Management System and maintaining its ISO certification. He may be reached at danny.tijerina@renewdata.com. Endnotes 1 Health Information Privacy, HHS.gov, accessed January 20, privacy/hipaa/understanding/coveredentities. 2 Reece Hirsch, A Little Privacy, Please, Corporate Counsel, May 2013, Summary of the HIPAA Privacy Rule, HHS. gov, accessed January 20, ocr/privacy/hipaa/understanding/summary/ index.html. 4 Summary of the HIPAA Security Rule, HHS. gov, accessed January 20, ocr/privacy/hipaa/understanding/srsummary. html C.F.R The Final Rule implementing most of the HITECH Act, also known as the omnibus rule, is at 78 Fed. Reg (Jan. 25, 2013) C.F.R C.F.R C.F.R C.F.R C.F.R What is the difference between addressable and required implementation specifications in the Security Rule?, accessed January 20, rule/2020.html. 12 Electronic Discovery Reference Model, accessed January 20, Zubulake v. UBS Warburg ( Zubulake IV ), 220 F.R.D. at 217 (S.D.N.Y. Oct. 22, 2003). Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a litigation hold to ensure the preservation of relevant documents. 14 Chain of Custody, accessed January 20, chain-of-custody. 15 HIPAA Final Omnibus Rule 2013, accessed January 20, FR /pdf/ pdf C.F.R Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, accessed January 20, privacy/hipaa/administrative/breachnotification rule/brguidance.html. 18 TIFF is a file format that is commonly used in ediscovery. Typically, other file types are converted to TIFFs because they are easy to redact and searchable across the collection of TIFFs. 19 International Organization for Standardization, accessed January 20, iso/home/standards/management-standards/iso htm. 27