Under HIPAA, covered entities are defined as individuals or entities that transmit protected health information for certain transactions. These transactions generally include include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization. Covered entities are defined in the HIPAA rules as (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Law firms are not health plans; they are not healthcare clearinghouses; and at the risk of stating the obvious, they provide legal services, not provision of healthcare. Nevertheless, law firms may be required, under the HIPAA Privacy Rule, to do what is required of covered entities: to implement appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI). As a HIPAA business associate, law firm HIPAA compliance is required to service healthcare clients.
What are Business Associates?
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Business associate services include (among others):
- Legal services;
- Actuarial services;
- Accounting services;
- Consulting services;
- Data aggregation services; and
- Financial services.
When is a Law Firm a Business Associate?
Any attorney whose legal services for a covered entity involves access to PHI is a HIPAA Business Associate, therefore, law firm HIPAA compliance is required. Some types of law firms, such as those that concentrate in real estate or contract law, do not require access to patient records.
Other types of law firms, however, routinely require access to PHI. Such firms include:
- Law firms that perform medical records review with regard to a personal injury case.
- Personal injury defense attorneys hired by insurance companies (i.e., homeowner’s insurance companies, auto accident insurance companies), to defend against claims brought by personal injury Plaintiffs. If the insurance company shares medical records with the defense attorney so that the defense attorney can review the records, to provide legal advice, and the records contain PHI, the law firm is a business associate, and law firm HIPAA compliance is required.
- Law firms that perform legal services for a covered entity (e.g., for a health plan).
- For example, an attorney who provides legal services to a plan in reviewing a benefits claim is a business associate, if the claim involves PHI.
- Malpractice defense firms that represent covered entities accused of medical malpractice.
- In such cases, the doctor against whom malpractice is alleged, shares patient medical records containing patient PHI, with the law firm, so the law firm can provide a legal defense for the doctor. Here, a covered entity (the doctor) is sharing patient data with someone outside his or her office (the attorney), so that someone can provide a service with respect to the PHI (a legal defense). Under these circumstances, the law firm is a business associate, and law firm HIPAA compliance is required.
In sum, a law firm is considered a business associate of a covered entity, if:
- The covered entity transmits PHI to the law firm; in order for
- The law firm to provide legal services to the covered entity, services that involve access to the PHI.
What Must Business Associate Law Firms Do to Comply With HIPAA?
Under the HIPAA Omnibus Rule, business associates, including those business associates that are law firms, must comply with the HIPAA Security Rule and the HIPAA Privacy Rule. Business Associates are subject to audits by the Office for Civil Rights through the Department of Health and Human Services. Those business associates that are found to not be HIPAA compliant after a HIPAA compliance audit may be held accountable for data breaches and suffer penalties.