The Privacy Police
You might be getting an unwelcome telephone call soon.
This summer the Department of Health and Human Services will likely begin conducting audits to assess compliance with the privacy, security and breach notification rules of a mouthful of a law known as the Health Insurance Portability and Accountability Act.
If your firm gets the call, will you be ready?
If your firm touches “protected health information” (any personally identifiable health information) of your clients or any other third party, you are subject to the law’s privacy, security and breach notification regime. Because of the vagaries of the law’s language, it’s not clear whether insurance brokerages constitute “covered entities” or “business associates.” Either way, the law’s obligations clearly apply. Most importantly, if your firm creates, receives, transmits or maintains an individual’s personally identifiable health information, you are required to have a compliance policy and a privacy and security officer to oversee compliance.
Your policy must require your firm to:
- Conduct an annual risk assessment to determine current compliance and associated risks
- Document assessment results and steps taken to alleviate identified risks
- Maintain a system to track and record the receipt, storage, transmission and disclosure of identifiable information.
The assessment should include technical measures, such as ensuring the information is encrypted.
We also recommend your assessment include a review of your:
- Privacy notices and practices
- Document retention and destruction procedures
- Business associates’ and subcontractors’ HIPAA compliance contracts (to ensure legal compliance but also to address cyber security risks, breach notification obligations and indemnification for cyber incidents)
- Incident response plan (to ensure your firm is prepared to deal effectively with a breach and to provide required notices).
If an attorney assists you with the risk assessment, the assessment and the associated findings and recommendations stand a better chance of being protected by the attorney-client privilege from mandated disclosure to third parties.
You also should be aware of the following rule modifications:
- Business associate redefined: The law now defines a business associate as any entity a covered entity engages to create, receive, transmit or even maintain protected health information on its behalf. Covered entities also must have contracts to ensure the business associates safeguard protected health information. The privacy rule dictates how they use and disclose the information. Business associates and all of their subcontractors are subject to the law’s security rule provisions and much of the privacy rule. That makes them subject to the same penalties as covered entities.
- Privacy rule changes: Privacy restrictions on improper use and disclosure of information now apply to business associates and subcontractors. They can be found liable for noncompliance. Business associates are now required to report their subcontractors’ breaches and will be liable for any failure to report.
- Security rule changes: HIPAA’s security rule applies only to protected health information in electronic form. It requires covered entities, business associates and subcontractors to implement certain safeguards to protect it. These include written workplace policies and procedures, a security risk analysis, an emergency contingency plan, reporting procedures for responding to breaches, and training for employees.
- Breach definition: The rule requires reporting a breach if there is any impermissible access, use or disclosure of protected information, even if there is little or no known risk of harm. The rule provides a safe harbor for entities that use HHS-endorsed best practices to secure the information, including encryption and secure destruction. Use of the safe harbor relieves entities of the breach notification obligation.
In addition to the administrative headaches the audits can pose, the new rules include an increased and tiered civil penalty structure, with a maximum penalty of $1.5 million for the most egregious violations. Whether your firm has made a good faith effort to implement a reasonable compliance and security program, based on a risk assessment, can be an important part of your firm’s defense in potential litigation and enforcement proceedings.
The privacy police are coming. Are you ready?