On October 10, 2011, there was a report in the Baltimore Sun, “Law firm loses hard drive with patient records: Attorneys represent St. Joseph cardiologist sued for malpractice.”
I posted about the report to one of the LinkedIn groups I participate in, pointing out that this is yet one more example of the need to ensure that ALL types of business associates (BAs) have effective security controls in place, and that those controls are actually being followed by all their workers.
It has been interesting to have some lawyers recently tell me that they don’t have to follow HIPAA. However, the HHS has various statements indicating that lawyers are indeed BAs, based upon the type of legal activities they are providing to covered entities (CEs). (For example, see this link; it is from 2005, so it does not include consideration of HITECH requirements.)
In response, one of my LinkedIn friends in the group then asked some great questions based around a hypothetical scenario:
- I’m the Chief Information Security Officer (CISO) at a hospital and I receive a subpoena duces tecum for protected health information (PHI) records from an attorney at Dewey, Screwem, and Howe, LLC and the subpoena is duly signed and executed by a court of law.
- How can you ensure that the attorneys have adequate security controls in place? Most subpoenas don’t get into the legal elements/requirements governing the safeguarding of information, but are issued to legally compel an action.
- I can’t imagine that requiring the attorneys to sign a certification/attestation letter that they have controls in place would be sufficient, without being supported by substantive testing that provides a reasonable assurance that the certification/attestation is factual and correct. What security assurances can be obtained?
I love these types of scenarios and questions! So, what about subpoenas, HIPAA, and safeguards?
First let’s look at what you can do based upon HIPAA requirements. When you receive a subpoena for PHI, you should first determine if the lawyer is acting on behalf of a CE, such as was the case in the initial reported breach at the beginning of this post.
If so, then according to the HHS’s published guidance, the lawyer would likely be a BA of that CE, and so would be already legally obligated under HIPAA/HITECH to have all the associated safeguards in place for the PHI. True, this doesn’t mean the lawyer actually has safeguards, but you would know that they are supposed to.
Of course, it wouldn’t hurt if you, as the CISO, would also ask them, prior to turning the PHI over, if they are indeed in compliance with HIPAA/HITECH requirements. Calling the CE to confirm a BA Agreement is in place may also be a good idea. In a contentious situation they may clam up and refuse to tell you. You should document this. Documenting your actions, and reasoning for them, is a key aspect of all types of information security compliance situations.
Second, you should determine whether the subpoena was issued under a judicial or administrative order. HIPAA (Privacy Rule, §164.512(e)) lists the circumstances under which a CE may disclose PHI without patient authorization for judicial and administrative purposes. Under the rule, CEs may disclose PHI in response to a court or administrative order, provided that only the PHI expressly authorized by the court or administrative order is disclosed.
CEs may also disclose PHI in response to a subpoena, discovery request, or other lawful process without a court or administrative order, but only if the CE “receives satisfactory written assurances that the party seeking disclosure has made reasonable efforts to ensure that the individual has been notified of the request or that reasonable efforts have been made by the party seeking the information to secure a qualified protective order.” (See more information at 45 C.F.R. §164.512(e))
Third, if you determine that releasing the PHI is appropriate and/or necessary, then it will be a good practice to take steps to ensure to the extent possible that the lawyer you’re giving the information to has appropriate safeguards in place for the PHI. As the Baltimore law firm privacy breach shows, you don’t want them getting sloppy with the PHI you provided to them!
I have a different point of view about attestations. While they may not be “active” preventive controls, they *DO* establish responsibility on the part of the individual signing them that what they are attesting to is actually going on. If an auditor then in fact performs an audit and finds that those controls were not in place, the individual who signed the attestation may well be liable for not keeping their contract/word.
Something I’ve learned over the years is that you cannot always feasibly obtain substantive proof that an organization does indeed have sound and reasonable safeguards in place. Especially if your organization has hundreds, or even thousands, of BAs!
However, requiring each of the BA leaders to attest that they do indeed have such safeguards in place, and are in compliance with HIPAA/HITECH, puts some skin in the game for those BA executive leaders by making them personally responsible.
I’ve spoken to many business leaders over the years, and most have gotten pretty darn serious about ensuring safeguards are in place when they were putting their signatures on attestations and other types of legally binding documents.
So, you need to have documented procedures in place, and consistently followed throughout the organization, to deal with this type of situation. Here are some very high level actions I suggest you take:
- Assign an individual or position with the responsibility of handling and managing all subpoenas for PHI. This should be the individual that everyone in the organization knows to involve right away for all situations involving subpoenas and PHI requests. The go-to point person.
- Document procedures to follow for such situations. The procedures should include the following:
A. Determine if the request is valid
B. If valid, determine the specific PHI items that need to be released.
C. Where appropriate, request that the party issuing the subpoena provide evidence of authorization from the individual whose records are requested.
D. If no authorization accompanies the subpoena (discovery request or other lawful process), determine if you should disclose PHI based upon the situation. Ensure the following:
i. There is satisfactory assurance from the party seeking the PHI that reasonable efforts have been made to ensure that the individual who is the subject of the requested PHI has been given notice of the request. If they cannot provide such assurance, you can either make reasonable efforts to provide notice to the individual yourself, or object to the PHI disclosure.
ii. There is satisfactory assurance from the party seeking the PHI that reasonable efforts have been made by the party to secure a qualified protective order, as appropriate.
E. If you decide PHI should be disclosed, determine the best way to provide those items, and no PHI beyond those items, to the requestor. You must make reasonable efforts not to disclose more information than is requested.
F. Ask for some assurance that the party requesting the PHI has appropriate safeguards in place for the PHI. This can be done in a number of ways, a few of which include:
a) Ask the CEO, law office partner, or other executive within the requesting organization to sign an attestation indicating safeguards meeting the requirements of the HIPAA Security Rule and Privacy Rule are in place.
b) Ask to see verification of a recent information security audit and/or risk assessment that finds security is satisfactory.
c) Ask for proof of third party information security certification for the requesting party.
- Ensure everyone in the organization is aware of the procedures and receives some type of training for them.
I’m not a lawyer, and the above should not be construed as legal advice. It is advice to practitioners who have the responsibility to actually put into place everything needed to meet those unending legal requirements, while at the same time trying to make those measures truly effective with regard to information security and privacy.
You should go over all the above issues with your organization’s legal counsel and determine the specifics involved to incorporate into your own documented policies and procedures.
Cross-posted from The Privacy Professor