Attorney Responsibilities Under HIPAA
by Jeff Drummond
Any attorney who has been to a doctor’s office has heard of HIPAA, the often-misunderstood and occasionally misspelled federal healthcare privacy law. The Health Insurance Portability and Accountability Act of 1996 originated as the Kennedy-Kassebaum bill, a bipartisan legislative effort to prevent health insurers from rejecting potential new beneficiaries due to pre-existing conditions if the applicant had recently had insurance from another provider.
While HIPAA originally was intended to provide “portability” of insurance, it expanded into an omnibus law (embellished by extensive regulations) addressing, among other things, (i) the use of electronic transactions in the healthcare industry, (ii) healthcare fraud enforcement and (iii) a national standard of medical record privacy and security. The privacy and security requirements, not the portability issues, have caused the most angst for doctors and hospitals.
Original HIPAA Statute
The original HIPAA statute required the development of privacy and security rules applicable to a limited set of “Covered Entities”: health plans (insurers, including self-insured group health plans), healthcare providers (hospitals, doctors, dentists, etc.) and healthcare clearinghouses (specialized entities that translate claims data into different formats). But when the regulations were drafted, the Department of Health and Human Services lacked the authority to draft privacy and security regulations that would cover everyone who came into contact with medical information.
The regulations (specifically including separate privacy rules and security rules) were therefore drafted to impose rules only on Covered Entities. One of the rules required Covered Entities to enter into “Business Associate Agreements,” or “BAAs,” imposing similar restrictions on otherwise unregulated parties to whom they provide “protected health information” or “PHI.” Effectively, the HIPAA regulations required the Covered Entities to extend by contract the regulations the Department of Health and Human Services could not directly apply to other industry participants.
Any entity that receives PHI from a Covered Entity in the course of providing a service to the Covered Entity is a Business Associate. Specifically, lawyers representing Covered Entities, if they receive PHI from the Covered Entity (or produce PHI on the Covered Entity’s behalf), are Business Associates. Therefore, if you represent a health plan, provider or clearinghouse and receive PHI from the client, you must enter into a BAA with the client. If you have not, your client is likely in violation of HIPAA.
Most Covered Entities want all of their vendors to sign the same form of BAA, and will often encourage their law firms to sign the same agreement. However, because lawyers are different from other vendors, there are several reasons to resist signing a standard-form BAA.
Specifically, attorneys have ethical obligations to their clients that other vendors do not, and as a result, their BAAs need to be tailored accordingly. HIPAA requires that all BAAs contain a provision stating that the Business Associate will allow the Secretary of the Department of Health and Human Services to review the Business Associate’s books and records to ensure HIPAA compliance. Unfortunately, including this language without appropriate carve-outs could result in unintentionally waiving attorney-client privilege. Additionally, many BAAs contain indemnification provisions, which could effectively void an attorney’s malpractice insurance coverage. Finally, lawyers need to be aware of the inherent ethical conflicts that occur when they are negotiating a contract between themselves and the client they are obligated to protect.
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) amended HIPAA by adding additional privacy requirements and making much of HIPAA directly applicable to Business Associates. Specifically, the HIPAA security rule provisions were made directly applicable to Business Associates. This means that Business Associates, including attorneys, must adopt administrative, physical and technical safeguards to protect the PHI in their possession, and must adopt policies and procedures to document and enforce those safeguards.
These should include such safeguards as locking medical records when not in use, securing computers, servers and networks that contain PHI from improper access, prohibiting access by improper parties (including staff not working on the particular matter), password management, training and potentially encrypting data in storage or when transmitted over a non-secure network. The specific steps to be taken will be determined by the risk analysis that the Business Associate is also obligated to undertake.
Attorneys who serve Covered Entity clients, and who receive PHI from those clients, have an obligation to ensure that they enter into BAAs with those clients, and that the BAAs do not contain inappropriate provisions. Additionally, they must conduct a risk analysis and institute appropriate safeguards to protect the security of the PHI they handle.
Jeff Drummond is a partner with Jackson Walker LLP, representing healthcare providers in transactional and regulatory matters. He can be reached at firstname.lastname@example.org.