Digital White Papers

Information Governance: April 2015

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/503802


ILTA WHITE PAPER: APRIL 2015 WWW.ILTANET.ORG 15

ΦΔΙΓ: TIPS ON RUSHING THE HIPAAST LAW FIRM FRATERNITY

While OCR has yet to report a law firm incurring HIPAA CMPs, the new leadership appointed in 2014 promises to change its audit approach, which could result in increased attention on business associates. If a violation were found, a law firm would be subject to the tiered penalty structure of the Omnibus Rule, which can amount to $1.5 million in CMPs per HIPAA violation per calendar year. Penalty tiers are based upon knowledge and culpability, with levels of awareness ranging from unknowing ($100 to $50,000 per violation) to uncorrected, willful neglect (at least $50,000 per violation), as noted in the McGuire Woods LLP legal alert "HIPAA Omnibus Final Rule Implements Tiered Penalty Structure for HIPAA Violations." Given the legal vertical's current focus on privacy and security, a firm would be hard pressed to defend ignorant bliss.

PENALTIES FOR BAD RUSHEES

Three primary drivers should motivate even skeptics to do what it takes to satisfy HIPAA compliance requirements:

• Civil money penalties (CMPs)
• Tort litigation
• Tarnished reputation

CMPs: The HHS website reports that 109,722 Privacy Rule complaints were filed between 2003 and 2015. The site highlights select cases where organizations paid steep CMPs to settle potential violations of HIPAA rules: New York Presbyterian Hospital joined Columbia University in a $4.8 million settlement following a data breach; Concentra Health Services agreed to pay OCR over $1.7 million to settle potential violations involving stolen laptops.

• The Breach Notification Rule requires notification to individuals within 60 days of discovery if a breach occurs affecting their PHI. The Omnibus Rule adds that any use or disclosure not permitted by the Privacy Rule is presumed a breach unless an organization demonstrates low probability using a four-factor risk assessment.
Compliance with these rules often requires that law firms modify multiple information governance, security and risk management policies and procedures. Particularly challenging for law firms are requirements to:

• Restrict access to matters containing PHI saved on the document management system (DMS) and other information repositories
• Discover and manage PHI that enters the firm via litigation support
• Manage risks affiliated with HIPAA subcontractors (third-party service providers)

Given such steep operational hurdles, is it worthwhile for law firms — especially those that process minimal amounts of PHI — to make the effort to meet compliance requirements?
