Corporation, Securities & Business Law Forum

September 2003 VOL. 49, NO. 1

Statements or expressions of opinion or comments appearing herein are those of the editors or contributors, and not necessarily those of the association or section.

Contents

* Advising corporate clients presented with HIPAA compliance documents: Is your non-health care client a business associate?

* Use document technology to comply with Sarbanes-Oxley: A practice tip

* Case comments

Advising corporate clients presented with HIPAA compliance documents: Is your non-health care client a Business Associate?

By A. Jay Goldstein and Jocelyn F. Cornbleet, FagelHaber LLC

In April 2003, the "Privacy Rule" promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") went into effect.1 The Privacy Rule requires actors in the health care industry, as well as those serving the health care industry, to implement safeguards and protocols that keep patients' protected health information ("PHI") confidential.2 While most discussion has focused on HIPAA's impact on the health care industry itself, its implications for those who serve that industry ("Business Associates") are just as considerable. The requirement that Business Associates either comply with HIPAA or risk losing a health care industry contract creates a financial dilemma for Business Associates, for whom compliance costs may outweigh the expected income. Attorneys need to understand the exact nature of their client's business or service, advise the client accordingly, take into account the financial implications of each decision, and approach compliance in a cost-effective manner.

This article provides a brief background of HIPAA and identifies its impact on Business Associates. (For example, what should your client, who provides janitorial services to a medical practice and has no access to PHI, do when presented with a HIPAA compliance agreement?) Next, we explore the various implications HIPAA may have on a business's decision to provide products or services when faced with this situation. Finally, we focus on the terms and conditions a Business Associate can expect to see in its contractual agreement.

HIPAA, generally

It is essential to first understand HIPAA and what it generally requires. The primary portion of HIPAA was created to secure a patient's PHI, that is, "any individually identifiable health information, whether maintained or transmitted on paper, in electronic format or orally, created or received by a health care provider, health plan, employer or health care clearinghouse"3 (a "Covered Entity") "that may permit the identification of an individual whether by itself or with a combination of other accessible information."4 All patient information pertaining to a mental or physical condition, and any information concerning the provision of health care to a patient, is protected under HIPAA. As a general rule, PHI cannot be disclosed without a patient's written authorization.5 A Covered Entity must implement procedural steps to prevent unauthorized access to, and avoid dissemination of, such information.6

The primary aspects of HIPAA consist of three separate parts.7 The first part, the Transaction Rule, is aimed at reducing administrative costs and burdens in the health care industry by requiring the use of standardized electronic transmission of administrative and financial data. Compliance was required by October 2002; however, one-year extensions to October 2003 were available to entities that filed a compliance plan.8 The second part, the Privacy Rule, provides comprehensive federal protection of PHI, and compliance was required by April 2003.9 Finally, the Security Rule, which took effect in April 2003 (with compliance required of most Covered Entities by April 2005), requires that electronic health care information be protected in storage and in transmission.10

HIPAA's impact on non-health care businesses

The implications of HIPAA trickle down to a wide range of individuals and entities that perform tasks on behalf of Covered Entities. Attorneys should be aware that any business that creates, receives, has access to, uses, or discloses PHI in performing one or more functions on behalf of a health plan or other Covered Entity is classified as a Business Associate.11 Business Associates are not directly subject to HIPAA, but must provide Covered Entities with assurances that they will protect PHI through a signed Business Associate Agreement ("Agreement").12 Business Associates are often subcontractors or service or material providers for the Covered Entity, and range from software vendors to billing and collection services to janitorial services, to name a few. Covered Entities are required to enter into Agreements with their Business Associates.

As the compliance deadline drew near, many Covered Entities performed an internal audit to determine who actually had access to or generated PHI, and sent Agreements to those businesses they had contracted with during a certain timeframe. Some Covered Entities, however, merely sent Agreements to every business with which they had dealings, whether or not that business had access to PHI. Agreements between the Covered Entity and Business Associate were to commence in April 2003, or on the renewal date of an existing yearly agreement, but no later than April 2004.13 Legal representatives should confirm that their corporate clients are properly organized to minimize any potential for individual liability, and should prepare their clients before signing such an Agreement to ensure their compliance with HIPAA.

Not all businesses that contract with Covered Entities need to take measures to be HIPAA-compliant. Parties should be aware that they can only be subjected to HIPAA if they create, receive, or have access to PHI.14 Attorneys should be informed of their client's exact relationship with a Covered Entity and whether that relationship warrants an Agreement at all. Businesses, however, may be pressured to choose between signing an Agreement, even if they do not create, receive or have access to PHI, and losing the revenue earned from the Covered Entity contract. When presented with such an ultimatum, many parties simply cannot afford the loss of revenue and sign the Agreement hoping for the best.

The good news is that, as a general rule, provisions of an Agreement that are not applicable to a party may be moot and therefore not enforceable against it.15 If the provisions are inapplicable to your client, they cannot bind it. Therefore, where a corporate client contracts with a medical office, has no access to PHI, and is confronted with the ultimatum "sign the Agreement or we will take our business elsewhere," many clients elect to sign in order to prevent the loss of revenue from the Covered Entity, subject to the defense that the HIPAA assurances are moot because the client did not create, receive or have access to PHI. It is also crucial that businesses understand their relationship with a Covered Entity so that they do not install costly security systems and other modifications when they do not actually produce, receive or hold any PHI.

A Covered Entity may not disclose PHI to a Business Associate that has not given satisfactory assurances, through an Agreement, that it will safeguard the information. While a business working for a Covered Entity may feel obligated to sign an Agreement to avoid losing the Covered Entity's business and the resulting revenue, there are other considerations when evaluating whether a client should sign. One is the financial obligation of implementing a compliance program, which can be very costly for a small business.

There are also certain requirements a Business Associate must meet in addition to the Agreement, such as creating an employee manual containing HIPAA compliance policies and practices and then training employees on them.16 For those businesses that subject themselves to an Agreement, preparation for HIPAA compliance should start with an inventory of the information they possess and of every transaction in which PHI is produced, processed, transmitted or stored in their facility. For those entities that receive or have access to PHI in electronic form, appropriate technical safeguards (access controls, and protection of PHI both in storage and in transit) should be in place. Attorneys should also be knowledgeable about applicable state law, because each state may adopt a more stringent policy than HIPAA, which may require protective measures beyond what the federal law mandates.

Contract provisions Business Associates can expect in an agreement

Now that your client has decided to sign a Business Associate Agreement, either because it creates, receives or has access to PHI or simply because it does not want to lose revenue, what terms and conditions can the client expect to see? In most cases, a Covered Entity will send its standard Agreement to all businesses it contracts with, leaving little room for revisions. The following terms and conditions must be contained in an Agreement, as required by the Privacy Rule in 45 C.F.R. §164.504(e) (2003):17

* The specification of the permitted and required uses and disclosures of PHI by the Business Associate.

* The prohibition of the Business Associate to use or further disclose PHI other than what is permitted under the Agreement.

* The requirement that the Business Associate will use appropriate safeguards to prevent prohibited uses or disclosures of PHI.

* The requirement that the Business Associate will ensure that any subcontractors or agents to whom it provides PHI will abide by the same restrictions and conditions that apply to the Business Associate.

* The requirement that the Business Associate will provide information regarding their internal practices to the Secretary of Health and Human Services for compliance determination.

* The requirement that when the Agreement terminates, all PHI will be returned or destroyed if feasible. If that is not feasible, the Business Associate will extend the Agreement's protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.

* The requirement that the Business Associate will incorporate all legally required amendments when notified.

* The requirement that if the Covered Entity learns of a pattern of activity or practice of the Business Associate that amounts to a material breach of the Agreement, it will take reasonable steps to cure the violation. If those steps fail, the Covered Entity may terminate the contract where feasible.


Business Associates can expect, at a minimum, to see all of the above provisions in an Agreement.

Attorneys representing Business Associates should be skeptical of additional provisions in the Agreement that are not required by the regulation. Because a Covered Entity that knows of a Business Associate's material breach and fails to act is itself out of compliance, Covered Entities may include provisions that shift some of their exposure, such as indemnity clauses. The penalties for a HIPAA violation range from imprisonment of up to one year and a $50,000 fine when PHI is knowingly disclosed, to imprisonment of up to 10 years and a $250,000 fine when PHI is disclosed with intent to sell it for commercial advantage.18 Fearful of losing the Covered Entity's revenue, a Business Associate may agree to provisions that unnecessarily increase its costs or expose it to unwarranted liability. The Business Associate should be aware that, while it is not required to accept additional risk-shifting provisions in order to form a valid Agreement, it will most likely have little leverage to change or eliminate them. The Business Associate must decide whether to assume the liability or risk losing the Covered Entity's business. In reality, the Covered Entity can take its Agreement elsewhere and will most likely find someone willing to accept the risk and sign.

Many resources are available to assist both attorneys and their clients with HIPAA questions, including the determination of whether a client is a Business Associate and what that requires. Numerous Web sites provide basic factual information about HIPAA and its many provisions. In particular, the Department of Health and Human Services Web site, <http://www.hhs.gov/ocr/hipaa/>, offers summaries of the various provisions of the statute, as well as educational material ranging from a general explanation of HIPAA to fact sheets answering specific questions.19 Both attorneys and clients should be aware that HIPAA is relatively new and untested; there is little history or precedent in its interpretation, application, and enforcement.

Conclusion

The implementation of HIPAA's Privacy Rule has affected both the actors in the health care industry and the outside businesses in contractual relationships with them. Business Associates will be presented with Agreements and must decide whether to sign or face the loss of the Covered Entity's revenue. Business Associates need to be aware of their position, the options they have, and the implications of their decisions. A business that does not create, receive or have access to PHI may simply decide to sign the Agreement and later assert that its HIPAA assurances are inapplicable and therefore unenforceable; a business that does handle PHI must prepare to meet the Agreement's obligations. In every situation, however, Business Associates should have the proper knowledge and be aware of the potential consequences of their actions before they enter into an Agreement.

_______________

1. Health Insurance Portability and Accountability Act, 104 P.L. 191 (1996).

2. 104 P.L. 191 §1173(d)(2)(B).

3. Health Insurance Portability and Accountability Act of 1996, 104 P.L. 191, §160.501 (1996).

4. Id.

5. United States Department of Health & Human Services, "Protecting the Privacy of Patient's Health Information," (2002) at <http://www.hhs.gov/news/facts/privacy.html>.

6. United States Department of Health & Human Services, "Modifications to the Standards For Privacy of Individually Identifiable Health Information--Final Rule," (2002), at <http://www.hhs.gov/news/press/2002pres/20020809.html>.

7. Erin Madigan, States Find New Medical Privacy Rules Costly, Confusing, (2003), at <http://www.stateline.org>.

8. Worklaw Network, HIPAA's Client Alert: Electronic Transaction Standards Deadline is October 15th, 2002, at <http://www.worklawnetwork.net/pdf/HIPAA1.pdf>.

9. Id.

10. Department of Health and Human Services, "HIPAA Administrative Simplification-Security," (2003) at <http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp>.

11. 104 P.L. 191 §1173(d)(2)(D).

12. 45 C.F.R. §164.502(e)(2) (2003); Ned Othman, "The Long Reach of HIPAA's Privacy Rules," Health Care Lawyer, 7, 8 Vol. 19, No. 3 (ISBA, April 2003).

13. United States Department of Health & Human Services, "Protecting the Privacy of Patient's Health Information," (2002) at <http://www.hhs.gov/news/facts/privacy.html>.

14. Department of Health and Human Services, Office for Civil Rights, "For Smaller Providers and Other Small Businesses," (2003) at <http://www.hhs.gov/ocr/hipaa/guidelines/businessassociates.rtf>.

15. Granby Ctr. Assocs. Ltd. Partnership. v. Mayock, 2001 Conn. Super. LEXIS 419, (Conn. Super. Ct., 2001) (stating that provisions that are not applicable to a party cannot be enforceable).

16. 104 P.L. 191 §1173(d) (explaining the security measures that must be taken by parties).

17. 45 C.F.R. §164.504(e) (2003).

18. 104 P.L. 191 §1177(b).

19. Department of Health and Human Services, "Medical Privacy-National Standards to Protect the Privacy of Personal Health Information" (2003) at <http://www.hhs.gov/ocr/hipaa/>.


Use document technology to comply with Sarbanes-Oxley: A practice tip

By John Ellsworth of John Ellsworth & Associates

Sarbanes-Oxley (Section 802, codified at 18 U.S.C. §1519) makes clear that whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States, or any case under Title 11, shall be fined under that title, imprisoned not more than 20 years, or both.


Mission-critical document management obligations such as Sarbanes-Oxley have firms searching for risk remediation solutions. The goal: storage and safeguarding, within a secure environment, of every document that by firm policy potentially falls within the Sarbanes-Oxley dragnet. The archive term: at a minimum, the seven years Sarbanes-Oxley mandates for audit-related records. The document formats: paper, digital, scanned images, e-mail, voicemail, billing data, and the like. The remediation best practice: an audit trail in which every event in a document's life (creation, revision, transmission, receipt) and its metadata is logged, so that alteration or destruction of a record can be detected rather than merely suspected.

Law firms that remediate Sarbanes-Oxley risk with computer technology will get the most from their consulting and build dollars if they extend the project beyond the document audit trail to document management generally. Doing so addresses more of the challenges law firms face today: client satisfaction, cost control, community-building, and knowledge management. A consultant who considers your tomorrows, and how your needs might evolve, will suggest that while you implement Sarbanes risk remediation by audit trail you also look at other snap-in modules that interface with the audit trail technology, because the practice of law is changing dramatically day by day and yesterday's tools and methods do not keep pace.

Consider the changes engendered by firm consolidations, mergers and the dispersal of vital legal expertise across geographically distributed offices. National and multinational firms have become routine, while the mechanics of law practice, especially the handling of documents, the currency of our profession, have grown still more complex. It is easy to see why distributed law firms are under significant pressure from many sides: they must efficiently manage vital legal assets on a national and global level.

States, Continent and Asia, LLP (an imaginary multinational law practice) is a merged firm with offices in four countries. Acknowledging that a lack of office automation has inflated its overhead and that Sarbanes-Oxley poses a risk it must remediate, States Continent is looking to consolidate Web-based audit trail, document management, collaboration, portal access, and knowledge management modules in an integrated suite.

Moreover, States Continent knows it must somehow create a feeling of community between its clients and the responsible attorneys with whom they will work side by side, if only in a virtual sense. Often the closest a flesh-and-blood client in Ireland will ever get to the IP attorney in Chicago is the video-conference screen.

Accordingly, States Continent wants to manage its work product efficiently and create virtual workspaces in which colleagues and clients can collaborate securely through its extranet or Internet solution. Firm management calculates that by adopting such docu-collab technology the firm will enjoy significant cost savings while building stronger and more profitable client relationships and services. States Continent will likewise meet the ever-increasing pressure on law firms to present a single unified face to clients who demand higher levels of service while controlling legal fees and costs.

In this era of market-savvy purchasers of legal services, States Continent's marketing team also likes what docu-collab technology offers for attracting new business: the faster a law firm can publish its best work product to its clients, the happier and more competitive the client, and a happy client is always the best referral source. In today's tight economy, marketing has been scrambling for ways to increase revenue by cross-selling services and by building high-value practice areas and client relationships that yield higher profits without increasing costs to the client. Finally, States Continent means to position itself as a front-runner, and a front-earner, in the 21st century. States Continent wants to know whether existing docu-collab technologies will enable it to reach its goals. Its RFP sets out those goals:

* Document storage, indexing, and retrieval

* Full-text document search

* Keyword search

* Wildcard search

* Calendar dates search

* Audit trail (retrievable document metadata such as date and time of document creation, creator identification, reviser identification, recipient identification, means of transmission, confirmation of receipt, revision history, revision notes, document type [paper, email, voicemail, scanned images, billing data and so forth])

* Site, storage and transmission security

* Collaboration facilitation attorney-client, attorney-attorney, attorney-other

* Portal access

* Web-based interface

* Knowledge management

* Client data driven "screen pops" to give the attorney a quick update on a client matter when a phone call is received

* Administrative pages capable of broadcasting messages to any group of firm employees (secretarial, professional, administrative, all), setting global site and security features, logging of attempted security breaches, and logging of all site events selected by the site administrator
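The audit trail item above lists the metadata a document event should carry (time, creator or reviser identification, means of transmission, revision notes, document type), and the Section 802 language at the top of this piece is aimed squarely at records that are altered after the fact. An audit log only helps with that if the log itself cannot be quietly edited. The following is an added illustration by the editor, not code from the article or from any product the firm's RFP describes: each log entry records the listed metadata and commits, by hash, to the entry before it, so that editing, deleting or reordering any earlier entry is detected on verification. The document identifiers, actors, timestamps and contents in `demo()` are constructed sample data.

```python
"""Hash-chained document audit trail (illustrative; not from the article)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass
class AuditEvent:
    seq: int
    timestamp: str        # ISO-8601, UTC
    document_id: str
    document_type: str    # paper, email, voicemail, scanned image, billing data ...
    action: str           # created, revised, transmitted, received
    actor: str            # creator / reviser / recipient identification
    transmission: str     # means of transmission ("" if none)
    note: str             # revision notes
    content_sha256: str   # digest of the document version this event concerns
    prev_hash: str        # entry_hash of the preceding event (the chain link)
    entry_hash: str = ""  # digest over every field above


def compute_entry_hash(ev: AuditEvent) -> str:
    """SHA-256 over the event's fields in canonical JSON, excluding entry_hash itself."""
    fields = {k: v for k, v in asdict(ev).items() if k != "entry_hash"}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    """Append-only log. Because each entry commits to its predecessor, changing
    any earlier entry breaks its own digest and every link after it."""

    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record(self, document_id: str, document_type: str, action: str, actor: str,
               content: bytes, transmission: str = "", note: str = "",
               timestamp: Optional[str] = None) -> AuditEvent:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.events[-1].entry_hash if self.events else GENESIS_HASH
        ev = AuditEvent(seq=len(self.events), timestamp=ts, document_id=document_id,
                        document_type=document_type, action=action, actor=actor,
                        transmission=transmission, note=note,
                        content_sha256=hashlib.sha256(content).hexdigest(),
                        prev_hash=prev)
        ev.entry_hash = compute_entry_hash(ev)
        self.events.append(ev)
        return ev

    def verify(self) -> Optional[int]:
        """Return the seq of the first inconsistent entry, or None if the chain is intact."""
        expected_prev = GENESIS_HASH
        for i, ev in enumerate(self.events):
            if (ev.seq != i or ev.prev_hash != expected_prev
                    or ev.entry_hash != compute_entry_hash(ev)):
                return i
            expected_prev = ev.entry_hash
        return None

    def history(self, document_id: str) -> List[AuditEvent]:
        """Revision history of one document, in the order events were logged."""
        return [ev for ev in self.events if ev.document_id == document_id]


def demo() -> dict:
    """Constructed sample: a memo is created, revised and e-mailed; then a
    revision note is edited after the fact and the chain is re-verified."""
    trail = AuditTrail()
    trail.record("memo-0042", "email", "created", "jdoe", b"Draft v1",
                 note="initial draft", timestamp="2003-09-01T09:00:00+00:00")
    trail.record("memo-0042", "email", "revised", "asmith", b"Draft v2",
                 note="added clause 4", timestamp="2003-09-01T11:30:00+00:00")
    trail.record("memo-0042", "email", "transmitted", "asmith", b"Draft v2",
                 transmission="smtp", note="sent to client",
                 timestamp="2003-09-02T08:15:00+00:00")
    intact = trail.verify()                     # None: chain is consistent
    trail.events[1].note = "removed clause 4"   # silent after-the-fact alteration
    tampered = trail.verify()                   # 1: that entry's digest no longer matches
    # Even if the tamperer re-hashes the altered entry, the next entry still
    # carries the old prev_hash, so the break simply moves one entry later.
    trail.events[1].entry_hash = compute_entry_hash(trail.events[1])
    rehashed = trail.verify()                   # 2
    return {"intact": intact, "tampered_at": tampered, "rehashed_caught_at": rehashed,
            "memo_events": len(trail.history("memo-0042"))}


if __name__ == "__main__":
    print(demo())
```

The chain makes alteration evident only relative to its head: someone who can rewrite the whole log from the altered entry onward would leave a consistent chain. In practice the latest `entry_hash` is therefore periodically copied somewhere the log's administrators cannot change (write-once media, a signed daily record held by a second party), and `verify()` is run against that anchored value rather than against the log alone.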
