Lawyers and HIPAA

HIPAA is certainly not new, and neither are the challenges it creates for lawyers. Hospitals, medical and dental practices, and other covered entities have grappled with HIPAA for years. Ask any healthcare worker about the topic, and they will likely share negative feedback. Such responses often relate to ongoing challenges, including continuous training, extensive policies, documentation, risk assessments, and complex risk management plans.
Who Are Business Associates?
Business Associates are non-employees that create, receive, maintain or transmit protected health information (PHI). Examples of business associates include system vendors such as information technicians contracted to service the computers, software companies that provide support such as remote access, trainers and consultants who have access to the database containing PHI, bookkeepers and accountants whose documentation includes PHI, billing services, transcriptionists, and, yes, lawyers.
Covered entities have been gathering Business Associate Agreements for years. HIPAA required covered entities to obtain the agreement from Business Associates to promote good practices in safeguarding information. However, Business Associates were not directly responsible for violations under HIPAA.
HITECH Act Changes
The HITECH Act introduced breach notification requirements. This Act held Business Associates accountable for safeguarding PHI and preventing unauthorized use or disclosure.
Currently, under HIPAA’s final provisions, Business Associates face the same penalties for violations as covered entities. Business Associates must disclose subcontractors and obtain Business Associate Agreements from them. They must use PHI only as outlined in their contracts.
HIPAA’s Final Rule
With HIPAA’s final rule effective March 26, 2013, and enforceable September 23, 2013, Business Associates scrambled to comply. Non-compliance risks costly penalties for breaches. Lawyers must do more than sign agreements with clients or subcontractors.
Where to Begin
A commonsense place to start is to analyze the flow of information in your firm. Identify the covered entities you serve, such as hospitals, clinics, small and large healthcare providers, insurance plans and patients. Additionally, determine who your subcontractors are, such as co-counsel and transcriptionists.
Revise the Business Associate Agreement to meet the needs of the firm. A sample Business Associate Agreement is provided by the Department of Health and Human Services.
Customize the suggested language to meet the needs of your law firm. If you have an existing agreement in place, keep in mind that agreements should reflect Omnibus changes. Existing agreements obtained must be amended by September 2014.
Preventing a Breach
- Portable devices often cause breaches. Categorize systems containing PHI. How many flash drives, tablets, or laptops does your firm use?
- Utilize encryption on portable media devices. Develop policies to prohibit employees from using personal devices such as flash drives and notebook computers to store or transport information that contains PHI. If employees use personal notebook computers, it may be very advantageous to issue policy statements and obtain assurance that the information is encrypted and the device is stored securely.
- Identify who has remote access to the law firm’s database, particularly individuals such as attorneys who work from home. Develop policies to assure that information is safeguarded properly and stored on the firm’s file server, not on home computers or devices.
- Assess threats and vulnerabilities to the database before the firm is confronted with a disaster or data breach, to promote prevention and a quick response. Store encrypted data offsite to prevent data loss in the event of a natural disaster such as a tornado, flood or fire.
- Provide training for the entire workforce at least annually and train new hires when they join the law firm. Simply having a background in healthcare law or exposure to HIPAA at a previous employer is insufficient. Describe how your firm handles the obligation of serving as a Business Associate.
- Develop personnel policies to address topics such as background checks, termination procedures, user rights and log-ins. For example, termination procedures should include a policy for deactivating network log-ins and remote access for employees who leave, whether voluntarily or involuntarily. User rights should be granted according to the individual’s job description to limit how much of the database is accessed. No one should share log-ins and passwords. Describe how infractions are to be addressed.
- Consult with your Information Technician to ensure that workstations have automatic log-offs. Review audit trails regularly to make certain that data corruption is not taking place.
- Periodically verify that facsimile numbers are accurate and current to prevent faxing to an unintended recipient. Send emails securely using encryption.
Promoting Security Awareness
Security awareness is everyone’s responsibility at the law firm. Document any security incidents and maintain a log.
Realize that compliance with HIPAA, both for you as a lawyer and for your clients, is an ongoing quest. Reevaluate your compliance regularly and make the necessary corrections using an action plan.
You can be confident in your compliance as a Business Associate by taking the time to review your technology and security policies. Then, you can focus more fully on your clients.
For more information, contact Modern Practice Solutions, LLC.
(This article does not constitute legal advice nor does reading this article engage the services of an attorney)
