HIPAA Legal & Compliance
Guidance
Our HIPAA Legal Team counsels clients on the confidentiality, privacy and security requirements that federal and state law impose on healthcare. Our legal services include:
Contact our HIPAA attorneys for questions regarding your HIPAA privacy and security obligations, or to discuss compliance in the event of a HIPAA breach that could result in federal and state enforcement and significant penalties. Or find out more about online HIPAA compliance training.
Recently, our attorneys advised two clients, each of whom is developing a mobile medical application, on HIPAA privacy and security issues. Representing these clients involved developing customized solutions to ensure that the client was protected from unwarranted liability in its position as a Web portal to a healthcare practitioner. In each case, we designed the company’s Terms of Use and Privacy Policy, as well as its contract with practitioners, to comply with HIPAA as well as state law privacy and confidentiality rules, and related laws governing telemedicine practices.
Let us know whenever HIPAA issues arise, whether you are a startup technology (and possibly a business associate under HIPAA), an established medical group or practice, or a consultant or vendor involved in telemedicine or a mobile application through which protected health information (PHI) is transmitted.
HIPAA establishes civil money penalties and criminal penalties for violations. HHS enforces the civil money penalty provision, while the U.S. Department of Justice enforces the criminal penalties. HIPAA’s civil money penalty provision authorizes a civil penalty of up to $100 per violation, up to $25,000 per year. HIPAA authorizes criminal penalties according to the level of culpability, up to $1.5 million.
Portions of HIPAA have been amended by a subsequent federal statute, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
HIPAA and HITECH
Under federal law, the Health Insurance Portability and Accountability Act (“HIPAA”) regulates the electronic data exchange of health care information. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. The Administrative Simplification provisions also address the security and privacy of health data.
Under Title II of HIPAA, HHS has promulgated five sets of implementing regulations, which are variously known as the Privacy Rule, the Security Rule, the Unique Identifiers Rule (National Provider Identifier (“NPI”)), the Transactions and Code Sets Rule, and the Enforcement Rule. Our clients, however, are primarily concerned with the Privacy Rule and the Security Rule, both of which address protecting the confidentiality and privacy of patients’ healthcare information.
State Privacy and Confidentiality Laws
States also have their own privacy and confidentiality laws, portions of which apply notwithstanding HIPAA’s preemption provisions. In addition, providers who do not fall under HIPAA will nonetheless be bound by state laws and regulations.
For example, in California:
- California privacy standards are contained in the Confidentiality of Medical Information Act (“CMIA”).
- The Health & Safety Code (sections 123100 et seq.) governs patient access to health records. (Among other things, special considerations apply to psychotherapy notes and mental health records.)
- California law also establishes a State Office of Health Information Integrity, dedicated to informing about rights and responsibilities relevant to health information, as well as the role of electronic health information exchanges (“HIEs”) in transmitting patients’ health information.
- California’s Department of Health Care Services also has a Privacy Office, which sits within the Department’s Office of HIPAA Compliance, and works to protect PHI, including investigating privacy breaches and complaints involving unauthorized access or disclosure of PHI.
- California further has an Office of Privacy Protection, which provides information on privacy topics for individuals and consumers.
HIPAA Requirements
HIPAA applies to “Covered Entities” and to their “Business Associates.”
Covered entities include:
(1) Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
(2) Most Health Care Providers — who transmit any health care information in electronic form to health insurance companies. Such health care providers can include doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists, or any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
(3) Health Care Clearinghouses — entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
A Business Associate is a person or organization outside the workforce of a Covered Entity that uses individually identifiable health information for functions such as claims processing or administration, or data analysis, processing or administration.
The U.S. Department of Health and Human Services (HHS) summarizes the major administrative procedures a Covered Entity must have under HIPAA, as follows:
- Privacy Policies and Procedures. A Covered Entity must develop and implement written privacy policies and procedures that are consistent with HIPAA.
- Privacy Personnel. A Covered Entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the Covered Entity’s privacy practices.
- Workforce Training and Management. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not the entity pays them). A Covered Entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions, and must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or HIPAA.
- Mitigation. A Covered Entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or HIPAA.
- Data Safeguards. A Covered Entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure under otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with a lock and key or a pass code, and limiting access to keys or pass codes.
- Complaints. A Covered Entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The Covered Entity must explain those procedures in its privacy practices notice. Among other things, the Covered Entity must identify to whom individuals can submit complaints at the Covered Entity and advise that complaints also can be forwarded to the Secretary of HHS.
- No Retaliation and Waiver. A Covered Entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A Covered Entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.
- Documentation and Record Retention. A Covered Entity must maintain, until six years after the later of the date of its creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Contact our HIPAA Legal Team for legal advice related to patient privacy, confidentiality, and data security.
FAQ
Great! Let us know and we’ll do a conflicts check and then send you an engagement letter. Typically we want to know if we are going to represent you as an individual, or your entity (corporation or LLC); we’ll also want to know your website and some basic contact information.
Review our legal services to see some of the areas we like to work in; check our testimonials, client roster, and experience; read some of our blog posts; check out our LinkedIn community; or just call or email us to explore. Put simply, we represent health and wellness products, technologies, practices and ventures that accelerate health and healing.
We are very comfortable working with clients via phone and email. You can sign, scan and email the engagement letter, and submit the advance by check or online.
The answer depends on the complexity of the project. Each client’s situation is different. We want every client to receive the best possible advice, and so we want to be in a position to devote as much time as is required to do that. Look to our testimonials, client roster, and experience. We work with our clients effectively and efficiently and build long-term relationships based on mutual trust. We bill hourly and do not offer project or flat fees. Lawyering is an art, not a science – we’re intuitive as well as skilled lawyers.
Yes, like most law firms, we require an advance against fees and costs. Our typical advance ranges from $3,500 – $10,000. We offer our expertise and savvy and work hand-in-hand with you toward your goals. Occasionally, we will offer you a one-hour consult as a way to jump-start our work together, and give you an overview of critical issues, with guidance on the critical business crossroads you’re facing. We do not take equity or deferred compensation.
Our Firm doesn’t give “quotes” or answer “how much does it cost.” Through long experience, we’ve found that the answer is pretty much meaningless. Some lawyers and law firms give quotes, but if you read the accompanying disclaimer, you’ll see that the disclaimer basically says that you can’t depend on the quote for anything. In our long experience, “how much it costs” depends on a lot of variables, including:
- What the client is asking for
- What the client really needs
- What the client doesn’t know they don’t know
- What we discover as we dive into the legal research and analysis
- How complicated the problem really turns out to be
- How much the client will want to do on their own
- Whether we can find some elegantly simple solutions to sub-parts of the puzzle
- What decisions we make together, and separately, as we explore the puzzle and put solutions and strategies together
In many cases, we might think a project is very complex, but then as we dig in, we can make executive decisions and recommendations that save the client dozens of hours of lawyer time and tens of thousands of dollars. This happens a lot with our clients. In other cases, the client might think the problem is simple, but as we start to review it, the puzzle is much larger; sometimes the client throws in extra facts and complications at the last minute, and that will increase the expense and work; sometimes we’ll give the client “homework” so they can DIY a piece, taking it outside the need for lawyer time.
One thing we do is get our clients on the phone frequently. We find that the Legal Strategy Session often cuts through the fog. Where we need to do a chunk of written legal work, we’ll do so and let you know that’s what we think is needed. Where we can be more efficient with a call, we’ll tell you that as well.
Many clients come to us after having wasted tens of thousands of dollars with other lawyers. Read our testimonials. We’re here to provide a lot more value than the retainer—our business model and Firm policy is to provide at least 3-5 times the value back to you. That’s our model and we’re sticking to it. We’re not trying to sell you on a “cheap retainer” or promise of discounts. We’re here to solve a big hairy problem and get you where you need to go, as efficiently and productively as we can.
Typically, assessing feasibility involves legal and strategic advice, which we provide in the 45-minute consult, in a way that is appropriate to the time we have together there.
The only way to know is to jump into the process. If you want to know more about us and how we work, browse our testimonials, look at our client rolodex, or review our experience on our website.
Work with us and find out how efficient and engaged we are with your business. We like to work with clients for life. It is a deep and trusting relationship.
Michael’s bio is online here. He has written books on healthcare law and policy, taught healthcare law as a faculty member at Harvard Medical School, garnered NIH and other medical research grants, and published over 100 articles in legal and medical journals. Michael speaks all over the world on healthcare topics.