publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/503802
ILTA WHITE PAPER: APRIL 2015 WWW.ILTANET.ORG
ΦΔΙΓ: TIPS ON RUSHING THE HIPAAST LAW FIRM FRATERNITY

Tort Litigation: Another cause for concern arises from the new litigation theories for HIPAA violations that appeared in federal and state appellate courts in late 2014. Like many privacy and data security laws, "HIPAA lacks a private cause of action," explains Professor Dan Solove in his article "Lawsuits for HIPAA Violations and Beyond: A Journey Down the Rabbit Hole." This means a person cannot sue a covered entity or business associate directly for a HIPAA violation, since "these laws are enforced by agencies." But 2014 saw two significant cases in which courts held that the HIPAA rules could be used to establish the standard of care for negligence under tort law. In Byrne v. Avery Center for Obstetrics & Gynecology, P.C., the Connecticut Supreme Court allowed a patient's lawsuit against her health care provider to proceed on the claim that the provider acted "negligently by failing to use proper and reasonable care in protecting her medical file." The tort in question was not a violation of the HIPAA Privacy Rule per se, but rather negligence and a breach of the duty to protect patient confidentiality. As Solove explains, "HIPAA comes in not to provide the cause of the action — that's supplied by the common law — but instead to define the standard [of care] used by the common law." The HIPAA rules set the bar for a patient's expectations of how his or her data should be handled. The Indiana Court of Appeals used similar logic in Walgreen Co. v. Hinchy to uphold a $1.4 million verdict against Walgreen Co. relating to a pharmacist's misuse of personal data protected by HIPAA.

In 2015, we might see new cases in which HIPAA baselines are used as the standard of care underlying data breach lawsuits. Given that law firms process far less patient data than hospitals, it is debatable whether this standard of care reasonably extends to law firm business associates. So the question becomes: how should clients set the bar for the standard of care a law firm owes them in protecting their confidentiality under Rule 1.6 of the Model Rules of Professional Conduct? If a breach of client data occurred, when would clients have the right to sue their legal counsel? As the many panels at ILTA's LegalSEC conferences have shown, current clients, particularly those in regulated industries such as financial services and health care, include stringent requirements on law firm information security practices in their outside counsel guidelines. A firm could therefore be sued for breach of contract for not satisfying these contractual requirements. The same logic holds for the terms set forth in a HIPAA business associate agreement.

Tarnished Reputation: The stakes, however, need not reach the heights of malpractice to cause concern for firm management. The third, and perhaps primary, reason law firms should do whatever it takes to comply with HIPAA requirements is to protect and even promote their reputations. The Breach Notification Rule requires that business associates notify the affected covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. For a law firm, this means notifying its client that sensitive data were compromised. In today's competitive market, where most firms seek to promote the quality of their data security and privacy efforts, such a notice could jeopardize an existing relationship. Advertising HIPAA-compliant information security and privacy practices, on the other hand, is a strong marketing tool for winning new business during RFP reviews.

SUCCESSFULLY RUSH ΦΔΙΓ
The HIPAA rules are deliberately general, as they are intended to apply to organizations as diverse as hospitals, small clinics, Fortune 100 enterprises and law firms. Many law firms struggle to decide what "reasonable" measures really look like as they map HIPAA compliance requirements onto legal-specific business processes, procedures and technologies. As your law firm embarks upon, refines or finalizes a HIPAA compliance program, consider these top 10 activities:

Revise Information Security and Data Privacy Policies: Law firm business associates should document the firm's policies regarding lawyer and staff responsibilities to protect PHI and other sensitive personal or confidential information. Policies should stipulate acceptable use of firm technologies and spell out the disciplinary consequences of noncompliance. Firms should also draft a business associate agreement defining the terms of use and disclosure of PHI for their subcontractors and third parties.