HIPAA (Health Insurance Portability and Accountability Act) that came into effect in the year 1996 requires that individuals’ health information remain confidential and secure. The Act’s privacy and security rules govern how PHI or protected health information of patients is used and disclosed. Entities that come under the purview of HIPAA or covered entities are typically healthcare providers and payers, and include physicians and other clinical professionals, dentists, hospitals, clinics, labs, pharmacies and insurance companies. However, now that healthcare organizations are more responsible than ever before for the HIPAA compliance of their partnering organizations, accountants, medical review companies and lawyers also have to ensure compliance with HIPAA.
Lawyers/Legal Entities As Business Associates
What does the term “business associate” signify? It is an individual or entity that carries out certain activities or duties that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. So, when do attorneys become business associates in this sense? Attorneys providing legal services for personal injury or medical malpractice cases need to access the injured party’s medical records for medical record review purposes. A lawyer whose legal services for a covered entity involve handling sensitive patient healthcare data is a HIPAA business associate. A plaintiff attorney suing a doctor or other healthcare provider will also be handling the client’s medical records but doesn’t become a business associate because a patient has the freedom to disclose his/her medical information to anyone. Here are 2 important points to note.
- Covered entities are required by HIPAA privacy rule to get written statements from their business associates, promising to safeguard the PHI received or created on behalf of the covered entity.
- Specific details to be included in every business associate contract include:
- Establish the allowed and required uses and disclosures of PHI by the business associate
- Require the use of proper safeguards to prevent the use or disclosure of PHI other than as provided for by the contract
- Report to the covered entity any breach of confidential patient data.
Risks Involved for Lawyers
Let us look at the risks involved for lawyers and their legal staff that handle sensitive medical records.
- Patient healthcare information stored in laptops and other portable devices is exceedingly vulnerable. Therefore, these portable storage media should be encrypted properly. If an encrypted device is lost, it doesn’t qualify as a reportable data breach. Protection must be ensured against malware, theft, or loss.
- Protected health data could be passed on to another party improperly or in other words, without the consent of the particular patient.
Ensuring HIPAA Compliance
It follows therefore, that a law firm or attorney that qualifies as a business associate must ensure proper HIPAA compliance to avoid data breach and the consequent penalties. Measures to take include the following.
- Have in place HIPAA policies and documented procedures to support those policies.
- Conduct a HIPAA risk analysis and provide adequate training for the management and staff members.
- Ensure that the medical records in their auditing or case management software are secure.
- Do not send unencrypted patient data via email to some entity outside of their firm.
- Have all network and devices safeguarded against unauthorized access and any malware.
- Associate only with partnering agencies such as data centers, cloud vendors, and others that will sign a Business Associate Agreement and implement effective compliance programs.
Data Security Must Be Ensured
HIPAA compliance could prove to be rather complex and as business associates, lawyers and law firms could face the risk of direct liability for any violation of provisions required under HIPAA. As mentioned earlier, legal entities that require access to PHI for purposes of medical record review, such as personal injury defense attorneys hired by insurance companies to defend against claims filed by personal injury plaintiffs; law firms that provide legal services for a covered entity such as a health plan in reviewing a benefits claim; and malpractice defense firms that represent covered entities such as physicians accused of medical negligence or malpractice, need to ensure security of any PHI they handle. Now, data security lawyers help lawyers and legal firms associating with a HIPAA covered entity to review and supervise their compliance with HIPAA. Data security legal services are useful also for organizations that assist such lawyers and legal firms. It is in fact, the best way to understand the nuances of HIPAA and develop a proper compliance plan.
