Under HIPAA, a business associate is a person/entity that performs certain functions/activities that may involve the use or disclosure of PHI (protected health information) on behalf of, or provides services to, a covered entity. Covered entities include healthcare providers and payers that carry out certain transactions electronically – doctors, hospitals, dentists, clinics, labs, pharmacies and insurance companies. Law firms and lawyers handling work that involves PHI for covered entities also fall under the business associate classification. This means that an attorney or lawyer who has to perform medical records review with regard to a personal injury, medical malpractice, or mass tort case becomes a business associate because PHI includes items such as medical records or history, lab results and insurance information. When accepting clients who are covered entities, legal firms and professionals become regulated by HIPAA and will be held liable for any violation under the Act.
Merely possessing medical records will not make an attorney an HIPAA business associate. Take the case of a medical malpractice lawsuit where in the patient suing the doctor gives his/her medical records to the attorney representing them. Since the patient can give the medical records to anyone they want, his/her attorney does not fall under the business associate definition. On the other hand, the doctor’s (defendant in this case) attorney who also handles the patient’s medical records is an HIPAA business associate because the doctor is a covered entity, and is sharing patient data with someone outside his workforce.
Lawyers representing a health plan, provider or clearing house and receive PHI from the client must enter into a Business Associate Agreement (BAA) with the client to ensure compliance. In addition, they must make sure that their vendors or subcontractors also sign such an agreement. These external agencies include outsourcing IT companies, cloud-based legal software vendors, paper records storage providers, shredding companies, data centers, medical records review companies and so on. When the contractor/subcontractor works with another agency with regard to receiving, maintaining or transmitting PHI, those contractors and subcontractors also become business associates.
Legal entities must have in place the necessary administrative, physical and technical safeguards to ensure compliance and if there is a data breach follow all the guidelines on disclosure such as immediately notifying the covered entity.
Failing to comply with HIPAA can be expensive. When partnering with an outsourcing provider, lawyers and law firms should consider only those providers who clearly understand the risks involved and have the resources to make sure that all regulations are being met. With a reliable, knowledgeable partner, legal entities can enjoy trouble-free existence and stay away from issues that may prevent them from providing the best service to their clients.