By: N. Nedim Halicioglu
Neil, Dymott, Frank, McFall & Trexler APLC
San Diego, CA
Health information privacy changes that take effect February 17, 2010 will require business associates of healthcare providers, including law firms who represent health care professionals, to reevaluate how they handle medical records.
The American Recovery and Reinvestment Act of 2009, also known as the “Stimulus Package,” was intended to provide a boost to the US economy. The Stimulus Package also included approximately $147 billion in funding for various healthcare-related programs in the form of the “Health Information Technology for Economic and Clinical Health Act (HITECH).” Section 13401 of the Stimulus Package explicitly applies the security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to “business associates” of healthcare providers.
HIPAA defines a business associate as any entity that performs any function involving protected health information (PHI) on behalf of a healthcare provider. This definition can include not only law firms, but also retained medical experts, court reporting services and accounting firms that come into contact with PHI. The Stimulus Package provisions will specifically affect the legal representation of medical professionals and the handling of medical records. What does this mean for business associates? Under HITECH, the Security Rule of HIPAA now applies to business associates. The Security Rule deals only with electronic PHI (ePHI). Electronic PHI is any personal health information that is in electronic form, whether on a CD-ROM, a hard drive, or a flash drive. The Security Rule focuses on three main types of safeguards for ePHI: administrative safeguards, technical safeguards and physical safeguards. It is important that business associates implement these safeguards in order to ensure they are compliant with the HITECH Act. All business associates are expected to be compliant as of February 17, 2010.
Administrative Safeguards
The goals of the administrative safeguards are to ensure that an entity has the proper policies and procedures in place to ensure that ePHI is protected. The first requirement is that a thorough risk analysis be conducted. There is no mandatory format for the risk assessment, only that one be carried out to assess the vulnerability of ePHI. The second is that risk management measures be in place. Essentially, this is documentation of the measures taken to implement the security standards. The third is a sanctions policy that provides appropriate sanctions against workforce members who violate security policies; it must apply to all workforce members equally. The fourth specification is that information system activity reviews be conducted regularly. This requirement acts as a security auditing and monitoring requirement and is something that can be conducted quarterly.
Technical Safeguards
The technical safeguards will likely be the most burdensome measures for business associates to implement. These are rules for workplace security of health information. These regulations require a formal authorization process for employees accessing ePHI, as well as policies regarding employees who leave the workplace. The Security Rule requires that a business associate implement security awareness and training programs for members of its workforce. This must include periodic security updates, for example a quarterly newsletter or email reminding workforce members of the important rules to follow in order to maintain the security of protected information. Business associates must also now implement “log-in monitoring.” Essentially, some procedure must be in place to monitor unsuccessful log-in attempts to any electronic network that includes ePHI. Typically, after 3 to 5 unsuccessful log-in attempts, a user’s access should be disabled at least temporarily. There are no specific rules as to how many log-in attempts are too many. The rules merely require that some procedure be in place to monitor unsuccessful log-in attempts and to track discrepancies. Finally, HIPAA requires that there be some procedure in place for creating, changing and safeguarding passwords. There are obvious measures an organization can take, such as requiring that passwords be changed every 90 days and/or requiring fairly robust passwords.
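As an added illustration of the log-in monitoring procedure described above (example code written for this article, not part of the original text or any product), the script below reads a constructed audit-log format, counts failed log-ins per user inside a sliding window, records when the count reaches a lockout threshold, and flags a success that arrives right after such a burst as a discrepancy for review. The log format, the default threshold of 5 (the text says 3 to 5) and the 15-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example only (not any real product's format):
#   YYYY-MM-DD HH:MM:SS LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
                     r"(?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
# Constructed sample: jdoe fails five times in a minute, then succeeds from another address; asmith's two failures are far apart.
SAMPLE_LOG = """\
2010-02-17 09:00:01 LOGIN_FAIL user=jdoe src=10.0.0.5
2010-02-17 09:00:09 LOGIN_FAIL user=jdoe src=10.0.0.5
2010-02-17 09:00:20 LOGIN_FAIL user=jdoe src=10.0.0.5
2010-02-17 09:00:31 LOGIN_FAIL user=jdoe src=10.0.0.5
2010-02-17 09:00:40 LOGIN_FAIL user=jdoe src=10.0.0.5
2010-02-17 09:00:52 LOGIN_OK user=jdoe src=10.0.0.9
2010-02-17 10:30:00 LOGIN_FAIL user=asmith src=10.0.0.7
2010-02-17 11:00:00 LOGIN_FAIL user=asmith src=10.0.0.7
"""

def parse_line(line):
    """Return (timestamp, event, user, src), or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["event"], m["user"], m["src"]

def monitor(log_text, threshold=5, window=timedelta(minutes=15)):
    """Sliding-window count of failed log-ins per user. Returns (lockouts, discrepancies):
    lockouts maps user -> time the count first reached `threshold` (disable access at
    least temporarily); discrepancies lists (time, user, src) for a success that follows
    a burst of >= threshold failures. Threshold (3 to 5 in the text) and window are assumptions."""
    failures = defaultdict(deque)            # user -> timestamps of recent failures
    lockouts, discrepancies = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                         # unparsable line: skip, do not crash
        ts, event, user, src = rec
        q = failures[user]
        while q and ts - q[0] > window:
            q.popleft()                      # expire failures that left the window
        if event == "LOGIN_FAIL":
            q.append(ts)
            if len(q) >= threshold and user not in lockouts:
                lockouts[user] = ts
        else:
            if len(q) >= threshold:          # success right after a burst
                discrepancies.append((ts, user, src))
            q.clear()                        # a success ends the failure streak
    return lockouts, discrepancies
```

Running `monitor(SAMPLE_LOG)` locks jdoe at 09:00:40 and reports the 09:00:52 success from 10.0.0.9 for review, while asmith's two widely spaced failures never reach the threshold.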
Physical Safeguards
These measures are aimed at protecting against inappropriate access to ePHI. They include specific regulations regarding workstations that have access to ePHI. Specifically, a business associate is required to implement policies and procedures specifying what functions a workstation can be used for. Further, there must be regulations in place restricting access to workstations to authorized individuals. HIPAA also outlines some general rules for devices and media used to store ePHI. Specifically, a business associate must have policies in place regarding the proper way to dispose of electronic hardware and media. These policies must be designed to render any ePHI inaccessible to anyone else. Further, a business associate must implement procedures regarding: re-using media, maintaining accountability of hardware and electronic media, and maintaining a data backup system.
Many of these regulations may already be addressed in a company’s employee handbook; however, it is important to review your current handbook to ensure compliance with these new regulations.
In addition, these security requirements now must be incorporated into business associate agreements between the business associates and covered entities. This requirement makes it necessary to reevaluate existing business associate contracts to ensure that they cover all of the required HIPAA security regulations that must be implemented by the business associate.
Finally, the HITECH Act also included provisions requiring business associates to comply with the new reporting rules, set out in section 13402 of the Stimulus Package, in the event of a breach of PHI. These rules require a business associate to immediately report a breach of PHI to the covered entity health care provider. Violations of these new rules can result in penalties to business associates of up to $50,000 per violation. The Department of Health and Human Services (HHS), which enforces the rules of HIPAA, has identified that properly encrypted data is not subject to the breach notification required under the HITECH Act. One feasible encryption scenario for your firm may be working towards encrypting any ePHI data that routinely leaves your office, for instance, when storing backup database information at offsite locations. However, encrypting all of your firm’s ePHI may not be feasible, and is not required under the HITECH Act.
Whether or not HHS will begin auditing business associates for compliance remains to be seen. However, even with the obvious privilege conundrums such audits would cause, the new rules appear to give HHS the authority to conduct them. For now, covered entities and business associates must ensure they are compliant with these new specifications. What this means for business associates, including law firms handling ePHI, is that now is the time to implement the security features required under HIPAA and to take a look at existing contracts with healthcare providers and other business associates. The following is a sample of just some of the kinds of questions you may want to take into consideration when reviewing your firm’s compliance with the HIPAA Security Rule:
| SAFEGUARD | STATUS (Complete, n/a) |
| --- | --- |
| Technical Safeguards | |
| Have you implemented technical policies and procedures for electronic information systems to allow access only to those persons or software that have been granted access? | |
| Have you assigned a unique name and/or number for identifying and tracking user identity? | |
| Do you have procedures for obtaining necessary ePHI during an emergency? | |
| Do you have procedures in place to terminate an electronic session after a period of inactivity? | |
For more information on Neil Dymott, visit the International Society of Primerus Law Firms or neildymott.com.