Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Business Law

Legal Risks and Ethical Problems for Lawyers under the HITECH

advertisement 
Legal Risks and Ethical Problems
for Lawyers under the
HITECH Business Associate Rules
Washington State Bar Association Health Law Section
Critical Issues in Heatlhcare
June 13, 2013
© 2013 Christiansen IT Law
Presenter CV
John R. Christiansen, J.D. - Christiansen IT Law
•
Special Assistant Attorney General to Washington State Health Care Authority, health care information issues
related to HIPAA, HITECH, and related issues
•
Privacy and Security Expert, ONC/OCR Comprehensive Campaign for Communication and Education About
the HITECH Act (2010 – pres.); Consultant, ONC State Health Policy Consortium (2010 – pres.); Technical
Advisor, ONC Health Information Security and Privacy Collaboration (2005 – 2009)
•
Chair, ABA HITECH Megarule/Business Associates Task Force (2009 – pres.); Committees on Healthcare
Privacy, Security and Information Technology (2004 – 06); on Healthcare Informatics (2000 – 04); and PKI
Assessment Guidelines Health Information Protection and Security Task Group (2000 – 2003)
•
Executive Committee/Secretary, Washington State Bar Association Health Law Section (2012 – pres.)
•
Adjunct Faculty, University of Washington Information School (2008 – 2012); Oregon Health and Sciences
University Division of Medical Informatics and Outcomes Research (2000 – 2003)
•
Publications include State and Federal Consent Laws Affecting Health Information Exchange (Nat’l
Governors Association 2011); Policy Solutions for Advancing Interstate Health Information Exchange (Nat’l
Governors Association 2009); An Integrated Standard of Care for Healthcare Information Security (2005);
Electronic Health Information: Security and Privacy Compliance under HIPAA (2000); etc.
© 2013
Christiansen IT Law Privacy/Security/Compliance
2
Our Agenda
•
•
•
•
Review of HIPAA Business Associate Concepts
HITECH Changes to Business Associate Concepts
Business Associate Compliance for Attorneys
Business Associate Contracting for Attorneys
© 2013
Christiansen IT Law Privacy/Security/Compliance
3
Your Obligation
RPC 1.1: “A lawyer shall provide competent representation to a client.
Competent representation requires the legal knowledge, skill,
thoroughness and preparation reasonably necessary for the
representation.”
• If you work in health law you need to know at least enough about
HIPAA and HITECH to spot potential issues and possible traps, to
avoid compliance failures for both you and your clients
© 2013
Christiansen IT Law Privacy/Security/Compliance
4
HIPAA BA Review
HIPAA Jurisdictional Limitations and the Business Associate
Workaround
•
•
HIPAA Administrative Simplification intent: Require implementation of
electronic health claims transactions
– Privacy and Security Rules: Ancillary trust builders which grew beyond
expectation
Covered Entities (CE):
– Organizations directly involved in health claims transactions
• Any health care provider which gets paid electronically, health
plans, health care clearinghouses
• Directly regulated under HIPAA – subject to regulatory obligations
and penalties
© 2013
Christiansen IT Law Privacy/Security/Compliance
5
HIPAA BA Review
The Business Associate Workaround
•
•
CEs don’t/can’t perform all functions and activities involving use or
disclosure of PHI by themselves
How to protect PHI when non-CEs must access or control it?
© 2013
Christiansen IT Law Privacy/Security/Compliance
6
HIPAA BA Review
Business Associate (BA): A “person” who is not a CE workforce
member and:
•
© 2013
“Performs or assists in the performance of” a function or activity
involving the use or disclosure of PHI on behalf of a CE
•
Official examples: Claims processing or administration; data
analysis, processing or administration; utilization review; billing;
quality assurance; benefit management; practice management,
repricing
•
Any other “function or activity “ regulated under HIPAA
•
My examples: PHI disclosure to other CEs, individuals, public
health, research, marketing, etc.; security management and
administration; etc.
•
Provides legal, actuarial, accounting, consulting, etc. services to
or for CE involving disclosure of PHI to BA.
• 45 CFR § 160.103
Christiansen IT Law Privacy/Security/Compliance
7
HIPAA BA Review
BA status is “definitional,” does not depend on existence of BAC
•
•
•
If it does what a BA does, it’s a BA
Knowledge or intent of CE or BA are irrelevant
Presence or absence of a contract is irrelevant
© 2013
Christiansen IT Law Privacy/Security/Compliance
8
HIPAA BA Review
Business Associate Contracts (BACs)
•
CE may disclose PHI to/allow BA to create or receive PHI on CE’s behalf
upon “satisfactory assurance” BA will “appropriately safeguard” PHI
•
•
45 CFR § 164.502
“Satisfactory assurance” is BAC including required provisions (or equivalent
memorandum of understanding if governmental entities, plan document
provisions if group health plan)
•
© 2013
45 CFR § 164.504(e)
Christiansen IT Law Privacy/Security/Compliance
9
HIPAA BA Review
If you provide legal services as a BA to a CE, you must have a BAC
•
“A complaint alleged that a law firm working on behalf of a pharmacy chain
in an administrative proceeding impermissibly disclosed the PHI of a
customer of the pharmacy chain. OCR investigated the allegation and
found no evidence that the law firm had impermissibly disclosed the
customer’s PHI. However, the investigation revealed that the pharmacy
chain and the law firm had not entered into a Business Associate
Agreement, as required by the Privacy Rule to ensure that PHI is
appropriately safeguarded. Without a properly executed agreement, a
covered entity may not disclose PHI to its law firm. To resolve the matter,
OCR required the pharmacy chain and the law firm to enter into a business
associate agreement.”
– Pharmacy Chain Enters into Business Associate Agreement with
Law Firm, hhs.gov Health Information Privacy website
© 2013
Christiansen IT Law Privacy/Security/Compliance
10
HIPAA BA Review
BAC Penalties
•
CE may be penalized if CE “knew of a pattern of activity or practice” of the
BA “that constituted a material breach or violation” of the BAC, unless:
• The CE took “reasonable steps to cure the breach or end the violation”
and, “if such steps were unsuccessful:”
• Terminated the BAC, if “feasible,” or if not “feasible” reported the
problem to DHHS
• 45 CFR §.504(e)(1)(ii)
•
No jurisdiction to penalize BAs for BAC violation, or any HIPAA regulatory
violation
© 2013
Christiansen IT Law Privacy/Security/Compliance
11
HIPAA BA Review
BA Subcontractor/Agent Workaround
•
•
•
BAs don’t/can’t perform all functions and activities for/on behalf of CEs
involving use or disclosure of PHI by themselves
BAs may also need to permit other parties to have access to, use, disclose
PHI for BA’s own functions and activities
How to protect PHI when non-BAs must access and/or control it?
© 2013
Christiansen IT Law Privacy/Security/Compliance
12
HIPAA BA Review
BA Subcontractor Workaround
•
Mandatory provision: BA may disclose PHI to “any agent, including a
subcontractor” which agrees to:
– “Implement reasonable and appropriate safeguards” for the PHI, and
– “The same restrictions and conditions which apply to” the BA with
respect to the PHI
• 45 CFR §§ 164.314(a)(2)(i)(B), .502(e)(2)(ii)(D)
© 2013
Christiansen IT Law Privacy/Security/Compliance
13
HIPAA BA Review
BA Subcontractor Workaround
•
•
•
•
•
Vaguely articulated concept: BA delegates “subcontractor” performance of
function, activity or service for ultimate benefit or use of CE
No “subcontractor” definition
“Subcontract” is kinda/sorta like BAC, maybe
BA penalty for noncompliance: Potential BAC termination, if CE finds out
and cares enough
No jurisdiction to penalize BA or subcontractor – or CE
© 2013
Christiansen IT Law Privacy/Security/Compliance
14
HIPAA BA Review
HIPAA
BA/Subcontractor Chain
© 2013
Christiansen IT Law Privacy/Security/Compliance
15
HIPAA BA Review
BA Services Provider Workaround
•
Optional provision: BA may disclose PHI for purposes of the BA’s “proper
management and administration” and to “carry out legal responsibilities,” if
recipient provides “reasonable assurances” that:
– It will hold the PHI “confidentially,”
– The PHI will be used or further disclosed only as required by law or for
purposes for which it was disclosed, and
– The recipient will notify BA of any “breach of confidentiality”
• 45 CFR § 164.504(e)(4)
© 2013
Christiansen IT Law Privacy/Security/Compliance
16
HIPAA BA Review
BA Services Provider Workaround
•
•
•
•
•
Even more vaguely articulated concept: BA can use third parties to perform
limited functions, activities or services for benefit or use of BA
No associated definitions
No meaningful detail re “assurances”
BA penalty for noncompliance: Potential BAC termination, if CE finds out
and cares enough
No jurisdiction to penalize BA, services provider – or CE
© 2013
Christiansen IT Law Privacy/Security/Compliance
17
HIPAA BA Review
HIPAA BA/Services
Provider Relationship
© 2013
Christiansen IT Law Privacy/Security/Compliance
18
HIPAA BA Review
When do lawyers “obtain PHI on behalf of a CE?”
•
•
•
•
•
•
•
Privacy/security compliance support for CEs: Probably yes
Some other kinds of compliance support: Sometimes yes
Fraud and abuse/false claims: Probably yes
Healthcare professional discipline: Probably yes
Risk management for CEs: Probably yes
Due diligence for some types of CE transactions
Representing CE in any case involving individual patient diagnosis or
treatment, individual health benefits: Yes
•
Even if PHI is already public record
•
Even if subject individual is plaintiff
•
Even if subject individual has authorized disclosure by CE
•
Not an exhaustive list
© 2013
Christiansen IT Law Privacy/Security/Compliance
19
HIPAA BA Review
When lawyers don’t “obtain PHI on behalf of a CE.”
•
•
•
•
•
Representing any party which is not a CE
•
Including individual plaintiffs
Workers compensation cases
Social Security cases
Employment law matters
•
Except for representation of group health plans
Not an exhaustive list
© 2013
Christiansen IT Law Privacy/Security/Compliance
20
HITECH BA Expansion
Health Information for Clinical and Economic Health Act (HITECH)
•
•
•
HITECH § 13401(a) mandates application of HIPAA Security Rule to BAs
“in the same manner” as to CEs, requires that HITECH security
requirements applicable to CEs apply to BAs, and requires that all such
provisions “shall be incorporated” into the BAC
HITECH § 13404(a) mandates application of HIPAA BAC regulations (45
CFR § 164.504(e)) to BAs as regulatory requirements, requires that
HITECH privacy requirements applicable to CEs apply to BAs, and
requires that all such provisions “shall be incorporated” into the BAC.
“Omnibus Rule” published January 25, 2013
•
Compliance mandatory as of September 23, 2013
© 2013
Christiansen IT Law Privacy/Security/Compliance
21
HITECH BA Expansion
Revised BA Definition (45 CFR § 160.103)
•
A “person” who is not a CE workforce member and (inter alia):
•
Provides legal, actuarial, accounting, consulting, data aggregation,
management, administrative, accreditation, or financial services on
behalf of a CE, involving disclosure of PHI for purposes of the services
to the BA by the CE or another BA; and
•
A subcontractor that creates, receives, maintains, or transmits PHI on
behalf of a BA
© 2013
Christiansen IT Law Privacy/Security/Compliance
22
HITECH BA Expansion
New Subcontractor Definition (45 CFR § 160.103)
•
Subcontractor means a person to whom a BA delegates a function, activity,
or service, other than in the capacity of a member of the workforce of such
BA
– If a BA delegates a function involving PHI to a subcontractor, that
subcontractor becomes a BA
– If the subcontractor/BA in turn delegates a function involving PHI to
another subcontractor, that other subcontractor becomes a BA
– And so on, as far as activities, functions and services involving PHI are
delegated
•
A “chain of trust” for PHI
© 2013
Christiansen IT Law Privacy/Security/Compliance
23
HITECH BA Expansion
•
•
•
•
•
© 2013
“Upstream:” CE, or BA delegating
function
“Downstream:” BA to which
function is delegated
“First tier” BA: BA with direct
delegation from CE
“Second tier” BA: BA with direct
delegation from first tier BA (and
third, fourth tier, etc.)
“Lower tier” BAs: BAs below first
tier
Christiansen IT Law Privacy/Security/Compliance
24
HITECH BA Expansion
Subcontractor/BAs do not include recipients of PHI for BA purposes
•
“We also provide the following in response to specific comments.
Disclosures by a business associate pursuant to § 164.504(e)(4) and its
business associate contract for its own management and administration or
legal responsibilities do not create a business associate relationship with
the recipient of the [PHI] because such disclosures are made outside of the
entity’s role as a business associate.”
– Preamble to Omnibus Rule at 5574
– Not limited to “agents” of BA
– Not a regulation, but an interpretation
• BA Services Provider is not a Subcontractor, so is not a BA
© 2013
Christiansen IT Law Privacy/Security/Compliance
25
HITECH BA Expansion
•
•
•
© 2013
BA retains law firm to perform
legal services involving PHI for
purposes of BA
BA Services Provider may use,
disclose PHI for BA purposes
BA Services Provider may use
other parties to provide
support/related services for BA
purposes
– These parties are also not
BAs
Christiansen IT Law Privacy/Security/Compliance
26
HITECH BA Expansion
© 2013
•
Can a law firm be a
Subcontractor?
•
Yes to another law firm
Christiansen IT Law Privacy/Security/Compliance
27
HITECH BA Expansion
© 2013
•
Can a law firm be a
Subcontractor?
•
No to any non-lawyer entity if
providing legal services
Christiansen IT Law Privacy/Security/Compliance
28
HITECH BA Expansion
Analysis:
•
Covered Entity can delegate legal services functions to law firm Business
Associate
– Non-lawyer cannot provide legal services (unauthorized practice of law).
RCW 2.48.140
– Therefore non-law firm Business Associate cannot be delegated legal
services functions
– And, non-lawyer cannot direct legal services of lawyer. RPC 1.8(f);
5.4(b), (d)
© 2013
Christiansen IT Law Privacy/Security/Compliance
29
HITECH BA Expansion
Can lawyers escape regulated status?
•
•
•
•
GLBA litigation: American Bar Association v. Federal Trade
Commission (2005): Gramm-Leach-Bliley Act (GLBA) did not give Federal
Trade Commission (FTC) jurisdiction to regulate licensed attorneys in
“practice of law by GLBA privacy regulations, based on interpretation of key
GLBA term “financial institutions”
FACTA litigation: American Bar Association v. Federal Trade
Commission (2011: Licensed attorneys in “practice of law” are not
“creditors” required to comply with identity theft protection “Red Flags
Rules” issued by FTC under Fair and Accurate Credit Transactions Act of
2003 (FACTA)
No known HIPAA challenge to lawyers included as BAs
Legal theories behind GLBA and FACTA litigation do not apply under
HIPAA or HITECH
© 2013
Christiansen IT Law Privacy/Security/Compliance
30
HITECH BA Compliance Obligations
Direct regulatory obligations
•
•
•
•
•
•
•
•
•
Full compliance with the Security Rule for ePHI
Use and disclose PHI only as permitted by the upstream BAC
Comply with the Minimum Necessary rule
Notify the CE in case of a security breach
Provide access to a copy of PHI they maintain to the CE or individual, as
specified in their upstream BAC
Provide the information needed for an accounting of disclosures
Maintain and provide access to their records to OCR to investigate the BA’s
compliance
Requirement for implementing BACs with any downstream BA
Terminate BAC for breach by CE
© 2013
Christiansen IT Law Privacy/Security/Compliance
31
HITECH BA Compliance Obligations
Key BAC obligations
•
•
•
•
•
•
•
•
•
Full compliance with the Security Rule for ePHI
Use and disclose PHI only as permitted in the BAC, including Minimum
Necessary policies of CE
Notify the CE in case of a security incidents, breaches, unauthorized
use/disclosure
Provide access to a copy of PHI in their possession to the CE or individual
Provide the information needed for an accounting of disclosures
Maintain and provide access to their records to OCR to investigate the CE’s
compliance
Implementing BACs with any downstream BA
Authorize termination of BAC for breach by CE
Require return/destruction/escrow of PHI upon termination of BAC
© 2013
Christiansen IT Law Privacy/Security/Compliance
32
HITECH BA Compliance Obligations
Many BAC requirements are
redundant to direct
regulatory requirements
• Some are not, and not
well coordinated
© 2013
Christiansen IT Law Privacy/Security/Compliance
33
HITECH BA Compliance Obligations
BAs are:
•
•
•
•
•
Exposed to potential federal criminal penalties for violation of HIPAA
Subject to regulatory jurisdiction of OCR and state attorneys general
Required to cooperate with OCR investigations of CE and BAs
Exposed to potential civil monetary penalties for violation of HIPAA
Exposed to private tort actions by individuals harmed by BA failure to
comply with HIPAA
© 2013
Christiansen IT Law Privacy/Security/Compliance
34
HITECH BA Compliance Obligations
Hold on a minute . . . What about that last one???
•
HIPAA doesn’t provide an individual cause of action?
•
True, but see R.K. v. St. Mary’s Medical Center, 735 S.E.2d 715, 723
(2012) cert. den. __ U.S. __ (April 1, 2013) (reviewing multistate caselaw
holding HIPAA provides standard of care supporting negligence per se and
related types of tort action to hold same for West Virginia)
See RCW 5.40.050: A “breach of duty imposed by statute… or
administrative rule… may be considered by the trier of fact as evidence of
negligence[.]”
•
•
So a law firm BA owes a duty of care to and can be sued by any individual
whose PHI it has in its capacity as a BA, if harmed by the law firm’s failure
to comply with HIPAA requirements applicable to BAs
© 2013
Christiansen IT Law Privacy/Security/Compliance
35
Structuring Law Firm Compliance
Can law firms segregate compliance obligations?
•
HIPAA concept: “Hybrid entity”
• “A single legal entity that is a [CE] . . . whose business activities include
both covered and non-covered functions . . . and that designates health
care components[.]”
• 45 CFR § 164.103
• “If a [CE] is a hybrid entity, the requirements of [the Security and Privacy
Rules] apply only to the health care component(s) of the [CE.]”
• 45 CFR § 164.105(a)(1)
• “Health care components” may include organizational “components” to
the extent that they perform “covered [CE] functions” or “activities that
would make the component” a BA of a component which performs
covered functions
• 45 CFR § 164.105(a)(2)(iii)(C)(2)
© 2013
Christiansen IT Law Privacy/Security/Compliance
36
Structuring Law Firm Compliance
Can law firms segregate compliance obligations?
•
Hybrid entity CE “must ensure that a health care component” complies with
the Privacy and Security Rules; in particular • No disclosure of PHI to other components unless such disclosure would
be permitted to separate entity
• Protect PHI with respect to other components “to the same extent” as
required under the Security Rule if they were separate entities
• Comply with the Privacy Rule as if the component were CE or BA, as
applicable
• Workforce members serving both health care and other components
may not use or disclose PHI obtained “in the course of or incident to”
work in the former while providing services to the latter, except as would
be permitted by the Privacy Rule for separate entity
• 45 CFR § 164.105(a)(2)(ii)
© 2013
Christiansen IT Law Privacy/Security/Compliance
37
Structuring Law Firm Compliance
Can law firms segregate compliance obligations?
•
Hybrid entity CE (not the component) is responsible for compliance; in
particular • Documented designation of components, including all performing CE
and BA functions
• Maintenance of all Security and Privacy Rule policies and procedures
documentation
• CE as a whole is subject to compliance, enforcement obligations and
penalties
• 45 CFR § 164.105(a)(2)(iii)
© 2013
Christiansen IT Law Privacy/Security/Compliance
38
Structuring Law Firm Compliance
Can law firms segregate compliance obligations?
•
Can hybrid entity concepts be applied to BAs?
• No specific reference in HITECH
• No guidance on point
• Functional equivalents can be established by policies and procedures,
where appropriate backed by technical architecture
• Example:
• Firm designates “health law component” – lawyers, paralegals,
support staff – using policy documentation
• Possibly include “BAs” in other “components,” where
appropriate
• Firm establishes policies and procedures for “health law (and BA?)
component,” and for interaction with “other components” of firm
• Possibly including physical, technical separation; certainly at
least physical, technical identification and distinction
© 2013
Christiansen IT Law Privacy/Security/Compliance
39
Attorney BA Security Compliance
Security Rule compliance is (not in-) consistent with ethical obligations
to protect confidential information
•
•
RPC 1.6(a): “A lawyer shall not reveal information relating to the
representation of a client unless the client gives informed consent, the
disclosure is impliedly authorized in order to carry out the representation or
the disclosure is permitted by paragraph (b).”
– “A lawyer must act competently to safeguard information relating to the
representation of a client against inadvertent or unauthorized disclosure
by the lawyer or other persons who are participating in the
representation of the client or who are subject to the lawyer’s
supervision.” ABA Ethics 2000, Comment 16 to Model Rules of
Professional Conduct 1.6.
Also implicates obligation to provide competent representation. See RPC
1.1
© 2013
Christiansen IT Law Privacy/Security/Compliance
40
Attorney BA Security Compliance
Anticipated Model Rule updates
•
•
•
“To maintain the requisite knowledge and skill, a lawyer should keep
abreast of changes in the law and its practice, including the benefits and
risks associated with technology.” Comment 6 to Model Rule 1.1
Unauthorized access to/inadvertent or unauthorized disclosure of,
confidential information does not violate Model Rule 1.6 if the lawyer has
made reasonable efforts to prevent the access or disclosure, including
security risk analysis and selection of appropriate safeguards. Comment 16
to Model Rule 1.6.
Client may give informed consent to forego security measures that would
otherwise be required by Model Rule. Id.
© 2013
Christiansen IT Law Privacy/Security/Compliance
41
Attorney BA Security Compliance
•
Attorney required to take “competent and reasonable steps to assure that
the client’s confidences are not disclosed to third parties through theft or
inadvertence” and “competent and reasonable measures to assure that the
client’s electronic information is not lost or destroyed,” and “must either
have the competence to evaluate the nature of the potential threat to the
client’s electronic files and to evaluate and deploy appropriate computer
hardware and software to accomplish that end, or if the attorney lacks or
cannot reasonably obtain that competence, to retain an expert consultant
who does have such competence.”
– State Bar of Arizona, Opinion No. 05-04
© 2013
Christiansen IT Law Privacy/Security/Compliance
42
Attorney BA Security Compliance
•
“Whether an attorney violates his or her duties of confidentiality and
competence when using technology to transmit or store confidential client
information will depend on the particular technology being used and the
circumstances surrounding such use. Before using a particular technology
in the course of representing a client, an attorney must take appropriate
steps to evaluate: 1) the level of security attendant to the use of that
technology, including whether reasonable precautions may be taken when
using the technology to increase the level of security; 2) the legal
ramifications to a third party who intercepts, accesses or exceeds
authorized use of the electronic information; 3) the degree of sensitivity of
the information; 4) the possible impact on the client of an inadvertent
disclosure of privileged or confidential information or work product; 5) the
urgency of the situation; and 6) the client’s instructions and circumstances,
such as access by others to the client’s devices and communications.”
– State Bar of California, Formal Opinion No. 2010-179
© 2013
Christiansen IT Law Privacy/Security/Compliance
43
Attorney BA Use and Disclosure of PHI
Basic Principles
•
•
•
•
•
Scope of PHI which BA may obtain is determined by underlying agreement
between CE and first tier BA
Authorized uses and disclosure of PHI are determined by underlying
agreement
CE may not authorize BA to use or disclose PHI in any way not permitted to
CE
BA must comply with CE minimum necessary policies
BA must pass along restrictions on PHI use or disclosure which no less
stringent than those in its BAC, to downstream BAs and Services Providers
© 2013
Christiansen IT Law Privacy/Security/Compliance
44
Attorney BA Use and Disclosure of PHI
Scope of authorization
•
•
•
CE must ensure that its own policies, notices, PHI use and disclosure
restrictions do not preclude appropriate obtaining, use, disclosure of PHI
First tier and other upstream BACs must allow for full scope of PHI to be
obtained, used, disclosed for purposes of engagement
Upstream BACs must not prohibit obtaining, use, disclosure of PHI for
purposes of engagement
• Attorney BA may want to confirm in some cases, with some clients
• Red flag for downstream attorney BAs, Services Providers: Upstream
BACs must include optional provision allowing Services Providers
to obtain, use, disclose PHI for BA legal services purposes
© 2013
Christiansen IT Law Privacy/Security/Compliance
45
Attorney BA Use and Disclosure of PHI
•
•
•
© 2013
Assume BAC between CE and BA
Health IT Vendor does not include
optional BA services provider
provisions
BA may not authorize law firm to
obtain, use or disclose PHI to
provide legal services to BA
Examples: Dispute with CE
alleging BA misuse of PHI, breach
of BAC, breach response and
notification analysis, etc.
Christiansen IT Law Privacy/Security/Compliance
46
Attorney BA Use and Disclosure of PHI
Minimum necessary rule
•
•
•
•
CE or BA must make reasonable efforts to limit PHI requested, used or
disclosed to the minimum necessary to accomplish the intended purpose of
the use, disclosure, or request.
– 45 CFR § 164.502(b)(1)
Minimum necessary policy requirements include functional workforce
classifications relative to PHI needed for routine functions, criteria for nonroutine disclosures
– 45 CFR § 164.514(d)
CE (or upstream BA?) may rely on documented representations that PHI
requested in minimum necessary for professional services purposes, from
professional providing services
– 45 CFR § 164.514(d)(3)(iii)(C)
Attorney BA should have:
– Minimum necessary policies
– Standard form for representations to clients
© 2013
Christiansen IT Law Privacy/Security/Compliance
47
Attorney BA Breach Notification
CE Has the Obligation to Notify Individuals and OCR
•
•
“A CE shall, following the discovery of a breach of unsecured PHI, notify
each individual whose unsecured PHI has been, or is reasonably believed
by the CE to have been, accessed, acquired, used, or disclosed as a result
of such breach.”
“A CE shall, following the discovery of a breach of unsecured PHI . . . notify
[OCR].”
– 45 CFR §§ 164.404(a), .408(a)
© 2013
Christiansen IT Law Privacy/Security/Compliance
48
Attorney BA Breach Notification
Each BA in a Chain Has an Obligation to Notify the CE
•
•
•
“A BA shall, following the discovery of a breach of unsecured PHI notify the
CE of such breach.”
– 45 CFR § 164.410(a)(1)
Required BAC provision that BA must “report to the CE any security incident
of which it becomes aware, including breaches of unsecured PHI as
required by § 164.410.”
– 45 CFR § 164.314(a)(2)(i)(C)
CE may delegate notification to BA
– Omnibus Rule at 5651.
© 2013
Christiansen IT Law Privacy/Security/Compliance
49
Attorney BA Breach Notification
Each BA in a Chain Has an Obligation to Notify the CE
•
•
No regulatory obligation for lower tier BAs to notify upstream BAs
– Only applicable if provided for in non-required BAC provision
– Does notification of upstream BA count as CE notification?
No regulatory obligation for BA Services Providers to notify CE
– BA “assurances” from Services Providers must include notification of
“breach of confidentiality”
– Is that the same as a “breach” under the Breach Notification Rule?
© 2013
Christiansen IT Law Privacy/Security/Compliance
50
Attorney BA Breach Notification
Each BA in a Chain Has an Obligation to Notify the CE
•
Timing of BA notification to CE
– 60 days if BA is not agent of CE
– ASAP if BA is agent of CE, as breach is deemed “discovered” by CE
upon “discovery” by BA, even if BA has not notified CE
• Either avoid making BA an agent, or hold BA to rapid notification to
allow timely CE notification
• Can a lower tier BA be considered CE’s agent?
© 2013
Christiansen IT Law Privacy/Security/Compliance
51
Attorney BA Breach Notification
When is an attorney an “agent?”
•
Agency determined by federal common law. Preamble to Interim Final Rule
• “Agency is the fiduciary relationship that arises when one person (a
"principal") manifests assent to another person (an "agent") that the
agent shall act on the principal's behalf and subject to the principal's
control, and the agent manifests assent or otherwise consents so to
act.” §1.01 Restatement (Third) of Agency
• “An agent has actual authority to take action designated or implied in
the principal's manifestations to the agent and acts necessary or
incidental to achieving the principal's objectives, as the agent
reasonably understands the principal's manifestations and objectives
when the agent determines how to act.” § 2.02(1) Restatement (Third)
of Agency
© 2013
Christiansen IT Law Privacy/Security/Compliance
52
Attorney BA Breach Notification
Limiting attorney “agency”
• RPC 1.2
• “Subject to paragraph[] (c) . . . a lawyer shall abide by a client's
decisions concerning the objectives of representation and . . . shall
consult with the client as to the means by which they are to be pursued.”
• “(c) A lawyer may limit the scope of the representation if the limitation is
reasonable under the circumstances and the client gives informed
consent.”
• Comment 6: “The scope of services to be provided by a lawyer may be
limited by agreement with the client or by the terms under which the
lawyer's services are made available to the client. . . . In addition, the
terms upon which representation is undertaken may exclude specific
means that might otherwise be used to accomplish the client's
objectives. Such limitations may exclude actions that the client thinks
are too costly or that the lawyer regards as repugnant or imprudent.”
© 2013
Christiansen IT Law Privacy/Security/Compliance
53
Access to PHI Maintained by Attorney BAs
Individual rights to access, get copies, request amendment
•
•
Do not apply to “information compiled in reasonable anticipation of, or for
use in, a civil or administrative action or proceeding.”
• 45 CFR § 164.524(a)(1)(ii), .526(a)(2)(iii)
Apply only to “designated record sets”
– A “group of records maintained by or for” a CE, including (i) medical,
billing, payment, claims, case or medical management, or (ii) “used, in
whole or in part, by or for the [CE] to make decisions about individuals.”
• 45 CFR § 164.501
© 2013
Christiansen IT Law Privacy/Security/Compliance
54
Access to PHI Maintained by Attorney BAs
Individual rights to access, get copies, request amendment
•
•
•
RPC 1.6: Attorney may not disclose confidential information of client
without client’s informed consent
When would legal services include or require development of records “used
by or for a CE to make decisions about individuals,” which were not
compiled in “reasonable anticipation of or for use in a civil or administrative
action or proceeding?”
– Consider issues at start of engagement; if potentially problematic get
client’s informed consent
Does inclusion of required access provisions in BAC waive confidentiality
and privilege?
– Consider specifying that access/amendment are not permitted (if
applicable)
– Require CE approval of any access (should probably be done anyway)
© 2013
Christiansen IT Law Privacy/Security/Compliance
55
Accounting of Disclosures by Attorney BAs
Individual right to accounting of disclosures of PHI
•
•
•
•
Specific exceptions: Disclosures for treatment, payment, health care
operations; to, or as authorized by, individuals themselves; facility directory;
national security, correctional facility or law enforcement; limited data set
No exception for information compiled for use in civil or administrative
proceedings
Not restricted to designated record sets
Must include date of disclosure, name of recipient, description of PHI and
statement of the purpose of the disclosure
© 2013
Christiansen IT Law Privacy/Security/Compliance
56
Accounting of Disclosures by Attorney BAs
Accounting of disclosures may include confidential information
•
•
•
RPC 1.6: Attorney may not disclose confidential information of client
without client’s informed consent
This could include information such as identity of experts consulted,
services obtained, which might be embarrassing or detrimental to client. Cf.
Washington State Bar Association Formal Opinion 183, Disclosure of
Information Relating to the Representation of a Client by a Legal Service
Office to the Legal Service Corporation or Other Third Party
– Consider issues at start of engagement; if potentially problematic get
client’s informed consent
Does inclusion of required access provisions in BAC waive confidentiality
and privilege?
– CE should provide the accounting (should probably be done by CE
anyway)
© 2013
Christiansen IT Law Privacy/Security/Compliance
57
Governmental Access to Attorney BA Records
Access to BA records for compliance investigations
•
•
•
•
Access to investigate BA compliance required by rule
Access to investigate CE compliance required by mandatory BAC provision
Production of records for government agency audit may waive both
attorney-client privilege and work product doctrine protection
• U.S. v. Massachusetts Institute of Technology, 129 F.3d 681 (1st Cir.
1997)(waived for purposes of other governmental agency access),
Westinghouse Electric Corp. v. Republic of Philippines, 951 F.2d 1414
(3d Cir. 1991)(waived for purposes of private litigant access)
Waiver is at time of entry into contract with standard access provision
• U.S. v. Massachusetts Institute of Technology, supra
© 2013
Christiansen IT Law Privacy/Security/Compliance
58
Governmental Access to Attorney BA Records
Suggestions for dealing with potential waiver issues
•
•
•
•
Raise potential issues with CE client (informed consent)
Draft BAC provisions carefully
• Limit, condition OCR access rights to records for investigation of CE
client to minimize risk of waiver
• Limit, condition OCR access rights to investigate BA law firm
BA may disclose records, etc. with respect to its own compliance in general,
without reference to particular clients or matters – may be workable
negotiating position with OCR for informal resolution (or at least show good
faith)
Design practice scope, processes and systems to “firewall” matters
potentially subject to investigation from other matters
© 2013
Christiansen IT Law Privacy/Security/Compliance
59
Governmental Access to Attorney BA Records
Investigation of BA compliance - potential for conflict of interest
•
•
•
RPC 1.7(a): “Except as provided in paragraph (b), a lawyer shall not
represent a client if the representation involves a concurrent conflict of
interest. A concurrent conflict of interest exists if . . . there is a significant
risk that the representation of one or more clients will be materially limited
by . . . a personal interest of the lawyer.”
RPC 1.7(b): “Notwithstanding the existence of a concurrent conflict of
interest . . . a lawyer may represent a client if: (1) the lawyer reasonably
believes that the lawyer will be able to provide competent and diligent
representation . . . and (4) each affected client gives informed consent,
confirmed in writing[.]”
When would a conflict present? When should you get consent?
© 2013
Christiansen IT Law Privacy/Security/Compliance
60
BAC Termination Due to Violation
Mandatory BAC provision allowing either party to terminate BAC (and
therefore engagement if other party violates BAC
•
•
•
•
Omnibus Rule removed specific provision for reporting violator to OCR if
termination not feasible
• Still permissible to report, of course
Failure to terminate if violation or breach is uncured may be grounds for
penalizing non-terminating party
Draft termination provisions carefully
• Allow for cure periods, etc.
• Do not apply to provisions not required in a BAC – e.g. breach
notification specifics
Ensure termination provision allows for “escrow” of PHI instead of requiring
return or destruction
• PHI may be retained under protection if return/destruction not “feasible”
• May need to be retained for risk management, related purposes
© 2013
Christiansen IT Law Privacy/Security/Compliance
61
BAC Termination Due to Violation
Ethical obligations upon discovery of BAC noncompliance by client
•
RPC 1.2(d): “A lawyer shall not counsel a client to engage, or assist a
client, in conduct that the lawyer knows is criminal or fraudulent, but a
lawyer may discuss the legal consequences of any proposed course of
conduct with a client and may counsel or assist a client to make a good faith
effort to determine the validity, scope, meaning or application of the law.”
© 2013
Christiansen IT Law Privacy/Security/Compliance
62
BAC Termination Due to Violation
Ethical obligations upon discovery of BAC noncompliance by client
•
RPC 1.16(b): “If a lawyer for an organization knows that an officer,
employee or other person associated with the organization is engaged in
action, intends to act or refuses to act in a matter related to the
representation that is a violation of a legal obligation to the organization, or
a violation of law that reasonably might be imputed to the organization, and
that is likely to result in substantial injury to the organization, then the lawyer
shall proceed as is reasonably necessary in the best interest of the
organization. Unless the lawyer reasonably believes that it is not necessary
in the best interest of the organization to do so, the lawyer shall refer the
matter to higher authority in the organization, including, if warranted by the
circumstances, to the highest authority that can act on behalf of the
organization as determined by applicable law.”
© 2013
Christiansen IT Law Privacy/Security/Compliance
63
Attorney BA Contracting
Potential points of conflicts in BA contracting
•
•
Does entry into a BAC constitute or create a “business transaction” or
pecuniary interest” potentially adverse to a client? See RPC 1.8 (Conflict of
Interest: Current Clients).
– RPC 1.8 “does not apply to ordinary fee arrangements between client
and lawyer, which are governed by Rule 1.5[.]” Comment 1 on RPC 1.8
• RPC 1.5 deals only with reasonableness of fees – not helpful here
Note that even if there is no conflict at time of entry into BAC, subsequent
events could create conflict
– Compliance failure where both parties may be at fault
– Security breach with attendant costs of notification
– Civil damages action where plaintiffs make both CE and BA defendants
© 2013
Christiansen IT Law Privacy/Security/Compliance
64
Attorney BA Contracting
Potential points of conflicts in BA contracting
•
•
Do mandatory BAC provisions set up potential for conflict in case of BAC
violation or security breach?
– Provisions which do not allocate, limit or shift liability perhaps do not
create a conflict?
Non-mandatory provisions allocating, limiting, shifting liability might?
– “Agreements prospectively limiting a lawyer's liability for malpractice are
prohibited unless permitted by law and the client is independently
represented in making the agreement because they are likely to
undermine competent and diligent representation. Also, many clients
are unable to evaluate the desirability of making such an agreement
before a dispute has arisen . . . “
• Comment 14 on RPC 1.8
• Is failure to comply with a BAC “malpractice?”
– Is attorney indemnification of client defense costs limited by RPC
1.8(e)(1) (attorney may not advance or guarantee litigation costs)?
© 2013
Christiansen IT Law Privacy/Security/Compliance
65
Attorney Services Provider Contracting
Remember: Not a BA if providing services to a BA, for the BA’s own
purposes
•
•
•
How do you identify services for BA purposes?
Is it permitted under the upstream BACs?
Services Provider contract minimum mandatory content:
– “Assurance” that PHI will be held confidentially
– “Assurance” that PHI will only be used or further disclosed by Services
Provider as required by law, or for purpose for which it was disclosed to
the Services Provider
– Services Provider will notify BA of any “security incident” or “instance of
which it is aware in which the confidentiality of the PHI has been
breached”
– Services Provider will “agree to implement reasonable and appropriate
safeguards to protect” PHI
© 2013
Christiansen IT Law Privacy/Security/Compliance
66
Attorney Services Provider Contracting
A few questions about Services Provider contract content
•
•
•
•
•
Is “confidentiality” equivalent to legal ethics definition? Does it matter?
Does full Security Rule compliance apply by contract?
How do “security incident” and “breach of confidentiality” reporting link to
Breach Notification Rule?
Can Services Providers ever use or disclose PHI for their own
management, administration, legal responsibilities (compare to BAC
provision)?
– If not prohibited by law, must it be explicitly authorized in upstream
BACs?
Can Services Providers retain PHI upon termination of engagement (like
BAC “escrow” provision)?
© 2013
Christiansen IT Law Privacy/Security/Compliance
67
Attorney Contracting: Special Problem
Outsourcing to data storage/cloud services
•
•
•
OCR has stated that data storage vendors are BAs, even if:
– The vendor does not have a contractual right or authority to access
stored PHI
– The vendor does not need to and never does access stored PHI
– The vendor cannot access stored PHI because it is encrypted and the
vendor does not have access to the key
I think OCR is wrong, but I’m not the regulatory authority
Some cloud services vendors take the position they are not BAs
– Use of such a vendor as a BA would entail violation of both regulations
and upstream BAC
– Could attorney Services Provider to BA use non-BA data storage
vendor? Should it?
© 2013
Christiansen IT Law Privacy/Security/Compliance
68
Attorney Contracting
Summary: Provisions and perspectives on attorney BACs
•
•
•
•
•
•
•
•
Know your client: CE? First tier BA? Lower tier BA?
Know your engagement: Are you a first tier BA? Lower tier BA? BA Services
Provider?
Know your engagement: Does it involve PHI? Is it an activity not covered by
HIPAA/HITECH?
Know your PHI constraints: Upstream BACs and minimum necessary
policies
Define engagement scope to minimize risk of “agent” status for breach
notification
Draft PHI access, accounting of disclosure and governmental access
provisions carefully to minimize risks of confidentiality, privilege waiver
Avoid risk shifting provisions to minimize conflict potential
Consider if any circumstances or conditions make informed consent to any
provision prudent
© 2013
Christiansen IT Law Privacy/Security/Compliance
69
Attorney Contracting
Compliance timing and BACs
•
•
No “grandfathered” contracts as proposed
Some BACs “deemed compliant” until September 22, 2014
– To be “deemed compliant” a BAC must be:
• In compliance with pre-HITECH HIPAA BAC requirements
• In effect before January 25, 2013,
• Not apply to agreements or arrangements which are renewed (for
evergreen contracts) or amended before September 23, 2013
– In other words, if the underlying agreement of a BAC is
renewed or amended, the BAC is no longer deemed compliant,
even if the BAC is not amended
– “Deemed compliant” status terminates on the earlier of:
• Renewal or amendment of the underlying agreement, or
• September 22, 2014
© 2013
Christiansen IT Law Privacy/Security/Compliance
70
Questions? Thanks!
© 2013
Christiansen IT Law Privacy/Security/Compliance
71
Related documents
PS-from-HIPAA-to-Meaningful-Use
PS-from-HIPAA-to-Meaningful-Use
Risk Assessment
Risk Assessment
A Guide to Compliant Data Management
A Guide to Compliant Data Management
IAPP presentation - International Association of Privacy Professionals
IAPP presentation - International Association of Privacy Professionals
Maintaining Privacy and Dignity in Care (Fiona Throp)
Maintaining Privacy and Dignity in Care (Fiona Throp)
Merenje koncentracije i trzisne moci privrednih
Merenje koncentracije i trzisne moci privrednih
Lecture for Chapter 2.3 (Fall 09)
Lecture for Chapter 2.3 (Fall 09)
Federal Law and Student Privacy.ppt
Federal Law and Student Privacy.ppt
Instance Based Social Network Representation
Instance Based Social Network Representation
Download
advertisement