Law firms, depending on the nature of the services they provide to covered entities, may fall under the definition of “business associates.” Law firms that qualify as business associates (BAs) must be HIPAA compliant. Tips for developing a HIPAA compliance checklist for law firms are discussed below.
What is a HIPAA Compliance Checklist for Law Firms: When is a Law Firm a BA?
Business associates perform functions or activities on behalf of covered entities, and those services involve the use or disclosure of PHI. Providers of such services include accounting firms, consulting firms, financial services companies, and law firms, among many others. The types of law firms whose work involves regular access to PHI, thereby invoking HIPAA, include:
Medical malpractice firms. These firms routinely provide services to doctors accused of medical malpractice. To prove a medical malpractice case, a plaintiff must show that a doctor acted negligently. The plaintiff must also show that but for the negligence, the plaintiff would not have been injured. To assess the strength of the plaintiff’s claims, the medical malpractice firm reviews patient records supplied to it by the physician.
Whenever a law firm provides legal medical record review to a physician – whenever the law firm transmits, maintains, receives, or accesses PHI – the law firm is acting as a business associate.
In checklist terms, this means the law firm must comply with every component of the HIPAA Privacy Rule that the covered entity itself would have been required to comply with, had it performed the service in-house instead of contracting it to the lawyer.
The law firm must comply with the entirety of the HIPAA Security Rule.