Ethics in Brief – HIPAA Omnibus Final Rule: One Year Anniversary and Impact on Attorneys as Business Associates, by Linda Hunt Mullany, Ofer Barley, and Charles Berwanger, of Gordon & Rees LLP, for the San Diego County Bar Association
January 25, 2014 marks the one year anniversary of the publication of the long-awaited omnibus final rule (“Final Rule”) by the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”). The Final Rule implemented many proposed regulations, and addressed other provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) in accordance with the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). This article addresses the most pertinent changes affecting attorneys as business associates who receive protected health information (“PHI”) from a covered entity. Please note that additional requirements by state-specific privacy laws may apply.
* * *
What This Means to Attorneys as Business Associates Going Forward
The extension of the covered entity’s responsibilities to business associates now brings possible civil and criminal liability to the forefront. HIPAA civil fines for noncompliance can be up to $50,000 per violation (or a maximum of $1.5 million for repeated violations) depending on the degree of culpability, and criminal penalties may result in up to ten years in prison. When combined with state penalties, these numbers may be even higher, and may land an unwary attorney with front-page publicity of the wrong kind. Anyone can file a complaint with the OCR if he or she believes that a violation occurred, since the complainant need not be an actual victim. The federal government will then decide whether to investigate and impose a fine or penalty. Separately, noncompliance may also lead to state bar discipline for attorney misconduct or give rise to causes of action for legal malpractice and, in California, individual patients can bring private lawsuits when their PHI has been negligently released in violation of state law.
Attorneys as business associates must immediately comply with the HIPAA Security and Privacy Rules. That means that they will need to conduct a security risk assessment and draft a security policy for handling client electronic files that contain PHI. Further, attorneys will need to implement HIPAA privacy policies regarding the use, disclosure, maintenance and destruction of PHI in any form. Finally, if attorneys have not done so already, they are advised to audit their existing BAAs and come into compliance with the updated provisions, especially if they use subcontractors.