By Daniel Shapiro, Esq.
I received the phone call at 4:30 a.m. on a random Wednesday. It was my wife, a medical resident at a New York City hospital, who began the call by pleading with me to get out of bed and get outside so I could attempt to retrace the steps she took on her walk to the train station. She was convinced that she had dropped a list of patient numbers on the ground.
After she advised me of the potential penalties that could be assessed against her hospital for what she deemed to be a HIPAA violation, I willingly ran out the door in my pajamas hoping that I’d find a slip of paper with unrecognizable medical jargon with indiscernible reference numbers lying on the street. Ten minutes into my search, I received a follow-up text from my wife saying that she had located the document in a separate compartment of her bag.
Although still delirious from lack of sleep, I walked back to my apartment and thought to myself: as a lawyer, what are my obligations under HIPAA?
Who Does HIPAA Govern?
The Health Insurance Portability and Accountability Act (“HIPAA”)[i] governs the confidentiality of medical records and creates national standards for the maintenance, use and disclosure of personal health information. More specifically, HIPAA regulates how and under what circumstances “covered entities” and their “business associates” may use or disclose an individual’s “protected health information.”
“Covered entities” include: (i) health care plans; (ii) health care clearinghouses; (iii) health care providers; and (iv) Medicare prescription drug card sponsors.[ii] A “business associate” is any third party that performs a function for or on behalf of a covered entity and who receives private health information from that covered entity in furtherance of this function.[iii] “Protected health information” (“PHI”) includes all individually identifiable health information maintained or transmitted in any form, and also covers all oral statements made about medical treatment or conditions.[iv]
The United States Department of Health and Human Services (“HHS”) is charged with enforcing HIPAA and penalizing noncompliance. In general, the degree of the sanction imposed depends on whether an individual knowingly violated HIPAA. Where a person “did not know” of the violation, a penalty may be imposed of “at least” $100 for each violation. Where there was “reasonable cause” for the violation, a penalty of “at least” $1,000 for each violation may be imposed. Where a violation was due to willful neglect and not corrected, a penalty of “at least” $50,000 for each violation may be imposed.[v] Additionally, criminal penalties may be imposed where an individual knowingly performed acts which violated HIPAA; whether the individual knew that his actions were a violation of HIPAA is irrelevant.
Prior to 2009, HHS’ efforts to enforce HIPAA focused on the precept that covered entities need to undertake reasonable efforts to limit the disclosure of PHI and should not disseminate more than the “minimum necessary” to perform the function that required such disclosure.[vi] This standard is commonly referred to as the “minimum necessary standard.”[vii]
Things changed in 2009 when Congress passed the Health Information Technology for Economic and Clinical Health Act (“HITECH”),[viii] which, coupled with the HHS’s Omnibus “Final Rule” (enacted in January 2013[ix]), expands upon HIPAA’s regulation of “business associates” of covered entities. Pursuant to these regulations, business associates (and even their subcontractors) can now be held directly liable for, among other things: (i) the impermissible use or disclosure of PHI; (ii) failing to enter into business associate agreements with subcontractors who receive PHI on their behalves; (iii) failing to adopt the “minimum necessary” safeguards to protect the dissemination or disclosure of PHI; and (iv) failing to notify a covered entity of any security breach involving PHI.[x]
Obligations of Attorneys and Firms Under HIPAA
It is critical for attorneys to realize that, in the aftermath of these legislative developments, lawyers and law firms can be deemed business associates for purposes of HIPAA. Indeed, “[a]ny person who provides…legal…services to or for such covered entity, where the provision of service involves the disclosure of protected health information” qualifies as a business associate under HIPAA.[xi]
Thus, any lawyer or law firm that: (i) represents a covered entity or is retained by a business associate of a covered entity; and (ii) is given access to PHI in connection with that representation, is subject to HIPAA’s far-reaching laws. As a result, any attorney who receives, maintains or reviews PHI should consider enacting the following security measures to ensure compliance with HIPAA.
HIPAA provides that: (i) covered entities must have agreements with all their business associates before they disclose any PHI to that business associate; (ii) the agreement must be executed in advance of any disclosure; and (iii) the agreement must contain satisfactory assurances that the business associate will implement appropriate safeguards to protect the information.[xii]
Therefore, in order to comply with the law, any attorney or firm that is retained by a health care client must execute a “business associate agreement” with that covered entity and must comply with the terms set forth therein.
Pursuant to HIPAA, these agreements must contain language that, among other things: (i) sets forth parameters for the business associate’s permitted use of PHI; (ii) requires the business associate to implement certain safeguards to prevent the use or disclosure of PHI other than as provided for in the agreement; and (iii) requires the business associate to report any and all uses of PHI that violate the agreement.[xiii]
Additionally, attorneys should execute similar agreements with any third-party vendor who is provided access to the PHI, as business associates are mandated to ensure that their subcontractors appropriately safeguard PHI in their possession, custody or control.[xiv] As an additional safeguard, attorneys should consider including indemnification language in their business associate agreements with any third-party vendor who would be given access to PHI so as to limit the attorneys’ liability if any acts undertaken by the third party result in the improper dissemination or misuse of PHI.
Attorneys and law firms should also seek to enact written security policies governing their practices’ maintenance and dissemination of PHI. At the very least, the policies should seek to ensure that all PHI in the firm’s custody or control, if stored electronically, be encrypted or password-protected so as to limit the number of individuals who have access to that information to the minimum number necessary to perform the task at hand. If the PHI is maintained in hard copy format, the policy should ensure that these records are maintained in a secure area, with restricted access and, to the extent practicable, in a redacted format to minimize the disclosure of any individually identifiable health information. The security policy should also set forth a “chain of command” and/or a reporting procedure to ensure that any improper use, disclosure, or compromise of PHI is reported in a manner that enables the attorney or firm to most effectively remedy the potential HIPAA violation.
HIPAA in the Courtroom
In the context of “judicial or administrative proceedings,” a covered entity is permitted to disclose PHI, without expressed written authorization of the patient, in “response to an order of a court or administrative tribunal” or “a subpoena, discovery request, or other lawful process.”[xv] However, HIPAA’s exception for subpoenas and the like is conditioned on there being “satisfactory assurances” that: (i) “reasonable efforts have been made . . . to ensure that the individual who is the subject of the protected health information . . . has been given notice of the request”; and/or (ii) a “qualified protective order” governing the confidentiality of the information has been sought by the requesting party.[xvi]
What happens if an attorney obtains PHI from a covered entity in a manner that is not authorized by HIPAA and subsequently attempts to use that PHI in judicial proceedings? In 2011, the New York Court of Appeals addressed this issue.
In Matter of Miguel M., respondent Dr. Charles Barron, as designee of the New York City Department of Health and Mental Hygiene and New York City Department of Health (“Respondent”) applied for an order pursuant to Mental Hygiene Law 9.60 in an effort to obtain “assisted outpatient” treatment for Miguel M. based on a claim that Miguel was suffering from mental illness.[xvii] At the hearing on the petition, the Respondent offered into evidence hospital records of Miguel’s prior hospitalization, which had been furnished by the hospital in response to a request made by Respondent’s counsel without notice to the patient.[xviii] Moreover, the patient had not authorized the release of the records and no court order for their disclosure had been sought or obtained.[xix]
The court held “that unauthorized disclosure without notice is, under circumstances like those present here, inconsistent with [HIPAA]” and determined that the medical records were thus inadmissible.[xx] In so holding, the Court rejected Respondent’s argument that HIPAA did not expressly provide for suppression of evidence as a remedy for a violation.[xxi] Additionally, the court, in response to Respondent’s citation to cases in other states which had held that HIPAA violations should not result in suppression of evidence in a criminal proceeding, drew the following distinction:
It is one thing to allow the use of evidence resulting from an improper disclosure of information in medical records to prove that a patient has committed a crime; it is another to use the records themselves, or their contents, in a proceeding to subject to unwanted medical treatment a patient who is not accused of any wrongdoing. Using the records in that way directly impairs, without adequate justification, the interest protected by HIPAA and the Privacy Rule: the interest in keeping one’s own medical condition private.[xxii]
Thus, there is now precedent in New York upon which courts can rely in fashioning sanctions against attorneys and parties who fail to comply with HIPAA, whether it be in the form of an evidentiary ruling, or, if the act is deemed egregious enough, in the form of a referral to HHS – the governing body with authority to prosecute HIPAA violations.
Ultimately, if attorneys are to learn just one lesson about HIPAA, it is that they should not request, receive or use PHI until they have carefully reviewed the statute and determined what their obligations are given the circumstances. To do otherwise will expose them to all of HIPAA’s panic-inducing penalties.
[i] 42 U.S.C. 1320d et seq.; 45 C.F.R. Parts 160 and 164.
[ii] See 45 C.F.R. 160.102, 164.104.
[iii] See 45 C.F.R. 160.103.
[iv] See 45 C.F.R. 160.103.
[v] See 42 U.S.C. 1320d-5.
[vi] See 45 C.F.R. 164.502(b)(1).
[vii] Minimum Necessary Requirement, DEP’T. OF HEALTH & HUMAN SERVS., (April 4, 2003), available at http://www.hhs.gov/ocr/privacy/hipaa.
[viii] In 2009, Congress expanded HIPAA’s coverage to include “business associates” of health care providers and health insurers. See Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, 13401, 13404, 123 Stat. 115, 260, 264 (2009); 42 U.S.C. 17931 – 17939. Section 17931 provides that any “business associate” that violates HIPAA is subject to the same penalties as any HIPAA covered entity.
[ix] On January 25, 2013, the HHS enacted certain modifications to HIPAA and HITECH, which is generally referred to as the “Omnibus Final Rule” and which sought to “strengthen the privacy and security protections established under [HIPAA and HITECH].” 78 Fed. Reg. 5566 (January 25, 2013).
[x] C.F.R. 164.410, 164.502(a)(3), 164.502(a)(4), 164.502(b) and 164.504(e)(5).
[xi] 45 C.F.R. 160.103(1)(ii).
[xii] See 45 C.F.R. 164.308(b)(1). See also 42 U.S.C. 17931(a).
[xiii] See 45 C.F.R. 164.504(e)(2)(ii)(A) – 164.504 (e)(2)(ii)(C).
[xiv] See 45 C.F.R. 164.502(e)(2)(ii)(D).
[xv] 45 C.F.R. 164.512(e)(1)(i) and (e)(1)(ii).
[xvi] 45 C.F.R. 164.512(e)(1)(ii)(A) and (e)(1)(ii)(B).
[xvii] 17 N.Y.3d 37, 40–41 (2011).
[xviii] See id.
[xix] See id.
[xx] Id. at 44-45.
[xxi] Id. at 45.
Reprinted with permission by the Nassau County Bar Association