Clients Legal Needs in HIPAA Security Compliance

Transcription

1 Clients Legal Needs in HIPAA Security Compliance Robyn A. Meinhardt, JD, RN FOLEY & LARDNER LLP 2004 Preserving Attorney-Client Privilege and Work Product Protections 1

2 Relevance to Security Compliance Audits and Internal Investigations To encourage parties to seek legal advice freely and to communicate candidly with an attorney during consultations about specific matters without fear that confidential information will be disclosed. Elements Necessary for Protection Privilege protects confidential communications between a client and attorney for the purposes of securing legal advice. Communications must be with either an attorney acting in a legal capacity or with the attorney s subordinate or agent. 2

3 Elements, con t Communications must be made to secure legal advice. Matters discussed with employees relate only to the scope of their duties. Communications are ordered to be kept confidential by employees. Documents are marked as privileged and attorney work product (as appropriate) and segregated from regular business materials. Potential Limitation on Attorney- Client Privilege While the privilege protects communications between the attorney and a client, information contained in the communication to an attorney may not be privileged. 3

4 Legal Advice vs. Business Advice The primary purpose of the consultation must be to obtain legal advice. If using in-house counsel, must clearly show advice was given in a professional legal capacity. If documentation is used by both legal and nonlegal personnel, a court may conclude that the primary purpose was not to secure legal advice. The Attorney Work Product Privilege? Protects documents prepared in anticipation of litigation by a party or the party s representative. In anticipation of litigation is broadly interpreted, and can include potential government investigations. Protects the mental impressions, conclusions, or opinions of the attorney contained in any document. 4

5 Attorney Work Product Privilege, con t May protect documents and communications other than those between an attorney and a client. Only extends to documentation prepared in anticipation of or during litigation. Compliance Investigations / Audits under Attorney-Client Privilege Performing audits in participation with and under engagement of legal counsel is a viable method for identifying risks while protecting the confidentiality of that information. 5

6 Legal Counsel s Responsibilities Related to Procuring Agents Engage vendor through verbal communications, and confirm engagement with a formal engagement letter that defines the vendor s scope of work, reporting responsibilities to legal counsel, and method of payment. Approve the work plan/audit program developed for the investigation. Direct the vendor regarding communication protocols and report distribution. Legal Counsel s Responsibilities, con t Review vendor s audit work papers as deemed appropriate. Review and approve vendor s audit reports. Distribute or approve distribution of audit reports to appropriate parties. 6

7 Important Notes: There are no absolute guarantees that communications and documentation will be fully protected from disclosure. Legal counsel represents the client, not the client s employees. Therefore, the privilege only extends to the client, and not their employees. More Important Notes: If the client chooses to waive its privilege, information provided by employees may be disclosed. Employees must be informed of this prior to interview. 7

8 Additional sources of Security Obligations Comprehensive computer security requirements are currently mandated by statute or regulation in three industries: Financial services (G-L-B) Health care (HIPAA security regulations) Activities under jurisdiction of the Food and Drug Administration (21 C.F.R. Part 11) Legal Sources of Security Obligations FOLEY & LARDNER LLP

9 Sources of Security Obligations: FTC FTC: Pursuing enforcement actions against companies that promise privacy but fail to deliver due to infrastructure vulnerabilities (FTC asserts this is an unfair or deceptive trade practice ). FTC also enforces COPPA (Children s Online Privacy Protection Act Includes a requirement for reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Sarbanes-Oxley Act Publicly Traded Companies (for now) The Act requires the SEC to prescribe rules requiring annual reports to contain an internal control report. Imposes management responsibility for establishing, maintaining and assessing the effectiveness of an adequate internal control structure. CEO and CFO certifications of material information are to address the effectiveness of internal controls for ensuring information accuracy. 9

10 Sarbanes-Oxley Act The Act s internal controls mandate will: Require assessment of the company s information systems and associated business processes for security Make a secure information infrastructure necessary, in order to provide accurate financial reporting California s Database Protection Act Also known as SB 1386; Civil Code etc. seq. Applies to any person or business doing business in California. Requires notification to data subjects who are California residents, whenever their name plus either: Social Security Number; Driver s license or California ID card number; or Financial account, credit or debit card number and any related PIN has been accessed without authorization (unless that information was encrypted). 10

11 Fiduciary Duties of Corporate Directors Recent Corporate Law Developments regarding Fiduciary Obligations three examples of this growing field of law Pereira v. Cogan, 2003: Federal district court decision focused on breach of the fiduciary duties of the directors of a private company. Holding: Directors who purposefully remain ignorant of issues, without regard to their fiduciary obligations, will be held liable. Fiduciary Duties of Corporate Directors In re The Walt Disney Co. Derivative Litigation (May, 2003: Delaware Chancery Court decision regarding executive compensation). Shareholders allegation was that directors nonparticipation in selection and compensation of president resulted in $138 million loss. The court determined that if this allegation was true, the directors would not have acted in good faith, and so would not be protected by the business judgment rule i.e., would be personally liable. 11

12 Worldcom Bankruptcy WorldCom bankruptcy case: bankruptcy examiner s Thornburgh Report of 2003: Discusses lapses in fiduciary judgment with respect to financial affairs, strategic planning and oversight of senior management; and Comments on the unwillingness of WorldCom counsel (inside and outside) to advise the Board about its fiduciary obligations related to corporate decision-making. International Sources of Security Obligations Council of Europe s Draft Convention on Cybercrime (2001). Article 12: Corporate liability for lack of supervision or control of its agents. European Union s Data Privacy Directive: Controls processing of personal information Each EU country enacts implementing legislation. (ABA s International Guide to Combating Cybercrime: 12

13 Computer Fraud and Abuse Act 1. Computer Fraud and Abuse Act of 1986 (as amended) 18 U.S.C. Section 1030: criminalizes acts against protected computers - those used in government, financial services, or in interstate or foreign commerce. Crimes defined include intentionally accessing a computer without authorization or in excess of authorized access. Electronic Communications Privacy Act 2. Electronic Communications Privacy Act of 1986, 18 U.S.C. Sections : Addresses allowance of and limits on network monitoring Amended by the 2002 Homeland Security Act (Pub. L. No ): Included the Cyber Security Enhancement Act which expanded cybercrime definitions and penalties. 13

14 PATRIOT Act 3. US PATRIOT Act of 2001 (Pub. L. No ): Addressed communications tracing and interception; Protected disclosures to law enforcement; Expanded search warrants; Enhanced cybercrime/cyberterrorism penalties; And more. Trade Secret Offenses 5. Economic Espionage Act of 1996, 18 U.S.C. Sections : Describes a number of crimes that fall under the theft of trade secrets and economic espionage headings. May apply to conduct outside the U.S. Penalties include forfeiture of property. 14

15 Other Federal Criminal Statutes related to Computer Crime 18 U.S.C. Section 1029 (Fraud and Related Activity in Connection with Access Devices) 18 U.S.C. Section 1362 (Communication Lines, Stations or Systems) US Child Pornography Prevention Act of 1996 PROTECT Act 18 U.S.C