Medical records are an indispensable requirement for attorneys during the prosecution of their case. When handling protected health information (PHI), attorneys have to comply with state laws concerning patient privacy and also with the federal regulations found in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The “Omnibus Rule” published in 2013 contains several amendments to HIPAA and incorporates the compulsory security requirements of the HITECH Act (Health Information Technology for Economic and Clinical Health Act).
According to the new rule, organizations including law firms that do not have explicitly executed contracts with a covered entity are also considered business associates (those who conduct business “that involves the use or disclosure of individually identifiable health information”). Consequently, HHS will now also hold law firms directly liable for HIPAA violations. It is important that attorneys understand the requirements of HIPAA, although the mere possession of PHI does not by itself make an attorney a business associate.
- The updated federal HIPAA rule requires attorneys that represent or work for a covered entity to comply with the Security and Breach Notification Rules. The Security Rule sets security standards intended to protect sensitive health information.
- The security standards can be “required” or “addressable”; the former are uniform and have to be strictly followed, whereas the latter allow firms to formulate their own policies as regards security standards.
- The Breach Notification Rule requires a business associate to report a breach of unsecured PHI to the client, say a physician. The client must then reveal the breach to the patient concerned.
- Breaches can be penalized by HHS. The HITECH Act has a four-tier system that penalizes HIPAA breaches with a maximum penalty of $1.5 million per year. Attorneys are held responsible and may be penalized for their own violations as well as for those committed by their subcontractors, such as record retrieval companies.
Staying Safe from HIPAA Breaches
Law firms handling PHI for medical record review purposes must be extremely cautious about complying with federal as well as state requirements. The first step is to determine whether the attorneys and their firms fall under the definition of a covered entity or business associate under federal or state law. If they do, the next step is to assess carefully how the firm uses and shares PHI. A risk assessment will help to identify any potential security threats. Law firms can no longer postpone evaluating their compliance and bringing in the required changes.
There should be a clear internal policy that provides guidelines regarding the handling of PHI, and all employees should be trained on the importance of maintaining privacy and security standards in this regard. Compliance with all federal and state standards should be ensured in all existing contracts with subcontractors, because the amendments give subcontractors the same level of responsibility as the covered entity.