In September of 2013, the HIPAA Omnibus Rule became effective. The purpose of the Omnibus Rule was to strengthen the privacy and security of patients' Protected Health Information (PHI) by, among other things, expanding the HIPAA privacy and security obligations of healthcare organizations to business associates of healthcare organizations. Business associates are those outside entities that create, receive, maintain or transmit protected health information in the course of performing functions on behalf of a covered entity. 45 CFR §161.103 Subpart (1)(ii).
Lawyers and law firms become business associates when they receive PHI from covered entity clients or organizations in the course of providing legal services. Examples of PHI are medical history or records, laboratory results, and insurance information, many of which are received, shared and stored electronically.
HIPAA requires organizations to plan and apply security procedures, and to have a response ready should a breach of security occur. Organizations covered by HIPAA must conduct a risk analysis to determine the nature of the potential risks and implement procedures to reduce them. This includes training employees on how PHI can be used and disclosed. The analysis should be documented. Organizations should be able to monitor when, where and how their employees are accessing PHI. Business associates must also be able to demonstrate that they have a tested breach response. HIPAA requires the appointment of a "security official" who oversees the implementation of these security protocols. Under the Omnibus Rule, business associates must follow these procedures as well.
The Omnibus Rule also changed the way an incident becomes a breach. Organizations have to determine the probability that PHI was compromised, regardless of whether or not the compromise would cause harm to the affected individuals. A breach must now also be reported to the Department of Health and Human Services at the same time as the affected individuals are notified that their PHI was exposed.
The Omnibus Rule imposes stiff penalties for violations. First-time violators face fines of up to $50,000 per violation, per year. Organizations with multiple offenses and a history of violations can face penalties of $1.5 million. Under the Omnibus Rule, business associates face the same fines and penalties as healthcare organizations.
Despite these stiff penalties for violations, many law firms remain indifferent to the requirements of the Omnibus Rule. From 2015 to 2016, Legal Workspace (a cloud hosting service) surveyed 240 law firms that most often handle HIPAA regulated information. The results of this survey revealed that only 13% of law firms said they had implemented the technology necessary to ensure compliance with HIPAA regulations.
Some areas of concern highlighted by the survey were:
- Cybersecurity — 55% of law firms had either not implemented email encryption or were unaware if their email server encrypted data. Only 39% used two-factor authentication, and just 45% used an intrusion detection system.
- Vendor and sub-contractor HIPAA compliance — Only 6 out of 10 law firms had a current Business Associate Agreement (BAA) in place with sub-contractors ensuring they have proper training on the handling of PHI. Only 58% said their off-site data backups complied with HIPAA regulations. Under the Omnibus Rule, business associates will be held responsible for the actions of their vendors and sub-contractors.
- PHI access controls — Just under half of the law firms (48%) said they kept PHI access logs. Only 46% reviewed and maintained PHI logs on remote devices and ensured data was securely erased when no longer needed. Without knowing where and when PHI is accessed, firms cannot conduct the appropriate risk analysis required under the rules.
The best way to save money is to avoid a fine in the first place. In the event of a violation, law firms can reduce the cost by responding quickly and demonstrating that they have complied with the remaining security rules. When assessing a fine, the Department of Health and Human Services takes into account how quickly an organization worked to resolve the violation, the steps it took to mitigate related incidents, and the security controls it already had in place. A law firm that is taking no steps to follow HIPAA's security regulations risks a significantly larger fine.
If an employee's negligence is the cause of a violation, the Department of Health and Human Services requires the organization to impose sanctions against that individual. A firm that does not monitor employee access to PHI will struggle to determine whose negligence caused the violation, and that inability itself puts the firm out of compliance.
The Omnibus Rule means that business associates, and specifically law firms that handle PHI, need to become savvier about safeguarding electronically stored medical information. Law firms need to take every precaution to prevent a breach. Under the regulations now imposed on law firms, better preparation can mean avoiding a breach in the first instance, and, should a breach and regulatory inquiry occur, avoiding a fine or at least minimizing the financial impact on the firm.