HIPAA Compliance for Law Firms and Attorneys – Some Facts to Know

Law firms and attorneys that deal with protected health information (PHI) from “covered entities” are business associates under HIPAA and must be compliant with HIPAA’s strict privacy and data security standards. Covered entities include healthcare providers, health plan providers, clearing houses, and insurance carriers. Medical record retrieval companies that are entrusted with the task of retrieving patient medical records for personal injury, workers’ compensation, medical malpractice, and insurance lawyers have to be extra cautious about maintaining the confidentiality and security of these sensitive records.

Attorneys and Law Firms as “Business Associates”

The attorney or law firm becomes a business associate if the legal services provided include exposure of PHI from the covered entity or from another business associate. On the other hand, an attorney that does not create, receive, or have access to PHI is not a business associate. PHI or ePHI comprises data and materials including medical records, lab test records, X-rays and other images, and insurance data. Any kind of data breach would result in violation of HIPAA. Studies show that most of the breaches are caused by hacking or IT incidents. Legal entities must ensure that their offices are safe from hackers and data breaches. The following law firms regularly require access to PHI and therefore must remain HIPAA-compliant:

• Law firms that carry out medical chart reviews for personal injury cases: Defense attorneys working for insurance companies will have to handle the injured party’s medical records. When an insurer shares medical records with the defense attorney they hired and those records contain PHI, the law firm becomes a business associate and HIPAA compliance is mandatory.
• Law firms that provide legal services for covered entities such as a health plan: An attorney that provides legal services to a health plan in reviewing a benefit claim becomes a business associate if the claim contains PHI.
• Malpractice defense firms representing covered entities that have been accused of medical negligence: The doctor who is accused of medical malpractice typically has to share patient medical records containing PHI with the law firm so that he/she can obtain a legal defense. In such a case, the law firm becomes a business associate that has to be HIPAA compliant.

The Most Common HIPAA Violations

According to the HHS (Department of Health and Human Services), the following are the most common HIPAA violations observed:

• Lack of a good risk management process
• Not performing an enterprise-wide risk analysis
• Insufficient ePHI access controls
• Failure to enter into a HIPAA-compliant business associate agreement
• Employees are not properly trained on HIPAA requirements, especially regarding breach of PHI and its consequences
• Not providing HIPAA breach notifications as required to HHS and other authorized entities
• Failure to obtain satisfactory assurances from 3rd party vendors and business associates
• Not restricting PHI disclosures to the “minimum necessary”
• Impermissible disclosures of PHI
• Inappropriate disposal of PHI
• Not using encryption or a similar measure to protect ePHI on portable devices
• Exceeding the 60-day deadline for issuing breach notifications

Ensuring HIPAA Compliance

What can legal entities do to comply with HIPAA rules? Ideally, they should have in place the advanced technology that is so vital to ensure HIPAA compliance. If this is absent, or if technical safeguards are lacking, law firms would be easy targets for hackers and other safety concerns.

• To ensure physical safeguards, limit access to facilities and electronic patient data at offices. Protect servers and backup data as well.
• To ensure administrative safeguards, designate a security officer who is responsible for maintaining privacy and security policies, procedures, and systems. Develop good policies that limit access to PHI, and an emergency response plan to address accidental or deliberate incidents (data breach or a natural disaster) that could result in data compromise.
• To ensure technical safeguards, protect electronic PHI via intrusion detection protection systems (IDPS), encryption and key management, HIPAA-level security auditing, 2-factor identification, passwords and other methods.
• Conduct a risk analysis to identify weaknesses that exist in your system. Adapt the current policies you have or create new ones. Create documentation that clearly outlines the processes involved in maintaining the integrity, confidentiality, and availability of electronic PHI that includes the physical, technical, and administrative safeguards. Your documentation should clearly specify your processes for creating passwords and encrypting data, maintenance, access logs, security audits, and other factors. Also, include a plan for the measures to take in the event of a data breach, such as notifying the covered entity. Have effective procedures to address emergencies such as natural disasters, systems failures, and other incidents.
• Provide compliance training for the firm. Give them an overview of HIPAA and its Omnibus Rule. Include information on HITECH that was introduced to promote the adoption and meaningful use of health information technology. In addition to providing training on legal requirements, clarify what the firm expects from attorneys and office staff regarding ensuring privacy and security.
• Conduct a risk assessment every year and periodically train and refresh users regarding their obligations and best practices.

HIPAA is among the most stringent among government standards regarding security and privacy. Attorneys, medical review firms providing medical records services for attorneys, and other entities handling PHI must ensure HIPAA compliance to avoid penalties for non-compliance. The HHS is very strict about enforcing HIPAA’s requirements. Their enforcement actions have led to many settlement agreements with non-compliant covered entities, with these actions requiring considerable monetary payments and severe corrective actions.