Lawyers and HIPAA
How Lawyers Who Serve As Business Associates to Covered Entities Align their Law Practices with HIPAA
HIPAA is certainly not new. Hospitals, medical and dental practices, and other covered entities have been grappling with HIPAA for years now. Ask any healthcare worker about the topic and you will likely receive negative feedback. No doubt such a response relates to the ongoing challenges of HIPAA compliance, which include continual training, voluminous policies and procedures, never-ending documentation, complicated risk assessments and convoluted risk management plans.
Business Associates are non-employees that create, receive, maintain or transmit protected health information (PHI) on behalf of a covered entity. Examples of business associates include system vendors such as information technicians contracted to service the computers, software companies that provide support such as remote access, trainers and consultants who have access to the database containing PHI, bookkeepers and accountants whose documentation includes PHI, billing services and transcriptionists, and, yes, lawyers.
Covered entities have been gathering Business Associate Agreements for years. HIPAA required that covered entities obtain the agreement from Business Associates to promote good practices in safeguarding information. However, Business Associates were only contractually bound to the covered entity and were not directly liable for violations under HIPAA.
The HITECH Act introduced breach notification requirements. It also made Business Associates directly accountable for safeguarding PHI and preventing unauthorized use and disclosure, just as covered entities are.
Under the HIPAA Omnibus Final Rule, Business Associates are subject to civil penalties just like covered entities. A Business Associate must now disclose whether it works with subcontractors that handle PHI and, if so, obtain Business Associate Agreements from them. The Business Associate may use or disclose PHI only as the contract permits.
Thus, with the final rule effective March 26, 2013 and enforceable September 23, 2013, Business Associates such as lawyers are scrambling to come into compliance and avoid potentially costly penalties for breaches. It is not simply a matter of signing an agreement with your client or asking one of your subcontractors to sign an agreement.
Where do you begin? A common-sense place to start is to analyze the flow of information in your firm. Identify the covered entities you serve, such as hospitals, clinics, small and large healthcare providers, insurance plans and patients. Additionally, determine who your subcontractors are, such as co-counsel, transcriptionists, etc.
Revise the Business Associate Agreement to meet the needs of the firm. A sample Business Associate Agreement is provided by the Department of Health and Human Services:
Customize the suggested language to meet the needs of your law firm. If you have an existing agreement in place, keep in mind that agreements must reflect the Omnibus changes. Existing agreements that qualified for the transition period must be amended by September 2014.
To prevent a breach, here are a few considerations:
Many breaches of PHI involve lost or stolen portable devices. Inventory and categorize the information systems that contain PHI. Just how many flash drives, tablets, iPads, and notebook computers are in use at your law firm? Do the devices belong to the firm or to the employee?
Use encryption on portable media and devices. Under HHS guidance, PHI that is encrypted using an accepted standard is considered secured, so the loss of a properly encrypted device generally does not trigger breach notification, provided the encryption key was not also compromised. Develop policies that prohibit employees from using personal devices such as flash drives and notebook computers to store or transport information that contains PHI. If employees do use personal notebook computers, it may be very advantageous to issue policy statements and obtain assurance that the information is encrypted and the device is stored securely.
Identify who has remote access to the law firm's database, particularly individuals such as attorneys who work from home. Develop policies to ensure that information is safeguarded properly and stored on the firm's file server, not on home computers or devices.
Assess threats and vulnerabilities to the database before the firm is confronted with a disaster or data breach, so that prevention and a quick response are possible. Store encrypted backups offsite to prevent data loss in the event of a natural disaster such as tornadoes, flooding or fire.
Review this video with your staff: www.youtube.com/watch?v=iC38D5am7go
Provide training for the entire workforce at least annually and train new hires when they join the law firm. Simply having a background in healthcare law or exposure to HIPAA at a previous employer is insufficient. Describe how your firm handles the obligation of serving as a Business Associate.
Develop personnel policies to address topics such as background checks, termination procedures, user rights and log-ins. For example, termination procedures should include deactivating network log-ins and remote access on the day an employee leaves, whether voluntarily or involuntarily. User rights should be granted according to the individual's job description to limit how much of the database each person can access. No one should share log-ins or passwords. Describe how infractions are to be addressed.
Consult with your information technician to ensure that workstations log off automatically after a period of inactivity. Review audit trails regularly so that unauthorized access to, or modification of, PHI is detected rather than discovered after the fact.
Periodically verify that facsimile numbers are accurate and current to prevent faxing to an unintended recipient. Send emails containing PHI securely, using encryption.
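The personnel and audit-trail points above can be turned into a routine check. The following is an added example, not part of the original article and not a product of Modern Practice Solutions: it reconciles a constructed access log against a hypothetical HR roster and role permissions, flagging activity by terminated accounts, access outside a user's role, one account used from two hosts within minutes (a sign of shared log-ins), and after-hours exports of PHI. The usernames, roles, hosts and log format are all assumptions made for illustration.

```python
"""Audit-trail review for a small firm (added example; all data constructed)."""
from datetime import datetime, timedelta

# Hypothetical HR roster: each account's role and termination time, if any.
ROSTER = {
    "asmith": {"role": "attorney",   "terminated": None},
    "bjones": {"role": "paralegal",  "terminated": None},
    "cdoe":   {"role": "bookkeeper", "terminated": "2013-09-30T17:00:00"},
}

# Least privilege: which areas of the database each role may open (assumed).
ROLE_ACCESS = {
    "attorney":   {"matters", "phi_records", "billing"},
    "paralegal":  {"matters", "phi_records"},
    "bookkeeper": {"billing"},
}

# Constructed audit log: "<timestamp> <user> <source host> <area> <action>".
SAMPLE_LOG = """\
2013-10-01T08:05:10 asmith 10.0.0.12 phi_records read
2013-10-01T08:07:44 bjones 10.0.0.15 billing read
2013-10-01T09:15:02 cdoe 10.0.0.20 billing read
2013-10-01T09:16:30 asmith 10.0.0.12 billing read
2013-10-01T09:16:40 asmith 203.0.113.9 phi_records read
2013-10-01T22:30:00 bjones 10.0.0.15 phi_records export
"""


def parse_log(text):
    """Parse the whitespace-separated log format assumed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, area, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "area": area, "action": action})
    return events


def review_audit_trail(log_text, roster=ROSTER, role_access=ROLE_ACCESS,
                       shared_window=timedelta(minutes=5), business_hours=(7, 19)):
    """Return (finding, user, detail) tuples in log order."""
    findings = []
    last_seen = {}  # user -> (timestamp, host) of the previous event
    for ev in parse_log(log_text):
        acct = roster.get(ev["user"])
        when = ev["ts"].isoformat()
        if acct is None:
            findings.append(("unknown_account", ev["user"], when))
            continue
        # Terminated staff must have log-ins deactivated on departure.
        if acct["terminated"] and ev["ts"] >= datetime.fromisoformat(acct["terminated"]):
            findings.append(("terminated_account_active", ev["user"], when))
        # Access outside the user's role violates least privilege.
        if ev["area"] not in role_access[acct["role"]]:
            findings.append(("out_of_role_access", ev["user"], f"{ev['area']} at {when}"))
        # Same account from two hosts within a short window suggests a shared log-in.
        prev = last_seen.get(ev["user"])
        if prev and prev[1] != ev["host"] and ev["ts"] - prev[0] <= shared_window:
            findings.append(("possible_shared_login", ev["user"], f"{prev[1]} and {ev['host']}"))
        last_seen[ev["user"]] = (ev["ts"], ev["host"])
        # Bulk exports of PHI outside business hours deserve a second look.
        start, end = business_hours
        if ev["action"] == "export" and not (start <= ev["ts"].hour < end):
            findings.append(("after_hours_export", ev["user"], when))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_audit_trail(SAMPLE_LOG):
        print(f"{kind:26} {user:8} {detail}")
```

Run against the constructed log, the review reports a paralegal opening billing records, a bookkeeper whose account is still active after termination, an attorney's account used from two hosts ten seconds apart, and an export of PHI at 22:30. Each finding is something the policies in this section are meant to prevent, and the script is a simple way to confirm that they are actually being followed.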
Security awareness is everyone's responsibility at the law firm. Document every security incident, even a minor one, and maintain a log.
Realize that compliance with HIPAA, both for you as a lawyer and for your clients, is an ongoing quest. Re-evaluate your compliance regularly and make the necessary corrections using an action plan.
You can be confident in your compliance as a Business Associate by taking the time to review your technology and security policies. Then you can focus more fully on your clients.
For more information, contact Modern Practice Solutions, LLC (931) 232-7738.
(This article does not constitute legal advice nor does reading this article engage the services of an attorney)