By Karen Darnall and Carol Mack
On May 31, the Office of Civil Rights proposed new HIPAA Privacy rules that will make it easier for patients to investigate persons who viewed their medical records within the last three years.
The Office of Civil Rights derives authority for its new rules from a portion of the HITECH Act. HITECH aims to digitize all “protected health information” by Jan. 1, 2014.
Proposed rules for access reports will require “covered entities” and “business associates” to identify specific persons who accessed their protected health information. The accounting of disclosures rules requires covered entities to provide detailed information (a “full accounting”) for certain disclosures that are most likely to impact the individual.
The proposed rule increases penalties and enforcement for HIPAA violations. The Office of Civil Rights is directed to conduct periodic audits of covered entities and business associates to evaluate compliance. To enforce the rules, the OCR is increasing the number of investigators in ten regional offices. State attorneys general will be authorized to file civil actions to recover statutory damages on behalf of state residents.
Parties cannot avoid penalties by claiming they had no knowledge of the violation. Under the proposed rule, the lowest penalty range, where the violator “did not know (and by exercising reasonable diligence would not have known)” is $100 to $50,000 in a calendar year. Higher levels of culpability include “reasonable cause” to know and “willful neglect” (characterized by intentional failure or reckless indifference to the need to comply) and could result in penalties of up to $1.5 million per calendar year, increased from the $25,000 limit for identical violations regulated under previous rules.
HIPAA rules apply directly to covered entities and broadly to business associates. Federal jurisdiction touches business associates because HIPAA requires covered entities to obtain “satisfactory assurance” (in writing) that each business associate agrees to safeguard the protected health information from misuse. The Office of Civil Rights’s proposed rules will expand business associates’ obligations to help covered entities comply with accounting/reporting obligations. (The Department of Health and Human Services publishes templates for BA Contracts on the web.)
Definitions of business associate activities are listed in 45 CFR §160.103. Attorney services are not specifically listed; however any law firm that accessed personal health information electronically within the last three years could be included in the covered entities’ audit trail.
California Law
Lawyers often get copies of medical records by submitting signed authorizations (Civ. Code, §56.11) to clients’ health care providers. But what happens if a doctor responds by emailing a copy of the client’s protected health information? Does the attorney automatically become a business associate if medical records are disclosed electronically?
The answer is no. Once a client waives confidentiality for disclosing medical records, then California law (not HIPAA) establishes the attorney’s standard of care. The lawyer has discretion to “use” client medical records to prosecute or defend lawsuits. Discovery statutes also protect “consumers” when medical records are subpoenaed. Conversely, if the attorney is retained to examine protected health information belonging to non-clients, then a business associate contract should be executed. For example: A medical malpractice defense lawyer might ask a physician to provide copies of the complainant’s protected health information so the lawyer can evaluate the merits of a pending or threatened lawsuit.
If the business associate’s examination of protected health information occurs within the covered entity’s business activity, HIPAA law considers it a “use” of protected health information. If business associate access goes beyond the scope of the Business Associates Contract, such access becomes a “disclosure.”
Avoid Disclosing Unsecured Personal Health Information
The easiest way for lawyers to avoid HIPAA problems is to identify the source of electronic health records. If the electronic health record was not obtained by legal process (subpoena or client authorization) the record might be protected health information subject to HIPAA rules. The lawyer should store such files in an encrypted format pending further instructions.
Protected health information is presumed “secure” whenever it is encrypted (45 CFR § 164.304). Complying with new HIPAA privacy rules is not tricky if the lawyer avoids disclosing unsecured PHI. This is not as difficult as it sounds.
Encryption software is inexpensive to purchase. Shareware such as TrueCrypt (free) can be downloaded and installed within minutes. The user may partition an encrypted area on the computer’s hard drive, or encrypt a flash drive plugged into the USB port. Once the encrypted folder is mounted, the user selects a password (at least 20 characters) and transfers all of the protected health information files into the encrypted folder. After the folder is dismounted (by closing the folder or removing the flash drive), the protected health information cannot be accessed unless the user re-enters the password. If the user forgets the password, the data will be encrypted forever (essentially lost).
If a laptop or flash drive is lost and someone else tries to access encrypted files, the protected health information will be “secure” because the finder does not know the password.
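The workflow the two paragraphs above describe (passphrase of at least 20 characters, files kept encrypted at rest, nothing recoverable without the passphrase) can be reproduced on any machine with the openssl command-line tool. The script below is an added illustration, not part of the article and not TrueCrypt: it assumes OpenSSL 1.1.1 or later (for the -pbkdf2 option), derives the file key from the passphrase with PBKDF2, and the sample "medical record" it encrypts is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the article): keep a PHI file encrypted at rest with a
# passphrase-derived key. Assumes the openssl CLI, OpenSSL 1.1.1+ (for -pbkdf2).
set -eu

# The article's floor for passphrase length.
MIN_PASSPHRASE_LEN=20

# Enforce the 20-character minimum before anything is encrypted.
# $1 = candidate passphrase
passphrase_ok() {
    [ "${#1}" -ge "$MIN_PASSPHRASE_LEN" ]
}

# Encrypt $1 into $2 with passphrase $3 (AES-256-CBC, key from PBKDF2 with a
# random salt). The passphrase is handed over through an environment variable
# rather than on the command line so it does not show up in the process list.
encrypt_phi() {
    passphrase_ok "$3" || { echo "passphrase shorter than $MIN_PASSPHRASE_LEN chars" >&2; return 1; }
    PHI_PASS="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:PHI_PASS
}

# Decrypt $1 into $2 with passphrase $3. A wrong passphrase yields a different
# key, so the output is garbage and openssl normally reports "bad decrypt".
decrypt_phi() {
    PHI_PASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:PHI_PASS 2>/dev/null
}

# Round-trip check: decrypt $1 with passphrase $3 and compare against the
# original $2. Returns 0 only when the passphrase really was the right one;
# the byte comparison avoids relying on the padding check alone.
decrypt_matches() {
    tmp=$(mktemp)
    if decrypt_phi "$1" "$tmp" "$3" && cmp -s "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Stand-alone demonstration with a constructed record (not real PHI).
demo() {
    dir=$(mktemp -d)
    printf 'Patient: J. Doe (constructed sample)\nVisit: 2011-06-01\n' > "$dir/record.txt"
    good='tide-lantern-granite-42-quill'   # 29 characters
    encrypt_phi "$dir/record.txt" "$dir/record.enc" "$good"
    if decrypt_matches "$dir/record.enc" "$dir/record.txt" "$good"; then
        echo "correct passphrase: record recovered"
    fi
    if ! decrypt_matches "$dir/record.enc" "$dir/record.txt" 'not-the-right-passphrase-at-all'; then
        echo "wrong passphrase: nothing recovered"
    fi
    rm -rf "$dir"
}

demo
```

The encrypted file is what would sit on the laptop or flash drive; losing the device without the passphrase is the second branch of the demonstration. Note that openssl enc in CBC mode gives confidentiality only, not tamper detection, which is why the check compares the decrypted bytes with a known-good copy instead of trusting the exit status alone.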
Karen Darnall practices in Camarillo, where she focuses on health and hospital and insurance matters.
Carol Mack handles elder law and estate planning from her Ventura office. She is also a registered nurse and teaches nursing.