The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines the information protected under the Act as electronic, personal health information. Health care providers and individual and group health plans are the main focus of HIPAA rules; however, those organizations often need to work with what HIPAA defines as "Business Associates" in order to carry out their line of business.
Law firms large and small often have occasion to handle protected, electronic personal health information they receive from HIPAA-covered health care providers or health plans. When they do, they generally meet HIPAA's definition of a "Business Associate." Business associates have formal duties and obligations established under HIPAA. Firms should note that HIPAA also sets out serious monetary penalties if Business Associates fail to take the required compliance measures. Let's take a closer look.
What Constitutes Personal Health Information under HIPAA?
During their regular course of business, legal practices such as medical malpractice, product liability, personal injury, and elder law often come into possession of a client's personal health information. This personal information may take the form of medical history records, lab test results, and/or health insurance records. Each of these records constitutes personal health information under HIPAA rules.
What Does HIPAA Require for Handling Personal Health Information?
Portability, Privacy, and Security
HIPAA rules focus on the portability of personal health information, simplified record keeping, tax implications, privacy, and maintaining the security of sensitive personal health information. The Act's final Omnibus Rule came into effect in 2013 and made substantial changes to privacy and security rules in the expanding digital world in which Business Associates operate. The Omnibus Rule incorporates four final rules that enable health information technology mandates in the health arena, such as the adoption of electronic health records.
The final rule also made significant changes to Business Associate Agreements. Under the final rule, Business Associates are independently responsible to the Office for Civil Rights to comply with HIPAA's privacy, security, and breach notification requirements. Medical practices are no longer responsible for the violations of their Business Associates.
HIPAA recognizes Business Associates as a legitimate business need and requires those relationships to:
- use the personal health information they obtain for the purposes intended,
- safeguard personal health information, and
- use the information to help the medical practice/health plan carry out its duties under HIPAA's privacy rule.
It is important that law firms and their clients enter into detailed Business Associate Agreements that spell out each party's compliance duties under HIPAA.
What Are HIPAA's Penalties for Non-compliance?
Penalties are multi-tiered and increase with culpability
Penalties for non-compliance with HIPAA are onerous. The penalties take the form of a multi-tiered structure which increases the size of the fines in correlation with the culpability level of the offense. The categories of penalty, from lowest to highest infraction, are:
- reasonable cause without willful neglect,
- willful neglect but corrected in the appropriate time frame,
- uncorrected willful neglect.
The maximum penalty is $1.5 million for each violation.
What Can Law Firms Do to Assess HIPAA Compliance?
Law firms should perform risk assessments to confirm they are compliant
The Security Rule under HIPAA requires that medical providers protect an individual's electronic personal health record. They do this by using strong administrative procedures and both physical and technical safeguards. Law firms that represent providers or health plans covered by HIPAA must perform risk assessments to show they meet or exceed HIPAA's strict standards.
There are several types of HIPAA risk assessments:
Physical Security Standards
Law firms must take precautions to ensure that their networks, stored data, and their physical computers and offices are secure from cyber attacks. Law firms must protect the areas where computers reside and secure all computer terminals. Firms must handle personal health information stored on electronic devices in a HIPAA-compliant manner. HIPAA also requires limiting access to sensitive personal health information to authorized personnel only.
Implementing Technical Safeguards
Technical safeguards include authentication procedures that require strong passwords that change periodically, tough encryption, multi-layer authentication, and tracking software to create an access audit trail.
Every law firm that handles sensitive personal health information must adopt adequate policies and procedures to prevent security violations and to correct security issues once IT detects a problem. Administrative safeguards include policies that limit access to electronic personal health information.
Law firms must train all staff in security protocols and how to document security incidents. They must adopt security response procedures and appoint a security official to handle any crises that develop. Naturally, part of a system's safeguards includes emergency procedures in the event of natural disasters, cyber security attacks, or plain old mechanical failures. Firms must also take care to identify and secure personal health information that is stored electronically in traditional office equipment, like photocopiers.
Firms must adopt action plans to address failures in regulatory compliance. Encryption and security are an important part of every action plan. Law firms that use cloud providers and data vendors must ensure that those providers are HIPAA compliant as well. That's where business associate agreements come into play.
Small Firm Issues
A smaller law firm may not have the resources it needs or the on-staff compliance specialists that larger firms enjoy. In that instance, smaller firms can benefit by partnering with niche companies that provide turnkey products that are designed, built, and installed ready-to-use to help them stay on the right side of compliance issues. Turnkey products assist with securing paper and digital documents, as well as providing digital tracking of users.
HIPAA Is Complex
This post sets out some important points about HIPAA requirements and compliance issues. Law firms should take care, however, to accord HIPAA the appropriate respect: it is complex legislation, and failure to comply with its rules can result in expensive fines.
To learn how COVID-19 is putting HIPAA to the test, read the natlawreview.com article from March 2020 entitled "Public Health v Patient Privacy: How Coronavirus Is Putting HIPAA to the Test."
To talk more about how HIPAA may apply to your firm's practice or other topics of interest to you, please contact us. We stand ready to serve as your resource on all your compliance questions.