ALM Properties, Inc.
Page printed from: Corporate Counsel
2013 HIPAA Omnibus Rules Increase Risks for Law Firms
Law Technology News
Important new rule changes to the Health Insurance Portability and Accountability Act of 1996 now force law firms that come into contact with protected health information to revisit internal policies and practices, enforce information security controls, protect confidential information, monitor workforce access to information, and track compliance.
Until now, the U.S. Department of Health and Human Services never made the move to audit or penalize law firms for lack of compliance with HIPAA data privacy and security rules, choosing instead to focus regulatory efforts on health care providers and related health care organizations. But the game is about to change. The HIPAA Omnibus Rule, which took effect on March 26, finalizes multiple revisions to previous HIPAA regulations. For the first time, business associates, such as law firms, are directly liable for multiple provisions of HIPAA rules.
The central goal of HIPAA regulations is to protect the security and privacy of information pertaining to an individual's health records, known as protected health information (PHI), throughout the intricate network of health care providers, insurers, and service providers that interact with this information. The first step in solving that equation, as effected in the 2009 Health Information Technology for Economic and Clinical Health Act, was to promote the widespread adoption and standardization of health information technology among health care organizations and business associates, the third parties that perform functions or services for health care organizations involving the use of PHI.
The second step was to fortify the technology with an equally widespread set of data privacy and security requirements. HHS solved step two gradually. At first, it held only health care providers and other covered entities directly liable for the HIPAA Privacy and Security Rules, and regulated downstream business associates through agreements stipulating that firms reasonably and appropriately protect PHI. The new Omnibus Rule goes one step further and expands enforcement scope to include the whole chain of third-party business associates and subcontractors that interact with PHI. Many firms, therefore, have no choice but to enhance their confidentiality controls and to adopt more stringent security measures to prevent unauthorized disclosure of any information protected under HIPAA's rules.
Certain provisions of the Omnibus Rule, such as restrictions upon the marketing and sale of PHI, are unlikely to affect law firms. There are, however, three key portions of the new rule for which law firms will be held directly liable and to which they should pay the most attention.
1. THE PRIVACY RULE
The Omnibus Rule applies select provisions of the Privacy Rule governing uses and disclosures of PHI directly to law firm business associates. The requirement most directly applicable to and important for law firms is the minimum necessary standard, which states that business associates must make reasonable efforts to limit uses, disclosures, requests, or provisions of PHI to the minimum necessary to accomplish an intended purpose. In practice, compliance would require information governance policies that limit workforce access to documents containing PHI exclusively to those lawyers who need it to carry out work for a given matter. When working on a matter, moreover, lawyers must request only the PHI needed to defend the case and no more.
2. BREACH NOTIFICATION
The 2009 HITECH Act enacted the first federal data breach notification requirement, and the Omnibus Rule extends the requirement to business associates. Under the rule, law firm business associates are required to notify the covered entity within 60 days following the discovery of a breach of unsecured PHI. A breach is treated as discovered on the first day on which the breach is known or should reasonably have been known. Failing to take reasonable steps to detect a breach may have devastating consequences for firm and client alike.
The 2013 Omnibus Rule also creates even tougher breach notification requirements by assigning the burden of proof to law firms and their clients. Previously, a breach was defined as a use or disclosure that caused a significant risk of financial, reputational, or other harm to an affected individual. Under the Omnibus Rule, any impermissible acquisition, access, use, or disclosure of PHI, including violations of the minimum necessary standard, is presumed to be a breach unless a firm can demonstrate, through a documented assessment, a low probability that the information has been compromised. The risk assessment requires consideration of: the nature and extent of the PHI involved; the identity of the unauthorized person who used the PHI or to whom the disclosure was made; documentation of whether the PHI was actually acquired or viewed; and assurances that the risk to the PHI has been mitigated. Firms should therefore constantly monitor and log information access so that they can rebut the presumption of a breach should a question arise.
3. THE SECURITY RULE
The Security Rule includes more than 40 standards, intended as national standards to safeguard the confidentiality, integrity, and availability of electronic PHI, or ePHI. Unlike with the Privacy Rule, law firm business associates are liable for failure to comply with the requirements of the entire Security Rule, just as it applies to covered entities.
The Security Rule requires business associates to designate a security official, ensure workforce compliance, and develop a comprehensive written set of policies and procedures to protect ePHI. The rule specifies a list of administrative, physical, and technical safeguards, some of which must be explicitly implemented and some of which are merely addressable, meaning they can be satisfied through reasonable, defensible alternative measures. Required technical safeguards include access control software, to limit access to ePHI to authorized lawyers and staff, and audit control software, to record and examine access and activity in information systems that store ePHI. Because the Security Rule originally dates back to 2003, encryption remains an addressable rather than a required standard. Still, data that rarely needed encryption in 2003 may need to be encrypted routinely in today's web-based information storage environments.
To build compliance, law firms should revisit contractual agreements with covered entities and/or relevant subcontractors, educate lawyers and staff about the changes, and implement the information security policies and protocols required by the rules. In a January commentary, Adam Greene, co-chair of the health information practice at Davis Wright Tremaine, advised law firms and businesses to start by focusing compliance efforts on the Security Rule, because compliance with this rule will likely take the longest. The rule of thumb is to tackle low-hanging fruit: establish and execute reasonable actions that HHS will recognize and reward in the event of an audit or investigation.
One clear place to start is to implement the access control and auditing technical safeguards required by the Security Rule. HHS tends to focus investigations on compliance with the minimum necessary standard, so firms should take steps to minimize possible disclosure within their firm systems. Still, compliance efforts may require a cultural adjustment in many firm environments, where lawyers and staff are often granted open access to client information to promote collaboration and knowledge management.
With the right access control security technology, however, firms can minimize the cultural impact of achieving compliance. Software that automates access control rights based upon business rules and regulatory needs can reduce the investment required to address culture shock and frustrations. Coupled with a directed effort to promote firmwide awareness of the changes, a reliable and intelligent access control tool is a solid step towards achieving full compliance.
For more information about how the new Omnibus Rule impacts law firms and the steps firms are taking to achieve compliance, see a recent webinar sponsored by IntApp Inc., featuring presentations from Hunton & Williams and industry security experts: http://bit.ly/ltnHIPAA.
Kathryn Hume is a risk practice specialist at IntApp Inc., based in Palo Alto, Calif. Email: firstname.lastname@example.org. Patrick Archbold is the head of IntApp's risk practice group, based in Minneapolis. Email: email@example.com.
This article originally appeared in Law Technology News.