Do the HIPAA Omnibus Rules Increase Responsibility (and Risk) for E-Discovery Providers?

If you’re reading this, you may now be considered a “business associate” or subcontractor under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The 2013 HIPAA Omnibus Rule, which took effect on March 26, expands the definition of a “business associate” of covered entities, makes such “business associates” directly liable for compliance with the HIPAA privacy and security rules’ stringent requirements.

Specifically, the expanded definition of “business associate” creates new obligations for subcontractors and those previously excluded business associates who, many of which, previously have not had to deal directly with HIPAA obligations but now are expected to agree to the same restrictions and conditions as the “business associate.” Now, both will need to re-examine their internal policies and practices, as well as rigorously enforce information security protocols, to protect their clients’ protected health information (PHI), control employee access to such information and monitor compliance.

The Omnibus Rule raises an interesting issue for the electronic discovery ecosystem: Does the expanded definition of “business associate” put new affirmative responsibility on law firms and e-discovery providers, shifting the liability of potential inappropriate disclosure of PHI, even if it is done at the direction of the covered entity or as a subcontractor to the “business associate”?

“Business associates” of covered entities, including any entity that receives, maintains or transmits PHI, will have increased exposure. This means that compliance will be required downstream from the covered entity, thereby creating potential liability for entities with more attenuated relationships with covered entities. Compliance in the context of e-discovery proceedings is already complicated, and now there will be an expansion in the application of the law and a more heightened scrutiny of entities providing legal services and those providing electronic discovery services.

Thus, there are a number of possible implications for law firms and e-discovery providers alike:

• For the first time, it appears that lawyers will be (and their e-discovery providers may be) held responsible for ensuring that in e-discovery, data is not collected that might be applicable to HIPAA privacy rules. They will have to limit the uses, disclosures of, requests for, and productions of PHI to the “minimum necessary.” This means lawyers must curtail requests for PHI to data needed for a matter. When PHI is part of a data collection, parties must avoid producing more data than required and redact nonresponsive PHI and may need to pursue protective orders when needed.

• In the event of a breach, the business associate must notify the covered client within 60 days of discovering a security breach affecting PHI. The Rule expands the definition of “breach” from a use or disclosure that caused a “significant risk of financial, reputational or other harm” to any impermissible acquisition, access, use, or disclosure of PHI. A breach is presumed to have occurred unless the business associate can show a low probability that PHI was compromised.

• The Omnibus Rule also points to the need for “business associates” to adopt security and privacy controls that address access to PHI and security breaches, as well as implement the HIPAA Security Rule (which includes designating a security official and installing access-control software).

We have yet to see how the obligations of e-discovery providers may shake out with this new rule, as affected entities have 180 days to figure it out. Stay tuned.

Chris O’Brien is chief operating officer at Conduent. He can be reached at cobrien@conduent.com.