What Law Firms Should Know About HIPAA Compliance

A legal case that involves any type of injury, illness, or healthcare means accessing medical records, either for your client or the opposition. Regardless of whether you use them for direct evidence or background information, the medical record retrieval process comes with strict legal obligations and requirements. 

You’ll want to establish practices and policies for retrieving, accessing, and storing what is included in medical records, even as a sole practitioner, that keep you compliant with HIPAA guidelines.

The first step is to understand the intent, evolution, and specifics of HIPAA compliance for law firms.

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), together with key amendments over the last two decades, provides a nationwide regulatory framework for how medical records are accessed, stored, and shared. 

At its core, the HIPAA legislation: ¹

• Declares the inherent confidentiality of patient records
• Ensures patients can view and submit corrections of their own records
• Promotes record portability so patients can change providers, insurers, or employers
• Establishes practical guidelines on the administration of each rule

Information Protected Under HIPAA

HIPAA protects data created by or shared with a qualifying organization as protected health information (PHI). ¹ In a thumbnail, PHI includes (but is not limited to): 

• Identification including name, contact details, relationships, gender, ethnicity, etc.
• Insurance and billing details including claims, payments, and eligibility determinations
• Medical history, genetic information, family history, and biometric identifiers
• Current, past, and future physical and mental health conditions and diagnoses
• Treatments, test results, surgeries, medications, and provider visits

When any combination of health information and personal identifiers are stored in the same record set such that the record could reasonably lead to personal identification, that combination comprises PHI. 

For instance, if a patient has diabetes, a history of breast cancer in remission, and eczema, this trio of diagnoses under “Patient X” does not constitute PHI. However, if the Patient X file also lists city and treatment dates and details, that could lead to patient identification—thus, this partially identified record falls under PHI.

What Entities Are HIPAA Mandated Under the Law?

Covered entities and their business associates have a legal duty to meet HIPAA requirements.

Covered entities are those that collect, create, or transmit PHI electronically, such as: 

• Healthcare providers, both individual and institutional
• Health insurance providers
• Healthcare clearinghouses dedicated to processing PHI data

Business associates refer to any entity that utilizes, transmits, or otherwise comes into contact with PHI in the course of performing work for a covered entity. This runs the gamut from medical consulting to administrative functions such as: 

• Third-party medical and administrative consultants and facilities
• Billing companies 
• Electronic health record (ESR) platforms 
• Physical storage, faxing, and shredding providers
• Cloud service, email hosting, and IT providers
• Managed service providers (MSPs)
• Accountants and auditors
• Lawyers

What Do HIPAA Guidelines Mean for Law Firms?

If you read the HIPAA text as a purist, you’ll see that lawyers are included when they perform on behalf of covered entities, as summarized above.

The HIPAA language identifies legal teams employed or consulted by health insurers and healthcare providers, but it doesn’t explicitly call out the governance of medical records in the hands of personal injury lawyers representing patients, criminal prosecution and defense attorneys, or any other instance unrelated to serving a covered entity. 

So, does HIPAA apply whenever a lawyer handles PHI? Opinions and perspectives, even from the most well-intended sources, are mixed on the topic. Even within a single article from the American Bar Association, you can see these conflicting messages: ²

1. “Of particular interest to family law attorneys, Title II of HIPAA provides the majority of the provisions regarding the safekeeping, sharing, and enforcement requirements for health care providers and others who handle “protected health information” (PHI).”

2. “…if the holder of the medical information does not meet the definition of a covered entity, HIPAA does not apply…”

That said, an attorney request for medical records should err on the side of caution and follow HIPAA guidelines. From a practical standpoint, lawyers are well advised to handle PHI under HIPAA guidelines as a matter of course. Regardless of whom you represent, HIPAA sets the baseline for client expectations of medical record confidentiality and security, so it can help establish or strengthen trust with clients as well. 

What Are the Four Rules of HIPAA?

There are three core amendments that detail the protection of patient health information, plus a fourth added to clarify the responsibilities of business associates. 

#1 Privacy Rule (2003)

The HIPAA Privacy Rule establishes strict confidentiality by requiring the patient or their representative to consent in writing before sharing personal health information as the default approach, with allowances in place for the flow of information as necessary for treatment and billing. ³

Providers and other covered entities are accountable for establishing, reviewing, and maintaining operational practices that limit the use and disclosure of personally identifiable PHI. This includes: ³

• Limiting disclosure to only what is necessary or identified in a records request
• Removing personal identifiers from health data shared for research or similar purposes
• Training staff to follow HIPAA guidelines and policies

#2: Security Rule (2005)

Less than 10 years after HIPAA’s debut, the Security Rule was drafted to regulate the transmission, storage, and usage of electronic protected health information (ePHI). The entirety of HIPAA deals with PHI in any form, including electronic, but the HIPAA Security Rule targets ePHI to provide guidance as more entities were transitioning to electronic records. 

Under the Security Rule, covered entities must establish security measures and policies that ensure: ³

• Confidentiality at all stages of creation, receipt, maintenance, and transmission
• Access for on-demand usage by authorized personnel
• File safety from deletion, tampering, or corruption
• Staff and contractor training to maintain these measures

#3: Breach Notification Rule (2009)

By 2009, covered entities needed to know what to do in case of a data breach in spite of their efforts to protect PHI and ePHI. 

The HIPAA Breach Notification Rule sets up expectations for covered entities in the case of file theft, technical error, hacking, or other security breaches that result in the use or disclosure of PHI impermissible under the HIPAA Privacy Rule. When this occurs, the entity must: ³

• Provide written notice without delay (maximum 60 days from discovery of breach)
• Describe the nature of the breach and what data was compromised
• Outline their investigation and plans to limit resulting damage
• Recommend precautionary steps that affected individuals can take
• Note what efforts are underway to ensure this doesn’t happen again

If more than 500 residents of a state or jurisdiction are affected, the breached entity is required to provide details to appropriate media outlets. 

#4: Omnibus Rule (2013)

The 2013 Omnibus Rule was added to invite business associates to the table. 

With the Omnibus Rule in 2013, business associates—any entity that encounters PHI in the course of performing work, including legal representation, for a covered entity—were hereafter explicitly held to the same level of HIPAA compliance. ³

The rule also provided guidance on creating legally binding Business Associate Agreements (BAAs) that ensure PHI protection under HIPAA. 

Best Practices for HIPAA Compliance

Today, ensuring HIPAA compliance involves a combination of platform and hardware security, training, and working habits. 

To ensure HIPAA compliance across procedures: 

• Train your team on the importance and methodology of HIPAA compliance
• Limit access to PHI to officially authorized individuals only
• Record access to either ePHI or physical copies at an individual level (no account sharing or signing out files at a team/project level)

For ePHI: 

• Utilize security protocols including encryption and password protection
• Track authorized users and file access
• Limit ePHI to a secure cloud environment vs. downloads, email transfer, etc. 
• Maintain an inventory of utilized hardware 
• Ensure ePHI isn’t accessible by the next user/workstation operator 
• Consider HIPAA compliance in hardware and media re-use and disposal procedures

For paper files: 

• Store in a locked, limited-access location
• Institute a record-keeping process for accessing and reviewing files

What Happens If You Violate HIPAA Rules?

HIPAA Privacy and Security rules are enforced by the Office for Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services. HIPAA violations can be criminal to a felony level or civil in nature, leading to penalties including: ⁴

• Up to $250,000 in fines (nearly $135 million collected to date) ^5,6
• Federal jail time up to 10 years
• Referral to a professional licensing authority
• Further sanctions by a State Attorney General

Of the top five compliance issues most often alleged, two are of particular note for lawyers in possession of patient records: ⁷ 

1. Lack of safeguards of protected health information, and 
2. Lack of administrative safeguards for electronic protected health information.

Guarantee Your Firm’s HIPAA Compliance

The most efficient step in a HIPAA compliance checklist for law firms is to partner with a comprehensive medical records service provider. 

The team at U.S. Legal Support Services fulfills more than 400,000 medical record retrieval  requests every year. After you tell us what you need and when you need it, we handle the entire process of coordinating with billing and medical records departments including follow-up phone calls, untangling lost or incomplete information, and tracking each document’s progress. 

With a nationwide network of over 1.1 million provider relationships, we retrieve and digitize the records you need, and offer organization and analysis. Your files are transferred and stored through a secure portal that’s fully compliant with both HIPAA and SOC 2 Type 2 regulations. 

Reach out to learn more about our legal support services today. 

Sources: 

1. HIPAA Journal. What is Considered PHI Under HIPAA? https://www.hipaajournal.com/considered-phi-hipaa/
2. American Bar Association. HIPAA for the Family Law Attorney. https://www.americanbar.org/groups/family_law/publications/family-advocate/2023/winter/hipaa-family-law-attorney/
3. Ground Labs. Personally Identifiable Information: HIPAA Facts & Best Practices. https://www.groundlabs.com/blog/personally-identifiable-information-hipaa-facts-best-practices-ground-labs/
4. U.S. Department of Health and Human Services. Health Information Privacy / HIPAA Enforcement. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html
5. HIPAA Journal. What Happens if You Break HIPAA Rules? https://www.hipaajournal.com/what-happens-if-you-break-hipaa-rules/
6. U.S. Department of Health and Human Services. Health Information Privacy / Enforcement Highlights. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
7. Health Capital Consultants. “Big Data” Privacy and Security Challenges Under HIPAA/HITECH. https://www.healthcapital.com/hcc/newsletter/6_13/HTML/DATA/6.6_big-data-ii_6.19.13.zd.php