Law Firms, HIPAA and the “Minimum Necessary Standard” Rule


TMI blogThe HIPAA Omnibus Rule became effective on March 26, 2013. Covered entities and Business Associates had until September 23, 2013 to become compliant with the entirety of the law including the security rule, the privacy rule and the breach notification rule. Law firms that do business with a HIPAA regulated organization and receive protected health information (PHI) are considered a Business Associate (BA) and subject to all regulations including the security, privacy and breach notification rules. These rules are very prescriptive in nature and can impose additional procedures and additional cost to a law firm.

Under the HIPAA, there is a specific rule covering the use of PHI by both covered entities and Business Associates called the “Minimum Necessary Stand” rule or 45 CFR 164.502(b), 164.514(d). The HIPAA Privacy rule and minimum necessary standard are enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Under this rule, law firms must develop policies and procedures which limit PHI uses, disclosures and requests to those necessary to carry out the organization’s work including:

  • Identification of persons or classes of persons in the workforce who need access to PHI to carry out their duties;
  • For each of those, specification of the category or categories of PHI to which access is needed and any conditions appropriate to such access; and
  • Reasonable efforts to limit access accordingly.

The minimum necessary standard is based on the theory that PHI should not be used or disclosed when it’s not necessary to satisfy a particular job. The minimum necessary standard generally requires law firms to take reasonable steps to limit the use or disclosure of, PHI to the minimum necessary to represent the healthcare client. The Privacy Rule’s requirements for minimum necessary are designed to be flexible enough to accommodate the various circumstances of any covered entity.

The first thing firms should understand is that, as Business Associates subject to HIPAA through their access and use of client data, firms are subject to the Minimum Necessary Standard, which requires that when a HIPAA-covered entity or a business associate (law firm) of a covered entity uses or discloses PHI or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Law firm information governance professionals need to be aware of this rule and build it into their healthcare client related on-boarding processes.

Advertisements

You Don’t Know What You Don’t Know


Blog_06272014_graphicThe Akron Legal News this week published an interesting editorial on information governance. The story by Richard Weiner discussed how law firms are dealing with the transition from rooms filled with hard copy records to electronically stored information (ESI) which includes firm business records as well as huge amounts of client eDiscovery content. The story pointed out that ESI flows into the law firm so quickly and in such huge quantities no one can track it much less know what it contains.  Law firms are now facing an inflection point, change the way all information is managed or suffer client dissatisfaction and client loss.

The story pointed out that “in order to function as a business, somebody is going to have to, at least, track all of your data before it gets even more out of control – Enter information governance.”

There are many definitions of information governance (IG) floating around but the story presented one specifically targeted at law firms: IG is “the rules and framework for managing all of a law firm’s electronic data and documents, including material produced in discovery, as well as legal files and correspondence.” Richard went on to point out that there are four main tasks to accomplish through the IG process. They are:

  • Map where the data is stored;
  • Determine how the data is being managed;
  • Determine data preservation methodology;
  • Create forensically sound data collection methods.

I would add several more to this list:

  • Create a process to account for and classify inbound client data such as eDiscovery and regulatory collections.
  • Determine those areas where client information governance practices differ from firm information governance practices.
  • Reconcile those differences with client(s).

As law firms’ transition to mostly ESI for both firm business and client data, law firms will need to adopt IG practices and process to account for and manage to these different requirements. Many believe this transition will eventually lead to the incorporation of machine learning techniques into IG to enable law firm IG processes to have a much more granular understanding of what the actual meaning of the data, not just that it’s a firm business record or part of a client eDiscovery response. This will in turn enable more granular data categorization capability of all firm information.

Iron Mountain has hosted the annual Law Firm Information Governance Symposium which has directly addressed many of these topics around law firm IG. The symposium has produced ”A Proposed Law Firm Information Governance Framework” a detailed description of the processes to look at as law firms look at adopting an information governance program.