Law firms across the country might be asking this question, especially after receiving new Business Associate Agreements (BAAs) from their covered entity clients in the fall of 2013. The HIPAA Omnibus Rule was passed in 2013 and took effect in September, strengthening the privacy and security protections established under HIPAA and changing the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
If your firm represents a covered entity (health plans, health care clearinghouses and health care providers who conduct certain financial and administrative transactions electronically), then you are considered a business associate of your client and must comply with the Administrative, Technical and Physical safeguards required by the HIPAA Security Rule. Your firm may have signed a BAA sent to you by your client promising to implement the safeguards, but business associates are also required to ensure that anyone they hire to assist them in litigation is compliant. This includes expert witnesses and litigation support firms such as court reporters, record retrieval and legal copy services. Law firms must draft BAAs and have them signed by all vendors, experts and consultants who have access to their clients’ Protected Health Information (PHI). The new language for BAAs required by the Omnibus Rule can be found on the Health & Human Services, Office for Civil Rights HIPAA page.
One of the Administrative Safeguards required of firms representing covered entities is the Risk Assessment. This is a thorough assessment of the potential risks to their clients’ PHI as it is used, stored and transmitted within and outside the law firm. It must include reviews of policies involving hiring and firing of staff, existing training and incident response procedures, computer and mobile device access, information system architecture and protections, and many other systems used within the firm. A law firm can conduct the Risk Assessment in-house or hire a consultant to conduct the review, but new policies almost always have to be implemented after the assessment.
Some of the largest breaches reported to Health & Human Services have involved business associates and law firms. Firms must recognize that they can be liable for large fines for failing to comply with the required safeguards. The required safeguards can be painful for some lawyers. For example, having passwords and short time-outs on their phones, tablets and other portable devices can be inconvenient, but it is necessary to prevent unauthorized access to client information.
If your firm needs to conduct a Risk Assessment and make some changes to your policies, Heather Hughes can help. Heather is the HIPAA Privacy Officer for U.S. Legal Support and has over 20 years’ experience in healthcare risk management and in HIPAA privacy and security as it relates to the legal industry. She has assisted dozens of law firms across the country in assessing their risks and making policy changes to comply with HIPAA, HITECH, and the Omnibus Rule.
Heather can be contacted at firstname.lastname@example.org or 832.201.3877.
U.S. Legal Support is a full-service national litigation support firm specializing in record retrieval, electronic discovery, and court reporting services for law firms, insurance companies and corporations across the country. U.S. Legal Support is headquartered in Houston, Texas and has over 40 offices across the United States.