Attorneys are very familiar with the notion of having to keep information private and abide by the law. Still, even experienced attorneys might not be familiar with all of the specific details of HIPAA compliance, which means following all the guidelines established in the Health Insurance Portability and Accountability Act of 1996.
Depending on the focus of a law firm, HIPAA compliance may only be an important concern in a small number of cases, since protected health information (PHI) is strictly defined. However, when PHI is involved, as is typically true of personal injury cases, staying compliant protects a firm’s finances and reputation.
Why do personal injury lawyers need HIPAA hosting?
Under HIPAA, lawyers who handle and store ePHI (electronic protected health information) are business associates, and as such are responsible for protecting that health data.
Lawyers as Business Associates Under HIPAA
Under HIPAA law, there are two primary organizational classifications for which the regulations are important: covered entities and business associates. While the former includes health insurance plans, healthcare providers, and health data clearinghouses, the latter contains a diverse array of companies that handle this sensitive information as a service, including hosting companies, shredding services, and attorneys.
Under the HIPAA Omnibus Final Rule that came into effect because of the Health Information for Economic and Clinical Health Act of 2009 (HITECH), responsibility for protection of health data was more directly assigned to business associates.
A perfect example of the scope of the business associate is seen in the personal injury or accident attorney. An accident attorney certainly would not view herself as a healthcare professional; nonetheless, the federal law now requires that she meets certain standards, particularly in the ways that she protects the privacy and security of electronic health records (or, in HIPAA terms, electronic protected health information, aka ePHI).
Not every attorney is a HIPAA business associate. Any attorney can become one, however, the moment she provides legal services to an organization that does not employ her. An attorney is also considered a business associate if she “works for an organized health care arrangement in which the covered entity participates,” noted attorney Jarrod A. Malone in The Indiana Lawyer.
Relationship Between Attorneys and ePHI
PHI or ePHI consists of information and materials such as health records, lab work, images, and insurance data. Attorneys that handle this type of information are across a broad range of areas, including eldercare law, medical malpractice, and personal injury. When a firm decides to take a client that has a case relying on medical records, they need to know that they will be held to the standards of a HIPAA business associate in relationship to that data.
The HIPAA stipulations, which are collectively intended to boost the number of people who have health insurance, focus on migration or transfer of data, tax ramifications, and administrative changes that were called “simplification” but were really about standardization to enhance both security and efficiency. With the 2013 effective date of the HIPAA Final Omnibus Rule, business associates were held directly to HIPAA compliance. Attorneys such as accident lawyers had to start learning about legislation that they and their subcontractors must follow.
The HIPAA Privacy Rule is one of the rules within HIPAA that is critical for covered entities and, by extension, their business associates. The Privacy Rule does not block the sharing of information with service providers (or business associates); instead, it is acceptable for the covered entity to share the data if the outside organization signs a business associate agreement (BAA). The BAA will state exactly how the data will be used; will provide proper security protections to keep unauthorized parties from accessing it; and will support the covered entity in maintaining its compliance to avoid violations from the HIPAA enforcer, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).
Law Firm Goes Astray With HIPAA
The HHS Department has received complaints related to attorneys. For instance, the OCR conducted an investigation of a pharmacy chain’s law firm that was believed to have passed on protected health data to another party improperly (i.e. without the consent of the applicable patient of the pharmacy chain), as discussed within the American Bar Association’s Law Technology Today.
Attorneys must be compliant with HIPAA rules. Plus, they have to be certain that their subcontractors are following the guidelines as well. Because of the need to be conscientious about subcontractors, an attorney should make sure that HIPAA compliance is maintained throughout her ecosystem, extending to such disparate partners as cloud hosting services and expert witnesses.
Three Categories of HIPAA Safeguards
Key HIPAA safeguards that must be met are the guidelines covered within Title II of the law, the Administrative Simplification provisions. As an effort that the US Department of Health and Human Services says was intended “[t]o improve the efficiency and effectiveness of the health care system,” this part of HIPAA directed the HHS to create, develop, and enforce standards to allow for secure digital health environments that protected confidentiality. They also mandated unique health identifiers and code sets so that healthcare could be delivered more seamlessly.
The Privacy and Security Rules are core to Title II. Particularly important to the Security Rule are its three categories of mandated, standardized protections, as indicated by the HIPAA Security Rule Summary from the HHS. These rules are fundamental to a HIPAA hosting environment, whose engineers should have expertise on all ePHI requirements.
Administrative Safeguards for HIPAA Compliance
- Security management – covered entities and business associates protecting ePHI have to find and study possible vulnerabilities to healthcare systems. Security mechanisms must be put into place to minimize any threats posed.
- Security roles – To comply with HIPAA, it is necessary to have a person on your staff who is in charge of HIPAA security. This individual is the point-person for deployment and maintenance of security procedures and protocols.
- Access management – The “minimum necessary” rule for disclosure of PHI is key to the Privacy Rule. Similarly, the Security Rule mandates role-based access, in which users only access data if they have a position with permissions to view it, on a need-to-know basis.
- Employee management & training – Guidance and controlled authorization of your employees who handle healthcare data is necessary for HIPAA compliance as well. The key Security Rule parameters and protocols should be conveyed to these individuals. Plus, there should be a system of sanctions in place so that anyone who does not abide by the healthcare law is held accountable.
- Assessment – In order to maintain HIPAA compliance, you should regularly and systematically review your security mechanisms and protocols.
Physical Safeguards for HIPAA Compliance
- Controls of facility access – HIPAA compliance includes making sure that all people who are granted entry to physical locations of PHI/ePHI are authorized.
- Device/workstation protections – Access and use of electronic files and workstations should be described within policies and procedures documents. The procedures that are followed when healthcare data is moved, deleted, destroyed, or reused should also be discussed within policy and procedure paperwork.
Technical Safeguards for HIPAA Compliance
- Controls of access – There should be appropriate protocols and tools implemented to confirm that all users who access sensitive health data are authorized.
- Controls of auditing – Steps should be taken with equipment and programs to log and analyze user access and behavior within areas holding ePHI.
- Controls of integrity – To be HIPAA-compliant, you must be certain that any changes to or removal of electronic health records are properly conducted. Technologies should be deployed to verify that ePHI is not destroyed or changed.
- Transmission protections – When ePHI is sent through an electronic network, HIPAA compliance requires security steps be taken to prevent malicious access.
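To make the access, audit and integrity controls in the list above concrete, here is an added example that is not code from the article or from Atlantic.Net. It models a tiny ePHI record store in which every read or write is checked against a role-based, need-to-know permission map (access control), every attempt is written to an audit trail whether allowed or denied (audit control), and each stored record carries an HMAC-SHA256 tag so that any alteration of the stored data is detected on the next read (integrity control). The roles, record fields, user names and the integrity key are all constructed assumptions for illustration; transmission protection (TLS on the wire) is outside what this snippet shows.

```python
"""Added example (not from the article): a minimal illustration of three HIPAA
Security Rule technical safeguards over a constructed ePHI record store:
  - access control: role-based, need-to-know checks before any read/write
  - audit control: every access attempt is logged, allowed or denied
  - integrity control: each record carries an HMAC tag so tampering is detected
All names, roles and records here are constructed assumptions for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-permission map (assumption). Each role gets only the
# minimum necessary access for its job function.
PERMISSIONS = {
    "attorney": {"read", "write"},
    "paralegal": {"read"},
    "billing": set(),
}

# Constructed key; in a real deployment this would come from a KMS or secret store.
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Return an HMAC-SHA256 tag over a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_record(record, key), tag)


@dataclass
class EphiStore:
    records: dict = field(default_factory=dict)   # record_id -> (record, tag)
    audit_log: list = field(default_factory=list)

    def _audit(self, user, role, action, record_id, outcome):
        # Audit control: log who did what to which record, and the outcome.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "record_id": record_id, "outcome": outcome,
        })

    def _authorized(self, role, action):
        # Access control: unknown roles get no permissions at all.
        return action in PERMISSIONS.get(role, set())

    def write(self, user, role, record_id, record):
        if not self._authorized(role, "write"):
            self._audit(user, role, "write", record_id, "denied")
            raise PermissionError(f"{role} may not write ePHI")
        self.records[record_id] = (dict(record), tag_record(record))
        self._audit(user, role, "write", record_id, "allowed")

    def read(self, user, role, record_id):
        if not self._authorized(role, "read"):
            self._audit(user, role, "read", record_id, "denied")
            raise PermissionError(f"{role} may not read ePHI")
        record, tag = self.records[record_id]
        if not verify_record(record, tag):
            # Integrity control: refuse to serve a record whose tag no longer matches.
            self._audit(user, role, "read", record_id, "integrity_failure")
            raise ValueError(f"integrity check failed for {record_id}")
        self._audit(user, role, "read", record_id, "allowed")
        return record


def demo():
    """Walk through an allowed read, a denied read and a detected alteration."""
    store = EphiStore()
    rec = {"client": "J. Doe (constructed)", "diagnosis": "fracture", "dos": "2023-01-05"}
    store.write("alice", "attorney", "case-001", rec)
    assert store.read("bob", "paralegal", "case-001") == rec

    denied = False
    try:
        store.read("carol", "billing", "case-001")   # billing has no read permission
    except PermissionError:
        denied = True

    # Simulate an out-of-band change to the stored record (e.g. disk-level edit).
    stored, _tag = store.records["case-001"]
    stored["diagnosis"] = "none"
    tampered = False
    try:
        store.read("alice", "attorney", "case-001")
    except ValueError:
        tampered = True

    outcomes = [e["outcome"] for e in store.audit_log]
    return {"denied": denied, "tampered": tampered, "outcomes": outcomes}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the demo summary; the audit log shows four entries in order (write allowed, read allowed, read denied, read integrity failure), which is the kind of trail an assessment under the Administrative Safeguards would review. The HMAC tag is keyed, so an attacker who can edit stored records but does not hold the key cannot recompute a matching tag, which is what distinguishes this from a plain checksum.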
HIPAA Hosting Plan for Lawyers
It should be clear from the above discussion that your accident law firm needs HIPAA hosting. At Atlantic.Net, our infrastructure is SSAE SOC 1 and SOC 2 (formerly SSAE 16) certified and HIPAA/HITECH audited. See our HIPAA compliant hosting solutions.