Attorneys often find the need to obtain medical records during the prosecution of their case. In addition to complying with state laws concerning patient privacy, counsel also must comply with federal regulations found in the Health Insurance Portability and Accountability Act of 1996 (HIPPA).
Last year, the U.S. Department of Health and Human Services published several amendments to HIPAA, known as the “Omnibus Rule,” which incorporated mandated security requirements of the Health Information Technology for Economic and Clinical Health Act, or the HITECH.
Before the new Omnibus Rule, HIPAA required a contract with a covered entity to identify business associates; however, the new rule expands the definition to include organizations, including law firms, that do not have explicitly executed contracts with a covered entity. The broadened definition allows HHS to hold law firms directly liable for HIPAA violations.
Most of the new Omnibus Rules deal with traditional health care providers and entities; however, greater responsibly was placed on “business associates,” which HIPAA defines as those who conduct business “that involves the use or disclosure of individually identifiable health information.”
Attorneys working with protected health information need to familiarize themselves with HIPAA’s requirements; however, the mere possession of protected health information does not make an attorney a business associate.
For example, if a plaintiff-patient gives her medical records to her attorney, the plaintiff’s attorney does not become a business associate. If, on the other hand, the doctor gives his attorney protected health information, the defense attorney becomes a HIPAA business associate, because the doctor is a covered entity and he is sharing protected health information outside of his practice.
Under the updated federal HIPAA rule, as mandated by the HITECH Act, attorneys who represent or work for a protected entity must, among other things, comply with the Security and Breach Notification Rules. The Security Rule sets out safety standards to ensure security of protected health information.
The rules characterize these safety standards as “required” or “addressable.” The “addressable” standards allow firms to create their own policies and determine how they will deal with security standards; however, the “required” standards are uniform, and must be strictly followed.
The Breach Notification Rule poses the largest potential problem for attorneys. Under the Breach Notification rule, a business associate must report a breach of unsecured protected health information to the client, and then the client must disclose the breach to the patient.
For example, say a lawyer represents a covered entity and maintains protected health information on her laptop and loses that laptop at the airport. She must disclose the breach to her client. The client then bears the responsibility for relaying the breach to each affected patient.
Aside from the headache and reputational tarnish that comes with informing clients of a breach of their protected health information, HHS can impose penalties. Under the HITECH Act, which Congress incorporated into HIPAA under the Omnibus Rule, a four-tier system penalizes HIPAA breaches, with a maximum penalty of $1.5 million per year for violations. Attorneys not only face potential penalties for their own violations, they may also face liability for violations committed by their subcontractors, such as record retrieval companies.
In addition to the federal requirements, Texas attorneys have additional security requirements to follow, as found in Texas House Bill 300, effective September 1, 2012.
HB 300, among other things, significantly expanded the definition of a “covered entity” to include any person who is in the practice of using, evaluating, storing or transmitting protected health information; any person who comes into possession of protected health information; any person who stores protected health information; or any person employed by any of the above.
Unlike the federal regulation, which seems to exclude the plaintiff’s attorney, the Texas standard directly applies to the plaintiff’s attorney as well.
Aside from expanding the definitions, the Texas law requires employee training on federal and state patient health privacy and security laws. Covered entities and their employees must complete training every two years, or within 60 days of hire.
The Texas law also requires covered entities to expand their notices to clients and patients as to how they will use and disclose their protected health information.
As with the HIPAA requirements, the Texas law requires a disclosure of any breach of a client or patient’s protected health information. Depending on the severity of the breach, the Texas law allows for civil penalties ranging from $5,000 to $1.5 million. In imposing penalties, the Texas Attorney General and Texas Health and Human Services Commission will take into account the severity of the breach, the entity’s compliance with the training requirements, and the entity’s efforts in correcting the breach. In addition to civil penalties, it is possible for the attorney general to classify a data breach of protected health information as a felony for criminal prosecution.
Attorneys working with protected health information need to be proactive about ensuring compliance with federal and state requirements. To ensure compliance with applicable laws, conduct a risk assessment to identify any potential security vulnerabilities. First, the lawyer must analyze whether he and his firm are considered a covered entity or business associate, as defined by federal or state law. If their practice falls within these definitions, the practitioner then must evaluate how they utilize and transmit protected health information.
To ensure compliance, draft a clear internal policy that outlines how to handle protected health information and employee sanctions for noncompliance. Additionally, review all existing contracts with subcontractors to ensure compliance with federal and state standards. The state holds all subcontractors of a covered entity to the same level of responsibility as the covered entity itself; therefore, all contracts must express this requirement.
Lastly, regardless of the law, lawyers should train their employees on the importance of maintaining security and privacy standards regarding protected health information.
Compliance with HIPAA and applicable state laws is not optional. Lawyers should thoroughly research HIPAA requirements, do an honest evaluation of their firm’s compliance, and implement necessary changes. Firms have 1.5 million reasons to make HIPAA compliance a high-level business priority.
Raymond L. Panneton is an associate with the Talaska Law Firm in Houston. His email address is firstname.lastname@example.org