Legislation Alerts Issue of In Brief Now Online

The January issue of In Brief is now available on the PLF Web site.

imagesFrom the Editor:  This special issue focuses on some of the significant changes made by the 2013 Oregon Legislature.  Bills are listed by area of law.  Some bills pertain to more than one practice area, so practitioners are encouraged to look through all the sections.

The new legislation takes effect January 1, 2014, unless otherwise noted.  In addition the PLF published “2013 Oregon Legislative Session – ‘Emergency Legislation'” in the September issue of In Brief, focusing on some of the bills that became effective last year.  Those bills are NOT reprinted in this issue, so practitioners are encouraged to consult that document as well.

The following practice areas are covered in this special issue:

Administrative Law
Business Law
Civil Procedure and Litigation
Construction Law
Consumer and Debtor-Creditor Law
Criminal Law
Domestic Relations and Juvenile Law
Estate Administration, Elder Law, and Trust Law
Financial Institutions Law
Health Law
Labor and Employment Law
Land Use
Military and Veterans Law
Real Property
Taxation Law


Lawyers: What You Don’t Know About HIPAA Could Hurt You

Do you receive, use, store, or transmit personal health information (PHI) on behalf of covered entities subject to HIPAA?  If so, you are a “business associate.”

As a business associate, lawyers must implement privacy and security programs to protect against improper use or disclosure of client health information. They are also obliged to ensure that their subcontractors follow HIPAA rules.

Practice Areas Affected by HIPAA Regulations

Lawyers who provide services in the following areas are business associates subject to HIPAA:

  • Advice to a hospital/provider
  • Insurance Defense
  • HIPAA breach notification/response
  • Health plan fraud/abuse investigations
  • Provider payment disputes

The following does NOT make a lawyer a business associate for HIPAA purposes:

  • Representing an individual plaintiff in a personal injury, workers comp, social security, or medical malpractice case
  • In-house counsel (generally)
  • Drafting a business associate agreement for a covered entity
  • Drafting notices of privacy practices for a covered entity

However, you may possibly become a subcontractor of a business associate (and subject to HIPAA) IF you represent clients who have access to PHI because they provide services to a “covered entity” (health plan, health care provider, health care clearinghouse). Here is an example: You represent a software developer. The scope of your services is limited to entity formation and answering questions about intellectual property. The software developer writes software for health care providers. In order to write the software, the developer is given access to PHI stored on its client’s server. The software developer is a business associate for HIPAA purposes. You are a subcontractor of a business associate (your client) and therefore subject to HIPAA.

For more information on how HIPAA may apply to your law firm, see Kelly T. Hagan, “Business Associate, Esq.: HIPAA’s New Normal,” In Brief (September 2013) and
Kelly T. Hagan, “The HIPAA Compliance Process,” In Brief (May 2014), available on the PLF Web site, www.osbplf.org.

In his 2013 article, Hagan recommended lawyers subject to HIPAA take the following steps:

  1. Identify Privacy and Security Officials. This is not only required by rule, it places responsibility with identified persons. So long as everyone is responsible, no one is.
  2. Document a Risk Analysis. Again, this is required, not simply a good idea. The firm may wish to take this on, or may look to compliance professionals for assistance.
  3. Focus on Mobile Devices. The OCR hates PDAs. Data breaches resulting from stolen or misplaced laptops, iPhones, or Blackberries with PHI on them or accessible through them are a recurring breach scenario.
  4. Compile Existing Policies and Procedures. We all have policies and procedures for keeping files safe and secure. You may be surprised at how far along you already are. You won’t know what is left to be done until you have all of your explicit materials in one place and can compare them to your legal obligations.

The Multnomah Bar Association presented a CLE on October 17, 2013 entitled HIPAA Omnibus Rule Compliance Checklist – For Law Firms and Other Entities that Fall Within the Definition of a Business Associate.  This program was recorded and is available on the MBA Web site.


Data Breach Coverage for Law Firms

In the October 2012 issue of In Brief , the Professional Liability Fund (PLF) announced the addition of data breach and cyber liability coverage for law firms covered by the PLF Claims Made Excess Plan beginning January 1, 2013.  Here is the announcement:

The number of businesses suffering data breach losses has been increasing in recent years.  These breaches occur both electronically and on paper.  Information lost could include Social Security numbers, driver’s license numbers, credit and banking information, e-mail addresses, case histories, etc.  Law firms are particularly vulnerable to these types of losses due to the quantity of sensitive information contained in client files.

After a loss occurs, the statutorily required notification and credit monitoring for each affected individual can be expensive and time-consuming.  Such claims are excluded under the PLF primary coverage plan.  Beginning January 1, 2013, PLF Excess Coverage will include Data Breach and Cyber Liability Coverage.  This coverage includes forensic and legal assistance to determine compliance with applicable law, notifications to individuals as required by law, an offer to each notified individual for 12 months of credit monitoring, and loss mitigation resources for law firms.

The PLF recommends that Oregon law firms obtain data breach coverage either through PLF Excess Coverage or a commercial carrier.  If you are considering additional malpractice coverage for your firm, the PLF Excess Program limits are available up to $10 million in total coverage.

New firm and renewal applications for 2013 PLF Excess Coverage will be available in November.  Check the PLF Web site (www.osbplf.org), e-mail us at excess@osbplf.org, or call the PLF at 503-639-6911 or 1-800-452-1639 for more information.

The October issue of In Brief is Now Online

The October issue of In Brief is now available on the Professional Liability Fund Web site.  Articles and announcements include:

ABA Techshow 2013

Adjusted Tort Liability Limits Against Public Bodies

Check Scams Become Even More Sophisticated and Generally Have No PLF Coverage

Data Breach Coverage Added to 2013 PLF Excess Coverage

Immigration Law Resources

In Brief Returns to Print

Modification to Civil Case Management System in Multnomah County

New Foreclosure Law Requirements and PLF Practice Aids

PLF Claims Attorney Position

Reporting Responsibilities Under Medicare

Tips, Traps, and Resources

July Issue of In Brief Now Available

The July issue of In Brief is now available on the Professional Liability Fund Web site.  Articles and announcements include:

  • Modification to Civil Case Management System in Multnomah County
  • Revised Uniform Trial Court Rules Effective August 1, 2012
  • Adjusted Tort Liability Limits Against Public Bodies Effective July 1, 2012
  • Contract Lawyers: Independent Contractors or Employees?
  • New Foreclosure Law Requirements and PLF Practice Aids