When most lawyers hear the term “HIPAA,” they dismiss it as “that law health care lawyers need to know.” While that may have been true years ago, it is not true today. In general, any lawyer who uses, creates, or discloses protected health information (PHI) on behalf of a health care provider (e.g., a physician), health plan (e.g., an HMO), or health care clearinghouse in the course of his or her representation must abide by the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This could include, for example, the lawyer who defends a chiropractor accused of malpractice, the lawyer who represents a pharmacist in a payment dispute with a commercial insurance carrier, or the lawyer who assists a hospital in responding to a government subpoena. In each case, the client is a “covered entity” and the lawyer is a “business associate.”
To better understand a lawyer’s duties under HIPAA, it is important to understand the purpose and effect of HIPAA. HIPAA is a federal law that prevents, among other things, a covered entity from using or disclosing PHI for purposes unrelated to treatment, payment, healthcare operations, or certain defined exceptions without first obtaining the individual’s prior written authorization. Under HIPAA:
(1) a “covered entity” is defined as a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction covered by HIPAA;
(2) a “business associate” is defined as a person who, on behalf of a covered entity, (a) creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA; or (b) provides various non-medical services (e.g., legal, actuarial, management, or administrative services) to a covered entity, where the provision of the services involves the disclosure of PHI from such covered entity, or from another business associate of such covered entity, to that person; and
(3) “PHI” is defined as any information, including demographic information collected from an individual, that (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (b) relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual (e.g., name, address, birth date, specific tattoo).
In early 2013, the Department of Health and Human Services (HHS) published the HIPAA Omnibus Rule, which implemented provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted by Congress in 2009. While the HIPAA Omnibus Rule posed significant compliance issues for covered entities, it also raised major concerns for business associates, which often include lawyers and law firms. In particular, the HIPAA Omnibus Rule implemented provisions in HITECH that significantly expand the accountability of business associates. Not only is a business associate now contractually obligated to provide satisfactory assurances that a covered entity’s PHI will be protected (via a Business Associate Agreement), but the business associate is also directly liable to the Government for its own violations of the HIPAA rules. Even more, subcontractors of business associates (e.g., a cloud hosting provider that stores the firm’s files) are now directly liable as well. Before the HIPAA Omnibus Rule and HITECH, only covered entities were liable if PHI was impermissibly used or disclosed.
Failure to achieve or maintain HIPAA compliance can lead to harsh consequences. From an enforcement standpoint, the HITECH Act established four tiers of monetary penalties (Tier 1—$100–$50,000; Tier 2—$1,000–$50,000; Tier 3—$10,000–$50,000; Tier 4—$50,000). Each tier corresponds to a different degree of culpability, and the Secretary of HHS assesses penalties on a per-violation basis, subject to an annual cap of $1.5 million for violations of the same provision. For example, the HHS Office for Civil Rights settled with a dermatology practice for $150,000 following the theft of an unencrypted thumb drive containing ePHI, an investigation that uncovered significant deficiencies in the practice’s security management processes.
Based on the foregoing, lawyers and law firms should first determine whether they are a business associate of one or more covered entities. Although it is a covered entity’s responsibility to identify its business associates and enter into Business Associate Agreements, lawyers arguably have an obligation to take steps to protect their client’s interests in this regard even if the scope of representation is unrelated to HIPAA. Consequently, if a lawyer or law firm determines that it is a business associate of a covered entity, it should execute a Business Associate Agreement with the covered entity and, as the HIPAA Security Rule requires, implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of the covered entity’s electronic PHI. This includes performing a risk analysis of the ways the business associate stores (e.g., on laptops or servers) and transmits (e.g., by text message or email) PHI. Encryption deserves particular attention in that analysis: under HHS guidance, ePHI that is encrypted to the specified standard is not “unsecured” PHI, so the loss of an encrypted device does not trigger breach notification, whereas the loss of an unencrypted device, as in the thumb drive settlement above, does.