What Law Firms Should Know About HIPAA Compliance


A legal case that involves any type of injury, illness, or healthcare means accessing medical records, either for your client or the opposition. Regardless of whether you use them for direct evidence or background, the medical record retrieval process comes with strict HIPAA obligations.

Even as a sole practitioner, you'll want to establish practices for retrieving, accessing, and storing medical records that keep you compliant with HIPAA guidelines.

The first step is to understand the intent, evolution, and specifics of HIPAA compliance.

What is HIPAA? Understanding the Regulatory Context

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its amendments over the last two decades provide a nationwide regulatory framework for how medical records are accessed, stored, and shared. It applies to stakeholders both in and adjacent to the industry.

At its core, the HIPAA legislation:[1]

  • Declares the inherent confidentiality of patient records
  • Ensures patients can view and submit corrections to their own records
  • Promotes record portability so patients can change providers, insurers, or employers
  • Establishes practical guidelines on the administration of each rule

While the spirit of these laws is protecting patients’ privacy, an unintended consequence of them is that sharing records between providers, legal teams, and others is often extremely challenging. Keeping record collection secure and compliant requires attention to detail.

How HIPAA Came to Be: The History of the HIPAA Regulation

HIPAA was enacted in 1996 to improve the security and availability of health data for patients and other stakeholders across the U.S., but its privacy and security requirements did not take effect until the early 2000s. Its history includes the publication of its major rules and its connection to other legislation and policy initiatives that expanded its scope over time.[2]

The Privacy Rule was first published in 2000 to define what information HIPAA protects and the baseline restrictions on its use and disclosure. It was revised in 2002, and compliance became mandatory in April 2003. The Security Rule followed to extend protections to electronic records, specifying administrative, physical, and technical safeguards for the systems that handle them. The final Security Rule was published in 2003; compliance was required by April 2005 for most covered entities and by April 2006 for small health plans.

The next major advancement was the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.[3] It augmented HIPAA with greater specificity on enforcement penalties and on notification requirements, which became the Breach Notification Rule. These changes culminated in the Omnibus Rule of 2013, which, with minor adjustments, remains the form of HIPAA applicable today.


What Information is Protected Under HIPAA Law?

HIPAA protects individually identifiable health information created, received, or maintained by a covered entity or its business associates as protected health information (PHI).[1] In brief, PHI includes (but is not limited to):

  • Identification including name, contact details, relationships, gender, ethnicity, etc.
  • Insurance company and billing details, including claims, payments, and eligibility determinations
  • Medical history, genetic information, family history, and biometric identifiers
  • Current, past, and future physical and mental health conditions and diagnoses
  • Treatments, test results, surgeries, medications, and provider visits

When health information and personal identifiers are stored in the same record such that the record could reasonably lead to identifying the individual, the record is PHI.

For instance, if a patient has diabetes, a history of breast cancer in remission, and eczema, this trio of diagnoses filed under "Patient X" alone is not PHI. However, if the Patient X file also lists the city in which treatment occurred, along with specific dates of service and other details that could lead to Patient X being identified, the record is PHI for HIPAA purposes. Note that full dates (anything more specific than the year) and geographic detail smaller than a state are themselves identifiers under HIPAA's de-identification standard, so seemingly harmless context added to a file can be enough to tip it into PHI.
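The rule above, health information plus at least one identifier, is mechanical enough to check in code, and a record retrieval workflow benefits from doing so before anything is shared. The following is an added illustration written for this article; it is not code from U.S. Legal Support or from any HIPAA product. The record schema (which fields count as identifiers and which as health information), the regular expressions, and the two Patient X records are assumptions constructed for the example. The identifier categories it looks for follow HIPAA's Safe Harbor de-identification list (names, geographic units smaller than a state, dates other than year, phone numbers, email addresses, Social Security numbers, medical record numbers, and so on).

```python
"""Classify a retrieved record as PHI under the rule above and produce a
redacted copy for sharing.

Added illustration for this article; not code from U.S. Legal Support or
from any HIPAA tooling. The field names, the record contents, and the
split between identifier and health fields are assumptions for the example.
"""
import re

# Structured fields that are identifiers (assumed schema). Treatment dates are
# listed here, not under health fields, because full dates are identifiers.
IDENTIFIER_FIELDS = {
    "name", "dob", "ssn", "phone", "email", "mrn",
    "address", "city", "zip", "treatment_dates",
}

# Structured fields that carry health information (assumed schema).
HEALTH_FIELDS = {"diagnoses", "medications", "procedures"}

# Identifiers that turn up inside free text such as clinical notes or letters.
# A bare year is deliberately not matched: it is not an identifier on its own.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}, \d{4})\b"
    ),
}


def find_identifiers(record):
    """Return the sorted identifier categories present in a record."""
    found = set()
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            if value not in (None, "", []):
                found.add(field)
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.add(label)
    return sorted(found)


def has_health_information(record):
    return any(record.get(field) for field in HEALTH_FIELDS)


def is_phi(record):
    """The article's rule: health information plus at least one identifier."""
    return has_health_information(record) and bool(find_identifiers(record))


def redact(record):
    """Return a copy with identifier fields dropped and free-text identifiers masked.

    The names of the dropped fields are kept so the recipient knows what was
    withheld; the values are not.
    """
    out, dropped = {}, []
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            dropped.append(field)
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[{label.upper()}]", value)
            out[field] = value
        else:
            out[field] = value
    out["redacted_fields"] = dropped
    return out


# Constructed records mirroring the article's Patient X example.
PATIENT_X = {
    "patient_label": "Patient X",  # a pseudonym, not an identifier
    "diagnoses": ["type 2 diabetes", "breast cancer (in remission)", "eczema"],
}

PATIENT_X_WITH_DETAILS = {
    **PATIENT_X,
    "city": "Springfield",
    "treatment_dates": ["03/12/2019"],
    "notes": "Patient called from (555) 010-2222 on 03/14/2019 about a refill.",
}

if __name__ == "__main__":
    for label, rec in (("diagnoses only", PATIENT_X), ("with details", PATIENT_X_WITH_DETAILS)):
        print(f"{label}: PHI={is_phi(rec)} identifiers={find_identifiers(rec)}")
    print(redact(PATIENT_X_WITH_DETAILS))
```

Run as-is, the diagnoses-only record is reported as not PHI and the detailed one as PHI with identifiers found both in structured fields (city, treatment dates) and embedded in the free-text note (a phone number and a full date). Redacting produces a record that still carries the diagnoses but no longer satisfies the rule. Regular expressions catch the formatted identifiers; names and cities in free text need a dictionary or a trained recognizer, which is the gap the AI-assisted tooling discussed later on this page is meant to fill.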

What Entities Are HIPAA Mandated Under the Law?

HIPAA applies to two main parties: covered entities and select business associates thereof.

A HIPAA-covered entity is not simply anyone who touches PHI; the term is limited to three categories of organization or individual that create, receive, or transmit PHI or electronic PHI (ePHI), on paper or electronically:

  • Healthcare providers, both individual and institutional, that transmit health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like)
  • Health insurance providers and health plan administrators
  • Healthcare clearinghouses dedicated to processing PHI data

Business associates are entities that use, transmit, or otherwise come into contact with PHI in the course of performing work for a covered entity. HIPAA business associate roles and responsibilities run the gamut from direct medical consulting to administrative and other functions, such as: 

  • Third-party medical and administrative consultants and facilities
  • Billing companies 
  • Electronic health record (EHR) platforms 
  • Physical storage, faxing, and shredding providers
  • Cloud service, email hosting, and IT providers
  • Managed service providers (MSPs)
  • Accountants and auditors
  • Lawyers and legal service providers

In practice, legal professionals handling PHI through record retrieval or general trial processes may be considered HIPAA business associates. As such, they may need to comply with HIPAA.

What Do HIPAA Guidelines Mean for Law Firms?

If you read the HIPAA text as a purist, you’ll see that lawyers are included when they perform on behalf of covered entities, as summarized above.

Looking more closely, HIPAA’s language identifies legal teams employed or consulted by health insurers and medical providers, but it doesn’t explicitly call out the governance of medical records in the hands of personal injury lawyers representing patients, criminal prosecution and defense attorneys, or any other instance unrelated to serving a covered entity. 

So, does HIPAA apply whenever a lawyer handles PHI?

Opinions, even from well-intentioned sources, remain mixed on the topic. Even within a single article from the American Bar Association, you can find conflicting messages:[4]

  1. “Of particular interest to family law attorneys, Title II of HIPAA provides the majority of the provisions regarding the safekeeping, sharing, and enforcement requirements for health care providers and others who handle “protected health information” (PHI).”
  2. “…if the holder of the medical information does not meet the definition of a covered entity, HIPAA does not apply…”

That said, attorneys requesting medical records should err on the side of caution: handle PHI under HIPAA guidelines as a matter of course, irrespective of whether HIPAA technically applies to your firm.

Regardless of whom you represent, HIPAA sets the baseline for client expectations of record confidentiality and security, so it can help establish or strengthen trust with clients as well. 

What Are the Four Rules of HIPAA?

Three core rules detail the protection of patient health information, and a fourth, the Omnibus Rule, consolidated them and clarified the responsibilities of business associates.

#1 Privacy Rule (Required as of 2003)

The HIPAA Privacy Rule establishes confidentiality as the default: a covered entity needs the patient's (or their representative's) written authorization before using or disclosing PHI, with exceptions that allow information to flow as necessary for treatment, payment, and healthcare operations.[5]

Covered entities are accountable for establishing, reviewing, and maintaining operational practices that limit the use and disclosure of personally identifiable PHI. This includes: 

  • Limiting disclosure to only what is necessary or identified in a records request
  • Removing personal identifiers from health data shared for research or similar purposes
  • Training staff to follow HIPAA guidelines and policies

Collectively, these restrictions limit the use and disclosure of PHI to only those parties who have a right to access it (e.g., the patients) and authorities or other stakeholders who may need it.

#2 Security Rule (Required as of 2005)

Less than 10 years after HIPAA’s debut, the Security Rule was drafted to regulate the transmission, storage, and usage of electronic protected health information (ePHI).

The entirety of HIPAA deals with PHI in any form, including electronic; but the HIPAA Security Rule specifically targeted ePHI to provide guidance as more entities were transitioning to electronic records. 

Under the Security Rule, covered entities must establish security measures to ensure: 

  • Confidentiality at all stages of creation, receipt, maintenance, and transmission
  • Access for on-demand usage by authorized personnel
  • File safety from deletion, tampering, or corruption
  • Staff and contractor training to maintain these measures

The safeguards prescribed in the Security Rule are the concrete controls that back the Privacy Rule's goal that PHI is not used or disclosed inappropriately.

#3 Breach Notification Rule (Required as of 2009)

By 2009, covered entities needed to know what to do when a breach occurred despite their efforts to protect PHI and ePHI. Contrary to popular belief, a breach does not have to be a large-scale attack in which many records are leaked, although those are the most damaging scenarios. Under HIPAA, the impermissible disclosure of even a single record can be a breach.

The HIPAA Breach Notification Rule sets up expectations for covered entities in the case of file theft, technical error, hacking, or other security breaches that result in the use or disclosure of PHI impermissible under the HIPAA Privacy Rule. When this occurs, the entity must: 

  • Notify affected individuals in writing without unreasonable delay, and no later than 60 calendar days after discovery of the breach
  • Describe the nature of the breach and what data was compromised
  • Outline their investigation and plans to limit the resulting damage
  • Recommend precautionary steps that affected individuals can take
  • Note what efforts are underway to ensure this doesn’t happen again

If more than 500 residents of a state or jurisdiction are affected, the breached entity must also notify prominent media outlets serving that area so that all impacted parties receive notice, and must report the breach to HHS without unreasonable delay (again, within 60 days of discovery). Breaches affecting fewer than 500 individuals are logged and reported to HHS annually.

#4 Omnibus Rule (Effective as of 2013)

The 2013 Omnibus Rule consolidated the HIPAA protections into one uniform regulation and brought business associates fully into scope. From that point, business associates (any entity that handles PHI while performing work, including legal representation, for a covered entity, as defined above) were explicitly and directly liable for HIPAA compliance. The rule also clarified the requirements for legally binding Business Associate Agreements (BAAs), the contracts that set out how a business associate must protect PHI. 

What Happens if You Violate HIPAA Rules?

HIPAA Privacy and Security rules are enforced by the Office for Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services (HHS). HIPAA violations can be processed at the civil level by the OCR, but the Department of Justice (DOJ) is brought in for cases of severe or chronic noncompliance that are elevated to the criminal (possibly felony) level.

Across these levels, penalties include but are not limited to:[6]

  • Civil monetary penalties assessed by OCR, tiered by the level of culpability (nearly $135 million collected to date)[7,8]
  • Criminal fines of up to $250,000 and federal prison time of up to 10 years for knowing misuse of PHI
  • Referral to a professional licensing authority
  • Further sanctions by a State Attorney General

Of the five violation issues most often alleged, two are of particular note for lawyers in possession of patient records:[9]

  • Lack of safeguards for protected health information
  • Lack of administrative safeguards for electronic protected health information

Importantly, both of these violations can happen even to legal teams that make a concerted effort to safeguard PHI. Sending PHI over an unsecured channel, or missing a patch on a firewall that fronts a system storing PHI, can be enough to cause a breach.

Staying ahead of pitfalls like these requires attention to detail from anyone who contacts PHI.

Best Practices for HIPAA Compliance

Today, ensuring HIPAA compliance involves a combination of platform and hardware security, training, and working habits across members of a legal team who come in contact with PHI.

To ensure HIPAA compliance across procedures: 

  • Train your team on the importance and methodology of HIPAA compliance.
  • Limit access to PHI to officially authorized individuals only.
  • Record access to either ePHI or physical copies at an individual level (no account sharing or signing out files at a team/project level).

To ensure compliance with ePHI specifically: 

  • Encrypt ePHI at rest and in transit, and require strong, unique credentials for every user
  • Log which users access which files, and review those logs
  • Keep ePHI inside a secure, access-controlled environment rather than in local downloads or email attachments
  • Maintain an inventory of the hardware that stores or processes ePHI
  • Lock or end sessions so ePHI is never left visible to the next person at a shared workstation
  • Wipe or destroy storage media before re-use or disposal

And, to ensure compliance with legacy paper records: 

  • Store documents in a locked, limited-access location
  • Institute a record-keeping process for accessing and reviewing files

Collectively, practices like these minimize the possibility of a HIPAA data breach.
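Several of the practices above (access only by authorized individuals, individual-level accountability with no shared accounts, and tracking who opens which files) only pay off if someone actually reviews the access log. The following is an added illustration written for this article, not code from U.S. Legal Support or from any product, showing what a first-pass audit of such a log looks like. The log format, user and host names, matter numbers, authorization table, and the ten-minute "same account on two workstations" window are all constructed assumptions; a real document management system has its own log schema, and the script would be adapted to it.

```python
"""Audit an ePHI access log against the practices above: access only by
authorized individuals, individual-level accountability (no shared accounts),
and a check for one account being used from two workstations at once.

Added illustration for this article; not code from U.S. Legal Support or any
product. The log format, user and host names, matter numbers, and the
authorization table are all constructed for the example.
"""
import re
from datetime import datetime, timedelta

# One access event per line (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"matter=(?P<matter>\S+) file=(?P<file>\S+) action=(?P<action>\S+)$"
)

# Who may open ePHI for which matter (assumed). Anyone else is unauthorized.
AUTHORIZED = {
    "2024-0117": {"jdoe", "amartin"},
    "2024-0203": {"amartin"},
}

# Account names that do not map to one person. Their use defeats the
# "record access at an individual level" practice, even when the matter is
# otherwise in scope for the team.
SHARED_ACCOUNT_PREFIXES = ("team-", "shared-", "scanner")

# If the same account is active on two different hosts inside this window,
# treat it as a sign of credential sharing.
CONCURRENT_WINDOW = timedelta(minutes=10)


def parse(line):
    """Parse one log line into a dict; reject lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def audit(lines, authorized=AUTHORIZED, window=CONCURRENT_WINDOW):
    """Return (finding, user, detail) tuples in time order."""
    findings = []
    last_seen = {}  # user -> (timestamp, host) of that user's previous event
    for ev in sorted((parse(line) for line in lines), key=lambda e: e["ts"]):
        user, host = ev["user"], ev["host"]
        if user.startswith(SHARED_ACCOUNT_PREFIXES):
            findings.append(("shared-account", user, ev["file"]))
        if user not in authorized.get(ev["matter"], set()):
            findings.append(("unauthorized", user, ev["file"]))
        prev = last_seen.get(user)
        if prev and prev[1] != host and ev["ts"] - prev[0] <= window:
            findings.append(("concurrent-hosts", user, f"{prev[1]}+{host}"))
        last_seen[user] = (ev["ts"], host)
    return findings


# Constructed sample log.
SAMPLE_LOG = [
    "2024-05-06T09:12:03Z user=jdoe host=WS-12 matter=2024-0117 file=records/0117/ortho_notes.pdf action=view",
    "2024-05-06T09:15:40Z user=jdoe host=WS-31 matter=2024-0117 file=records/0117/imaging.pdf action=download",
    "2024-05-06T09:20:11Z user=bnguyen host=WS-07 matter=2024-0203 file=records/0203/discharge.pdf action=view",
    "2024-05-06T10:02:55Z user=team-paralegal host=WS-07 matter=2024-0117 file=records/0117/billing.pdf action=view",
    "2024-05-06T14:30:00Z user=amartin host=WS-02 matter=2024-0203 file=records/0203/discharge.pdf action=view",
    "2024-05-06T16:05:00Z user=jdoe host=WS-12 matter=2024-0117 file=records/0117/ortho_notes.pdf action=view",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports four findings: jdoe's account used on WS-12 and WS-31 three and a half minutes apart, bnguyen opening a file on a matter they are not assigned to, and the team-paralegal account both because it is a shared login and because no shared login appears in the authorization table. The amartin event and jdoe's afternoon return to WS-12 are clean. The parser deliberately raises on a malformed line rather than skipping it: a log that silently drops events is worse than one that fails loudly, because the audit trail is the evidence you will need after a breach.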

Technological Approaches to Help Ensure HIPAA Compliance

One of the best ways an attorney or law firm can ensure HIPAA compliance when working with PHI and other sensitive records is to apply cutting-edge technologies for secure retrieval, processing, storage, and sharing. Working with a quality medical record retrieval partner means getting access to a platform for secure, efficient medical record processing and preventing a medical records breach.

For instance, artificial intelligence (AI) and machine learning (ML) tools can identify PHI before or during collection, tag it, and monitor for compliance risks throughout its life in your systems. Personally identifiable information (PII) can be redacted or otherwise accounted for, and the channels used to share documents can be checked for known weaknesses before anything is sent.

Best of all, these functions should all be easily accessible to anyone on the legal team and/or clients with data access rights, irrespective of their technological literacy. HIPAA is as much about ensuring the availability of PHI to those who need it as it is about safeguarding it.

Optimize Your Law Firm’s HIPAA Compliance Practices

The most efficient step in a HIPAA compliance checklist for law firms is to partner with a comprehensive medical records service provider that streamlines the entire process.

The team at U.S. Legal Support Services fulfills more than 400,000 medical record retrieval requests every year. After you tell us what you need and when you need it, we handle the entire process of coordinating with billing and medical records departments, including follow-up phone calls, untangling lost or incomplete information, and tracking each document’s progress. 

With a nationwide network of over 1.1 million provider relationships, we retrieve and digitize the records you need, and offer organization and analysis. Your files are transferred and stored through a secure portal that’s fully SOC 2 Type 2 and HIPAA compliant.

Reach out to learn more about our legal support services today. 

Sources: 

  1. HIPAA Journal. What is Considered PHI Under HIPAA? https://www.hipaajournal.com/considered-phi-hipaa/
  2. U.S. Department of Health and Human Services. HIPAA for Professionals. https://www.hhs.gov/hipaa/for-professionals/index.html
  3. U.S. Department of Health and Human Services. HITECH Act Enforcement Interim Final Rule. https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
  4. American Bar Association. HIPAA for the Family Law Attorney. https://www.americanbar.org/groups/family_law/publications/family-advocate/2023/winter/hipaa-family-law-attorney/
  5. Ground Labs. Personally Identifiable Information: HIPAA Facts & Best Practices. https://www.groundlabs.com/blog/personally-identifiable-information-hipaa-facts-best-practices-ground-labs/
  6. U.S. Department of Health and Human Services. Health Information Privacy / HIPAA Enforcement. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html
  7. HIPAA Journal. What Happens if You Break HIPAA Rules? https://www.hipaajournal.com/what-happens-if-you-break-hipaa-rules/
  8. U.S. Department of Health and Human Services. Health Information Privacy / Enforcement Highlights. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
  9. Health Capital Consultants. “Big Data” Privacy and Security Challenges Under HIPAA/HITECH. https://www.healthcapital.com/hcc/newsletter/6_13/HTML/DATA/6.6_big-data-ii_6.19.13.zd.php
Julie Feller
Julie Feller is the Vice President of Marketing at U.S. Legal Support where she leads innovative marketing initiatives. With a proven track record in the legal industry, Julie previously served at Abacus Data Systems (now Caret Legal) where she played a pivotal role in providing cutting-edge technology platforms and services to legal professionals nationwide.

Editorial Policy

Content published on the U.S. Legal Support blog is reviewed by professionals in the legal and litigation support services field to help ensure accurate information. The information provided in this blog is for informational purposes only and should not be construed as legal advice for attorneys or clients.