There are few words companies fear as much as “potential data breach,” but that was what the health care management firm Alaris Group had to face when it received a demand letter from an attorney last fall that alleged an employee had disclosed protected health information.
The Duluth-based company’s first call was to local legal counsel Kate Andresen, who advised it how to secure the firm’s data systems and handle the internal investigation as she also reviewed Alaris’ cyber liability policies.
As the health care industry deals with continually evolving regulations, including those in the Affordable Care Act, companies are relying more on lawyers like Andresen to help them navigate the complex privacy and security issues that arise on a daily basis. As a result, law firms are building bigger teams and focusing more attention on data privacy.
“There’s a constant evolution that really drives a lot of new levels and methods of integration,” said Ross D’Emanuele, a partner at Dorsey & Whitney who works in the firm’s health care practice. “That creates new legal issues constantly. … Health care reform and the resulting move from fee-for-service payments to value-based care means more information sharing among health care providers, which creates greater potential for privacy issues.”
For example, a hospital and a nursing home may want to share patient information to help identify problems early on to prevent the patient from having an emergency that sends him or her to the hospital, but they’re limited by HIPAA regulations on what can be shared, D’Emanuele said.
“We have these competing interests,” said Andresen, who last month joined the Minneapolis firm Nilan Johnson Lewis, where she specializes in data privacy matters.
Doctors are texting patients to make appointments and sharing test results online, said Heidi Christianson, who also works at Nilan Johnson, where one of her specialties is health care regulation and governance.
And now, instead of mainframe computers, data are kept on laptops or other portable devices or sometimes not kept by the owner at all but by another company in a separate location with the help of cloud computing. The lack of information control can lead to breaches, sometimes inadvertent.
In March, North Memorial Health Care agreed to pay $1.55 million to settle charges that it violated federal health privacy law in connection with the 2011 theft of a laptop computer that contained patient data.
Data breaches are a common threat that many health care companies have learned to treat as a priority in recent years. There were 1,673 reported data breaches in 2015, which resulted in more than 707 million records being compromised worldwide, according to information collected in the Breach Level Index. The health care industry led all sectors, accounting for 22 percent of all data breaches.
In the Alaris incident, Andresen was able to help the company confirm that its policies and practices were correct for data privacy and security, but the review did identify a technological improvement that would allow the management firm to respond better to a future investigation and give the company the ability to isolate and address a possible breach down to a specific case.
“We initiate Kate’s services even on fairly simple incidents to ensure that we are correctly handling these incidents and mitigating risk to all parties,” said Alaris’ CEO Marijo Storment, in a statement stressing the firm’s commitment to privacy and security.
The health care team at Nilan Johnson Lewis has grown 30 to 50 percent in the last few years to respond to the increase in business from clients, Christianson said.
The firm has increasingly conducted risk assessments for clients’ privacy and security protections and also helps draft agreements and policies with third-party vendors.
At Dorsey & Whitney, the firm not only has health care attorneys but it also founded Dorsey Health Strategies, a consultancy that provides business advisory and regulatory services to health care clients, such as how to use big data.
D’Emanuele said it’s important for law firms to provide services that “actualize the legal advice.”
“We try to find ways that we can add value on both sides,” he said.
Law firm Fredrikson & Byron also has a consulting subsidiary, Fredrikson Healthcare Consulting, that is based in Minneapolis. That is in addition to the local office’s team of health care lawyers.
Briar Andresen, a shareholder at Fredrikson & Byron who primarily provides services related to health care, data protection and compliance, said she spends a great deal of her time helping clients with privacy issues.
Part of the push by clients to address privacy concerns is due to recent increased HIPAA enforcement efforts by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, Briar Andresen said. In March, the OCR announced the second phase of its audit program that will entail review of policies and procedures adopted by HIPAA-covered entities and their business associates.
“Now we are seeing a lot more enforcement of it, which always makes people care a lot more about it,” she said. “I think we can expect more of the same with OCR continuing to wield a big stick on the enforcement side of it.”