Posted: Wed Jun 24, 2009 01:50 pm Post subject: HIPAA, law firms, and your liability
The steady conversion from file drawers full of medical records related to Social Security cases to hard drives full of the same kinds of records poses some new problems for law firms. What happens when the bad guys break in and steal your computers? What happens when your power supply fails, you buy a new computer, and the computer tech walks out the door with the old "broken" computer, takes it home, and sells the perfectly good hard drive on eBay? What happens when your server gets hacked? What happens when your office stupidly uses Wi-Fi to create a network and the neighbor across the street hacks in? Let's not forget about the after-hours cleaning crew using your computers for Craigslist and browsing through your client files.
What happens? You are screwed. How screwed? It depends upon a few things. Was client-sensitive data encrypted on your computer? Were you covered by the penalties of HIPAA? Will the identity thefts be traced back to you? These are questions that you should begin considering.
One of the reasons I've been hawking Linux ( http://www.ubuntu.com/ ) as a free replacement for Microsoft in law firms is the ease of directory encryption and backup encryption. Take a look at this article from Linux Journal, and then read the comments at the end of the article.
I doubt that any of you have your client data encrypted. Some of you might even be recklessly using off-site commercial backup systems without encrypting the backup before it leaves your office. You may already be in trouble.
Quote:
The majority of people in the United States probably have no idea what is contained in the Health Insurance Portability and Accountability Act (HIPAA). Similarly, most people are clueless about the Payment Card Industry (PCI) standards. Despite this, most of us who work in those fields are expected to not only know about them, but understand the security ramifications behind them. This gets to be even more complicated when you have to take into account that a number of the systems that are part of HIPAA or PCI based purchases are connected to the web.
We can pretty much all agree that web servers, regardless of the underlying OS, are vulnerable to attack. Further, we can also agree that once breached, there is a gold mine of data behind these web servers that the bad guys are just salivating to get their hands on. What most people forget, or more correctly seem to overlook, is that the majority of data breaches in the United States in recent memory have not been from the outside in, but from the inside out. As architects and administrators, security specialists and day-to-day users, it is our responsibility to ensure that the data we use daily in our jobs is stored as securely and as safely as possible.
Let’s review. In my last post, I mentioned the break in at the Commonwealth of Virginia’s Prescription Monitoring program. This was probably an attack from the outside and the bad guys managed to get the data and encrypt it, thus holding it for ransom. What I find strange is that they were able to get any data at all. Under the rules of HIPAA, that data should have been encrypted already.
If I were to take a survey, and maybe we will see if we can get the Linux Journal to whip one up for us, how many of you encrypt the data on your laptops as a general practice? If you are in the US Federal Government, all of you should have your hands up, regardless of operating system. The issue of wandering laptops came to a head in 2006 when one was stolen from an employee of the Department of Veterans Affairs. Not to belittle the issue, but other than bad luck, the employee had not really done anything wrong, according to my sources at the Department. He was in a position where he was entitled to access and use the data.
How many of you encrypt the data on your servers? I expect there are fewer hands in the air; after all, servers are generally locked away in a building somewhere, and most people never get access to them - except in the case of the data theft at TJX. Again, however, the data was stolen by people with a legitimate need to access the data as a part of their jobs. Perhaps better screening of employees who have access to data that is supposed to fall under the PCI standards is needed. I believe it is fairly safe to say most of us have never had a hard disk go walking.
A law firm is not considered a covered entity under the HIPAA medical privacy rule. The standards, requirements, and implementation specifications adopted under the rule, therefore, do not directly apply to the law firm. (See definition of covered entity in section 160.103 of the rule and the rule applicability statement in section 160.102.)
Under the privacy rule, however, when a provider discloses a medical record to the law firm that is representing the provider in a malpractice case, the law firm would be acting as a business associate of that provider. (See section 160.103 for the definition of business associate.) Before the disclosure can be made, the provider and the law firm must enter into a written business associate agreement or arrangement. (See section 164.502(e)(1) and (2) for general standards for disclosure to a business associate and requirements for written agreements or arrangements.)
The business associate agreement defines how the law firm may use the medical record it receives from the provider. (See section 164.504(e)(2) for implementation specifications related to business associate contracts.) Under the rule, the business associate agreement must establish the required and permitted uses and disclosures of any protected health information (PHI) received by the business associate. The agreement cannot authorize the business associate to use or further disclose information in any way that would violate the requirements of the privacy rule if done by the provider.
HIPAA Protection of Medical Records in a Malpractice Case, at http://www.medscape.com/viewarticle/462439 (last visited June 24, 2009).
_________________
David Traver
Attorney
Traver & Traver, S.C.
P.O. Box 459
Eagle, WI 53119
262-594-2096 (work)
403[at]traverlaw.com
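The "encrypt the backup before it leaves your office" practice the post above argues for, as an added shell example that is not part of the original thread or of any product it mentions. It assumes GnuPG (gpg) and tar are installed, as they are on a default Ubuntu desktop, and that the passphrase lives in a file readable only by the office user. The client file, passphrase and paths below are constructed for the demonstration; the point is that only the ciphertext file is ever handed to an off-site backup service, and that a restore is tested before the backup is trusted.

```shell
#!/bin/sh
# Added example: encrypt a client-file directory BEFORE it is handed to any
# off-site backup service. Assumes GnuPG (gpg) and tar, as on Ubuntu.
set -eu

# Symmetric encryption needs no keyring; an isolated GNUPGHOME keeps this
# script from touching (or depending on) the user's own ~/.gnupg.
export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"

# make_encrypted_backup SRC_DIR PASSPHRASE_FILE OUT_FILE
# Packs SRC_DIR into a tar stream and encrypts it with AES-256.
# OUT_FILE (ciphertext) is what leaves the office; the passphrase never does.
make_encrypted_backup() {
  src_dir=$1; pass_file=$2; out_file=$3
  tar -C "$(dirname "$src_dir")" -cf - "$(basename "$src_dir")" \
    | gpg --batch --yes --quiet --pinentry-mode loopback \
          --symmetric --cipher-algo AES256 \
          --passphrase-file "$pass_file" --output "$out_file"
  chmod 600 "$out_file"
}

# restore_encrypted_backup IN_FILE PASSPHRASE_FILE DEST_DIR
# Decrypts and unpacks a backup made by make_encrypted_backup into DEST_DIR.
restore_encrypted_backup() {
  in_file=$1; pass_file=$2; dest_dir=$3
  mkdir -p "$dest_dir"
  gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$pass_file" \
      --decrypt "$in_file" | tar -C "$dest_dir" -xf -
}

# contains_plaintext FILE NEEDLE -> exit status 0 if NEEDLE is readable in FILE.
# Used to check that client data is not visible in the backup file itself.
contains_plaintext() {
  grep -a -q -- "$2" "$1"
}

# Demo with constructed sample data in a throwaway directory.
demo() {
  work=$(mktemp -d)
  umask 077
  mkdir -p "$work/clients"
  printf 'Claimant: Jane Doe (constructed sample)\n' > "$work/clients/doe.txt"
  printf 'demo-only passphrase, not for real use\n' > "$work/passphrase"

  make_encrypted_backup "$work/clients" "$work/passphrase" "$work/clients.tar.gpg"
  if contains_plaintext "$work/clients.tar.gpg" "Jane Doe"; then
    echo "FAIL: client data readable in backup file"; rm -rf "$work"; return 1
  fi

  # A backup that cannot be restored is not a backup: verify the round trip.
  restore_encrypted_backup "$work/clients.tar.gpg" "$work/passphrase" "$work/restore"
  cmp "$work/clients/doe.txt" "$work/restore/clients/doe.txt"
  echo "ok: backup is encrypted and restore verified"
  rm -rf "$work"
}
```

Run `demo` from the same shell after sourcing the file, or call `make_encrypted_backup` from a nightly cron job and ship only the resulting `.tar.gpg` to the backup provider. Keep the passphrase file out of the backup set and off the same disk as the ciphertext copy the provider holds.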
Posted: Wed Jun 24, 2009 07:54 pm Post subject: Wait until a law firm gets hit with a big judgment.
This a huge issue. It has concerned me for quite some time mostly because I value my privacy and feel I should value my client's privacy in the same way.
However, human nature being what it is, I suspect most law firms will get real serious about protecting this kind of data only after one gets hit with a big judgment or fine.
I had a practical problem with this recently. My laptop hard drive became inoperable. It was under warranty. Unfortunately, it had about 20 client files on it (I use it at hearings), so I could not lose possession of the hard drive. The folks at Best Buy were good about it... they tested the machine and took the drive out in front of me and allowed me to keep it. I now use a flash drive for client files and erase them after the hearing. No client files will reside on the new hard drive. I also downloaded a free program called Revo Uninstaller which allows a full wipe of free space.
_________________
Crescent City a/k/a Troll