Is My Blog Considered Attorney Advertising?

The Standing Committee on Professional Responsibility and Conduct of the State Bar of California (Standing Committee) recently published a proposed ethics opinion regarding attorney blogging.  (See Formal Opinion Interim No. 12-2006).  The opinion determines when an attorney’s blog(s) may fall under the scope of the Rules of Professional Conduct (Rules) related to attorney advertising.  The opinion presented four different types of blogs and commented on whether they violated the Rules.

Blogs Including Attorney Successes:

The first kind of blog could be regulated regardless of whether it appeared as part of the lawyer’s website or not.  It did not include an invitation to retain the attorney but included specific representations regarding the quality of the attorney’s services.  For example, the blog included statements such as, “I won another case last week.  That makes 50 in a row, by my count.  Once again, I was able to convince a jury there was reasonable doubt.”  It also stated that the jury was “absolutely mesmerized by my closing argument.”  The Standing Committee believed that these statements in a blog, no matter where the blog appeared, could be regulated and violated the Rules which prohibit communications that are false, deceptive, or which tend to confuse, deceive, or mislead the public.

Informational Blogs on Firm Website:

This blog was on the website of a law firm and included a series of articles written by one of the firm’s attorneys on topics that may interest the firm clients such as changes in tax law, information regarding wills versus trusts, etc.  Each blog post concluded with the statement, “for more information, contact” the author of the particular blog.  Though the Standing Committee did not seem to have any issue with the content, it did opine that the blog was a communication within the meaning of the Rules and was subject to regulation by the State Bar to the same extent as the law firm’s website.

Stand Alone Blogs:

The third type of blog was not a part of the attorney’s website.  The blogs posted by the attorney included information of interest to potential clients.  The blogs were intended to demonstrate the attorney’s knowledge of legal issues, enhance his reputation, and increase his business, but did not describe his practice or qualifications and contained no overt statements of his availability for professional employment.  However, several of the attorney’s blogs stated that if the reader had questions, to contact him.  The blogs also contained a hyperlink to the attorney’s professional web page.  The Standing Committee opined that if it were not for the concluding admonition to the blog readers to contact the attorney, the blogs would not be considered “communications” subject to the Rules.

Non-Legal Blogs by Attorneys:

In this scenario, an attorney wrote a blog about jazz artists, performances and recordings.  The blog was not part of the attorney’s professional website but did contain a link to the website in the by-line and the website contained a link to the blog.  Because the subject matter of the blog was not associated with the attorney’s practice area, the by-line would not be considered an “invitation.”  However, if the two were related, the by-line would be similar to “if you have questions, contact me.”  The Standing Committee opined that an attorney may blog about topics unrelated to the legal field, provided he does not actively use the blog to solicit business as an attorney.

Thus, the California Standing Committee’s conclusions are summarized as follows:

  1. Blogging by an attorney is subject to the requirements and restrictions of the Rules of Professional Conduct relating to lawyer advertising if the blog expresses the attorney’s availability for professional employment directly through words of invitation or offer to provide legal services, or implicitly through its description of the type and character of legal services offered by the attorney, detailed descriptions of case results, or both.
  2. A blog that is part of an attorney’s or law firm’s professional website will be subject to the rules regulating attorney advertising to the same extent as the website of which it is a part.
  3. A stand-alone blog by an attorney that does not relate to the practice of law or otherwise express the attorney’s availability for professional employment will not become subject to the rules regulating attorney advertising simply because the blog contains a link to the attorney or law firm’s professional website. (Formal Opinion Interim No. 12-0006).

North Carolina does not currently have an opinion on attorney blogging; however, based on the NC Rules of Professional Conduct and prior ethics opinions, it is likely that the NC Ethics Committee would agree with the proposed California opinion.

Rule 7.2 governs attorney advertising through written, recorded, or electronic communication, including public media.  This Rule clearly includes written blogs published on firm websites and most likely includes those that are not, if the attorney either discusses his services/accomplishments or invites a potential client to contact him regarding the subject of a legal blog.  “Advertising involves an active quest for clients…” and “may entail the risk of practices that are misleading and overreaching.”  Rule 7.2, Comment 1.

Rule 7.1 prohibits false or misleading communications about the lawyer or the lawyer’s services.  A communication is false or misleading if it is likely to create an unjustified expectation about results the lawyer can achieve.  See Rule 7.1(b).  “This Rule governs all communications about a lawyer’s services, including advertising permitted by Rule 7.2.”  Rule 7.1, Comment 1.  “Truthful statements that are misleading are also prohibited by this Rule.”  Rule 7.1, Comment 2.

Though there are no NC ethics opinions directly on point, there are many which address similar issues in attorney advertising.  Some of these include 2009 FEO 16, 2012 FEO 8, 2010 FEO 11, 2005 FEO 14, and 2012 FEO 1.  See opinions at

In order to avoid any issues with the State Bar, it is a good idea to ensure that any legal blog you post is compliant with the advertising rules, as there is a strong likelihood the State Bar would take the position that it is a communication it can regulate.


Mixing Business with Pleasure: Dual Relationships

If you have a client or patient that you connect with on a personal level, is it okay to have a social as well as a professional relationship?  It depends on your profession and what type of personal relationship.  Most professions prohibit a sexual or romantic relationship with a current patient/client.  The rules differ significantly among the professions, however, for non-romantic relationships with current or even former clients/patients.

For example, attorneys are generally permitted to have business and non-sexual relationships with current clients, as long as any dealings are fair and the relationship does not interfere with the attorney’s representation or independent judgment.  Like most professions, lawyers cannot have a sexual relationship with a current client, unless it pre-dated the representation.[1]  However, as soon as the representation ends, counselors at law may begin a romantic relationship with a former client.

In contrast, other types of counselors, such as psychologists, clinical social workers, and other therapists, are generally prohibited from having personal or social relationships with current clients and with prior clients, at least for a period of time.   Also, to avoid any potential undue influence from the professional counseling relationships, ethics rules for some therapists effectively have a permanent ban on sexual relationships with past clients, while most rules prohibit romantic involvement for at least a couple years.[2]

Social media has blurred some of the personal/professional lines, especially as it relates to social but non-sexual relationships with current patients/clients.  For example, is it okay to friend or send/accept an invitation to connect on social media with a current client?  The answer varies depending upon the type of social media connection, even within a profession.  Most professional ethics rules have a difficult time keeping pace with rapidly expanding and changing technology and don’t provide clear guidance on these types of issues.  The best course is to check your professional rules, with your licensing board or call someone with experience in these areas before you mix business with pleasure concerning current or past clients.

[1] NC Rule of Professional Conduct 1.19.

[2] See, e.g., for Psychologists: 21 NCAC 54 .1608 and APA Code of Ethics, Standard 3: Human Relations, 3.05 Multiple Relationships; for LCSWs: 21 NCAC 63 .0504 Responsibilities in Professional Relationships; for LPCs: Rule 21 NCAC 53 .0102 and ACA Code A.5. Prohibited Non-counseling Roles and Relationships and A.6. Managing and Maintaining Boundaries and Professional Relationships; and for LMFTs: 21 NCAC 31 .0609 and AAMFT Code of Ethical Principles for Marriage and Family Therapists, Standard I, 1.3 through 1.5.



BYOD (Bring Your Own Device) to work is becoming a common practice. The ABA, which jokingly (I think) referred to the trend as “Bring Your Own Disaster,” reports that more than 60% of employees use a personal device for work.  BYOD refers to a policy which allows or requires employees to use their personal devices, such as smartphones and tablets, to perform job responsibilities and access company data or applications.  Having a smart BYOD policy appears to have many advantages for both employees and companies including:

  • Employees like it because they are comfortable on their own device and do not have to carry more than one device.
  • It can decrease corporate costs because the employee pays for the device and the data service which, as we are all aware, can be expensive.
  • It can decrease training costs because employees are already familiar with the technology.
  • It may increase productivity, and client satisfaction, because employees can work on the weekend and after hours.

However, as with most technology, there are numerous risks to be considered and managed.

Keep current on technology

Before you can mitigate the risks, you have to know what they are.  For more on risks, see CRN’s “Top 10 BYOD Risks Facing the Enterprise.”

NC requires that lawyers keep abreast of changes in the law and its practice, including the benefits and risks associated with technology relevant to the lawyer’s practice.[1]  So we lawyers do not have the luxury of burying our heads in the sand and hoping everything is okay.  Instead, we are mandated to remain current in rapidly changing technology related to our practice.  It seems to me this mandate would include investigating ways to protect data in light of the BYOD trend.

I recently read an article, Millennials Don’t Care About Mobile Security, and Here’s What to Do About it, by Omar Eiferman, which I thought provided an interesting suggestion: separate personal and corporate data on employee devices used for business by utilizing multi-persona virtualization.

Eiferman explains:

Multi-persona virtualization creates multiple user personas at the operating system level on a single smartphone. This means a Millennial could have three or more separate personas: one for general use, one for sensitive personal applications such as finance and health, and one persona for professional use. Because personas are separated at the deepest level possible, malware on the personal persona could not get to the professional persona. Yet, a user can switch between both personas in seconds.

Rather than using blacklisting and other draconian measures to secure the entire phone, IT can simply manage the professional persona… Multi-persona virtualization would allow IT departments to manage the context in which apps are used – without controlling what employees do on their personal personas.

I unfortunately do not know enough about multi-persona virtualization (except that it sounds interesting) to advocate implementing this measure or not, but I included it because I thought it was a great example of the security risk management options available. Another security measure I came across:  The employee’s device may be remotely wiped if the device is lost or stolen, the employment is terminated for any reason, or a breach is detected. The important thing is to evaluate and implement security measures which adequately mitigate the risks associated with BYOD.

Implement BYOD written policy

Once you, or your IT department/consultant, determine the best practices for security risk management in your firm, the next step is to develop and implement a written BYOD policy for employees.   You would likely want to address, among other things, the following:  (1) acceptable and unacceptable uses; (2) the devices which are allowed; (3) who will address connectivity and configuration issues; (4) whether the company will provide reimbursement for some of the cost for the device and/or data plan; (5) who will own the applications and data; (6) security issues including: password protection, encryption tools, data storage on the device, firewalls and use of private networks vs. free public Wi-Fi; and (7) an exit strategy if the employee leaves the company.

Once the policy is in place, consider drafting an agreement for employees to sign indicating they read and understand the policy. And after implementation, don’t forget to educate the staff regularly on the policy and, most importantly, enforce it.

Employee-owned devices at work can save the company time and money.  However, threats to a company stemming from these devices “can be as complex as a sophisticated malware attack designed to snoop on an employee’s browsing activity or as simple as a lost phone in a taxicab.” [2]  Given the benefits and risks and the high number of employees bringing their own devices to work, it may be time to think about developing a BYOD policy.

[1] N.C. Rules of Prof’l Conduct, Rule 1.1, Comment 8.


Posted by | Comments Off on BYOD: “BRING YOUR OWN DEVICE (or DISASTER)”

Non-Public Personal Information (NPPI) and the Real Estate Closing Attorney

Non-public Personal Information (NPPI) is personally identifiable data provided by a customer or client, generally on a form or application.  It includes the first name or first initial and last name coupled with any of the following: Social Security number, driver’s license number, state-issued identification card, credit or debit card number, or other financial account numbers.  A North Carolina lawyer’s duty to protect this information is governed primarily by the NC Rules of Professional Conduct (Rules) and state law, but federal law may also be implicated, depending on who you are representing.

NC Rules of Professional Conduct

The requirements to protect confidential client information, which includes a client’s identity, are set forth in Rule 1.6 and its comments.  Absent certain exceptions, a lawyer “shall not reveal information acquired during the professional relationship with a client unless the client gives informed consent.”  Comment 3 explains that this Rule applies “not only to matters communicated in confidence by the client, but also to all information acquired during the representation, whatever its source.”  The lawyer must “act competently to safeguard information acquired during the representation of a client” against “unauthorized access by third parties” and “inadvertent or unauthorized disclosure by the lawyer or other persons … participating in the representation of the client.”  This duty extends to the transmission of client information.  Comments 19 and 20.  Further, a client can require a lawyer to employ security measures not required by the Rules.  Comments 19 and 20 are clear that whether a lawyer must take additional steps to safeguard information pursuant to state or federal laws is beyond its scope.

State and Federal Law

In addition to complying with the Rules, NC lawyers must also comply with security breach notification laws.  See N.C. Gen. Stat. §§ 75-61 and 71-65.  Lawyers representing lenders will also likely need to comply with the Gramm-Leach-Bliley Act (GLBA).  This Act requires that financial institutions explain their information-sharing practices to their customers and safeguard sensitive data.  Though it was held in American Bar Association v. Federal Trade Commission, 430 F.3d 457 (D.C. Cir. 2005) that GLBA does not directly apply to lawyers, if you represent an entity that is governed by GLBA, you must comply with GLBA as well as the Federal Trade Commission Privacy, Safeguard, and Disposal Rules.  GLBA requirements can be found here.

Bulletins & Newsletters

The Consumer Financial Protection Bureau’s April 2012 Bulletin made it very clear to lenders that they are not only responsible for complying with state and federal law governing the protection of NPPI, but they are also responsible for all of their service providers, third-party vendors, and supply chain vendors.  Several other agencies have released bulletins regarding this matter including: the Office of the Comptroller of the Currency, the FDIC, and the Federal Reserve. In response to the requirements regarding NPPI compliance, Wells Fargo published the Wells Fargo Title and Settlement Newsletter dated March 6, 2014 which stated that they were expanding and enhancing third-party oversight.  They stated that Wells Fargo supports American Land Title Association (ALTA) Best Practices and made it clear that those they work with need a plan in place to ensure compliance.

Best Practices for Closing Attorneys Representing Lenders

In the webinar entitled “Best Practices Boot Camp” presented by the North Carolina Closing Attorney Best Practices Task Force, Attorney Christopher J. Gulotta, Founder and CEO of Real Estate Data Shield, Inc., set forth the best practices to ensure NPPI compliance, which include the following:

  • Develop all required privacy and data security policies, procedures and plans including
    1. Information Security Plan
    2. Incident Response Plan
    3. Disaster Recovery Plan
    4. Secure Password Policy
    5. Electronic Communications and Internet Use Policy (i.e. employees should only access the internet for work-related matters and not personal use)
  • Assess your company’s risk profile
  • Educate and train your workforce (Nearly 40% of all breaches occur from an employee)
  • Secure your work flows
  • Ensure compliance of all service providers (i.e. off-site storage facilities, the cloud, etc.)
  • Implement a sound document destruction policy


Mr. Gulotta also presented his recommendations for Administrative Security Critical Controls, Physical Security Critical Controls, and Network Security Critical Controls.  He advised that not only should you implement these policies, but you should inform lenders that you understand the pressure they are under from legislators and demonstrate that you have taken it seriously.  He suggests putting together a manual of policies and procedures and providing it to lenders before they request it, as lenders have identified security as their number one concern.  Mr. Gulotta’s detailed recommendations for closing attorneys representing lenders include the following:

A.  Administrative Security Critical Controls

  1. Staff Training – Have your staff sign an acknowledgement of your policies and procedures before beginning work.  Conduct background checks of your employees.
  2. Create a Manual of Policies and Procedures
  3. Privacy Notice – Ensure any privacy notice posted on your website is accurate.  Make sure the website designer has not posted something you are not living up to.
  4. Have a Shred-All Policy
  5. Implement Vendor Non-Disclosure Agreements
  6. Have a Clean Desk, Clean Office, and Clean Screen Policy – The desks at your office should be empty at the beginning and end of the day.  Any file not currently being worked on should be in a locked filing cabinet.  Only the files that someone is currently working on should be out.  If someone leaves their desk, they need to ensure any file they are working on is closed.  Privacy screens should be used on all monitors, and screens should time out after one minute of inactivity.  Copy areas should be kept clean.  Employees should be trained on the use of any mobile devices.


B.  Physical Security Critical Controls

  1. Entryway Security & Sign-In Log – Have strong locks where the keys cannot be copied. Only personnel who need keys should have them.  Visitors should sign a log and you should check their identification.
  2. Clean Desk Policy
  3. Locked Filing Cabinets
  4. Security Cameras
  5. Privacy Screens
  6. Locked Offices – Offices of management or those dealing with critical documents should be locked.
  7. Shredding of Paper and Digital Media
  8. Locks on Computers – especially those near an entryway.


C.  Network Security Critical Controls

  1. Password Protection – Passwords should be a minimum of nine characters long and should use a combination of upper and lowercase letters, numbers, and special characters. A rule should be established that passwords must be changed every two to three months.
  2. Computer Screen Timed Lockout
  3. Use Various Brands of Firewalls
  4. Port Lockdowns – All USB Ports should be disabled except for those of one or two gatekeeper employees. These employees should scan any USB stick before anything is downloaded.
  5. Network Printers/Scanners – These devices are usually leased. Ensure your IT person sets these devices up to have their data deleted on a daily basis.  At the end of the lease term have a technician remove the disk and have a document destruction company destroy it and give you a receipt.
  6. Restrictive Access to Programs, Files, Etc. – Server Room should be a separate room with limited access. Employees should not be able to disable security software.
  7. Updates and Patches – Many breaches occur in between the date you receive an update or patch and the date you put it in place. Immediately incorporate updates and patches.
  8. Email Encryption – Sending an unencrypted email with NPPI is like sending a postcard with someone’s personal information on it. Call the party you are sending the secure email to and offer to walk them through it if needed.

If you are a closing attorney who represents lenders and you have not implemented or at least considered these policies, now is the time to get started.

The information in this blog was largely derived from the webinar entitled “Best Practices Boot Camp” first presented by the North Carolina Closing Attorney Best Practices Task Force on January 28, 2015.  See


Think Before You Link: New NC Ethics Opinion on Social Media Connections

The Ethics Committee has now adopted an opinion[1] about the propriety of making and accepting invitations to connect and endorsements from judges and others on social media sites.  2014 FEO 8.  You can view the entire opinion by visiting the State Bar’s website and inserting the opinion number on the ethics page.  The opinion distinguishes between two types of “links” and also by who is making them– a judge or a lawyer.  For the first category – connections — the adopted opinion holds that an attorney may ordinarily accept an invitation to connect from a judge.  Opinion #1.  The lawyer generally also may send an invitation to connect with a judge.  Opinion #2.

The opinion warns, however, that if the attorney is currently in proceedings before the judge at the time of the invitation, the Rules of Professional Conduct may require the lawyer to decline the invitation until the proceedings have concluded.  The lawyer must determine whether acceptance of the invitation during the pendency of a case will: (a) impair the lawyer’s ability to comply with Rule 3.5 concerning ex parte communications and (b) amount to conduct that is prejudicial to the administration of justice in violation of Rule 8.4(d), among other Rules.

Ultimately, the opinion directs lawyers to be mindful of their obligation to protect the integrity of the judicial system and to avoid creating an appearance of judicial partiality.  The same criteria apply when deciding whether to send an invitation to a judge to connect. Opinions #1 and 2.  Based upon this opinion, the safest course is to wait to connect with a judge until you are not appearing before that judge, if possible.

The next part of the opinion deals with endorsements and recommendations.  On LinkedIn, you have an option to display your “skills & expertise” on your profile page.  Your connections can then endorse a skill or expertise for you and you get a notification of the endorsement.  If you do nothing, and the endorsement is for a skill you have selected to show, then that endorsement automatically will appear on your profile page.  You may edit the “skills & endorsements” section to “hide” selected endorsements or skills.  People can also post recommendations on your profile page.

Why is all of this important?  The proposed ethics opinion says that it is okay to endorse a judge for skills or expertise (assuming you are not currently appearing before them).  Opinion #3.  Likely, this is permitted because it is really no different than sponsoring a judicial campaign or being listed publicly as a donor.  The lawyer also may accept endorsements and recommendations from persons other than judges as long as they are truthful and not misleading.  Opinion #5.

The opinion, however, holds that an attorney may not accept an endorsement from a judge under any circumstances or at any time because it would create the appearance of judicial partiality in violation of Rule 8.4(e).  Opinion #4.  Further, if a person who endorsed you later becomes a judge, you are required to remove or hide the endorsement from your profile if you know or reasonably should have known the person is or became a judge.  In the final adopted opinion, the State Bar added the reasonableness qualifying language.  Opinion #6.

Although the opinion primarily concerns the use of LinkedIn, it also applies to any social media site that allows public displays of connections, including endorsements or recommendations.  Opinion #7.    After reading the final opinion and before posting this blog, I decided I needed to figure out how to check my LinkedIn profile for people that may have become judges and might have endorsed or recommended me at one time.   Fortunately, no current judges endorsed me on LinkedIn so I didn’t have to learn how to hide or remove any.  Now I am off to figure out how to get onto our firm Facebook, Twitter and Google+ pages to check them as well.  Whose idea was it to set up all these social media sites anyway?

[1] This blog updates an earlier blog on the same topic.



Email Encryption: HIPAA Considerations for Lawyers and CPAs

Currently, neither the NC State Bar nor the NC State Board of CPA Examiners specifically requires encrypted email, although licensees must take reasonable measures to ensure any client information maintained and transmitted is confidential and secure. On the other hand, the Health Insurance Portability and Accountability Act of 1996 [“HIPAA”] may require both lawyers and CPAs, under certain circumstances, to encrypt when acting as a “business associate” to a “covered entity.”

Could you be a “business associate” under HIPAA?

When HIPAA was first enacted, only covered entities, such as health care providers and health plans, were required to take steps to secure and prevent the unauthorized disclosure of certain types of individually identifiable protected health information [“PHI”] of their patients or members. The HIPAA privacy and security rules now apply not only to covered entities but also to their business associates. Further, with the new rules firmly in place, the U.S. Department of Health and Human Services is expected to become more aggressive in enforcing HIPAA. Given that lawyers and CPAs who violate the rules while providing services to covered entities may be subject to penalties of $100 to over $50,000 per violation, it is worthwhile to consider whether you are classified as a “business associate” under HIPAA.

HIPAA defines a business associate as any entity that creates, receives, maintains, or transmits PHI while performing a function, activity, or service on behalf of a covered entity including the provision of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.[1]  So if you are performing legal or accounting services directly for, or on behalf of, a covered entity, such as a healthcare provider or healthcare plan, you are classified as a business associate and, consequently, must meet the same standard of security for the protection of PHI as the covered entity.

HIPAA Encryption Requirement

The good news is that HIPAA does not necessarily require the use of email/fax encryption by covered entities and business associates. The security rule made the use of encryption for PHI an “addressable” implementation specification as opposed to a “required” specification. Therefore, before a covered entity or business associate can decide not to encrypt electronic transmissions of PHI, the entity must engage in a feasibility analysis. The analysis would consider the:

  • Size, complexity and capabilities;
  • Technical infrastructure, hardware and software security capabilities;
  • Costs of security measures; and
  • Probability and criticality of potential risks to electronic PHI.

Under the feasibility analysis, “[i]f the entity decides that the addressable implementation specification is “not reasonable and appropriate”, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to execute the implementation specification or any equivalent alternative measure and document the rationale for this decision.”[2] Thus, it is a violation of HIPAA to send unencrypted emails containing PHI while providing services to a covered entity without first having performed and documented the feasibility analysis.

As noted already, a single violation can carry a penalty as high as $50,000. On the other hand, encryption carries the benefit of qualifying for a “safe harbor” under HIPAA’s breach notification requirements.[3] A security incident that would otherwise require notification is not considered a breach if the PHI affected was encrypted and the encryption key had not been compromised. [4]

In summary, if the lawyer or CPA is performing a service on behalf of a covered entity which involves creating, receiving, maintaining, or transmitting electronic PHI, s/he would likely be a business associate under HIPAA.  Then, to determine if the covered entity and business associate should implement a mechanism to encrypt ePHI, the feasibility analysis discussed above should be conducted.

Other Potential Requirements for Business Associates

In addition to encryption considerations, under HIPAA, business associates may also need to:

(1) Execute Business Associate Agreements

Lawyers and CPAs may need to execute a business associate agreement with the covered entity.  The agreement should comply with the specifications required by HIPAA.  In addition, when the business associate must disclose PHI to a third party (e.g., expert witnesses, investigators, or third party providers), s/he will need to execute a business associate agreement with that third party which includes the same restrictions and conditions that originally applied to the business associate with respect to the information.

(2) Implement HIPAA Policies with Documented Procedures

Business associates should implement and document policies and procedures to prevent, detect, contain, and correct security violations relating to ePHI.

(3) Perform HIPAA Training for Staff and Yearly HIPAA Security Reviews

Everyone who falls under HIPAA must perform HIPAA training for staff and yearly security reviews of their internal systems, their policies, and the flow of their ePHI into and out of their network, among other things.

Note that the list above is not inclusive of all functions a lawyer or CPA, who is classified as a business associate, may need to perform to be compliant under HIPAA. It is highly advisable for any professional who handles PHI while providing a service to a covered entity to consult an attorney practicing in the area of health care regulation to ensure compliance with the complex and changing laws surrounding the privacy and security related to PHI.


[1]  See 45 C.F.R. § 160.103.


[3]  78 Federal Register 5644.

[4]  Id.


The CPA Board Rules: They are a’ Changin’

The NC Board of CPA Examiners recently adopted amendments to its regulations in the following areas that may be relevant to your practice if you are a CPA or work with CPAs:

Self-Reporting of Convictions, Judgments, Discipline and Investigation

  • requiring CPAs to notify the board within 30 days of
    • any charge or arrest of a criminal offense, not just a conviction, plea or other resolution. § 08N .0208(a);
    • any settlement in lieu of a civil suit or criminal charge that is based on an allegation of professional negligence, gross negligence, dishonesty, fraud, misrepresentation, competence or violation of any federal, state or local law, regardless of any confidentiality clause in the settlement. § .0208(c);
    • any inquiry or investigation by the IRS or any State Department of Revenue Criminal Investigation Divisions pertaining to any personal or business tax matters. § .0208(d); and
    • the filing of any liens by the IRS or State Department of Revenue regarding the apparent failure to pay any tax amounts due. § .0208(e).

Peer Review

  • Requiring a CPA or CPA firm not currently providing services mandating participation in the peer review program to register with that program within 30 days of the issuance of the first report provided to a client for such services. Services requiring a CPA or CPA firm to participate in the peer review program include: audits, reviews or compilations of financial statements, agreed-upon procedures or attestation engagements. § 08M .0105(a) & (b).

Basis for discipline

  • Adding another basis for discipline against CPAs within the definition of “discreditable conduct prohibited” to include:
    • misrepresentation in reporting CPE credits, and
    • entering into any settlement or other resolution of a dispute with a CPA that purports to keep its contents confidential from the Board. § 08N .0203(b).     

Modification of Discipline and Reinstatement of Certificates

  • Restricting rules concerning modification of disciplinary orders to apply only to permanent revocations by the Board (unless by consent). § 08I .0104(a);
  • Requiring affiants supporting reinstatement of a CPA certificate to be familiar with the facts of the revocation or discipline. § .0104(b); and
  • Making restitution of civil settlements, liens or other agreements with the aggrieved party an element of good cause necessary for reinstatement of a CPA certificate. § .0104(c).

CPA Firm ownership requirements

  • Requiring the CPA owner of a firm to actively participate in the business of the CPA firm as his or her principal occupation. § 08N .0302(e)(2). 

CPA Status

  • Eliminating “retired” status so a CPA is either active or inactive. 21 NCAC 08A .0301 (deleting section (32) and corresponding deletions and other changes throughout the regulations)

Application requirements

  • Imposing additional requirements and restrictions on applying for examination and for a CPA certificate, including:
    • prohibiting filing an application while serving a sentence resulting from a criminal plea or conviction, including any type of probation. §§ 08F .0103 & .0502(c); and
    • requiring additional disclosure and documentation regarding a criminal plea or conviction or denial of any license by a state or federal agency. § 08F .0502(c).

CPE requirements

  • Ceasing to register CPE sponsors and relying upon those in good standing with the National Registry of CPE sponsors. § 08G .0403;
  • Requiring CPAs to receive and submit a certificate of completion for each CPE. § .0401;
  • Requiring monitoring mechanisms for internet-based CPE programs to ensure active participation by the CPA. § .0409; and
  • Allowing CPE credit for self-study based on national standard word count formulas.

For more detail about these recent changes to the rules, you can access the Board’s rules on its website.


Conflict Waivers: When are they Enforceable?

I must apologize first for posing a question in the title of this blog that doesn’t have a definitive answer. I can give you some tips for making your conflict waivers as enforceable as you can, but there is no iron-clad way to ensure enforceability. Whether a conflict waiver will be effective, or upheld if challenged, depends in part upon whether the client reasonably understood “the material risks that the waiver entailed.”  Rule 1.7, Comment [22].  In other words, does the client truly appreciate what they are giving up by signing the waiver?

Since the burden will be upon the lawyer trying to enforce the waiver, here are the key items to keep in mind.  First, make sure the waiver is in writing and signed by the client. Needless to say, a court will necessarily be looking to the language of the waiver to determine whether it should be enforced. Second, make the waiver clear and concise.  This would not be the time to use complicated or flowery language. The key is clarity and simplicity, so that a client would easily understand the risks of consenting to the conflict. Third, and most importantly, make sure that you identify the possible future conflict of interest with specificity.  Even if you cannot precisely identify the type of conflict that may arise, you should at a minimum be able to identify the possible adverse party and the nature of the conflict.  For example, if sharing confidential information between co-plaintiffs is necessary for effective representation, then consent to share relevant confidential information amongst co-plaintiffs must be addressed in the waiver.  At the same time, the failure of one party to allow the lawyer to share clearly relevant information amongst co-plaintiffs becomes a foreseeable future conflict of interest, and should be discussed in the conflict waiver.  Furthermore, any kind of conflict that you can envision at the outset (e.g., a dispute arising among multiple claimants as to how to proceed, cross claims developing between co-plaintiffs, etc.) should be described with specificity in the waiver.  The more specific a waiver, the more likely it will be upheld if challenged.

Now, a conflict waiver that is more open ended and less specific in nature may also be upheld, especially where the client is sophisticated in legal matters and has access to independent counsel in signing the waiver.  Rule 1.7, Comment [22].  For example, Law Firm has been asked by large Insurance Company to render corporate tax advice.  Another department of Law Firm regularly handles personal injury matters against Insurance Company.  Law Firm asks Insurance Company to give informed advance consent to Law Firm representing any of its other clients against Insurance Company in matters unrelated to the corporate tax advice.  Clearly, the firm may not know who will hire them in the future, but it does know the kinds of cases it generally handles and the nature of the conflict.  While the consent to the conflict is rather vague and open-ended, Insurance Company is a sophisticated client with in-house counsel who can review the consent/waiver.  This waiver will likely be upheld.  Law Firm must also obtain waivers from any personal injury clients who are adverse to Insurance Company during the time the firm is representing Insurance Company.

There are also circumstances under which a waiver to a future conflict should not be sought: the representation is prohibited by law, the client lacks capacity to consent, one client will assert a claim against the other in the same litigation, or the lawyer will not be able to provide adequate representation to one or more of the clients. In addition, if a lawyer must disclose confidential information of one client to obtain informed consent by the other client, and there is no authorization to disclose that confidential information, the conflict waiver cannot be obtained.

Finally, regardless of the client’s sophistication, it is always a good idea to advise the client in writing to seek independent counsel and to give a reasonable opportunity to do so before signing any waiver.

Stay tuned for a future blog on when waivers can be revoked by the client for cause.




New Standard for Direct Mail Solicitations

If you use targeted direct mail to advertise your legal services in North Carolina, you may already know that Rule 7.3(c), the direct mail solicitation rule, was amended in October 2014. Some of you may even have received a courtesy letter from the NC State Bar, as a gentle nudge to get your mailers fixed to comply with the new rule.  The amended Rule 7.3(c) reads as follows:

…every written, recorded, or electronic communication from a lawyer soliciting professional employment from anyone known to be in need of legal services in a particular matter shall include the statement, in capital letters, “THIS IS AN ADVERTISEMENT FOR LEGAL SERVICES” (the advertising notice), which shall be conspicuous and subject to the following requirements:

(1) Written Communications. Written communications shall be mailed in an envelope. The advertising notice shall be printed on the front of the envelope, in a font that is as large as any other printing on the front or the back of the envelope. If more than one color or type of font is used on the front or the back of the envelope, the font used for the advertising notice shall match in color, type, and size the largest and widest of the fonts. The front of the envelope shall contain no printing other than the name of the lawyer or law firm and return address, the name and address of the recipient, and the advertising notice. The advertising notice shall also be printed at the beginning of the body of the enclosed written communication in a font as large as or larger than any other printing contained in the enclosed written communication. If more than one color or type of font is used on the enclosed written communication, then the font of the advertising notice shall match in color, type, and size the largest and widest of the fonts. Nothing on the envelope or the enclosed written communication shall be more conspicuous than the advertising notice.

(Emphasis added). What all this means is that you have to be sure that your advertising disclaimer on the front of your envelope and at the top of your letterhead is the most conspicuous printing anywhere on the outside of the envelope or in the letter.  The Rule doesn’t prohibit photographs on the back of the envelope, logos on the front of the envelope, or brochures inside the envelope so long as the logos, photographs and brochures do not detract from the conspicuousness of the advertising disclaimers.

I’ve been reviewing attorney advertising for over 18 years, and I’m still having a bit of trouble trying to figure out when other printing, brochures, logos, or photographs may detract from the conspicuousness of the advertising disclaimer.  Because this language is rather vague and subject to interpretation, I have been advising my clients to get their current advertising approved by the State Bar, even if it has been approved before. “Conspicuousness” may very well be in the eye of the beholder, and in this case, the beholder is the State Bar.



Unauthorized Practice of Law: A Trap for the Unwary

Allegations of unauthorized practice of law [“UPL”] have increased over the last few years. Most of us are familiar with the scenario of a non-lawyer doing prohibited legal work.   However, in a different context, some young NC lawyers are getting wooed by “national” or out-of-state law firms.  Typically, these firms will ask the young lawyer to be “of counsel” to their out-of-state firm so the firm can then practice law in NC.  This can be a potential trap for the unwary from a UPL standpoint.

Under North Carolina law, out-of-state firms looking to set up shop in NC must register as an interstate law firm with the NC State Bar and will also likely need a Certificate of Authority to transact business as a foreign professional corporation from the Secretary of State’s office, even if they hire a NC lawyer to handle NC cases.  In addition, the North Carolina lawyer must certify to the State Bar that other lawyers in the firm not licensed in North Carolina will abide by the NC Rules of Professional Conduct and that all professional services rendered to NC citizens by the firm are only provided by a duly licensed active member of the NC State Bar. Among other consequences discussed below, failure to follow the appropriate procedure may result in a bar grievance against the young NC attorney for assisting in the unauthorized practice of law in violation of the NC Rules of Professional Conduct, Rule 5.5(d).

The NC State Bar Council and any committee it appoints for that purpose (i.e., the Authorized Practice Committee), as well as District Attorneys, have the authority to investigate UPL allegations.  Following such an investigation, the State Bar may, depending on the circumstances, issue a warning letter, issue a cease and desist letter, or seek an injunction to prohibit a person or business from engaging in the unauthorized practice of law.  Engaging or assisting in the unauthorized practice of law may also expose a person to potential civil liability. Further, the unauthorized practice of law is a misdemeanor criminal offense.  Other more serious felony offenses, such as false pretenses, could be involved where an unlicensed person accepts fees while engaging in the unauthorized practice of law.

Under the right circumstances, it may be a good opportunity for young lawyers to associate with an interstate law firm, especially in a tepid legal hiring market.  But, beware: make sure you know the potential pitfalls and closely follow the procedures outlined by the Administrative Rules of the State Bar, Subchapter E, Section .0200, and NC law, before embarking upon any association with an out-of-state firm looking to practice in NC.
