What You Don’t Know, What You Should Know & What You Can Do About It
By Glenn H. Truitt, Esq. & Malvika Rawal, Ph.D., J.D.
The Health Insurance Portability and Accountability Act of 1996, best known as “HIPAA,” is sweeping legislation that was originally passed to ensure health insurance coverage for workers and their families when they change or lose their jobs, but has become widely known for establishing national standards for the privacy and security of personal health information.
HIPAA is one of the largest sources of regulatory liability in healthcare, and its reach has expanded as the industry's data infrastructure has grown. For businesses and professionals wholly within healthcare, HIPAA is an omnipresent and familiar reality. For many others, including personal injury attorneys, it represents a material but often overlooked liability.
This feature elucidates the duties and associated liabilities of personal injury (PI) attorneys under HIPAA and other, similar regulations.
Health Records Held By PI Attorneys Are Protected Health Information
PI attorneys collect and review evidence to determine the nature and extent of the injuries their clients suffered in a specific incident. That evidence includes the injured party's medical records. Under the definitions in 45 CFR §160.103, individually identifiable health information that a covered entity or business associate creates, receives, maintains or transmits is protected health information (PHI), and medical records are the paradigm case. Whether the copies stored in a law office are governed by HIPAA therefore turns on how the firm came to hold them, as the sections that follow explain.
PI Attorneys Are Business Associates If They Represent a Covered Entity/Business Associate
When a covered entity (CE) shares PHI with PI attorneys during a lawsuit involving medical or other professional malpractice (roughly 15 percent of such suits)1, those attorneys become business associates (BA) under 45 CFR §160.103. Some argue that the attorney-client privilege already preserves the confidentiality of the PHI, but guidance from the Department of Health and Human Services (HHS) requires that the CE/BA put a Business Associate Agreement (BAA)2 in place with its attorneys before disclosing any PHI to them.3
The 2013 Final Rule and Business Associate Agreements
Before the Final Rule took effect in 2013, a CE was liable for civil money penalties for the acts of its agent (the BA) within the scope of the agency.4 Under the Final Rule, a signed BAA places the relationship on a contractual footing and the BA becomes directly accountable for the duties the BAA spells out.5 In practice, where an attorney acting as the CE's agent causes a breach, liability for civil money penalties can still reach the CE; but where the attorney breaches the BAA or fails to take the required precautions, and that failure results in an unauthorized disclosure of PHI, the liability rests with the attorney.
Duties Under Security Rule
The overarching duty imposed on both CEs and BAs under the Security Rule is to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit.6
The Rule lets an entity choose safeguards that are reasonable and appropriate for its size, resources, the cost of the measures, and the likelihood and severity of the risks to its ePHI, and requires it to build a security risk management plan on that assessment.7 The firm must periodically review and update the plan so that it continues to protect ePHI adequately.8 The firm must apply appropriate sanctions to employees who fail to comply with the plan.9 It must also appoint a Security Officer responsible for developing and implementing the plan.10 Employees who access ePHI must be given only the minimum access needed to do their jobs.11 Finally, the firm must implement safeguards such as password management and log-in monitoring, anti-malware software, and off-site or cloud backups, which help protect ePHI against cyber-attacks.12
Duties Under the Privacy Rule
The Privacy Rule requires a CE to obtain assurances from its BAs, in the form of a BAA, that they will appropriately safeguard the PHI in their possession.13 The Rule requires the BA to implement physical safeguards, data safeguards, and a "minimum necessary" policy. A "minimum necessary" policy ensures that any use or disclosure of PHI involves only the minimum PHI needed to accomplish the task at hand.
Duties Under The Breach Notification Rule
In the event of a breach of PHI/ePHI, a BA such as a PI firm must notify the covered entity without unreasonable delay; the covered entity is then responsible for notifying the affected individuals, the Secretary of HHS and, for larger breaches, the media, although a BAA may delegate some of those notifications to the BA. 45 C.F.R. §164.402 defines "breach" as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI; an unintentional, good-faith acquisition by a workforce member acting within the scope of their authority is one of the narrow exceptions.14 An impermissible use or disclosure is presumed to be a breach unless the firm can demonstrate, through a documented risk assessment, a "low probability that the PHI has been compromised."
Enforcement Of Duties
A suspected violation of the HIPAA Rules can prompt a compliance review or investigation by the HHS Office for Civil Rights (OCR). If the firm cannot demonstrate compliance, OCR may impose civil money penalties or negotiate a settlement. Until recently, civil money penalties had been imposed only on CEs, even after the Final Rule took effect. On June 29, 2016, OCR announced that it had settled potential HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a BA of nursing homes. The alleged violations stemmed from the theft of a mobile device, affecting the ePHI of 412 individuals. The BA agreed to pay a $650,000 resolution amount and enter into a corrective action plan. This settlement is expected to be the first in a long line of OCR enforcement actions against negligent conduct by BAs, which has led to widespread PHI breaches in 2016.
PI Attorneys Representing Individuals Are Responsible for Protecting PHI Under State Law and Model Rules of Professional Conduct
PI attorneys performing services on behalf of the patient (here, the personal injury plaintiff, or "PIP") are not business associates under HIPAA/HITECH15, but they remain governed by the Nevada Revised Statutes (NRS) and the Model Rules of Professional Conduct. Attorneys representing PIPs typically receive PHI from the PIP after the PIP has authorized the disclosure by signing a comprehensive retainer agreement and a HIPAA authorization form.16
Duties of PI Attorneys Under the NRS
Because PI attorneys are data collectors under NRS §603A.030, they have a duty to protect the PHI they hold from unauthorized access, acquisition, destruction, use, modification, or disclosure.17 They must implement reasonable security measures to protect that PHI from bad actors.18 If a PI attorney uses an outside provider for data storage, the provider must be contractually obligated to the attorney to implement comparable security measures for the PHI.19
The NRS requires that ePHI be encrypted before it is transmitted outside the firm's secure system, and whenever it is carried on a storage device that leaves the firm's physical or logical controls.20 A PI attorney who complies with these requirements is not liable for damages arising from a breach unless the breach resulted from gross negligence or intentional misconduct.21 In the event of such a breach, the PI attorney may be liable for civil damages.22 If the PI attorney was involved in the breach, or profited from it, he or she may also be liable for restitution.23
Duties Under The Model Rules of Professional Conduct
Both the NRS and the Model Rules of Professional Conduct (in particular Rule 1.6(c)) place an affirmative duty on the PI attorney not merely to protect clients' PHI but to take reasonable steps, including encryption where appropriate, to prevent unauthorized access to it both at rest and in transit. An attorney who is negligent or malicious faces consequences under both regimes, including disciplinary action by the Office of Bar Counsel.
Most attorneys to whom these requirements apply are wholly unaware of their responsibilities, of how easily they can be breached, and of the penalties and liabilities for doing so. Parsing the black-letter law can be challenging for the PI practitioner. If you have identified potential liability in the summary provided here, or are unsure whether it applies to you, a conversation with healthcare counsel who handles these matters daily will help you understand the scope of your obligations and whether you have compliance work to do.
Glenn H. Truitt, Esq. is a managing partner at Ideal Business Partners (www.idealbusinesspartners.com), a multidisciplinary professional services firm serving healthcare professionals with state-of-the-art legal, financial, compliance and strategic advice, working together to lift up their practices. IBP consults with ComplyPro (www.mycomplypro.com), a HIPAA compliance services company, serving Nevada and southern California, and employing both traditional and digital compliance tools to develop comprehensive, customized compliance solution for any size practice.
Malvika Rawal, Ph.D., J.D., is a law clerk at Ideal Business Partners. She received her Master of Science at the University of Delhi in Biomedical Sciences and her doctorate degree in Free Radical and Radiation Biology at the University of Iowa. She then received her Juris Doctor at the University of Iowa College of Law in May 2016. Rawal is deeply involved with ComplyPro, a HIPAA compliance services company.
1 Demetrius Cheeks, 10 Things You Want to Know About Medical Malpractice, Forbes, May 16, 2013, http://www.forbes.com/sites/learnvest/2013/05/16/10-things-you-want-to-know-about-medical-malpractice/#1d3ce3a32323
2 A business associate agreement (BAA) is a written contract between a CE and a BA, which helps to assign specific duties and liabilities to the BA.
3 In a complaint investigated by the Office for Civil Rights (OCR), a pharmacy chain was alleged to have disclosed PHI without authorization to a law firm during the firm's representation of the pharmacy in an administrative proceeding. OCR found no impermissible disclosure of PHI, but determined that the pharmacy chain and the law firm had not signed a Business Associate Agreement, as the Privacy Rule requires, and required them to enter into one. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html#case20; see also dicta in Wooten v. United States HHS Office of Civil Rights, 2011 WL 536448, at 6-7 (S.D.N.Y. Feb. 15, 2011).
4 42 U.S.C. § 1128A(l)
5 78 Fed. Reg. 5565, 5581 (Jan. 25, 2013)
6 45 C.F.R. §164.306(a)(1)
7 45 C.F.R. §164.306(b)
8 45 C.F.R. §164.306(e)
9 45 C.F.R. §164.308(a)(1)(ii)(C)
10 45 C.F.R. §164.308(a)(2)
11 45 C.F.R. §164.308(a)(3)
12 45 C.F.R. §164.308(a)(5)
13 U.S. Department of Health and Human Services: National Institute of Health. HIPAA Privacy Rules: Information for Researchers. To Whom Does the Privacy Rule Apply and Whom Will It Affect? https://privacyruleandresearch.nih.gov/pr_06.asp
14 45 C.F.R. §164.402(1)
15 65 FR 82462, 82476
16 A Sample HIPAA Authorization Form, https://www.athenaeum.edu/pdf/free-hipaa-release-form.pdf.
17 NRS §603A.210.1
19 NRS §603A.210.2
20 NRS §603A.215.2(a)
21 NRS §603A.215.3
22 NRS §603A.900
23 NRS §603A.901