But I Don't Think HIPAA Applies to Me

by Heather Hughes, J.D., CHPC

Most legal professionals have heard of HIPAA (the Health Insurance Portability and Accountability Act of 1996), but unless they have healthcare clients, most view it simply as a nuisance and a barrier to obtaining the records and documents they need for discovery. Following HIPAA guidelines can actually help a law firm reduce its risk of a data breach of the personal, sensitive and financial information of its clients and employees. Law firms possess medical, personal and financial information on their clients as well as intellectual property. All of this is valuable to cybercriminals, who use it for identity theft and other fraud. According to the FBI, many of the cybercriminals perpetrating these attacks against U.S.-based corporations operate from overseas, and in March 2016 the FBI warned law firms about potential cyber-attacks as law firms move up the list of cybercriminals' targets.

HIPAA and HITECH

Healthcare providers, health insurance organizations and healthcare clearinghouses are all considered covered entities under HIPAA and must comply with the Physical, Technical and Administrative Safeguards of the HIPAA Security Rule. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, extended those obligations to business associates: covered entities must ensure their business associates comply with the same regulations, and business associates must report any breaches. Some of the HIPAA requirements include:

• Policies for storage and destruction of Protected Health Information ("PHI") in paper and electronic form (such as paper shredding and proper destruction of computer hard drives)
• Training for all employees on privacy and security
• IDs, auto log-off and passwords on all devices used to access company information (including any device capable of receiving work email)
• Utilizing secure connections (such as a VPN) when accessing client data. Unsecured WiFi (cafes, hotels, airplanes) can be easily exploited by cybercriminals to access client and firm information.
• Transmission security (email, cloud-based services, FTP sites, etc.)
• Encryption of laptops, flash drives and CDs containing medical or sensitive information
• Malware protection, firewalls, disaster recovery plans and server redundancy
• Physical security of office spaces to ensure no unauthorized access
• Documentation and policies to address security incidents

www.uslegalsupport.com

Winter 2016 33

Law firms that receive PHI while representing covered entities are business associates of the healthcare entity and are required to conduct a HIPAA risk assessment to determine their compliance with the HIPAA Privacy and Security Rules. In addition, there must be a business associate agreement (BAA) between the law firm and its healthcare client, as well as between the law firm and all outside vendors and experts. The BAA must comply with 45 CFR 164.504(e) and should be signed by every vendor and expert who assists the legal team and may access PHI on its behalf. This includes court reporting firms, record retrieval companies, legal copy companies, cloud-based storage companies, outsourced IT consultants and medical experts. BAAs should be signed by all vendors and consultants to ensure they are also following all of the required safeguards. Without a BAA, a corporation or law firm may be liable if its vendor or consultant suffers a breach. A breach occurs when an impermissible use or disclosure compromises the security or privacy of PHI; notice must then be provided to the affected individuals, to the Secretary of Health and Human Services (HHS), and, for breaches affecting 500 or more residents of a state, to the media. Some examples of breaches include: a lawyer's unencrypted laptop is lost or stolen, a briefcase containing case medical records is left on an airplane, a file containing medical information is thrown into the trash instead of a locked shred-bin, an iPhone with no passcode or timeout is stolen, or a server is hacked. HHS conducts audits of both covered entities and their business associates and can impose civil penalties of up to $1.5 million per calendar year for violations of an identical provision. Phase Two of the HHS audits began in March 2016, and law firms may be included along with other types of business associates. HITECH also gave the state attorneys general the power to enforce HIPAA through civil actions and to impose fines and penalties.

Data Breach Notification Laws

34 National Paralegal Reporter®

Forty-seven states now have data breach notification laws that are much broader than HIPAA. These laws require businesses and law firms to maintain the security of personal, sensitive and financial information. Depending on the state, this can include credit and debit card information, income tax information, Social Security numbers, driver's license numbers, insurance policy numbers and other types of personal information that law firms and corporations obtain in the regular course of business. Attorney-client privileged communications are also at risk if proper data security safeguards are not implemented. Which notification law applies is determined by the state where the affected individual resides, not only the state where the business or law firm is located, and it does not matter whether the individual is a client. This impacts law firms as well as corporations like insurance providers that may have plaintiffs, policy holders or claimants in many different states. One unencrypted laptop could contain sensitive information on individuals in 10 different states, and the attorneys would need to research the data breach notification laws in each of those states.

All 47 states require that businesses notify the affected individuals of a breach. Some also require notification of the credit reporting agencies and the state attorney general, depending on the number of individuals involved. Some states set fixed time periods for notification to individuals; others require notification within a "reasonable time" or "the most expedient time possible and without unreasonable delay."

• Florida: The Florida Information Protection Act (FIPA) requires notification to individuals within 30 days of discovery of the breach, and businesses are fined $1,000 per day after the 30 days
• Ohio, Rhode Island, Vermont, Washington & Wisconsin: must notify individuals within 45 days of discovery of the breach
• Connecticut: must notify individuals within 90 days of discovery of the breach

Sixteen states allow a private cause of action for data breach notification violations, some under the state's unfair or deceptive trade practices act and some under the state's consumer protection act. It is important that businesses and law firms discuss breach protocols with their vendors and experts to ensure prompt notification of any suspected breach; several large-scale data breaches have occurred because of a third-party vendor's lack of security.

Encryption is a safe harbor under the data breach notification laws of several states: the statute does not apply to information that is encrypted or redacted, so long as the encryption key was not also accessed or acquired. This is another reason to encrypt all hard drives in computers and laptops as well as any flash drives or CDs that contain personal, sensitive, medical or financial information. Note that full-disk encryption protects data at rest: a laptop stolen while powered on and unlocked exposes the decrypted data, so encryption must be paired with the passwords, screen locks and auto log-off the Security Rule already requires. Leased equipment such as copiers, scanners and fax machines also contains hard drives; those drives should be removed and destroyed or electronically "wiped clean" when the equipment is no longer in use.

Cybercriminals are constantly improving their techniques for acquiring medical, personal and financial information. Businesses and law firms risk violating HIPAA, data breach notification laws and their own Bar rules on client confidentiality by not ensuring that their data is secure. In addition, many clients now require that their outside counsel prove they have taken the required steps to protect client data in order to continue the representation. Reviewing the HIPAA Security Rule Safeguards requirements should be the starting point for any law firm's data security team. Data security should become a top priority for all law firms as well as their vendors and experts.

Heather L. Hughes, J.D., CHPC is the HIPAA Privacy Officer for U.S. Legal Support. Heather is certified in Healthcare Privacy Compliance and has over twenty years' experience in HIPAA compliance. She has been an author and presenter on HIPAA, HITECH and data breach for numerous national and local legal organizations over the past ten years, and she also presents CLEs for law firms across the country. Heather can be reached at: [email protected]
