Are lawyers considered business associates?

Attorneys working with healthcare clients face unique challenges related to HIPAA. Lawyers may be considered business associates under HIPAA when providing legal services to covered entities, like healthcare providers. 

Some common scenarios and the types of PHI they might encounter include:

• Healthcare regulatory and compliance matters: Attorneys may handle patients' medical records, billing information, or other sensitive data while ensuring their clients comply with healthcare regulations.
• Medical malpractice defense: PHI may include patients' medical histories, treatment plans, and communications with healthcare providers.
• Healthcare mergers and acquisitions: Due diligence may involve reviewing medical records, billing data, or contractual relationships involving PHI.
• Healthcare billing audits and investigations: Lawyers may need to analyze patient billing records, coding practices, and reimbursement claims.
• Health information technology and electronic health records matters: Attorneys may handle patients' ePHI or address data breaches and cybersecurity concerns.
• Patient privacy and data breach matters: Cases may involve investigating unauthorized access, disclosure, or use of PHI.
• Employment and labor law matters: Lawyers may encounter employees' medical records or health-related information in workplace accommodations disputes.
• Contract negotiation and drafting: PHI may even be present in contracts with vendors, payors, or other entities.

In a nutshell, when casework contains PHI, and the client is a covered entity, the attorney may be considered a business associate. 

Lawyers' HIPAA obligations as business associates

A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) for a covered entity. The Department of Health and Human Services states, "The HIPAA Rules apply to covered entities and business associates."

When acting as business associates, attorneys must comply with specific HIPAA requirements:

• Adhere to the Privacy Rule: Lawyers should only use or disclose PHI as permitted or required by the BAA, the Privacy Rule, or as required by law. This includes implementing safeguards to prevent unauthorized access, disclosure, or use of PHI.
• Comply with the Security Rule: Attorneys must establish administrative, physical, and technical safeguards to protect ePHI. This may involve risk assessments, data encryption, access controls, and regular security audits.
• Promptly notify the covered entity of any breaches: In case of a breach involving unsecured PHI, attorneys must provide detailed information about the breach, including the number of affected individuals, the nature of the breach, and any mitigation steps taken.
• Enter into a business associate agreement (BAA): The BAA should outline permitted uses and disclosures of PHI, implemented safeguards, and other terms to ensure HIPAA compliance.

Covered entities' obligations to ensure lawyer compliance

Covered entities have a responsibility to ensure that their lawyers fulfill their HIPAA obligations:

• Verify that the attorney understands HIPAA requirements.
• Establish a BAA with the lawyer.
• Periodically review the lawyer's compliance with HIPAA.
• Address any concerns about the handling of PHI.
• Terminate the BAA if a breach occurs or the attorney fails to comply with HIPAA requirements.

Several tools and resources can assist attorneys in managing and maintaining their HIPAA compliance:

• Secure communication platforms: Services like Paubox offer encrypted email solutions specifically designed for HIPAA compliance.
• HIPAA training providers: Organizations like the American Health Lawyers Association (AHLA) and the Health Care Compliance Association (HCCA) offer training programs and resources tailored for legal professionals.
• Risk assessment tools: The HHS Office for Civil Rights (OCR) provides a free Security Risk Assessment Tool to help organizations identify potential risks and vulnerabilities in their ePHI handling.
• HIPAA compliance checklists: Resources like the HIPAA Compliance Checklist from the OCR can help attorneys ensure they cover all necessary requirements.

The importance of secure, HIPAA-compliant communication

Secure and HIPAA-compliant communication between attorneys and covered entities is vital to protect PHI:

• Use HIPAA compliant email services that adhere to HIPAA requirements: Select a secure email provider with encryption, strict access controls, and audit capabilities.
• Train staff on secure email practices and handling PHI: Educate employees about the importance of secure communication, password management, and recognizing phishing attempts.
• Establish a secure document-sharing platform for exchanging PHI: Choose a platform with encryption, access controls, and audit logging to share sensitive information securely.
• Implement access controls and password policies: Require strong, unique passwords, two-factor authentication, and regularly review access rights to limit unauthorized access to PHI.

Tips for maintaining HIPAA compliance

To maintain HIPAA compliance, lawyers and healthcare clients should:

• Determine if a BAA is necessary: Consult with experts to understand when a BAA is required and ensure that both parties are clear about their roles and responsibilities.
• Ensure BAAs include clear terms for permitted uses, disclosures, and safeguards: Draft a comprehensive BAA that outlines the lawyer's responsibilities, permitted uses, and disclosures of PHI and the specific safeguards to be implemented.
• Implement training programs for staff handling PHI: Provide regular training on HIPAA requirements, secure communication practices, and handling PHI to minimize the risk of breaches.
• Conduct regular audits of policies, procedures, and security measures: Perform periodic reviews and assessments to ensure ongoing compliance with HIPAA and identify improvement areas.
• Review and update BAAs as needed, particularly when new services or subcontractors are involved: Periodically reassess the BAA and update it as necessary to reflect changes in services, subcontractors, or HIPAA requirements.

Consequences of non-compliance

Non-compliance with HIPAA requirements can result in severe consequences for both lawyers and covered entities, such as:

• Financial penalties: Violators can face fines ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations. In some cases, higher fines may be imposed depending on the level of negligence or intent.
• Reputational damage: HIPAA breaches can lead to negative publicity, loss of trust among clients and patients, and potential harm to an organization's or attorney's reputation.
• Legal consequences: In addition to regulatory penalties, non-compliance may expose the involved parties to civil lawsuits from affected individuals or other entities.
• Corrective action plans: The HHS Office for Civil Rights (OCR) may require violators to implement corrective action plans, which can be time-consuming, expensive, and involve ongoing monitoring.

In 2023, a New York law firm agreed to pay a $200,000 settlement after failing to protect clients' personal data. The case emphasized the responsibility of law firms to maintain adequate data security measures, especially when handling sensitive personal and healthcare information.

In 2017, the Center for Children's Digestive Health (CCDH) agreed to pay a $31,000 settlement for failing to have a business associate agreement in place with its medical records storage provider, FileFax. The HHS Office for Civil Rights (OCR) discovered the lack of a BAA during an investigation initiated after a separate investigation of FileFax. This case underscores the necessity of establishing BAAs with all parties that handle PHI.

Best practices in selecting and working with legal counsel

Covered entities should consider the following best practices when selecting and working with legal counsel:

1. Assess the attorney's experience in healthcare law: Choose a lawyer with a strong background in healthcare law and proven experience handling cases involving HIPAA regulations.
2. Evaluate the attorney's knowledge of HIPAA requirements: Ensure that the attorney is knowledgeable about current HIPAA regulations and has a track record of maintaining compliance for their clients.
3. Request references from other healthcare clients: Ask for references from other covered entities who have worked with the attorney and can speak to their expertise in healthcare law and HIPAA compliance.
4. Establish secure, encrypted communication channels: Work with your attorney to create a secure method of exchanging PHI and other sensitive information.
5. Monitor and review the attorney's HIPAA compliance: Periodically assess the lawyer's compliance with HIPAA requirements and address any concerns or issues that may arise.

Roles in protecting PHI

As attorneys navigate the complex intersection of legal services and healthcare, understanding their role as business associates and HIPAA obligations is critical. Lawyers can maintain compliance and protect their client's sensitive information by staying informed and following best practices.