Most attorneys, paralegals, and legal assistants avoid HIPAA like the plague. It has just been another form to fill out in order to get their job done. Unfortunately for some, new regulations were passed last year that can directly affect law firms.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 and amended several aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Prior to HITECH, most law firms dealt with HIPAA in only two ways:
1. When representing “Covered Entities” as defined by HIPAA (health care providers who transmit information electronically, health plans and healthcare clearinghouses), because their clients required them to sign Business Associate Agreements; and
2. When engaged in document retrieval or medical records retrieval during the discovery process of litigation involving claims of medical injury or illness. Covered Entities have required HIPAA-compliant authorizations or subpoenas before releasing the records to the law firms for review.
Since 2003, law firms representing Covered Entities have been signing Business Associate Agreements, which were contracts between the law firms and their clients that addressed the firm’s obligations to protect information it received, maintained or created on behalf of their client as defined by 45 CFR 164.504. Basically, those agreements stated that the firms would secure the Protected Health Information (PHI) that they may come in contact with while representing their clients.
HITECH now requires all Business Associates to comply with certain HIPAA Privacy and Security Rules by February 17, 2010.
Law firms that are Business Associates of Covered Entities are now required to implement written policies and procedures regarding the security of PHI and must be compliant with the following Security Rule measures regarding PHI:
- Administrative Safeguards as defined by 45 CFR 164.308
- Technical Safeguards as defined by 45 CFR 164.312
- Physical Safeguards as defined by 45 CFR 164.310
These safeguards require such things as electronic security, disaster recovery plans, data backup, workstation security, employee training including sanctions for failure to comply, and information systems reviews.
Law firms representing Covered Entities are now also responsible for any vendors they hire to assist them in litigation and must ensure the vendors’ HIPAA compliance. Examples include medical records retrieval companies, electronic document retrieval companies, legal medical and nurse consultants, deposition services, etc.
Business Associate law firms are now subject to the enforcement consequences of the Department of Health and Human Services audits including the new tiered Civil Monetary Penalties:
- Violation without knowledge of the violation: $100-$50,000 per violation with a limit of $1.5 million for identical provision violations in a calendar year
- Violation due to reasonable cause: $1,000-$50,000 per violation with a limit of $1.5 million for identical provision violations in a calendar year
- Violation due to willful neglect and corrected: $10,000-$50,000 per violation with a limit of $1.5 million for identical provision violations in a calendar year
- Violation due to willful neglect and NOT corrected: $50,000 per violation with a limit of $1.5 million for identical provision violations in a calendar year
What Can Law Firms Do?
- Conduct a Security Risk Assessment
- Implement policies and procedures which address the administrative, technical and physical safeguards required
- Train all employees
- Develop Business Associate Agreements for all law firm vendors
U.S. Legal Support and HIPAA:
Since 2006, U.S. Legal Support has employed a full-time HIPAA Privacy Officer with over 18 years of healthcare compliance experience.
U.S. Legal Support is HIPAA and HITECH compliant and has implemented policies and procedures that adhere to the Administrative, Technical and Physical safeguards required by the HIPAA Security Rule. Our subpoena services and authorizations are HIPAA compliant. Our electronic systems are encrypted and firewall-protected, and all employees have signed Confidentiality Agreements.
U.S. Legal Support offers HIPAA Consulting:
- Risk Assessment for HIPAA and HITECH requirements
- Confidentiality forms and workforce training
- HIPAA Security Safeguards implemented and tailored to your department’s needs
- HIPAA CLE available: “HIPAA and How it Affects Discovery”