A legal case that involves any type of injury, illness, or healthcare means accessing medical records, either for your client or the opposition. Regardless of whether you use them for direct evidence or background information, the medical record retrieval process comes with strict legal obligations and requirements.
Even as a sole practitioner, you will want policies and practices for retrieving, accessing, and storing medical records that keep you compliant with HIPAA.
The first step is to understand the intent, evolution, and specifics of HIPAA compliance for law firms.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), together with key amendments over the last two decades, provides a nationwide regulatory framework for how medical records are accessed, stored, and shared.
At its core, the HIPAA legislation: 1
HIPAA protects data created by or shared with a qualifying organization as protected health information (PHI). 1 In a thumbnail, PHI includes (but is not limited to):
When any combination of health information and personal identifiers are stored in the same record set such that the record could reasonably lead to personal identification, that combination comprises PHI.
For instance, suppose a patient has diabetes, a history of breast cancer in remission, and eczema. That trio of diagnoses filed under “Patient X” does not, by itself, constitute PHI. If the Patient X file also lists the patient’s city and treatment dates and details, it could reasonably lead to identification, so that partially identified record is PHI. The Privacy Rule’s Safe Harbor de-identification method makes this concrete: geographic units smaller than a state and all elements of dates other than the year are among the 18 identifier categories that must be removed before a record counts as de-identified.
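To show how the Patient X file moves from identifiable PHI to de-identified data, here is an added example (not code from the original article or from U.S. Legal Support) that applies the mechanical part of the Safe Harbor method to a record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to three digits, and ages over 89 are aggregated. The record layout, field names, and the small-population ZIP prefix set are assumptions constructed for illustration; the real prefix list is derived from Census population data.

```python
"""Safe Harbor style de-identification of a constructed patient record.

Added example; field names, the record layout and SMALL_POPULATION_ZIP3
are assumptions made for illustration, not part of the article.
"""
from __future__ import annotations

import re
from copy import deepcopy

# Direct identifiers that Safe Harbor requires removing outright
# (a subset of the 18 categories, keyed by assumed field names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Date fields tied to the individual: only the year may be kept.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "treatment_dates", "death_date"}

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# ZIP3 prefixes whose combined population is 20,000 or fewer must become "000".
# Constructed placeholder set; the real list comes from Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}


def generalize_date(value: str) -> str:
    """Keep only the year of an ISO date (YYYY-MM-DD)."""
    m = ISO_DATE.match(value)
    if not m:
        raise ValueError(f"expected ISO date, got {value!r}")
    return m.group(1)


def generalize_zip(zip_code: str) -> str:
    """Truncate to the first three digits; use 000 for sparsely populated areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def is_identifiable(record: dict) -> bool:
    """True if the record still carries any Safe Harbor identifier handled here."""
    if set(record) & DIRECT_IDENTIFIER_FIELDS:
        return True
    for field in DATE_FIELDS & set(record):
        values = record[field] if isinstance(record[field], list) else [record[field]]
        if any(ISO_DATE.match(str(v)) for v in values):
            return True
    if "zip" in record and len(str(record["zip"])) > 3:
        return True
    if "age" in record and isinstance(record["age"], int) and record["age"] > 89:
        return True
    return False


def deidentify(record: dict) -> dict:
    """Return a new record with identifiers removed or generalized."""
    out: dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop outright
        if field in DATE_FIELDS:
            if isinstance(value, list):
                out[field] = sorted({generalize_date(v) for v in value})
            else:
                out[field] = generalize_date(value)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif field == "age":
            out[field] = generalize_age(value)
        else:
            out[field] = deepcopy(value)  # clinical content is retained
    return out


# Constructed sample record modelled on the "Patient X" file in the text.
PATIENT_X = {
    "label": "Patient X",
    "city": "Atlanta",
    "zip": "30301",
    "age": 92,
    "treatment_dates": ["2023-05-14", "2023-09-02"],
    "diagnoses": ["type 2 diabetes", "breast cancer (in remission)", "eczema"],
}

if __name__ == "__main__":
    print(is_identifiable(PATIENT_X))   # True: city and full dates present
    clean = deidentify(PATIENT_X)
    print(clean)
    print(is_identifiable(clean))       # False: only year, ZIP3 and '90+' remain
```

The diagnoses survive de-identification untouched; what changes is the context around them. Note that Safe Harbor also requires that the holder have no actual knowledge the remaining data could identify the individual, which no function can check for you.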
Covered entities and their business associates have a legal duty to meet HIPAA requirements.
Covered entities are those that collect, create, or transmit PHI electronically, such as:
Business associates refer to any entity that utilizes, transmits, or otherwise comes into contact with PHI in the course of performing work for a covered entity. This runs the gamut from medical consulting to administrative functions such as:
If you read the HIPAA text literally, lawyers are included: the regulatory definition of a business associate (45 CFR 160.103) names legal services among those that make a contractor a business associate when performed on behalf of a covered entity, as summarized above.
The HIPAA language identifies legal teams employed or consulted by health insurers and healthcare providers, but it doesn’t explicitly call out the governance of medical records in the hands of personal injury lawyers representing patients, criminal prosecution and defense attorneys, or any other instance unrelated to serving a covered entity.
So, does HIPAA apply whenever a lawyer handles PHI? Opinions and perspectives, even from the most well-intended sources, are mixed on the topic. Even within a single article from the American Bar Association, you can see these conflicting messages: 2
That said, an attorney requesting medical records should err on the side of caution and handle PHI under HIPAA guidelines as a matter of course. Regardless of whom you represent, HIPAA sets the baseline for client expectations of medical record confidentiality and security, so following it can also establish or strengthen trust with clients.
HIPAA is implemented through three core rules that detail the protection of patient health information, plus a fourth added to clarify the responsibilities of business associates.
The HIPAA Privacy Rule establishes strict confidentiality: by default, the patient or their representative must authorize in writing before personal health information is shared, with exceptions for disclosures necessary for treatment, payment, and health care operations. 3
Providers and other covered entities are accountable for establishing, reviewing, and maintaining operational practices that limit the use and disclosure of personally identifiable PHI. This includes: 3
Less than 10 years after HIPAA’s debut, the Security Rule was added to regulate the transmission, storage, and use of electronic protected health information (ePHI). HIPAA as a whole covers PHI in any form, but the Security Rule targets ePHI specifically, providing guidance as more entities transitioned to electronic records.
Under the Security Rule, covered entities must establish security measures and policies that ensure: 3
By 2009, covered entities also needed rules for what to do when a data breach occurred despite their efforts to protect PHI and ePHI; the Breach Notification Rule was added that year under the HITECH Act.
The HIPAA Breach Notification Rule sets up expectations for covered entities in the case of file theft, technical error, hacking, or other security breaches that result in the use or disclosure of PHI impermissible under the HIPAA Privacy Rule. When this occurs, the entity must: 3
If more than 500 residents of a state or jurisdiction are affected, the breached entity must also notify prominent media outlets serving that area. Breaches affecting 500 or more individuals must be reported to the Secretary of HHS without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported to HHS annually.
The 2013 Omnibus Rule brought business associates fully to the table.
With the Omnibus Rule, business associates (any entity that encounters PHI in the course of performing work, including legal representation, for a covered entity) became directly liable for compliance with the applicable HIPAA requirements. 3
The rule also provided guidance on creating legally binding Business Associate Agreements (BAAs) that ensure PHI protection under HIPAA.
Today, ensuring HIPAA compliance involves a combination of platform and hardware security, training, and working habits.
To ensure HIPAA compliance across procedures:
For ePHI:
For paper files:
The HIPAA Privacy and Security Rules are enforced by the Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services; suspected criminal violations are referred to the Department of Justice. Violations can draw civil penalties or, for knowing misuse of PHI, criminal penalties up to felony level, including: 4
Of the top five compliance issues most often alleged, two are of particular note for lawyers in possession of patient records: 7
The most efficient step in a HIPAA compliance checklist for law firms is to partner with a comprehensive medical records service provider.
The team at U.S. Legal Support Services fulfills more than 400,000 medical record retrieval requests every year. After you tell us what you need and when you need it, we handle the entire process of coordinating with billing and medical records departments, including follow-up phone calls, untangling lost or incomplete information, and tracking each document’s progress.
With a nationwide network of over 1.1 million provider relationships, we retrieve and digitize the records you need, and offer organization and analysis. Your files are transferred and stored through a secure portal that is HIPAA compliant and covered by a SOC 2 Type 2 attestation.
Reach out to learn more about our legal support services today.
Sources:
Content published on the U.S. Legal Support blog is reviewed by professionals in the legal and litigation support services field to help ensure accurate information. The information provided in this blog is for informational purposes only and should not be construed as legal advice for attorneys or clients.