If any of your clients are involved with health care, you know how highly regulated the field is. You may think you are complying with all the regulations and have lock-tight security measures in place at your firm. But you could be wrong.
Consider that there have been 92 breaches involving personal health information (PHI) so far this year, according to the U.S. Department of Health and Human Services Office for Civil Rights’ database. Thirty-two percent of those breaches were caused by IT incidents or hacking. Either due to lax security practices or cyberattacks, personally identifiable information such as medical records and payment history was open to unauthorized third parties.
When you work with PHI, you need to keep your firm steps ahead of hackers and away from accidental data breaches — and be aware of your responsibilities. As a law firm “business associate” handling PHI, you need to understand what the government expects of you, and where you may be vulnerable.
Security for PHI is governed under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Omnibus Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH). Under these rules, “covered entities” such as health plans, health care clearinghouses and medical providers can share PHI with their business associates, including law firms.
If your firm receives any personal health information from a client who is a covered entity, you become a business associate. When that happens, you need to execute a business associate agreement (BAA) that guarantees your firm will keep the information safe and only use it for the purposes for which you were engaged. BAAs carry very high expectations and severe penalties for failure to comply.
For example, imagine that you have a support issue with your document management system, which contains electronic patient health information. Your first instinct may be to call the solution provider’s support line, but allowing any access to that information — even in a support capacity — can mean noncompliance with HIPAA.
What’s more, data can be lurking in all sorts of places, including copy machines. And if you’re ever tempted to step away from your laptop in a public place — no matter how safe — doing so can violate HIPAA.
Here are three steps that business-associate law firms should take when handling personal health information.
Step 1: Conduct a Risk Assessment
Once you become a business associate, you need to identify risks in your current practices, technology and controls. Fortunately, you don’t need to reinvent the wheel. The Department of Health and Human Services Office for Civil Rights offers some basic information about HIPAA, including summaries of the act’s privacy and security requirements and sample contracts for business associates.
Independent third parties can review your policies, procedures and technical environment. Some cloud-based providers also offer environments that are already HIPAA-compliant and can supplement your controls and policies. Cloud-based providers may be a lower-cost, yet secure, alternative to third-party reviewers.
Whichever approach you take, your auditor will look at three specific areas to identify the potential risks in each one:
- Physical safeguards. This involves limiting access to facilities and electronic information at offices. It also includes protecting servers and backup data.
- Technical safeguards. Business associates need to protect electronic PHI through IDPS (intrusion detection and protection systems), encryption and key management, HIPAA-level security auditing, two-factor identification, passwords and other methods.
- Administrative safeguards. Your firm will need to designate a security officer, responsible for maintaining privacy and security policies, procedures and systems. You will also need to develop policies limiting access to PHI, and an emergency response plan in case of accidental or deliberate incidents that can compromise data such as a natural disaster or data breach.
Step 2: Create the Necessary Documentation
Once the risk analysis highlights gaps, it’s time to shore up those weaknesses and codify processes and procedures. You may be able to adapt current policies and procedures, or you may need to create new ones. Every law firm is unique, so these documents can’t be completely cut and pasted from other sources.
Your documents should lay out the processes involved in maintaining the confidentiality, integrity and availability of electronic PHI. This includes the physical, technical and administrative safeguards. It should explicitly describe processes for creating passwords and encrypting data, maintenance, access logs, security audits and other factors.
The policies should include a plan for steps to take when the firm suspects or knows that a data breach has occurred, such as notifying the covered entity. You will also need procedures for responding to emergencies: system failures, natural disasters and other incidents.
Step 3: Conduct Compliance Training for the Firm
Training should offer an overview of HIPAA, as well as the act’s Omnibus Rule. It should also include information on HITECH, which was enacted to promote the adoption and meaningful use of health information technology. In part, Subtitle D of HITECH addresses privacy and security concerns associated with electronically transmitting health information.
Along with outlining legal requirements, training should clarify what the firm expects from attorneys and staff in terms of ensuring privacy and security.
The training doesn’t need to be burdensome or expensive. Some courses can be done online in about an hour. It may make sense to work with a third party that has developed HIPAA-specific compliance training programs.
Training isn’t something you can do once and forget about, though. As long as you remain a business associate, you should conduct a risk assessment every year and periodically train and refresh users on their obligations and best practices.
When it comes to government standards around security and privacy, HIPAA ranks among the most stringent. And the penalties for failing to comply can be severe. Fines can reach $1.5 million per year.
Combined with the need to maintain attorney-client privilege and other obligations, you may face significant compliance burdens with HIPAA. Planning ahead, understanding your obligations and finding the right partners can go a long way toward avoiding problems.
Joe Kelly is founder and CEO of Legal Workspace, a cloud-based work environment designed specifically for law firms. He is also CEO of Denver-based Business Network Consulting, Ltd. Splitting his time between Dallas and Denver, Joe is a passionate entrepreneur who is constantly looking to leverage technology to make it easier for law firms and other organizations to do business.