The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes rights over an individual's health information and applies to covered entities – health plans, healthcare providers, and healthcare clearinghouses – according to the United States Department of Health and Human Services (HHS). Covered entities routinely contract with outside organizations such as law firms, and HIPAA permits covered entities to share protected health information (PHI) with those third parties for permitted purposes. PHI is individually identifiable health information, encompassing a broad range of data such as medical records, insurance details, Social Security numbers, lab reports, and medical histories.
When business associates such as personal injury law firms handle electronic health records and similarly sensitive health files, they are responsible for using the data only in the manner described in the business associate agreement (BAA) with the covered entity; they must safeguard the data and otherwise help the covered entity meet its Privacy Rule duties. As noted by Joe Kelly in Law360, this concern with subcontractors does not stop at law firms but extends downstream as well “to any third party helping the law firm, such as cloud providers, e-discovery partners, expert witnesses, IT providers and third-party backup providers.” Using HIPAA hosting, and the other steps you take toward compliance, will strengthen trust in these relationships.
How are law firms liable for HIPAA protections?
When HIPAA was first released, it was focused on regulating healthcare providers, health plans, and healthcare clearinghouses. Covered entities had to sign BAAs with any third parties who handled PHI, but those business associates were bound only by contract; they were not directly liable under HIPAA. That changed dramatically with the Health Information Technology for Economic and Clinical Health Act (HITECH) – part of the American Recovery and Reinvestment Act of 2009 (ARRA). When HHS implemented HITECH in 2013 with the Omnibus Final Rule, it sent shockwaves throughout the industry by making business associates directly accountable for compliance with the healthcare law.
As the federal government raised its expectations for business associates in the Final Rule, it expanded the definition of the term to name three groups that newly had to meet HIPAA compliance: any organization that accesses or transmits health data for a covered entity (as occurs with e-prescribing gateways and health information organizations); vendors that offer a personal health record to individuals on behalf of a covered entity; and business associates of business associates (i.e., their subcontractors).
Of these three groups, the one that matters most for law firms, noted the American Bar Association’s GP Solo, is the third. For example, personal injury lawyers must maintain a HIPAA-compliant system even when they are storing or sending health data for a business associate rather than for a covered entity directly. In these cases the lawyer and the business associate need to sign a subcontractor business associate agreement – a variant of a typical BAA.
For personal injury law firms to be HIPAA-compliant, all members of management and the workforce must receive routine training on the healthcare law. Risk assessments must also be performed at regular intervals and whenever the environment changes materially.
At the core of HIPAA compliance is the Security Rule, which sets specific standards for protecting electronic protected health information (ePHI), the electronic subset of the PHI covered by the Privacy Rule. The Security Rule requires three categories of safeguards. Technical safeguards include transmission security, access controls, audit controls, integrity controls, and person or entity authentication. Physical safeguards include workstation use and security, device and media controls, and facility access controls. Administrative safeguards include workforce training, periodic evaluation, information access management, an assigned security official, a security management process (including risk analysis), security incident procedures, and contingency planning.
HIPAA-compliant hosting is a must.
Because of this law, personal injury attorneys should know that any hosting they use to store health information must support HIPAA compliance. Note that HHS does not certify products or providers as HIPAA-compliant; what matters is that the host signs a BAA, documents how it meets the Security Rule safeguards, and ideally has been independently audited against a recognized framework. Since HIPAA is legal in nature, many firms want to handle compliance on their own. However, this law is dense, and meeting its requirements takes not just legal knowledge but the expertise to choose the right tools for defending IT environments – leading many firms to work with hosts that already have experience applying HIPAA requirements directly.
This post has been sponsored by Atlantic.Net
Digital Health Buzz! aims to be the destination of choice when it comes to what’s happening in the digital health world. We are not about news and views, but informative articles and thoughts to apply in your business.