HIPAA LegalSEC Webinar Series: Complying with the Minimum Necessary Standard of the HIPAA Privacy Rule. Presenters: Kathryn Hume, Sr. Risk Specialist, Intapp, Inc.; Brian Donato, CIO, Vorys, Sater, Seymour and Pease LLP.
Slide 1: Complying with the Minimum Necessary Standard of the HIPAA Privacy Rule
Kathryn Hume, Sr. Risk Specialist, Intapp, Inc.
Brian Donato, CIO, Vorys, Sater, Seymour and Pease LLP

Slide 2: Agenda
HIPAA LegalSEC Webinar Series
- What is the minimum necessary standard?
- How does it impact law firm operations?
- What are law firms doing to achieve compliance?
- Policies and procedures
- "Reasonable" access control models per firm size/culture
- Q & A

Slide 3: Disclaimer
The views expressed are solely those of the presenters and should not be attributed to the presenters' corporation, firm, or clients.
This presentation is solely intended for educational purposes and in no way constitutes legal advice.

Slide 4: LegalSEC HIPAA webinar series
- September 18, 2013: HIPAA compliance: What it is, what it means, and what to do about it
- September 23, 2013: Omnibus Rule Enforcement Date
- October 04, 2013: HIPAA: What law firm employees need to know
- HIPAA Law Firm Risk Survey

Slide 5: HHS and HHA

Slide 6: What is the minimum necessary standard?

Slide 7: Poll Question 1

Slide 8: Protected Health Information
- Individually identifiable health information
- Maintained in any form (written, oral, electronic)
- Past, present or future health condition; provision of healthcare; payment for provision of healthcare
- Includes names and addresses
- Must be associated with a Covered Entity

Slide 9: Three Key HIPAA Rules
- Privacy Rule: Business Associates only comply with portions; applies to all PHI (written, oral and electronic)
- Security Rule: Business Associates liable for compliance with entirety; 40 Required/Addressable Implementation Specifications for ePHI
- Breach Notification Rule: Business Associate requirements differ from Covered Entity; 4-factor risk assessment versus "risk of harm" standard

Slide 10: Minimum Necessary Standard, 45 CFR §164.502(b)
- §164.502(a) overviews uses and disclosures of PHI: General, Required, Permitted, Prohibited
- §164.502(b) presents the Minimum Necessary Standard: "When using or disclosing PHI or when requesting PHI from another CE or BA, a CE or BA must make reasonable efforts to limit PHI to the minimum necessary to accomplish the use, disclosure or request."

Slide 11: What does this mean?
- CEs and BAs must identify which workforce members need access to what kind of PHI to do their job functions
- CEs and BAs are required to define the minimum necessary amount of PHI for uses, disclosures and requests
- Minimum necessary violations should be investigated and, if appropriate, reported according to the new breach notification rules
- CEs may be liable for BAs' minimum necessary violations

Slide 12: When does this not apply?
- Disclosures to or requests by a health care provider for treatment purposes
- Disclosures to the individual who is the subject of the information
- Uses or disclosures made pursuant to an individual's authorization
- Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules
- Disclosures to HHS for enforcement purposes
- Uses or disclosures required by other law

Slide 13: When does this not apply? 45 CFR 164.512(e)
- Court Order or Subpoena signed by a judge: no further assurances or notifications to the individual required
- Subpoena or Discovery Request signed by an attorney: requires either notice, or a declaration of an attempt to provide notice, to the individual who is the subject of the PHI. Reasonable? Right address / information about the litigation / time lapse / no objections
- Qualified Protective Order: prohibits use of PHI for any purpose other than the litigation; return to CE or destruction of PHI at end of proceeding

Slide 14: Why is this hard? Reason 1: Ambiguity
- "Reasonable" efforts vary by organization
- Each organization must make a self-assessment in keeping with its business practices and workforce
- Small law firm without DMS: training of employees may be sufficient
- Midsize/large law firm with sophisticated systems will need to implement access controls to limit access

Slide 15: Why is this hard? Reason 2: Administrative Burden
- Firm should designate a HIPAA Privacy Officer
- Privacy Officer responsible for identifying who requires access to PHI to carry out their duties
- List job duties
- Identify access rights/frequency based on job role
- Limit access to minimum necessary
- Document policy and verify compliance
- Document any changes and updates to policy

Slide 16: Poll Question 2

Slide 17: Why is this hard? Reason 3: Compliance culture
- Shift in information governance approach
- Lack of organizational hierarchy impedes change
- Professional Responsibility thought to trump data privacy and security
- Firm management responsible: 2011: Maine Board of Bar Overseers vs. Warren; 2012: Mass. Bar Counsel Petitioner v. Kamee
- Beth Vergrager, Esq.

Slide 18: What policies and procedures should law firms develop?

Slide 19: Poll Question 3

Slide 20: Matter Security: A Fresh Approach
HIPAA requires a different security model than law firms traditionally implement
- Classify and Tag: identify matters at intake; identify clients
- Implement Policies: encryption; secure email; mark PHI; restrict access
- Secure and Audit: secure systems; monitor activity

Slide 21: Core challenges: Cultural and Educational
- Open versus closed DMS and change in work habits
- Educating the workforce: When are medical records PHI and when not? What types of engagements are likely to include PHI?

Slide 22: Core challenges: Operational
- Tagging matters and documents
- Inventory of existing PHI (in open and closed matters)
- Fluid nature of matters: PHI arises later in the matter lifecycle; over-collection by client (e.g. during litigation); non-centralized data intake; multiple attorneys, departments, etc. can handle media with PHI

Slide 23: Method at Vorys
- Risk-based: start with core systems and new data
- Cautious: when in doubt, treat it like PHI
- Inception: new NBI questions about HIPAA and BAAs
- Standard: attempt to use a standard BAA across clients
- Training: special HIPAA training for lawyers using PHI
- Vendors: subcontractor contract program
- Matter Security: matter workspaces/folders for PHI
- Paper: specific controls on paper-based PHI
- Audits: aim for firm, as manpower permits

Slide 24: Example Law Firm Access Control Strategies

Slide 25: Poll Question 4

Slide 26: Vorys
Compliance Approach
- Initially implemented access controls manually
- 2014: move to secure using Intapp Wall Builder
- Resistance from practice groups not used to HIPAA
- Certain administration functions need access for business reasons: IT members, Billing, Floating Secretaries

Slide 27: Example 1: 25-lawyer single office firm
Firm Profile
- Most practices involve regular intake of PHI (e.g. Employment, Personal Injury and Med Mal Defense)
- No DMS
- Small IT team and part-time General Counsel
Compliance Approach
- House ePHI on file shares
- Generally open access; extra security implemented manually
- Educate all lawyers and staff about HIPAA requirements
- Focus on encryption: desktop + enforced Transport Layer Security for certain domains

Slide 28: Example 2: 170-lawyer regional firm
Firm Profile
- Key firm practices involve regular intake of PHI (Healthcare Litigation, Labor & Employment, Patient Privacy)
- DMS, file shares, SharePoint
- Knowledge Management core initiative at firm
Compliance Approach
- Healthcare attorney as Chief Privacy Officer
- Restrict to matter team
- Identify PHI at intake and generate 2 matter workspaces
- PHI workspace restricted to matter team; de-identified work available for public and KM re-use

Slide 29: Example 3: 500-lawyer national firm
Firm Profile
- Select practices involve regular intake of PHI (Healthcare Litigation, Labor & Employment, Personal Injury)
- House all PHI on DMS
- Compliance core initiative at firm: centralized risk management
Compliance Approach
- CIO (Security Officer) and Associate GC (Privacy Officer) drive
- Restrict to practice area + office location (with associated staff)
- Controlled intake of PHI: Terms of Engagement and BAA
- Activity Tracker monitors activity associated with policy to satisfy HIPAA auditing requirements and alert management of a breach

Slide 30: Example 4: 1000+ lawyer global firm
Firm Profile
- Full service law firm with multiple offices where HIPAA is irrelevant
- Complex IT architecture: DMS, custom portal, records, etc.
- Swiss Verein: risk culture varies per entity
Compliance Approach
- Three-tiered access control approach tied to HIPAA training
- Matters containing PHI restricted from HIPAA-untrained users
- Workforce completes online HIPAA training course via web program
- Trained workforce automatically enter a group with access rights
- Restrict final access to individual matter teams
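The access-control models of Examples 2, 3 and 4 combined into one minimum-necessary policy check, with the denied-attempt log Example 3's Activity Tracker would alert on. This is an added illustration, not code from the webinar, Intapp or Vorys; the User/Matter structures, workspace names and sample users are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    practice_area: str
    office: str
    hipaa_trained: bool = False   # set when the online course is completed

@dataclass
class Matter:
    matter_id: str
    contains_phi: bool            # tagged at intake (Classify and Tag)
    practice_area: str
    office: str
    team: frozenset = frozenset() # names of the matter team
    access_log: list = field(default_factory=list)

def access_decision(user, matter, workspace="phi"):
    """Return (allowed, reason); tiers run from least to most restrictive."""
    # Tier 0: a de-identified workspace, or a matter holding no PHI, stays open
    # (Example 2: de-identified work available for KM re-use).
    if not matter.contains_phi or workspace == "deidentified":
        return True, "open workspace"
    # Tier 1: untrained users never reach a PHI workspace (Example 4).
    if not user.hipaa_trained:
        return False, "HIPAA training not completed"
    # Tier 2: trained users limited to their practice area + office (Example 3).
    if (user.practice_area, user.office) != (matter.practice_area, matter.office):
        return False, "outside practice area/office"
    # Tier 3: final access limited to the individual matter team (Example 4).
    if user.name not in matter.team:
        return False, "not on matter team"
    return True, "matter team member"

def request_access(user, matter, workspace="phi"):
    """Apply the decision and record it, as an Activity Tracker would (Example 3)."""
    allowed, reason = access_decision(user, matter, workspace)
    matter.access_log.append((user.name, workspace, allowed, reason))
    return allowed

def denied_phi_attempts(matter):
    """Entries worth alerting management on: refused attempts on the PHI workspace."""
    return [e for e in matter.access_log if e[1] == "phi" and not e[2]]

# Constructed sample data (not from the webinar).
MATTER = Matter("M-0001", True, "Healthcare Litigation", "Office A", frozenset({"alice"}))
ALICE = User("alice", "Healthcare Litigation", "Office A", hipaa_trained=True)
BOB = User("bob", "Healthcare Litigation", "Office A")                          # untrained
CAROL = User("carol", "Healthcare Litigation", "Office A", hipaa_trained=True)  # not on team
DAVE = User("dave", "Labor & Employment", "Office A", hipaa_trained=True)       # other practice
```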

Slide 31: Questions and Answers