Most of us are familiar with the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. While digital discovery and electronic transfer of records are nothing new, COVID stomped on the accelerator, pushing lawyers into technology and e-practice. A lot of us are stumbling into the digital realm, and safeguarding the Protected Health Information (PHI) in our possession probably isn't the first thing on our to-do list. Unless you want to risk fines of between $119 and $59,522 per violation, you're going to want to pay attention.
To understand whether your practice falls under the regulations of HIPAA, you first need to look at the Texas Medical Records Privacy Act (TMRPA). The TMRPA's definition of a covered entity is broader than the federal law's. If you create, receive, or store PHI, or work for someone who does, you fall under the TMRPA. Texas Health and Safety Code §181.001(b)(2)(A-D). Essentially, if you come into contact with PHI, you're a covered entity and will need to comply with the requirements protecting that information.
What is Protected Health Information (PHI)? PHI is information, including demographic information, that relates to an individual's past, present, or future physical or mental health condition, healthcare, or payment for healthcare, and that identifies the individual. 45 C.F.R. §160.103. This includes information transmitted by electronic media, maintained in electronic media, or "transmitted or maintained in any other form or medium." Id. So, if it's medical information that can be tied to a specific person, it's probably PHI.
As criminal defense attorneys, there is a really good chance we'll end up being covered entities regulated by HIPAA and the TMRPA because of the information we come to possess regarding our clients: from the mental health records we receive for a mitigation packet or a grand jury presentation, to the TDCJ records that include infirmary trips, to the SAFPF records that include counseling information, to the UA results for a pre-trial check-in, to the discovery with EMT or blood draw records, the possibilities are pretty limitless. Remember too that it does not have to be just our client's PHI. Records we receive on third parties like witnesses or family members still fall under HIPAA and TMRPA regulations.
What does it mean, then, that we are covered entities maintaining the confidentiality of PHI? Obviously secondary possessors of PHI like attorneys were not the main focus of HIPAA or the TMRPA. PHI is not our main focus either, but we are still required to protect medical privacy. The big picture is two things: 1) we cannot release PHI without a proper release; and 2) we have to comply with the other provisions of HIPAA and the TMRPA for safeguarding, training, and notice requirements.
Under what circumstances can a party re-disclose PHI that we have received? The first is a valid court release, such as a subpoena signed by the judge, a grand jury subpoena, or an administrative subpoena that authorizes a covered entity to re-disclose PHI in its possession. However, that is not the most likely scenario in which we will re-disclose PHI. Usually, those subpoenas are going to go to the people creating the PHI. We will need a valid release to re-disclose PHI.
A valid release is more than just a set of initials on your intake contract saying you can use a client's medical records for anything you need. Texas Health and Safety Code 181.154(d) tasked the Attorney General with creating a standardized release form that complies with both the TMRPA and HIPAA. The 2013 form has some specific requirements, such as designating to whom the documents are being released (not just "anyone who wants them"), the purpose of the release, a description of the information to be used or disclosed, and a specific expiration date. Additionally, there must be a separate statement for the release of mental health records, drug or alcohol information, or HIV records. The Attorney General's standardized form is available at https://www.texasattorneygeneral.gov/sites/default/files/files/divisions/consumer-protection/hb300-Authorization-Disclose-Health-Info.pdf. Your releases are allowed to be in written or electronic format, or even given orally as long as properly documented. Tex. Health & Safety Code 181.154(b). Best practice, though: GET IT IN WRITING.
What constitutes a valid signature? It's easy enough when a client is in person with a state ID to verify who is signing your release. But gone are the days of pen and ink, and an electronic signature is acceptable as long as it is valid under applicable law. The touchstone is the ability to verify that the signature is valid and that the person signing has the authority to do so. Some programs, such as SIGNiX, eSignLive by Vasco, and Adobe Sign, have been found to comply with HIPAA's verification requirements.
What about just safeguarding the records in our file? Is your USB drive encrypted? Can you use your Hotmail account to e-mail the records to another attorney or the judge? How complex is your password? These are all things that HIPAA, and through it the TMRPA, expect you to have considered and made a plan for. The TMRPA adopts the standards of HIPAA at Texas Health and Safety Code 181.004. HIPAA lays out standards to ensure confidentiality, protect against reasonably anticipated threats, protect against reasonably anticipated non-permitted uses or disclosures, and ensure compliance by your workforce. 45 C.F.R. §164.306. It does not make a list of "do this and don't do that," but requires that any covered entity assess the risk of accidental disclosure, make a plan, and justify what choices were made and why. The goal is that if there ever is a breach, we can show we did everything we could to avoid it. Here are some highlights of best practices:
Encryption
Encryption renders PHI unreadable and undecipherable. The data can be read only if a key is applied to decrypt it. While encryption is not required for all ePHI, HIPAA-covered entities should conduct a risk analysis to determine the level of risk and, if encryption is not used, what other safeguards are used in its place. There are many encryption programs out there, both free and paid. Before you go drop off that USB for the District Attorney, take a look at https://www.techradar.com/best/best-encryption-software for some ideas.
Passwords
Even though passwords are usually the front line against unauthorized access to data, the only requirement in HIPAA is that covered entities create "Procedures for creating, changing, and safeguarding passwords." The National Institute of Standards and Technology (NIST) recommends that a password be between 8 and 64 characters, and recommends passphrases instead of the previously recommended complex passwords that people forget or write down to remember. So instead of using a complex sequence of numbers, letters, and symbols, use something only you would know as a passphrase, like "Mywifesbirthday!JanuaryFirst1980".
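The NIST guidance summarized above (an 8 to 64 character window, no composition rules, and a blocklist check instead of forced complexity) is what a verifier enforces when a user picks a passphrase. The following is an added example written for this article, not code from NIST or from any product named here; the blocklist, username, and service name are constructed placeholders.

```python
import unicodedata

# NIST SP 800-63B length bounds cited in the text: at least 8 characters,
# and a verifier must accept passphrases of at least 64.
MIN_LEN = 8
MAX_LEN = 64

# Constructed, deliberately tiny blocklist standing in for the corpus of
# common and breached passwords NIST expects a verifier to consult.
COMMON_PASSWORDS = {
    "password", "password1", "123456789", "qwertyuiop",
    "pa$$w0rd", "letmein!", "iloveyou",
}


def check_passphrase(candidate: str, username: str = "",
                     service: str = "") -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate passphrase.

    Rules follow the NIST guidance the text summarizes: a length window of
    8 to 64 characters, no composition rules (any printable character,
    spaces included, is fine), and a blocklist check for common, breached,
    and context-specific values. Nothing else is imposed on the user.
    """
    # NFKC normalization so that visually identical inputs typed on
    # different keyboards (e.g. full-width letters) compare equal.
    pw = unicodedata.normalize("NFKC", candidate)

    if len(pw) < MIN_LEN:
        return False, f"too short: {len(pw)} < {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"too long: {len(pw)} > {MAX_LEN} characters"

    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "appears on the common/breached password list"

    # Context-specific words: an account or service name embedded in the
    # passphrase is trivially guessable, so NIST says to reject it.
    for label, word in (("username", username), ("service", service)):
        if len(word) >= 3 and word.lower() in lowered:
            return False, f"contains the {label} '{word}'"

    # These checks are mechanical: they cannot judge whether a passphrase
    # built from facts about the user is guessable by someone who knows
    # those facts. Only the user can assess that part.
    return True, "accepted"


if __name__ == "__main__":
    for cand in ("Pa$$w0rd", "three green ferries before lunch",
                 "jdoe-rocks-2024"):
        print(cand, "->", check_passphrase(cand, username="jdoe",
                                            service="lawfirm"))
```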
Third Party Storage
Are you using another company to maintain your files? If so, you're going to need a business associate agreement. 45 CFR §164.308(b). A business associate agreement is simply a written agreement that the third party you are paying is going to take all of the necessary steps to protect your data instead of you doing it yourself.
E-mail
Not all e-mail is created equal. Using your 45 hours of free AOL access to send ePHI documents to your expert or the judge is not secure. If you're e-mailing ePHI, you need to make sure your e-mail is HIPAA compliant. To do that you need a few things: 1) end-to-end encryption; 2) a business associate agreement with your e-mail provider; 3) a correctly configured e-mail account; and 4) policies and training for your staff on e-mailing ePHI. Talk to your e-mail provider about how to set up your account to send HIPAA-compliant e-mail.
Training
If you're not a solo practitioner, you have to make sure that you're training your associates too. Texas Health and Safety Code 181.101 requires training of employees on both state and federal law regarding any PHI they may come into contact with. That training must be done within 90 days of hire, and the employee is required to sign a statement verifying the training. Tex. Health & Safety Code 181.101(a) & (d).
And why are we doing all of this? Because we want to avoid the enforcement arm of HIPAA and the TMRPA. The TMRPA, in addition to injunctive relief, provides for civil penalties: $5,000 per violation for negligent violations and $25,000 per violation for intentional or knowing violations, up to $1.5 MILLION per year. Texas Health and Safety Code §181.201. As noted above, the Department of Health and Human Services published a final rule increasing the civil penalties for 2020. For violations the covered entity did not know about, fines can be between $119 and $59,522 per violation. If the violation is due to willful neglect, the penalty jumps to between $11,904 and $59,522 per violation.
These are not nebulous threats. In May 2017, HHS levied a $2.4 million civil penalty against Texas Health Systems after it released the name of a patient who had presented fraudulent identification and was subsequently arrested. Concentra Health Services in Addison, Texas, was fined $1.7 million after an unencrypted laptop was stolen from its facilities. The largest HIPAA fine to date was against Anthem Health in 2019, $16 million for failing to protect patient data.
So what do we take away from this? Remember that as we bring new technology and new ways of doing business into our practices, we need to be aware of the steps that keep private client information private. A lot of us may be old hands at encrypted transfers and two-step verification, but there are a lot of lawyers (and their staff) who are not. Take the time to learn about the new technology you're using, and how to use it better to protect privacy of all kinds.