On February 17, 2009, President Obama signed The American Recovery and Reinvestment Act of 2009, better known as the “Stimulus Bill.”1 The Stimulus Bill amended the Health Insurance Portability and Accountability Act (“HIPAA”) mandating that Business Associates of covered entities now comply with the several provisions of HIPAA, including those relating to security and privacy. The Stimulus Bill further provides a stricter enforcement provision for compliance failures. This means that more entities than ever before now have to deal with HIPAA issues during litigation. Proper preparation will provide the tools necessary to overcome the potential obstacles.
Changes to HIPAA that Affect Business Associates
A “business associate,” as defined under HIPAA, includes a person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to a covered entity (e.g., a health plan, a health care clearinghouse, or a health care provider), where the terms of service involve the disclosure of individually identifiable health information.2 Therefore, under this definition, attorneys, accountants, actuaries and others representing a health insurer, health care provider, or other covered entity qualify as Business Associates. Before the Stimulus Bill, Business Associates were not subject to most HIPAA provisions such as those relating to security, privacy, and notification. However, the Stimulus Bill significantly changed the responsibilities of Business Associates by making several key HIPAA provisions applicable to them.
Formerly under HIPAA, provisions relating to security and privacy of protected health information (PHI) only applied to covered entities. Business Associates merely had to comply with the written business agreements with the covered entity, which may or may not have contained privacy and security measures that met HIPAA standards. However, under the Stimulus Bill effective on February 17, 2010, the HIPAA security and privacy provisions were extended to Business Associates.3 Therefore, for the first time, Business Associates must take measures to protect PHI and failure to comply with either the security or privacy provisions will subject the Business Associate to civil and criminal penalties.4
The Stimulus Bill extended several security provisions to Business Associates. The specific security provisions that now apply to Business Associates include: (1) administrative safeguards contained in 45 C.F.R. § 164.308; (2) physical safeguards contained in 45 C.F.R. § 164.310; (3) technical safeguards contained in 45 C.F.R. § 164.312; and, (4) policies, procedures, and documentation requirements contained in 45 C.F.R. § 164.316.5 These new requirements place a substantial burden on Business Associates. For example, Business Associates, among other things, now have to:
• Conduct an accurate and thorough risk analysis to identify the potential risks and vulnerability to the confidentiality, integrity, and availability of electronic PHI;6
• Implement procedures to systematically review records of information system activity, such as access reports and security incident tracking reports;7
• Implement physical safeguards for all workstations that access PHI and restrict such access to authorized users;8
• Assign a unique number or name for identifying and tracking user identity;9
• Implement hardware, software, and/or procedural devices that record and examine activity in information systems that contain or use electronic PHI.10
Currently, a considerable amount of confusion exists regarding what technologies and methodologies should be used to protect PHI (i.e., is e-mail required to be encrypted? if so, what software programs are adequate?). Fortunately, under the Stimulus Bill, the Secretary of the Health and Human Services (HHS) is required to issue annual guidance on the specific technical safeguards that a covered entity or Business Associate should employ to secure PHI.11
The Stimulus Bill also extended HIPAA privacy provisions to Business Associates. Under the Stimulus Bill, Business Associates that obtain or create PHI pursuant to a written agreement now have a legal duty to ensure that their use and disclosure of PHI is in compliance with 45 C.F.R. 164.504(e).12 Section 164.504(e) provides the terms that must be in a contract between a covered entity and a Business Associate.13 For example, the provision requires that contracts between Business Associates and covered entities establish the permitted and required uses and disclosures of PHI.14 In addition, Business Associates for the first time have a duty to monitor the cover entity’s compliance with the contact between it and the covered entity. Under the Stimulus Bill, Business Associates are not in compliance with HIPAA standards if they are aware of a pattern of activity or practice of the covered entity that constitutes a material breach or violation of the covered entity’s obligation under the agreement, unless the Business Associate has taken reasonable steps to cure the breach or stop the violation.15 If the reasonable steps taken by the Business Associate are unsuccessful, then the Business Associate must either terminate the contract with the covered entity (if feasible) or report the problem to the Secretary of HHS.16
Before terminating the contract with the covered entity or reporting the problem to HHS, an attorney who qualifies as a Business Associate should review the Illinois Rules of Professional Conduct to ensure that such actions do not violate his or her professional responsibilities. In particular, Rules 1.6, 1.13 and 1.16 should be reviewed. Under Rule 1.6, a lawyer is generally prohibited from revealing information relating to the representation of a client.17 However, a lawyer is permitted to reveal confidential information that the lawyer reasonably believes is necessary to comply with “other law.”18 Rule 1.13 relates to the representation of an organization as a client. If a lawyer for an organization is aware of a matter “that is a violation of a legal obligation to the organization and that is likely to result in substantial injury to the organization,” then the lawyer must take actions that he or she believes to be in the best interest of the organization, which may include referring the matter to the highest authority that can act on behalf of the organization.19 Finally, under Rule 1.16, a lawyer must withdraw from the representation of a client if the representation will result in the violation of “other law.”20 However, court approval or notice to the court may be required before a lawyer withdraws from pending litigation.21
The privacy and security rules newly applicable to Business Associates must be incorporated into the business associate agreement.22 Covered entities and Business Associates will need to identify all existing business associate agreements and incorporate these privacy and security rule obligations if they are not already included in the agreement. If a business association agreement is not already in place, then the Business Associate and covered entity will need to carefully draft such an agreement to ensure that the necessary privacy and security requirements are included. Moreover, any additional requirements of the Stimulus Bill that relate to security and privacy that are applicable to covered entities are also applicable to Business Associates, and must be incorporated into the business associate agreement between the Business Associate and the covered entity.23
The Stimulus Bill also expanded the notification requirements for a security or privacy breach and has extended them to Business Associates. Previously, a covered entity was not required to notify individuals of such breaches unless it determined that notification was necessary to mitigate damage to the individual. Under the Stimulus Bill, both covered entities and Business Associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose “unsecured” PHI must now provide notice to certain parties in the event of a breach.24 Additionally, if the breach involves 500 or more individuals, notice of the breach must be immediately given to the Secretary of HHS, which will post information relating to the breach on its Web site.25 Media outlets must also be contacted if the breach affects more than 500 residents of a particular state or jurisdiction.26
Another change that affects Business Associates is a new obligation of certain organizations that provide data transmission services for protected PHI to a covered entity or a Business Associate to enter into a written agreement with the covered entity or Business Associate.27 The agreement between the organization and covered entity or Business Associate must meet all of the applicable HIPAA requirements.28
The Stimulus Bill also contains several enhanced enforcement provisions, which are applicable to Business Associates. For example, the Secretary of HHS must formally investigate any complaint of a privacy or security violation if the preliminary investigation indicates that the alleged violation is due to willful neglect, and if such violation is found, civil penalties will be imposed.29 Furthermore, an individual who is harmed by a security or privacy violation may be entitled to receive a percentage of any civil monetary penalty or settlement collected, giving individuals more reason to claim harm.30 Another enforcement change is a tiered increase in the amount of the civil monetary penalties based on whether the violation was (1) triggered by a person who did not know (and by exercising reasonable diligence would not have known) that he caused a violation, (2) due to reasonable cause and not to willful neglect, or (3) due to willful neglect,31 with the civil penalties per violation ranging from $100 to $50,000, respectively.32 Further, state Attorneys General now have the authority to bring a civil action in U.S. District Court on behalf of a resident who has been threatened or adversely affected by a person who caused a violation.33 Moreover, the Secretary of HHS is required to conduct periodic audits to ensure that covered entities and Business Associates are in compliance with HIPAA.34
Another change mandated by the Stimulus Bill is that the Secretary of HHS must issue a new “minimum necessary” standard.35 The general rule under HIPAA is that if a covered entity is using PHI for any purpose other than for treatment purposes, e.g., litigation, then it must provide only the “minimum necessary” information to accomplish the purpose of the use or disclosure.36 Until a new “minimum necessary” standard is issued, standard practice for covered entities or Business Associates should be to limit PHI, to the extent possible, to a “limited data set.” A “limited data set” is PHI that excludes indentifying information such as name, telephone number and street address (including town/city, state and zip code is allowed).37 If it is not possible to limit the use or disclosure to the limited data set, then the covered entity or Business Associate must apply the minimum necessary standard. The new “minimum necessary” standard is required to be issued within eighteen months of enactment.38 Moreover, the Stimulus Bill does not affect the use, disclosure or request of de-identified health information.39
The Effect on Litigation
During litigation, a litigant may be required to use such things as marketing materials, health care records or health care forms to support its case.40 All these forms of evidence, however, may contain PHI, which must be protected under HIPAA.41
Under the Stimulus Bill, attorneys representing health insurers, health care providers, or other entities covered under HIPAA now share in the responsibility of keeping PHI secure and private. These new responsibilities add greater obstacles for attorneys to overcome during trademark litigation.
Methods for Overcoming HIPAA’s New Obstacles
Although much more is now expected from attorneys who fall under the definition of Business Associate, it is still possible to comply with the new changes to HIPAA while engaging in effective representation.
First, attorneys representing health insurers, health care providers, or other covered entities must ensure that new and existing business associate agreements are HIPAA compliant. In addition, business associate agreements are now required for clients that are third party vendors that provide data transmission of PHI. For example, an attorney must enter into business associate agreements with a third party vendor that is hired to assist with the collection and transmission of electronically stored data in response to an e-discovery request.
Perhaps the biggest burden now on Business Associates is the new security and privacy requirements. Attorneys will need to carefully review the internal practices and policies of not only their clients but also their own law firms to make sure they meet the applicable HIPAA standards or face potential penalties.
When disclosing documents during discovery, Business Associates have a duty to ensure that only the “minimum necessary” is disclosed. If paper document discovery is requested then the attorney should ensure that the documents provided to opposing counsel contain only a limited data set. Alternatively, the attorney could provide summary health information or documents containing de-identified health information to opposing counsel. Summary health information is information that provides a summary of claims or treatment but does not contain any identifying information.42 Similarly, de-identified health information does not identify or provide a reasonable basis to identify an individual.43 The greatest advantage to using de-identified health information is that there are no restrictions on its use or disclosure.44
It is increasingly likely, however, that e-discovery is requested by opposing counsel. The most straightforward way to comply with HIPAA and still provide access to electronically stored information during discovery is for the attorneys to meet during a Rule 26 conference and narrow the scope of “relevant information.”45 This way the electronically discoverable information would exclude information that is subject to security and privacy provisions of HIPAA.46 As noted above, however, this may be difficult to do as in many cases, the pertinent evidence may well contain PHI.47
Because it may not be possible to completely exclude information subject to the security and privacy provisions of HIPAA from e-discovery, other approaches may be needed. Another possible method is to agree not to produce materials in their electronic form but rather produce redacted hard copies of the documents or in a form that eliminates identifying data yet preserves the remainder of the electronically stored documents.48 A further option would be for the parties agree that the metadata of the electronically stored documents is not important and allow the documents to be produced in paper format with the appropriate redactions.49 These approaches would also reduce the need for assistance from a third-party vendor.50
Finally, because implementation of HIPAA compliant security and privacy measures will be costly and time consuming, methods that avoid HIPAA should be utilized. Attorneys representing covered entities only fall under the definition of Business Associates when the terms of service involve the disclosure of individually identifiable health information. Thus, unless clearly necessary for a matter, a covered entity should not disclose PHI to its attorney so the attorney does not qualify as a Business Associate under HIPAA.
The Stimulus Bill has placed a greater burden on attorneys that serve as Business Associates for covered entities by extending several HIPAA provisions to them. Because many of the changes require considerable action on the part of the Business Associate, Business Associates should identify and address potential HIPAA issues sooner rather than later. Finally, attorneys and others who deal with personal injury and malpractice issues should become familiar with the new responsibilities placed on Business Associates as such provisions are also applicable to them. ■