New federal health care regulations and state law have made data security for lawyers to whom these rules apply a matter requiring new attention.
by Jett Hanna
Regulations under HIPAA (the Health Insurance Portability and Accountability Act) promulgated by the federal Health and Human Services Department, and effective on September 23, 2013, extend the data security obligations of health care providers and insurers, known as covered entities, to a broad class of business associates, which can include lawyers and law firms. This article will discuss the nature of the obligations and penalties that could affect lawyers under these regulations.
Data Security Obligations without HIPAA
Before examining the new HIPAA regulations, lawyers should understand that data security is, and always has been, an important part of their practice. The rules of ethics impose requirements of confidentiality on lawyers with regard to their clients’ privileged and non-privileged information under Rule 1.05 of the Texas Rules of Disciplinary Conduct. Recently, in consideration of changes in the way client data is stored, the ABA amended its similar rule, Rule 1.6, to require lawyers to use “reasonable efforts” to protect client confidences. Such a duty may have been implied by the rule as it existed. Data security is thus an important attorney duty to clients even absent any laws applying to data generally or to specific types of data.
In recent years, most states have adopted laws requiring that certain types of data must be protected from disclosure to third parties. These laws typically have extended to personally identifiable and sensitive information of various types, and do not depend upon a fiduciary relationship as do obligations derived from legal ethics. In Texas, businesses must
“implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.”
Texas Business and Commerce Code Section 521.052.
In addition to items such as Social Security numbers, driver license numbers, account numbers, birth dates, and immediate relatives, “sensitive personal information” includes
“the physical or mental health or condition of the individual, the provision of health care to the individual (and) payment for the provision of health care to the individual.”
Texas Business and Commerce Code Section 521.001(2)(B).
The general law also requires notification in the event of breach of security of computerized data. Such notification is required when sensitive personal data “was, or is reasonably believed to have been, acquired by an unauthorized person.” Texas Business and Commerce Code Section 521.053(b). Compromise of encrypted data does not trigger notification requirements unless the person obtaining the data has a key to decrypt the data.
Most other states have similar laws, though the exact requirements of the laws can vary widely. http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx There has recently been some suggestion that a national law is needed in light of recent high profile cases and to prevent the need to comply with 50 different sets of state regulation. http://www.insurancejournal.com/news/national/2014/02/12/320228.htm
HIPAA Application and Requirements
Lawyers qualify as business associates when they receive personal health information (PHI) from covered entity clients in the course of providing legal services. 45 CFR §161.103 subpart (1)(ii). Merely receiving data from a health care provider or insurer who is not a client would not subject a lawyer or law firm to HIPAA regulation, though other law such as the Texas general data breach law does impact use and security of the information.
HIPAA was amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Under the original regulations, covered entities such as health care providers and insurers were required to contract with business associates who receive PHI under a form Business Associate Agreement. This required the business associate to meet the same obligations that the covered entities have under the act. Business Associate Agreements are still required under the final rules, so lawyers who qualify as business associates under the act should make sure that they have such a contract with their covered entity clients. Under the new final rule, business associates are directly responsible for meeting the requirements of the regulations and can be fined for failing to do so, regardless of whether they have the required Business Associate Agreement with their client. Such contracts with clients will need to be rewritten to comply with the new regulations.
It should be understood that the final rule also extends data security obligations to subcontractors. A law firm thus might represent a vendor that deals with a covered entity. If the vendor receives PHI from a covered entity, and the firm receives PHI in the course of providing legal services to the vendor, the firm could be subject to security rules and the client may need to be advised about how to comply with the regulations. One troubling aspect of the regulations is that downstream contractors are less likely to know they have PHI and might not take sufficient precautions under the regulations.
The security rules under HIPAA require planning and implementation of security procedures as well as actions that must occur in the event of a breach of security. Business associates must document that they have conducted a risk analysis to determine the nature of the risks and implement procedures to reduce risks to reasonable levels. The regulations recognize that the amount of data and size of the business associate’s operation may influence the reasonableness of security procedures. A reasonableness standard is very consistent with that noted under the Model Rules, but would be applied to clients as well as non-clients. The rules require appointment of a “security official” who oversees a business associate’s implementation of security rules. The law requires random inspection of business associates, so documentation and appointment of a security official are important.
The rules also detail how PHI can be used and disclosed. This effectively mandates training of employees who will receive and have access to PHI. Law firms that are business associates or subcontractors of business associates thus need training in the particular requirements for use and disclosure of PHI.
In the event of a breach of data security, the new regulations change the way the need to report or disclose the breach is determined. Rather than require reporting only if the breach is considered significant, the new regulations create a rebuttable presumption that breaches are reportable unless the covered entity or business entity demonstrates a low probability of compromise of PHI. 78 Fed. Reg. 5641.
The Texas Extension of HIPAA
Effective September 1, 2012, Texas enacted significant changes in its health care privacy law, Texas Health and Safety Code Chapter 181, known as the Texas Medical Records Privacy Act. In some respects, the Texas law anticipated some of the changes ultimately reflected in the final HIPAA regulations. In others, the law far exceeds the scope of HIPAA. Lawyers and law firms could be subject to the Texas law as a “covered entity” if they merely come “into possession of protected health information.” Section 181.001(b)(2)(B).
Section 181.101 sets out specific training requirements that apply to covered entities. A set of penalties and injunctive relief beyond those under the HIPAA regulations is authorized under Section 181.201 of the Texas law. Violation of the law can subject the violator to loss of licenses under Section 181.203. Audits under HIPAA are to be reviewed by the state authorities, and the state can conduct its own audits. The regulations issued pursuant to the Texas Medical Records Privacy Act also point out no fewer than 40 additional laws that may apply to confidential information. TAC Title 1, Part 15, Chapter 390, Subchapter A, Rule §390.2 (http://info.sos.state.tx.us/pls/pub/readtac$ext.TacPage?sl=T&app=9&p_dir=N&p_rloc=160395&p_tloc=&p_ploc=1&pg=5&p_tac=&ti=1&pt=15&ch=390&rl=2). The Texas Attorney General has promulgated a form for authorizing disclosure of protected health information under the Texas Medical Records Privacy Act. https://www.texasattorneygeneral.gov/files/agency/hb300_auth_form.pdf
The Future
Legislation is pending in Congress which could further tighten data security requirements for lawyers and other businesses. Congress Moving To Tighten Commercial Data Security in U.S., April 2, 2014, http://philadelphia.cbslocal.com/2014/04/02/congress-moving-to-tighten-commercial-data-security-in-u-s/. Law firms should keep abreast of developments in data security law, and consider ways to strengthen data security regardless of the development of the law.
Conclusion
New federal health care regulations and state law have made data security for lawyers to whom these rules apply a matter requiring new attention. Some aspects of these laws may apply to any lawyer. For the most part, the security procedures and training required by these rules are consistent with traditional legal ethics requirements, but the rules applicable to non-clients require a change of focus to adequately assess the need for data security.