Itā€™s not just healthcare organizations that need to adhere to HIPAA requirements. Attorneys and law firms often deal with health care providers and private health records and need to ensure they meet regulatory standards.

Getting HIPAA requirements wrong can lead to a financial penalty, so read on to find out what you need to know about HIPAA as an attorney and the best practices you and your firm should be following.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. As an attorney, you need to be fully aware of HIPAA requirements and consider them in your everyday practices, from handling sensitive patient data to your use of tort attorney software.

The Health Insurance Portability and Accountability Act was originally designed to improve the efficiency of the healthcare system and ensure that individuals could maintain insurance coverage when changing jobs. The legislation also introduced national standards for electronic healthcare transactions and code sets. This evolved into a framework of privacy and security requirements that extend beyond healthcare providers to include any entity handling health information.

For a law firm, understanding the reach of this act is necessary. The law applies to covered entities and their business associates. While a law firm is not typically a covered entity, it becomes a business associate when it performs legal services that involve access to protected health information. This status requires the firm to meet the same security and privacy standards as the hospitals or insurance companies providing the data.

Attorneys concerned with HIPAA requirements will need to pay particular attention to the accountability aspects of the act noted in these provisions:

  • Privacy Rule: Protects the privacy of individually identifiable health information, known as Protected Health Information (PHI). It sets boundaries on the use and release of health records, establishes safeguards to protect the privacy of PHI, and holds violators accountable, often with civil and criminal penalties.
  • Security Rule: Specifies a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (e-PHI).
  • Transactions and Code Sets Rule: Standardizes the codes used to specify diseases, treatments, and medical procedures. This facilitates health-related electronic transactions like billing, referrals, and other administrative work.
  • Unique Identifiers Rule: Provides a standardized way to identify healthcare entities in electronic transactions through the National Provider Identifier (NPI).
  • Enforcement Rule: Provides guidelines for investigations into HIPAA compliance violations, including imposing monetary penalties for violations and procedures for hearings.

Covered Entities

To understand the obligations of a law firm, one must first identify the covered entities defined by the law. Covered entities include three specific groups:

  • Health Care Providers: Doctors, clinics, dentists, and pharmacies that transmit any health information in electronic form.
  • Health Plans: Health insurance companies, health maintenance organizations, and government programs like Medicare or Medicaid.
  • Health Care Clearinghouses: Entities that process nonstandard health information into standard electronic formats.

These organizations are the primary holders of patient records and billing records. When these entities share information with an attorney or law firm to facilitate legal representation, the firm acts as an extension of the covered entity’s workforce regarding data protection.

Business Associates

A business associate is any person or organization that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information. Law firms are considered business associates when they handle medical records for litigation, care coordination, or benefits claim evaluations.

Under the HITECH Act, business associates are directly liable for compliance with the HIPAA Security Rule. Law firms must implement administrative, physical, and technical safeguards to protect data. The relationship between the covered entity and the firm must be formalized through a written contract.

Key HIPAA Requirements for Attorneys

Business Associate Agreements (BAAs)

If an attorney is performing services for a covered entity (like a healthcare provider or insurer) and has access to PHI, they may be considered what HIPAA terms ā€œbusiness associates.ā€

In this case, they must have a Business Associate Agreement (BAA) with the covered entity, which outlines how PHI will be used, disclosed, and protected. These agreements typically cover your responsibilities concerning PHI and any subcontractors you might work with.

In addition to BAAs, attorneys should also be aware that certain situations may require the use ofĀ HIPAA formsĀ and documentation, such as consent forms for the release of medical records or authorization forms for the use of PHI in legal proceedings.

Data Protection

Attorneys with access to PHI must have physical, administrative, and technical safeguards in place. This means secured databases, encrypted communications, staff training, and protocols for handling and storing sensitive data.

Law firms working with or in relation to a covered entity will be expected to have high data protection in place. Everything from your emails to your remote desktop connection manager should be considered.

Even if an attorney is permitted to access PHI for a case, HIPAA mandates the ā€œminimum necessaryā€ principle. Attorneys should only request, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose.

Notification of Breaches

If thereā€™s a major or minor breach or unauthorized disclosure of PHI, attorneys must have processes to notify the covered entity and, in some cases, the affected individuals and even the Department of Health and Human Services (HHS).

BAAs should inform the covered entity without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach. The notification should provide:

  • A description of the breach
  • The types of information involved in the breach
  • Steps taken to investigate the breach
  • Potential mitigative measures taken

Often, itā€™s then up to the covered entity to inform individuals, but this can depend on who the attorney is working with.

Document Retention

Any PHI records attorneys hold must be retained securely for the required period (often six years), and there should be clear policies about document destruction once that period expires.

Attorneys must retain documents such as:

  • Business Associate Agreements
  • Privacy and security policies and procedures specific to the firmā€™s handling of PHI
  • Risk assessment reports and results
  • Training materials and documentation related to HIPAA compliance training for staff
  • Any incident or breach documentation, including investigations, notifications, and responses

HIPAA doesnā€™t mandate a specific format for retaining records ā€” they can be kept in either electronic or paper format, but they must be accessible, reproducible when required, and protected from unauthorized digital or physical access, tampering, or destruction.

HIPAA Compliance

Achieving HIPAA-compliant status for law firms requires a systematic approach to data management. Compliance is not a one-time event but a continuous process of risk assessment and mitigation. Firms must evaluate how they receive, store, and transmit data in electronic form.

The Office for Civil Rights (OCR) within the HHS is responsible for enforcing these regulations. If a firm experiences a security breach, the OCR may conduct an audit to determine if the firm followed HIPAA rules. Non-compliance can lead to civil and criminal penalties, depending on the level of negligence.

In order to comply with HIPAA, law firms must meet the requirements of the security rule which mandates that organizations handling patient health information maintain administrative, physical and technical safeguards over that information.

Administrative Safeguards

Administrative safeguards are the policies and procedures that manage the conduct of the workforce in relation to the protection of PHI. These are the foundation of a secure practice.

  • Security Management Process: Requires firms to identify and analyze risks to ePHI through a formal risk assessment.
  • Workforce Security: Managed by limiting access to PHI to only those employees who require it for their jobs.
  • Regular Training: All members of the workforce must receive education on security awareness, including password management and identifying malicious software.

Physical Safeguards

Physical safeguards protect the physical assets of the firm, including offices and hardware. These measures prevent unauthorized physical access to systems and data.

  • Facility Access Controls: Limiting physical access to areas where ePHI is stored using keycard entries or security cameras.
  • Workstation Use Policies: Specifying the proper functions for computers that access PHI, ensuring they are not used for tasks that could introduce malware.
  • Device and Media Controls: Managing the receipt and removal of hardware containing ePHI to ensure data is destroyed before hardware is retired.

Technical Safeguards

Technical safeguards involve the technology and policies that protect ePHI and control digital access.

  • Access Control: Measures to ensure that only authorized persons can access ePHI, including unique user IDs and automatic log-offs.
  • Encryption: ePHI must be protected using TLS 1.2 or 1.3 while in motion and robust encryption algorithms while at rest.
  • Audit Controls: Systems used to record and examine activity, allowing the firm to see who accessed data and when.

Establishing HIPAA Compliance for Law Firms

Developing a strategy for HIPAA compliance begins with a thorough audit of the firmā€™s data handling processes. Legal practices must first identify every instance where protected health information enters their workflow, whether through digital portals, physical mail, or fax. Once these data points are identified, the firm must designate specific individuals to oversee the compliance program. This usually involves appointing a privacy officer to manage policy development and a security officer to handle the technical aspects of data protection.

After establishing leadership roles, the firm conducts a risk analysis to find vulnerabilities in its current systems. This analysis forms the basis for implementing the required administrative, physical, and technical safeguards. For a law firm, this also includes ensuring that all BAAs are signed and stored properly. Employees must receive training on these policies to ensure the entire workforce understands how to handle sensitive client data safely. Additionally, the firm must create a clear protocol for detecting potential HIPAA violations and a formal plan for notifying the necessary parties in the event of a breach.

Best Practices for Attorneys to Meet HIPAA Requirements

Thorough and Continuous Training

Attorneys and all staff at a legal firm should familiarize themselves with which of their clients or activities fall under HIPAAā€™s jurisdiction, common violations, and potential risks. This should be included as part of onboarding training and flagged when new cases are accepted.

In addition, you should regularly update your staff and legal professionals onĀ HIPAA compliance, ensuring everyone knows how to handle PHI correctly. Set a fixed annual date for refresher training for all staff.

Tip:Ā Ask all staff to bookmark the official HHS HIPAA webpage or use online HIPAA training resources like the American Bar Association (ABA).

Use Secure Communication

Data breaches are likely if communication lines are insecure, whether email, messaging, or phone calls.

Attorneys should always use secure, encrypted email services when sending or receiving PHI electronically. You should also be wary of discussing PHI over unsecured phone lines or in public places where conversations can be overheard.

Tip:Ā Implement email software that prompts a warning or requires an additional step when sending emails containing potential PHI.

Manage Data Storage, Access Control, and Documents with Care

Communication isnā€™t the only vulnerability at law firms. Your storage solutions and document management systems can be hacked too.

Store electronic files containing PHI on secure, encrypted drives or cloud storage solutions that comply with HIPAA. Limit access to PHI only to those within the firm who need it for case-related reasons. Use strong, unique passwords, and consider two-factor authentication for added security.

You should also maintain a strict protocol for document retention. Have a clear policy for document destruction, ensuring that bothĀ electronic health recordsĀ and paper records containing PHI are destroyed so they canā€™t be reconstructed.

Tip:Ā Use software that tags and categorizes documents containing PHI and sets automated reminders for when these documents should be reviewed or securely destroyed.

Have a Response Plan for Data Breaches

Itā€™s always best to prepare for the worst. You must develop and regularly update a response plan for any potential security incidents. This plan should outline the steps to be taken, including notifications, internal investigations, and corrective actions.

Utilizing incident alert management systems can be highly beneficial in promptly detecting and responding to breaches.

Also, familiarize yourself with the breach notification requirements under HIPAA, ensuring timely reporting if a breach does occur. Ensure all bases are covered, from information stored on sites with other domains viaĀ Only DomainsĀ to employeesā€™ smartphones.

Tip:Ā Conduct mock breach scenarios annually to test your firmā€™s contingency plan. This will help familiarize everyone with the steps they must take in an actual breach situation.

Maintain Physical Security

While the above tips focus on electronic and technical safeguards, many law firms have paper records too. Keep paper documents containing Protected Health Information in locked cabinets or secure rooms.

You should also ensure office premises have adequate security measures like alarms, surveillance cameras, and controlled access to areas where sensitive information is stored.

Tip:Ā Install a logging system for access to workstations and secure areas to trace who had access to sensitive information and when.

Regularly Audit and Review

Once you have administrative safeguards in place, donā€™t just forget about them indefinitely. Instead, regularly audit your firmā€™s practices andĀ data management toolsĀ regarding PHI to ensure ongoing compliance.

Review and update your internal policies regularly to adapt to law changes and address potential vulnerabilities.

Tip:Ā Use a compliance checklist to ensure all areas of potential concern are audited bi-yearly.

Collaborate with IT Staff and External Consultants

IT professionals are your best friends regarding HIPAAā€™s technical policies. Schedule routine cybersecurity assessments, vulnerability scans, and penetration testing to uncover and address potential weaknesses. Breaches can appear in places with little human interaction too, like automated customer service software, so be sure to get IT to cover all the bases.

Finally, if youā€™re still unsure about meeting HIPAA requirements, itā€™s time to seek external advice. And even if youā€™re confident in your technical security measures, seeking external legal or compliance consultation periodically can help identify potential oversights or areas of improvement.

Tip:Ā Attend seminars or webinars focused on the intersection of legal practice and HIPAA compliance.

Conclusion: Ensure your firm meets HIPAA requirements

HIPAA requirements mean any law firm should have reasonable safeguards in place to protect clients, patients, and employees. While monetary penalties are a top concern, HIPAA is also about ensuring trust across your firm and for your clients.

If your firm is dealing with any healthcare industry partners or clients, HIPAA is an essential part of day-to-day security practices, from data storage to everyday administrative actions. In addition to references this blog, please make sure you do a comprehensive research on HIPAA compliance by utilizing various available online and through credible sources.

Atlantic.Net can assist you with all yourĀ HIPAA compliant hosting needs.