In today’s podcast, Julie Clements, one of our Chief Solutions Officers, discusses some facts about HIPAA compliance for law firms and attorneys.
Now Let’s Listen to the Podcast!
Hello, this is Julie Clements – I am a Chief Solutions Officer at Managed Outsource Solutions. Today I want to go over a little bit about HIPAA Compliance for Law Firms and Attorneys – Some Facts to Know.
Law firms and attorneys that deal with protected health information (PHI) from “covered entities” are business associates under HIPAA and must be compliant with HIPAA’s strict privacy and data security standards. Covered entities include healthcare providers, health plan providers, clearing houses, and insurance carriers. Medical record retrieval companies that are entrusted with the task of retrieving patient medical records for personal injury, workers’ compensation, medical malpractice, and insurance lawyers have to be extra cautious about maintaining the confidentiality and security of these sensitive records.
Attorneys and Law Firms as “Business Associates”
So, the attorney or law firm becomes a business associate if the legal services provided include exposure of PHI from the covered entity or from another business associate. On the other hand, an attorney that does not create, receive, or have access to PHI is not a business associate. PHI or ePHI comprises data and materials including medical records, lab test records, X-rays and other images, and insurance data. Any kind of data breach would result in violation of HIPAA. Studies show that most of the breaches are caused by hacking or IT incidents. Legal entities must ensure that their offices are safe from hackers and data breaches. The following law firms regularly require access to PHI and therefore must remain HIPAA-compliant –
- Law firms that carry out medical chart reviews for personal injury cases: Defense attorneys working for insurance companies will have to handle the injured party’s medical records. When an insurer shares medical records with the defense attorney they hired and those records contain PHI, the law firm becomes a business associate and HIPAA compliance is mandatory.
- Another would be a law firm that provides legal services for covered entities such as a health plan: An attorney that provides legal services to a health plan in reviewing a benefit claim becomes a business associate if the claim contains PHI.
- And another would be a malpractice defense firm representing covered entities that have been accused of medical negligence: The doctor who is accused of medical malpractice typically has to share patient medical records containing PHI with the law firm so that he/she can obtain a legal defense. In such a case, the law firm becomes a business associate that has to be HIPAA compliant.
The Most Common HIPAA Violations
According to the HHS (Department of Health and Human Services), the following are the most common HIPAA violations being observed:
- The first is the lack of a good risk management process
- And another is not performing an enterprise-wide risk analysis
- Insufficient ePHI access controls
- Failure to enter into a HIPAA-compliant business associate agreement
- Employees are not properly trained on HIPAA requirements, especially regarding breach of PHI and its consequences
- Not providing HIPAA breach notifications as required to HHS and other authorized entities
- Failure to obtain satisfactory assurances from 3rd party vendors and business associates
- Impermissible disclosures of PHI
- Inappropriate disposal of PHI
- Exceeding the 60-day deadline for issuing breach notifications, and some others
Ensuring That There Is HIPAA Compliance: What Do Legal Entities Do to Comply With HIPAA Rules?
Ideally, they should have in place the advanced technology that is so vital to ensure HIPAA compliance. If this is absent, or if technical safeguards are lacking, law firms would be easy targets for hackers and other safety concerns.
HIPAA is among the most stringent of government standards regarding security and privacy. Attorneys, medical review firms providing medical records services for attorneys, and other entities handling PHI must ensure HIPAA compliance to avoid penalties for non-compliance. The HHS is very strict about enforcing HIPAA’s requirements. Their enforcement actions have led to many settlement agreements with non-compliant covered entities, with these actions requiring considerable monetary payments and severe corrective actions.
To learn more about this, you can go to our website at MOS – medicalrecordreview.com.