It’s not just healthcare organizations that need to adhere to HIPAA requirements. Attorneys and law firms often deal with healthcare providers and private health records and need to ensure they meet regulatory standards.
Getting HIPAA requirements wrong can lead to a financial penalty, so read on to find out what you need to know about HIPAA as an attorney and the best practices you and your firm should be following.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. As an attorney, you need to be fully aware of HIPAA requirements and consider them in your everyday practices, from handling sensitive patient data to your use of tort attorney software.
Attorneys concerned with HIPAA requirements will need to pay particular attention to the accountability aspects of the act noted in these provisions:
- Privacy Rule: Protects the privacy of individually identifiable health information, known as Protected Health Information (PHI). It sets boundaries on the use and release of health records, establishes safeguards to protect the privacy of PHI, and holds violators accountable, often with civil and criminal penalties.
- Security Rule: Specifies a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (e-PHI).
- Transactions and Code Sets Rule: Standardizes the codes used to specify diseases, treatments, and medical procedures. This facilitates health-related electronic transactions like billing, referrals, and other administrative work.
- Unique Identifiers Rule: Provides a standardized way to identify healthcare entities in electronic transactions through the National Provider Identifier (NPI).
- Enforcement Rule: Provides guidelines for investigations into HIPAA compliance violations, including imposing monetary penalties for violations and procedures for hearings.
The Scope of HIPAA for Attorneys
The healthcare industry may be the primary target of HIPAA regulations. Still, there are various instances where attorneys must follow its guidelines, especially when dealing with medical cases with Protected Health Information (PHI).
Attorneys may encounter PHI in scenarios such as:
- Medical malpractice litigation
- Personal injury cases
- Workers’ compensation
- Family law cases involving medical records
- Employment discrimination cases with medical considerations
Key HIPAA Requirements for Attorneys
Business Associate Agreements (BAAs)
If an attorney is performing services for a covered entity (like a healthcare provider or insurer) and has access to PHI, they may be considered what HIPAA terms a “business associate”.
In this case, they must have a Business Associate Agreement (BAA) with the covered entity, which outlines how PHI will be used, disclosed, and protected. These agreements typically cover your responsibilities concerning PHI and any subcontractors you might work with.
In addition to BAAs, attorneys should also be aware that certain situations may require the use of HIPAA forms and documentation, such as consent forms for the release of medical records or authorization forms for the use of PHI in legal proceedings.
Data Protection
Attorneys with access to PHI must have physical, administrative, and technical safeguards in place. This means secured databases, encrypted communications, staff training, and protocols for handling and storing sensitive data.
Law firms working with or in relation to a covered entity will be expected to have strong data protection in place. Everything from your emails to your remote desktop connection manager should be considered.
Even if an attorney is permitted to access PHI for a case, HIPAA mandates the “minimum necessary” principle. Attorneys should only request, use, or disclose the minimum amount of PHI necessary to accomplish the intended purpose.
Notification of Breaches
If there’s a major or minor breach or unauthorized disclosure of PHI, attorneys must have processes to notify the covered entity and, in some cases, the affected individuals and even the Department of Health and Human Services (HHS).
Business associates should inform the covered entity without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach. The notification should provide:
- A description of the breach
- The types of information involved in the breach
- Steps taken to investigate the breach
- Potential mitigative measures taken
Often, it’s then up to the covered entity to inform individuals, but this can depend on who the attorney is working with.
Document Retention
Any PHI records attorneys hold must be retained securely for the required period (often six years), and there should be clear policies about document destruction once that period expires.
Attorneys must retain documents such as:
- Business Associate Agreements
- Privacy and security policies and procedures specific to the firm’s handling of PHI
- Risk assessment reports and results
- Training materials and documentation related to HIPAA compliance training for staff
- Any incident or breach documentation, including investigations, notifications, and responses
HIPAA doesn’t mandate a specific format for retaining records — they can be kept in either electronic or paper format, but they must be accessible, reproducible when required, and protected from unauthorized digital or physical access, tampering, or destruction.
Best Practices for Attorneys to Meet HIPAA Requirements
Thorough and Continuous Training
Attorneys and all staff at a legal firm should familiarize themselves with which of their clients or activities fall under HIPAA’s jurisdiction, common violations, and potential risks. This should be included as part of onboarding training and flagged when new cases are accepted.
In addition, you should regularly update your staff and legal professionals on HIPAA compliance, ensuring everyone knows how to handle PHI correctly. Set a fixed annual date for refresher training for all staff.
Tip: Ask all staff to bookmark the official HHS HIPAA webpage or use online HIPAA training resources like those from the American Bar Association (ABA).
Use Secure Communication
Data breaches are likely if communication lines are insecure, whether email, messaging, or phone calls.
Attorneys should always use secure, encrypted email services when sending or receiving PHI electronically. You should also be wary of discussing PHI over unsecured phone lines or in public places where conversations can be overheard.
Tip: Implement email software that prompts a warning or requires an additional step when sending emails containing potential PHI.
Manage Data Storage, Access Control, and Documents with Care
Communication isn’t the only vulnerability at law firms. Your storage solutions and document management systems can be hacked too.
Store electronic files containing PHI on secure, encrypted drives or cloud storage solutions that comply with HIPAA. Limit access to PHI only to those within the firm who need it for case-related reasons. Use strong, unique passwords, and consider two-factor authentication for added security.
You should also maintain a strict protocol for document retention. Have a clear policy for document destruction, ensuring that both electronic health records and paper records containing PHI are destroyed so they can’t be reconstructed.
Tip: Use software that tags and categorizes documents containing PHI and sets automated reminders for when these documents should be reviewed or securely destroyed.
Have a Response Plan for Data Breaches
It’s always best to prepare for the worst. You must develop and regularly update a response plan for any potential security incidents. This plan should outline the steps to be taken, including notifications, internal investigations, and corrective actions.
Utilizing incident alert management systems can be highly beneficial in promptly detecting and responding to breaches.
Also, familiarize yourself with the breach notification requirements under HIPAA, ensuring timely reporting if a breach does occur. Ensure all bases are covered, from information stored on sites with other domains via Only Domains to employees’ smartphones.
Tip: Conduct mock breach scenarios annually to test your firm’s contingency plan. This will help familiarize everyone with the steps they must take in an actual breach situation.
Maintain Physical Security
While the above tips focus on electronic and technical safeguards, many law firms have paper records too. Keep paper documents containing Protected Health Information in locked cabinets or secure rooms.
You should also ensure office premises have adequate security measures like alarms, surveillance cameras, and controlled access to areas where sensitive information is stored.
Tip: Install a logging system for access to workstations and secure areas to trace who had access to sensitive information and when.
Regularly Audit and Review
Once you have administrative safeguards in place, don’t just forget about them indefinitely. Instead, regularly audit your firm’s practices and data management tools regarding PHI to ensure ongoing compliance.
Review and update your internal policies regularly to adapt to law changes and address potential vulnerabilities.
Tip: Use a compliance checklist to ensure all areas of potential concern are audited bi-yearly.
Collaborate with IT Staff and External Consultants
IT professionals are your best friends regarding HIPAA’s technical policies. Schedule routine cybersecurity assessments, vulnerability scans, and penetration testing to uncover and address potential weaknesses. Breaches can appear in places with little human interaction too, like automated customer service software, so be sure to get IT to cover all the bases.
Finally, if you’re still unsure about meeting HIPAA requirements, it’s time to seek external advice. And even if you’re confident in your technical security measures, seeking external legal or compliance consultation periodically can help identify potential oversights or areas of improvement.
Tip: Attend seminars or webinars focused on the intersection of legal practice and HIPAA compliance.
Conclusion: Ensure your firm meets HIPAA requirements
HIPAA requirements mean any law firm should have reasonable safeguards in place to protect clients, patients, and employees. While monetary penalties are a top concern, HIPAA is also about ensuring trust across your firm and for your clients.
If your firm is dealing with any healthcare industry partners or clients, HIPAA is an essential part of day-to-day security practices, from data storage to everyday administrative actions. In addition to referencing this blog, please make sure you do comprehensive research on HIPAA compliance using the various resources available online and through credible sources.
Atlantic.Net can assist you with all your HIPAA cloud and storage hosting needs.