ADVERTISEMENT
Minnesota Law Firms Growing Healthcare Businesses
Nicole Norfleet
May 13--There are few words companies fear as much as "potential data breach," but that was just what Duluth-based health care management firm Alaris Group had to face when the company received a demand letter from an attorney last fall that alleged an employee had disclosed protected health information.
The company's first call was to local legal counsel Kate Andresen who advised how to secure the company's data systems and handle the internal investigation as she also reviewed their cyber liability policies.
As the health care industry deals with continually evolving regulations, including those included in the Affordable Care Act, companies are relying more on teams of lawyers like Andresen to help them navigate the influx of complex privacy and security issues that arise on a daily basis. As a result, law firms are building bigger teams and focusing more attention on data privacy.
"There's a constant evolution that really drives a lot of new levels and methods of integration," said Ross D'Emanuele, a partner at Dorsey & Whitney who works in the firm's health care practice. "That creates new legal issues constantly. ... Health care reform and the resulting move from fee-for-service payments to value-based care means more information sharing among health care providers, which creates greater potential for privacy issues."
For example, a hospital and a nursing home may want to share patient information to help identify problems early on to prevent a patient from having an emergency where he or she could end up in the hospital but are limited by HIPAA regulations on what information can be shared, D'Emanuele said.
"We have these competing interests," said Andresen, who last month joined Minneapolis firm Nilan Johnson Lewis where she specializes in data privacy matters.
Doctors are texting patients to make appointments and sharing test results online, said Heidi Christianson, who also works at Nilan Johnson, where one of her specialties is health care regulation and governance.
And now instead of on mainframe computers, data is kept on laptops or other portable devices or sometimes data is not kept by the owner at all but by another company in a separate location with the help of cloud computing. The lack of information control can lead to breaches, sometimes inadvertent.
In March, North Memorial Health Care agreed to pay $1.55 million to settle charges that it violated federal health privacy law in connection with the 2011 theft of a laptop computer that contained patient data.
Data breaches are a common threat that many health care companies have learned to treat as a priority in recent years. There were 1,673 reported data breaches in 2015, which resulted in more than 707 million records being compromised worldwide, according to data collected in the Breach Level Index. The health care industry led all sectors, accounting for 22 percent of all data breaches.
In the case of the Alaris incident, Andresen was able to help the company confirm their policies and practices were correct for data privacy and security, but the review did identify a technological improvement that would allow the management firm to respond better to a future investigation and give the company the ability to isolate and address a possible breach down to a specific case.
"We initiate Kate's services even on fairly simple incidents to ensure that we are correctly handling these incidents and mitigating risk to all parties," said Alaris' CEO Marijo Storment, in a statement stressing the firm's commitment to privacy and security.
The health care team at Nilan Johnson Lewis has grown 30 to 50 percent in the last few years to respond to the increase in business from clients, Christianson said.
The firm has increasingly conducted risk assessments for clients privacy and security protections and also helps draft agreements and policies with third party vendors.
At Dorsey & Whitney, the firm not only has health care attorneys who practice law but it also founded Dorsey Health Strategies, a consultancy that provides business advisory and regulatory services to health care clients such as how to use big data.
D'Emanuele said it was important for law firms to provide services that "actualizes the legal advice."
"We try to find ways that we can add value on both sides," he said.
Law firm Fredrikson & Byron also has a consulting subsidiary, Fredrikson Healthcare Consulting, that is based in Minneapolis in addition to the local office's team of health care lawyers.
Briar Andresen, a shareholder at Fredrikson & Byron, who primarily provides services related to health care, data protection and compliance, said she spends a great deal of her time with helping clients with privacy issues.
Part of the push by clients to address privacy concerns is due to the recent increased HIPAA enforcement efforts by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, Briar Andresen said. In March, the OCR announced the second phase of its audit program that will entail review of policies and procedures adopted by HIPAA covered entities and their business associates.
"Now we are seeing a lot more enforcement of it, which always makes people care a lot more about it," she said. "I think we can expect more of the same with OCR continuing to wield a big stick on the enforcement side of it."
Twitter: @nicolenorfleet
Copyright 2016 - Star Tribune (Minneapolis)