Complying with the Minimum Necessary Standard of the HIPAA Privacy Rule
Kathryn Hume
Sr. Risk Specialist
Intapp, Inc.
Brian Donato
Vorys, Sater, Seymour and Pease LLP
HIPAA LegalSEC Webinar Series
What is the minimum necessary standard?
How does it impact law firm operations?
What are law firms doing to achieve compliance?
• Policies and procedures
• “Reasonable” access control models per firm size/culture
• Q&A
• The views expressed are solely those of the presenters and should
not be attributed to the presenters’ corporation, firm, or clients.
• This presentation is solely intended for educational purposes and
in no way constitutes legal advice.
LegalSEC HIPAA webinar series
• September 18, 2013
• HIPAA compliance: What it is, what it means, and what to
do about it
• September 23, 2013
• Omnibus Rule Enforcement Date
• October 04, 2013
• HIPAA: What law firm employees need to know
• HIPAA Law Firm Risk Survey
What is the minimum necessary standard?
Poll Question 1
Protected Health Information
• Individually identifiable health information
• Maintained in any form (written, oral, electronic)
• Past, present or future health condition; provision of healthcare;
payment for provision of healthcare
• Includes names and addresses
• Must be associated with Covered Entity
Three Key HIPAA Rules
Privacy Rule
• Business Associates only comply with portions
• Applies to all PHI (written, oral and electronic)
Security Rule
• Business Associates liable for compliance with entirety
• 40 Required/Addressable Implementation Specifications for ePHI
Breach Notification Rule
• Business Associate requirements differ from Covered Entity
• 4-factor risk assessment versus “risk of harm” standard
Minimum Necessary Standard
45 CFR §164.502 (b)
• §164.502(a) overviews uses and disclosures of PHI
• General, Required, Permitted, Prohibited
• §164.502(b) presents Minimum Necessary Standard
• “When using or disclosing PHI or when requesting PHI from
another CE or BA, a CE or BA must make reasonable efforts
to limit PHI to the minimum necessary to accomplish the use,
disclosure or request.”
What does this mean?
• CEs and BAs must identify which workforce members need
access to what kind of PHI to do job functions
• CEs and BAs required to define minimum necessary amount
of PHI for uses, disclosures, requests
• Minimum necessary violations should be investigated and, if
appropriate, reported according to the new breach
notification rules
• CEs may be liable for BAs' minimum necessary violations
When does this not apply?
• Disclosures to or requests by a health care provider for
treatment purposes
• Disclosures to the individual who is the subject of the
• Uses or disclosures made pursuant to an individual’s
• Uses or disclosures required for compliance with the HIPAA
Administrative Simplification Rules
• Disclosures to HHS for enforcement purposes
• Uses or disclosures required by other law
When does this not apply?
45 CFR 164.512(e)
• Court Order or Subpoena Signed by a judge
• No further assurances or notifications to individual required
• Subpoena or Discovery Request Signed by an attorney
• Requires either notice/declaration of attempt to provide notice
to the individual who is subject of PHI
• Reasonable? Right address/info about litigation/time lapse/no
• Qualified Protective Order
• Prohibits use of PHI for any purpose other than litigation
• Return to CE/Destruction of PHI at end of proceeding
Why is this hard?
Reason 1: Ambiguity
• “Reasonable” efforts vary by organization
• Each organization must make self-assessment in keeping
with business practices and workforce
• Small law firm without DMS → training of employees may
be sufficient
• Midsize/large law firm with sophisticated systems → will
need to implement access controls to limit access
Why is this hard?
Reason 2: Administrative Burden
• Firm should designate a HIPAA Privacy Officer
• Privacy Officer responsible for identifying who requires
access to PHI to carry out duties
List job duties
Identify access rights/frequency based on job role
Limit access to minimum necessary
Document policy and verify compliance
Document any changes and updates to policy
Poll Question 2
Why is this hard?
Reason 3: Compliance culture
• Shift in information governance
• Lack of organizational hierarchy
impedes change
• Professional Responsibility thought to
trump data privacy and security
• Firm management responsible
• 2011: Maine Board of Bar Overseers
vs. Warren
• 2012: Mass. Bar Counsel Petitioner v.
Kamee Beth Verdrager, Esq.
What policies and procedures should law firms develop?
Poll Question 3
Matter Security: A Fresh Approach
• HIPAA requires different security model than law firms
traditionally implement
Classify and Tag
Identify Matters at
Identify Clients
Implement Policies
Secure Email
Mark PHI
Restrict Access
Secure and Audit
Secure systems
Monitor activity
Core challenges:
Cultural and Educational
• Open versus Closed DMS and change in work habits
• Educating Workforce
• When are medical records PHI and when not?
• What types of engagements likely to include PHI?
Core challenges:
• Tagging matters and documents
• Inventory of existing PHI (in open and closed matters)
• Fluid nature of matters
• PHI arises later in matter lifecycle
• Over-collection by client (e.g. during litigation)
• Non-centralized data intake
• Multiple attorneys, departments, etc. can handle media
with PHI
Method at Vorys
Risk-based – start with core systems and new data
Cautious – When in doubt, treat it like PHI
Inception – New NBI questions about HIPAA and BAAs
Standard – Attempt to use standard BAA across clients
Training – Special HIPAA training for lawyers using PHI
Vendors – Subcontractor contract program
Matter Security – Matter workspaces/Folders for PHI
Paper – Specific controls on paper-based PHI
Audits – Aim for firm, as manpower permits
Example Law Firm
Access Control
Poll Question 4
• Compliance Approach
Initially implemented access controls manually
2014 – move to secure using Intapp Wall Builder
Resistance from practice groups not used to HIPAA
Certain administration functions need access for business
• IT members, Billing, Floating Secretaries
Example 1
25-lawyer single office firm
• Firm Profile
• Most practices involve regular intake of PHI (e.g. Employment,
Personal Injury and Med Mal Defense)
• No DMS
• Small IT team and part-time General Counsel
• Compliance Approach
House ePHI on file shares
Generally Open access – extra security implemented manually
Educate All Lawyers and Staff about HIPAA requirements
Focus on Encryption: Desktop + Enforced Transport Layer Security
for certain domains
Example 2
170-lawyer regional firm
• Firm Profile
• Key firm practices involve regular intake of PHI (Healthcare
Litigation, Labor & Employment, Patient Privacy)
• DMS, File shares, SharePoint
• Knowledge Management core initiative at firm
• Compliance Approach
Healthcare attorney as Chief Privacy Officer
Restrict to matter team
Identify PHI at intake and generate 2 matter workspaces
PHI workspace restricted to matter team; De-identified work
available for public and KM re-use
Example 3
500-lawyer national firm
• Firm Profile
• Select practices involve regular intake of PHI (Healthcare
Litigation, Labor & Employment, Personal Injury)
• House all PHI on DMS
• Compliance core initiative at firm – centralized risk management
• Compliance Approach
CIO (Security Officer) and Associate GC (Privacy Officer) Drive
Restrict to practice area + office location (with associated staff)
Controlled intake of PHI – Terms of Engagement and BAA
Activity Tracker monitors activity associated with policy to satisfy
HIPAA auditing requirements and alert management of breach
Example 4
1000+ Lawyer Global Firm
• Firm Profile
• Full service law firm with multiple offices where HIPAA irrelevant
• Complex IT architecture: DMS, Custom Portal, Records, etc.
• Swiss Verein – Risk Culture varies per entity
• Compliance Approach
Three-tiered access control approach tied with HIPAA training
Matters containing PHI restricted from untrained HIPAA users
Workforce complete online HIPAA training course via web program
Trained Workforce automatically enter group with access rights
Restrict final access to individual matter teams
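The access checks described in Example 4, written out as an added sketch (not from the presenters or from any product named in the slides). The user names, matter numbers and function names are hypothetical, and treating non-PHI matters as outside this check is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    hipaa_trained: bool      # set when the online course is completed

@dataclass(frozen=True)
class Matter:
    matter_id: str
    contains_phi: bool       # tagged at intake
    team: frozenset          # names of the individual matter team

def trained_group(users):
    """Trained workforce enter the PHI access group automatically."""
    return frozenset(u.name for u in users if u.hipaa_trained)

def check_access(user, matter, group):
    """Return (allowed, reason); the reason is what an audit log would keep."""
    if not matter.contains_phi:
        # Assumption: non-PHI matters stay under the firm's ordinary rules.
        return True, "non-PHI matter"
    if user.name not in group:
        return False, "denied: no HIPAA training on record"
    if user.name not in matter.team:
        return False, "denied: trained but not on matter team"
    return True, "allowed: trained and on matter team"

# Constructed sample data (hypothetical names and matter numbers).
USERS = [User("alice", True), User("bob", True), User("carol", False)]
GROUP = trained_group(USERS)
PHI_MATTER = Matter("M-1001", True, frozenset({"alice", "carol"}))
OPEN_MATTER = Matter("M-1002", False, frozenset({"bob"}))

if __name__ == "__main__":
    for u in USERS:
        for m in (PHI_MATTER, OPEN_MATTER):
            print(u.name, m.matter_id, *check_access(u, m, GROUP))
```

Carol is on the matter team but untrained, so she is still denied: team membership alone does not open a PHI matter.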
Questions and Answers
