MAR 19, 2014 10:23am ET

The Attorney/Client Privilege and Security Incidents

Print
Reprints
Email

It’s safe to say that healthcare organizations are facing situations where breach or regulatory investigations are more prevalent today than ever before. The number of compromised patient health records increased 138% between 2012 and 2013. The Department of Health and Human Services is expected to launch its HIPAA audit program this year. They plan to audit many more entities than the 115 audited during the pilot program that ran from 2011 to 2012. 

When these situations arise in your organization, there is typically the need for legal advice and consultation. None of us can accurately predict whether or not a security incident or breach investigation will end up as a lawsuit or regulatory fine. But all of us need to understand the implications of our communications with others and how these communications can impact an investigation.

I’m not an attorney but I have worked closely with legal advisors on numerous security incident and breach investigations. As a result, I have witnessed firsthand the value of asserting the attorney/client privilege. Unfortunately, there seems to be a lack of awareness and understanding in leveraging this valuable tool which explains why I rarely see it invoked in healthcare. 

The attorney client privilege can protect confidential communications between a lawyer and an incident response and investigative team. When the privilege is asserted, it can prevent the disclosure of these privileged communications. The purpose of the attorney/client privilege is to encourage open communication while minimizing the risk of disclosing these communications to opposing parties.

Communications, both written and oral, may have to be disclosed in a breach or regulatory investigation if the communications do not maintain the attorney/client privilege. Communications, including inaccurate ones, can then be used as evidence against your organization if they are not protected by the attorney/client privilege.

There are four basic elements which should exist for the attorney client/privilege to apply:

  1. A COMMUNICATION – This could be a written, oral or electronic communication. It is recommended that written or electronic communications be marked “Attorney Client Communication – Privileged and Confidential.” This provides the intent of the communication.
  2. MADE BETWEEN PRIVILEGED PERSONS – This can be the incident response and investigative team members and the attorney designated and responsible for working on the issue.  This can also include a paralegal or assistant working on the issue on behalf of the attorney.
  3. IN CONFIDENCE – This means it should be made with the intent that the communications remain confidential. There should be no communication regarding the issue except with persons who have a need to know.  Any communication should be stored in a separate, secure location with limited access to assure it remains confidential.
  4. FOR THE PURPOSE OF SEEKING, OBTAINING OR PROVIDING LEGAL ASSISTANCE – The communications should be for the purpose of obtaining or providing legal advice and counsel which is imperative whenever a breach or regulatory investigation is involved.

Failure to follow these narrow guidelines may result in a waiver of the privilege itself. This means the communications may well have to be revealed in a lawsuit or regulatory investigation. If a court concludes the privilege has been waived, then all confidential attorney client communications in the matter may have to be revealed as well. 

How and with whom you communicate can make an enormous difference in the outcome of a lawsuit or regulatory investigation. The attorney client privilege is well established as a legal doctrine that protects confidential communications between attorneys and their clients. However, its application is not a 100% guarantee that communications won’t be revealed.  But by taking the time to get a basic understanding of the attorney/client privilege, your organization can potentially obtain legal advice while protecting your communications instead of inadvertently creating evidence for the opposing party. 

 

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.

Blog Archive for Brian Evans

3 Ways to Secure Healthcare’s Biggest IT Vulnerabilities
Building A Security-Aware Culture
Overcoming Vulnerability Management Challenges
Are You Measuring Your Security Program’s Effectiveness?
Are Your Partners Protecting Your Data?

More from Brian Evans »

Blog Index »

loading time...
Sponsored by

Stay Connected

Twitter
Facebook
LinkedIn

Physicians, frequently perceived as a roadblock to a high-quality/low-cost paradigm, often spearhead IT advances central to the effort.

Already a subscriber? Log in here
Please note you must now log in with your email address and password.