Everything you tell your own lawyer is confidential. The relationship between lawyers and clients is similar to the one between doctors and patients. People need to tell their full and truthful story and trust it will remain confidential in order to receive the best advice and the highest quality care.
A leading Ohio law firm, Bricker and Eckler, recently had the difficult job of notifying 420,532 patients that their personal data was breached after a ransomware attack on the firm compromised reams of electronic protected health information (PHI). The law firm, which has offices across Ohio and clients throughout the country, is a HIPAA business associate because it represents a number of healthcare organizations and has access to patient information as part of its work.
A Business Associate Behind the Scenes
The uncomfortable twist here is that those hundreds of thousands of patients were not clients of the law firm, and likely were not even aware the firm had access to their information. The patients knew their healthcare providers but not the name Bricker and Eckler, the law firm business associate hired by those providers to provide legal advice. The firm represents more than two-thirds of the hospitals in Ohio, and its client list includes home health agencies, health care provider networks, managed care organizations, assisted living facilities and hospices, among others.
This was a large breach since so many health care providers – covered entities under HIPAA – use Bricker and Eckler for counsel. For Bricker and Eckler, lots of clients equals lots of data. For context, this is the eighth largest of the 166 breaches reported so far this year on the Office for Civil Rights (OCR) breach portal.
And while there appear to be no other law firms on the breach portal list yet, there are plenty of business associates. Business associates are separately liable for HIPAA compliance and subject to the same requirements to safeguard the privacy and security of all protected health information entrusted to them.
Two of the largest breaches nationally in 2019 and 2020 occurred at business associates. The American Medical Collections Agency (AMCA) breach in 2019 and the Blackbaud software breach in 2020 each affected millions of patients. AMCA performed billing and collections for covered entities, and Blackbaud is a cloud software provider used for fundraising across a variety of industries, including healthcare. In addition to HIPAA investigations, AMCA and Blackbaud also face numerous large and expensive federal class-action lawsuits from individuals and companies claiming negligence and breach of contract due to their failure to safeguard PHI.
Aftermath of a Big Data Breach
We wrote earlier this week about the cost of healthcare data breaches. After patients have been notified, after the breach has been reported to the media, to OCR and to federal law enforcement officials, and after the forensic investigation is complete, the risk management work continues. Bricker and Eckler announced that it has “implemented additional security protocols designed to enhance the security of Bricker’s network, internal systems and applications.” They also pledged “to evaluate additional steps that may be taken to further increase Bricker’s defenses going forward.”
One step they will likely take is to review and revise their HIPAA Risk Analysis and make sure they’ve completed the Security Rule Checklist.
OCR is investigating, and it will ask Bricker and Eckler to prove they have been complying with HIPAA and to document their Risk Management Plan. Their business associate agreements with their covered entity clients will be scrutinized. In addition to the OCR investigation, with 420,532 individuals affected, the law firm may find itself defending lawsuits.
Business associates who are not sure whether they are doing enough should take an unflinching look at their HIPAA compliance program. It is much less painful and less costly to prevent a breach than to clean up afterward.