Update from Archstone Law Group

HIPAA – Beyond Notices of Privacy Practices

It has now been almost a decade since the HIPAA Privacy regulations became law. There has been substantial compliance with most of the requirements, but we have found that some of our clients have questions regarding ongoing implementation or have experienced breaches. HIPAA compliance requires continued education and vigilance in areas such as:

  • Theft of laptops and smartphones: Practices and institutions should have mechanisms or personnel in place to ensure that all devices that might contain protected health information are encrypted and secure. Personnel policies should also require that employees protect the physical security of those devices. A review of published breaches on the Health & Human Services (“HHS”) website reveals that a majority of breaches affecting more than 500 individuals are due to theft.
  • Employee snooping: Employees who access the records of relatives, friends, co-workers, or celebrities without authorization create a HIPAA violation even when that access is well-intended. If the purpose of access is malicious, there is the possibility of criminal prosecution.
  • Disposal of records: This is often a subcontracted activity, but a vendor serving as a business associate who does not adhere to privacy and security protections will cause the covered entity to be in breach and require notification to the individuals affected.
  • Notice to Government Agencies: In addition to notifying the individuals affected and HHS, if a HIPAA breach affects more than 500 patients, the media must be notified as well. In Massachusetts, if the breach includes personal information such as a credit card number or health insurance number, the Attorney General must also be notified.

Succession or “Exit” Planning for Closely-Held Family Businesses

When planning for your future and the future of your closely-held business, it’s critical to consider your exit strategy which may be one of the following:

  • Selling or gifting shares to children and/or grandchildren
  • Selling shares to an employee
  • Selling the business (either shares or assets) to a third party

Regardless of your endgame, there are a few critical steps you should take to help you successfully reach your goal:

  1. Have retirement and estate plans in place. As an active business owner, these may not be things you want to think about now, but taking steps to plan for your retirement will help you reach your business goals.
  2. It is never too early to create infrastructure and institute operational “best practices”, including employee policies, document management and retention, data security, protection of your intellectual property, evaluation of contracts with third parties, and instituting and strengthening internal contracts such as buy-sell agreements, shareholder agreements and partnership agreements. This will create value in the business whether you are grooming it for a sale to employees or a third party or passing it on to children. Adopting “best practices” will keep the company legally healthy and in compliance.
  3. Build a team of advisors who are familiar with your business. They should be able to work together collaboratively. Advisors might include a trusts and estates attorney, a CPA, a business attorney, an investment banker, a financial planner and an insurance agent.


Do Businesses Really Own the Software They Think They Own?

It is commonly assumed that if a business hires an independent consultant to develop a custom software application or customize an existing application, the business must own it. It paid for it after all. It should be able to sell or license it to someone else, shouldn’t it? But it’s not that simple.

At issue is who owns the copyright, since the copyright owner has the exclusive right to copy and distribute the work, and to prevent others from using it without permission (among other rights). Under Federal copyright law, as a general rule the author or creator of the work owns the copyright. One of the principal exceptions is the “work for hire” rule, which applies when: (a) an employee creates work within the scope of his or her employment, or (b) someone specially orders or commissions certain types of work under a written agreement that says it is a work for hire. In those cases, the copyright belongs to the person for whom the work was created.

The first prong of the “work for hire” rule would not apply to our example because the software developer is a consultant to our business rather than an employee. The second prong (dealing with “certain types of work”) applies only if the work falls within one of nine specific categories, and it is not clearly established that software falls within any of those nine categories. So an agreement between the business and the consultant that clearly said that the software was a “work for hire” might not be sufficient to ensure that the business would end up owning the copyright.

Experienced lawyers address this situation by having an agreement that says that the work is considered a “work for hire,” but if for any reason it fails to qualify as a “work for hire,” the consultant agrees to assign to the business all of the consultant’s rights to the work. It may seem a small distinction, but, in this situation, slight differences in wording can have enormous differences in outcome.

Recent Client Success

Lori Yarvis recently assisted The Basil Tree, Inc., a corporate catering company serving educational and healthcare institutions and businesses, in its relocation from Somerville to a new facility in Cambridge. The transaction included a commercial lease negotiation and an asset acquisition.