By Jonathan R. Villien
The Health Information Technology for Economic and Clinical Health (HITECH) Act, effective September 23, 2013, modified HIPAA to impose direct liability on business associates (BA) of entities subject to HIPAA (covered entities) for certain violations associated with HIPAA’s Security and Privacy Rules. 42 U.S.C. §§ 17931, 17394; 45 C.F.R. §§ 164.302, 164.502. Law firms providing legal services to covered entities, such as hospitals or physicians, requiring the use of protected health information (PHI), referred to as “law firm BAs,” are now considered business associates of those covered entities. Thus, if you practice in the area of healthcare professional liability defense or compliance and require the use of PHI to perform services, you are likely considered a “BA” under HIPAA and HITECH and must directly comply with those regulations.
But HITECH goes further than that; the Act also requires the Office of Civil Rights (OCR) to conduct periodic audits of covered entities and business associates for compliance. 42 U.S.C. § 17940. Thus, healthcare attorneys, as BAs, will also be potential audit targets in addition to covered entities. In the coming year (from October 2014 to June 2015), OCR intends to conduct an audit of 350 covered entities. Those covered entities will be required to disclose the identity of their BAs; from there, OCR will randomly select 50 of the disclosed BAs for auditing. See Marianne McGee, HIPAA Audits: Round 2 Details Revealed, Healthcare Info Security (April 11, 2014), http://www.healthcareinfosecurity.com/hipaa-audits-round-2-details-revealed-a-6747/op-1.
If the law firm BA is not currently HIPAA/HITECH compliant, the following identifies and briefly expounds upon the primary steps (though not necessarily an exhaustive list) that a law firm BA should take to comply with HIPAA and HITECH ahead of the proposed 2015 BA audits.
Conduct a Risk and Gap Analysis
One of the first steps in assuring that the law firm BA is HIPAA/HITECH compliant is to conduct an initial risk analysis to identify HIPAA violations or other obvious problem areas, as well as the gaps between the policies and procedures that should theoretically be in place and those that actually are. 45 C.F.R. § 164.308. The firm must take reasonable steps to minimize incidental disclosures of PHI. When dealing with medical records, it is all about using “reasonable safeguards” to protect PHI, but these safeguards may vary depending on whether the health information is electronic or not. 45 C.F.R. § 164.502. In any event, an initial assessment of whether such safeguards are in place is essential to evaluating what the law firm BA needs to do going forward.
Develop a Security Risk Management Program
Law firm BAs are expressly subject to HIPAA’s Security Rule, so development and implementation of a security compliance plan is another essential step towards compliance. If a law firm BA maintains electronic PHI, or “ePHI,” then “administrative, technical, and physical safeguards” are required to ensure that the ePHI is securely maintained. 45 C.F.R. §§ 164.308-312. So the question becomes: What is the law firm BA doing to reasonably protect PHI and ePHI from unauthorized uses or disclosures, and what does it need to do in the future?
Appointment of a Security Official
The HIPAA Security Rule requires the law firm BA to appoint a “security official” to ensure security compliance. That person will be responsible for the development and implementation of the aforementioned policies and procedures, and will likely be the Office of Civil Rights’ (OCR) point of contact in the event of a HIPAA audit. 45 C.F.R. § 164.308.
While HIPAA/HITECH compliance will need a person in charge, it will ultimately require the involvement of all lawyers and personnel who are familiar with the nature of the firm’s medical record system and business associate relationships, IT professionals who are versed in the firm’s document management system, and anyone else who handles PHI or ePHI as a regular part of their job.
As part of the security compliance program, law firm BAs will need to formulate policies setting forth those “administrative, technical, and physical safeguards” necessary to protect the confidentiality, integrity, and availability of ePHI insofar as they are currently not in place, and put those policies into practice. See 45 C.F.R. §§ 164.308-312. Those safeguards include the following:
Administrative Safeguards – security and risk management plans; protections from malicious software; password management; contingency plans. 45 C.F.R. § 164.308.
Physical Safeguards – facility access controls; maintenance records; workstation security; device and media controls; data backup and storage. 45 C.F.R. § 164.310.
Technical Safeguards – access controls; audit controls; data encryption. 45 C.F.R. § 164.312.
Development of Policies and Procedures
Regardless of whether the PHI is maintained in hard copy or electronically, law firm BAs must also comply with HIPAA’s Privacy Rule, which requires that the law firm BA make reasonable efforts to limit use, disclosure, and requests of PHI to the “minimum necessary” to accomplish an intended purpose. To do so, the law firm BA should formulate information security policies that delineate the necessary access limitations on documents – whether hard copy or electronic – containing PHI. Because one can easily envision a breach of the Privacy Rule – for example, a non-BA attorney or staff member from the firm inadvertently accessing and viewing a medical bill or record on the firm’s electronic filing system – the law firm BAs should also develop a policy incorporating the breach determination risk assessment. 45 C.F.R. §§ 164.316, 164.502, 164.530.
In developing policies and procedures, the law firm BA should reexamine the substantive language contained in their business associate agreements for compliance with HIPAA. 45 C.F.R. §§ 164.504, 164.314. The law firm BA should also address the standard HIPAA Privacy Rule concerns, such as (but not limited to) patient access to PHI, accounting of disclosures of PHI, permissible uses/disclosures of PHI, document return/destruction, storage of PHI, and contracts for independent contractor relationships. See 45 C.F.R. § 164.500.
Regarding BA independent contractor contracts, the law firm BA will need to ensure that all independent contractors are also HIPAA/HITECH compliant, since the law firm BA may have potential vicarious liability for HIPAA civil penalties under the federal common law of agency for the acts of its agents within the scope of the agency. See 45 C.F.R. § 160.402; see also 45 C.F.R. § 164.504.
Development of a Breach Notification Policy
The law firm BA’s HIPAA/HITECH obligations will require them to notify the covered entity for whom they are a business associate if unsecured PHI is acquired, accessed, used, or disclosed in violation of HIPAA. 45 C.F.R. § 164.410. The law firm BA should institute a breach notification policy that outlines how breaches are handled. 45 C.F.R. § 164.414.
Staff Training Requirements
Additionally, the law firm BA will need to demonstrate that their staff with access to ePHI has been appropriately trained. Thus, the law firm BA should develop or adopt a staff training policy and manual that will set forth the required training for employees relative to their function and role. 45 C.F.R. § 164.308.
Of course, the law firm BAs will need to properly maintain documentation regarding all medical record policies and procedures, training programs, breach notification policy, etc. HIPAA requires such documentation to be maintained for at least six years. 45 C.F.R. § 164.316.
The above represents a general framework that the law firm BA should construct so that they can assure HIPAA compliance in the future and avoid a finding of noncompliance during the OCR BA audits. Business associates, including most attorneys representing healthcare professionals, will no longer receive special treatment, but rather are expected to comply to the same extent as covered entities.