HIPAA and Information Governance in Law Firms
Summary: The HIPAA Omnibus Rule has consolidated and formalized many privacy rules regarding personal health information and also, in most aspects, made law firms liable as business associates of covered entities with or without any contract defining law firms as such. The HIPAA Task Force Report 2014 deals with best practices of information management in law firms in regard to HIPAA compliance.
The recent Law Firm Information Governance Symposium, held in July 2014, found that law firms could be blindsided by the U.S. 2013 Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule. Consequently, the Symposium's HIPAA Task Force published a report this August on its findings: the risks, liabilities and best practices that law firms doing HIPAA-related work need to keep in mind.
With the broadened ambit of the rule, the report notes, "if the defense of a client in a medical malpractice claim requires access to PHI (personal health information), the law firm will qualify as a business associate." The same information obtained from a plaintiff via a subpoena, however, does not place the law firm under the same constraints. Information management in law firms with respect to HIPAA requirements has therefore become a critical issue.
The HIPAA Omnibus Rule has also formalized multiple changes to privacy requirements and data security. As business associates, however, law firms are required to comply only with select portions of the Privacy Rule. In general, law firms are permitted to disclose PHI as required by law. In practice this means that a subpoena or discovery request signed by an attorney requires either notice to the individual, or a declaration that reasonable efforts have been made to notify the individual without success, whereas a court order for PHI signed by a judge requires no further assurances.
The HIPAA Task Force report observed, "Many firms must modify not only their access control strategies, but also the manner in which they request and intake information from clients. The Privacy Rule stipulates that business associates should 'request' the minimum amount of PHI required for a given purpose. Firms should, therefore, consider providing engagement letters to covered entity and business associate clients that explicitly request that the client refrain from sending information easily identified as not necessary for the engagement."
The aspects of the Privacy Rule the task force recommends law firms should focus on include:
- Reviewing all business associate agreements to understand and comply with access control restrictions
- Limiting permissible disclosure to the minimum necessary
- Limiting uses and disclosures of PHI as required by a business associate agreement, or as permitted or required under HIPAA
- Providing access to a covered entity, to an individual who is the subject of the PHI, or to HHS during an investigation
- Ensuring PHI is never sold
- Establishing business associate agreements with relevant clients, subcontractors, hosted service providers, expert witnesses, and so on
- Maintaining compliance records and submitting reports to HHS when required to evaluate compliance
- Providing a breach notification to a covered entity within 60 days of a breach
- Developing a program to communicate privacy requirements to affected lawyers and staff
The vast majority of law firms are liable for compliance because they can be classified as HIPAA business associates with respect to clients that qualify as covered entities, or with respect to third-party organizations that process HIPAA-protected information on behalf of a covered entity. This differs significantly from the earlier situation, in which law firms were classified and held liable as business associates only if they had a contract with a covered entity specifically defining and classifying them as business associates under HIPAA/HITECH.
The liabilities and penalties are also strict and steep. The report observes, "Law firms should be aware there is no single official method for tallying monetary penalties, and total penalties will exceed those incurred prior to the HITECH Act, when firms were only liable for breach of contract. While a possible penalty of $1.5 million per provision may seem like a steep fine, the greatest risk a compliance breach poses to a firm is a tarnished reputation that could compromise future business opportunities with clients."