Complying with HIPAA – Important Pointers for Law Firms

Last updated on Sep 11, 2023 | Published on Nov 5, 2014 | HIPAA

Medical records are an indispensable requirement for attorneys during the prosecution of their cases. When handling protected health information (PHI), attorneys have to comply with state laws concerning patient privacy as well as with the federal regulations that stem from the HIPAA Act of 1996. The “Omnibus Rule” published in 2013 contains several amendments to HIPAA and incorporates the compulsory security requirements of the HITECH Act (Health Information Technology for Economic and Clinical Health Act).

According to the new rule, organizations, including law firms, that do not have explicitly executed contracts with a covered entity are also considered business associates (those who conduct business “that involves the use or disclosure of individually identifiable health information”). Consequently, HHS will now hold law firms directly liable for HIPAA violations as well. Although the mere possession of PHI does not by itself make an attorney a business associate, it is important that attorneys understand the requirements of HIPAA.

Vital Considerations

  • The updated federal HIPAA rule requires attorneys that represent or work for a covered entity to comply with the Security Rule and the Breach Notification Rule. The Security Rule sets security standards intended to protect sensitive health information.
  • These standards are either “required” or “addressable”: the former are uniform and have to be followed strictly, whereas the latter allow a firm to formulate its own policies on how the standard is met.
  • The Breach Notification Rule requires a business associate to report a breach of unsecured PHI to the client, for example a physician. The client must then disclose the breach to the patient concerned.
  • Breaches can be penalized by HHS. The HITECH Act has a four-tier penalty system for HIPAA breaches with a maximum penalty of $1.5 million per year. Attorneys are held responsible, and may be penalized, for their own violations as well as for those committed by their subcontractors, such as record retrieval companies.

Staying Safe from HIPAA Breaches

Law firms handling PHI for medical record review purposes must be extremely cautious about complying with federal as well as state requirements. The first step is to determine whether the attorney or the firm falls under the definition of a covered entity or business associate under federal or state law. If so, the next step is to assess carefully how the firm uses and shares PHI. A risk assessment will help identify potential security threats. Law firms can no longer postpone evaluating their compliance and making the required changes.

There should be a clear internal policy that provides guidelines for handling PHI, and all employees should be trained on the importance of maintaining privacy and security standards in this regard. Compliance with all federal and state standards should also be ensured in every existing contract with subcontractors, because the amendments hold subcontractors to the same level of responsibility as the covered entity.
