Does your law firm deal with medical records and other protected health information (PHI)? If it does, then you may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The cost of noncompliance with HIPAA can be steep — Advocate Health Care Network paid a violation settlement of $5.5 million! Therefore, it’s wise to understand how this federal law affects your practice.
What is HIPAA?
HIPAA is a US federal law that secures PHI from disclosure without the patients’ consent or knowledge. PHI is any healthcare information that was created, used, or disclosed while providing healthcare services and can be used to potentially identify an individual.
Are law firms subject to HIPAA?
HIPAA applies to covered entities (i.e., healthcare providers, health plans, and healthcare clearinghouses) and business associates.
Law firms can be considered business associates if they perform legal services that involve the access, use, or disclosure of PHI for a covered entity or business associate. An example of such legal services is medical malpractice defense.
Business associates are required to comply with HIPAA as if they were a covered entity. They are also responsible for ensuring that their subcontractors that use PHI are HIPAA-compliant. So if your law firm works with third parties like record retrieval providers and cloud services companies, then you must ensure that they are HIPAA-compliant as well.
What could happen if my law firm is not HIPAA-compliant?
If your law firm is a HIPAA business associate, then noncompliance with HIPAA can result in civil fines imposed by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Fines can range from $119 to $58,000 per violation. Violations can also carry criminal charges that can lead to jail time.
A single mistake can result in multiple violations. For example, losing a work laptop that contains the medical records of 500 patients may constitute 500 violations. If your law firm is unable to implement the necessary safeguards, then each day of noncompliance may constitute a separate violation.
What can my law firm do to ensure HIPAA compliance?
To avoid violating HIPAA, your law firm must take the following steps:
1. Execute a BAA with a covered entity
If your client is a covered entity or a business associate that has a case that deals with PHI, then they are required to enter into a business associate agreement (BAA) with you. A BAA contains written satisfactory assurances that you will appropriately safeguard the PHI that you’ll receive or create on behalf of your client.
At a minimum, the BAA would require your law firm to:
- Maintain the privacy of PHI
- Limit use or disclosure of PHI to the purposes authorized by your client
- Assist clients in responding to individual requests concerning their PHI
2. Execute a BAA with subcontractors
If a subcontractor will assist you in servicing your client and will have access to PHI, then you must also execute a BAA with them. Your law firm can be liable for your subcontractor’s HIPAA violations, so be very diligent in selecting whom to work with.
3. Comply with privacy and security rules
To protect PHI, your law firm must implement the three types of safeguards required by HIPAA:
- Administrative – Procedures and policies that help defend against data breaches (e.g., staff training, contingency plans to restore lost data)
- Physical – Measures that limit physical access to office and computer systems (e.g., locks and alarms)
- Technical – Technologies and policies that safeguard data from unauthorized access (e.g., unique usernames and passwords, encryption)
4. Respond to and report violations
Your law firm must promptly respond to and report HIPAA violations, data breaches, or security incidents to your client. Should you fail to meet the notification requirements of HIPAA, then the OCR may impose penalties on you.
5. Cooperate with compliance investigations
During a compliance investigation, your law firm must permit the OCR to access your “facilities, books, records, accounts, and other sources of information, including PHI, that are pertinent to ascertaining compliance.”
When you partner with us at [company_short], you’re guaranteed that your requested medical records will be delivered through a HIPAA-compliant online portal. If you have more questions about our security and compliance measures, get in touch with us today.