When you hear the words “HIPAA compliance,” it’s natural to think this important part of patient wellness is just the concern of covered healthcare-related entities. After all, the Health Insurance Accountability and Portability Act (HIPAA) is largely concerned with data security related to a medical patient’s electronic private health information(ePHI).
But just because this is typically the realm of doctors and a healthcare provider, doesn’t mean that lawyers are exempt from these HIPAA rules.
For instance, if you’re a business associate of a covered entity and providing legal intake services that involve the disclosure of private health information, you also must be compliant.
If that’s the case, how can law firms manage HIPAA compliance virtually and how can a legal call center help? Read on to find your answers.
What Does HIPAA Compliance for Law Firms Entail?
To practice HIPAA compliance, it helps to know the rules and standards like the back of your hand.
As it was initially envisioned, HIPAA was meant to create safeguards for protecting private health information and preventing fraud, as well as insuring individuals who were in between jobs. The original bill was composed of 5 titles:
- Title I “Health Care Access, Portability, and Renewability” – Sought to provide insurance plans for individuals with pre-existing conditions or who were out of work.
- Title II “Preventing Healthcare Fraud and Abuse; Administrative Simplification” – Directed the HHS to define standards for ePHI accessibility, security, and transactions, regarding documentation, storage, and transmission of patient records.
- Title III “Tax-related Health Provisions” – Set tax provisions and stipulations for medical care provision.
- Title IV “Application and Enforcement of Group Health Plan Requirements” – Protected individuals who were out of work or with preexisting conditions.
- Title V “Revenue offsets” – Creates stipulations on company-owned life insurance and citizens who lose U.S. citizenship due to tax purposes.
These were then later supplemented by three rules and an additional act:
- Privacy Rule – Created national standards for privacy regarding individually identifiable health information.
- Security Rule – Set security standards for the protection of ePHI.
- HIPAA Enforcement rule – Set enforcement mechanisms for compliance violations.
- HITECH – The Health Insurance Health Information Technology for Economic and Clinical Health (HITECH) Act promoted and expanded the adoption of electronic health records, removed HIPAA loopholes, and stipulated stricter penalties for compliance violations.
How Does HIPAA Apply to Legal Firms?
Under HIPAA, four primary groups must be compliant with HIPAA. They include:
- Health care providers who interact with electronic medical records.
- Health plans that have access to ePHI
- Healthcare clearinghouses that process atypical or tangential ePHI.
- Business associates who perform: “…certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provide services to, a covered entity.”
This final group of “business associates” is the category in which legal firms fall. They’re in the same category as other healthcare service providers like accountants, consultants, financial services, and so on. Naturally, which legal groups are considered business associates depends on their area of practice, clientele, and service provision.
Common examples of law firms that HIPAA applies to include:
- Law firms that provide legal services to a covered entity.
- Defense firms that represent covered entities accused of malpractice.
- Legal firms that review medical records regarding a personal injury suit.
How Can I Practice Law Firm Regulatory Compliance?
When we speak of HIPAA compliance, Title II—sometimes referred to as the Administrative Simplification Provisions—is the primary focus, along with the later provisions mentioned above.
So, how can you make sure your legal firm is compliant? Be sure to address the following when crafting your client intake checklist.
Address the Privacy Rule
The HIPAA privacy rule was created to guarantee the confidentiality, integrity, and availability of ePHI. It stipulates that individually identifiable health information (IIHI) must be protected when it’s stored, used, or transmitted by a covered entity or business associate. And that private data can be in any form or media, including electronic, paper, or oral.
But what is considered IIHI? Health and Human Services define it as:
“Information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”
There are only two scenarios in which ePHI may be disclosed: upon request by the individual or if requested by HHS as part of an investigation. Additionally, there are six other permitted uses and disclosures:
- To the Individual (unless required for access or accounting of disclosures)
- Treatment, Payment, and Health Care Operations
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure
- Public Interest and Benefit Activities
- Limited Data Set for research, public health, or health care operation
Even in the cases where disclosure is allowed, the Minimum Necessary Requirement emphasizes the idea that all permitted uses should be limited to the least amounts possible in the vast majority of permitted use cases, barring the first.
Put simply, you must restrict and control PHI access. Here’s how.
Apply the Security Rule and Its Standards
The security rule requires that covered entities and business associates must perform an internal risk assessment. While there’s some leeway in the type of review you perform, HHS recommends the National Institute of Standards and Technology’s (NIST) Guide for Conducting Risk Assessment, which specifies procedures for identifying internal and external security vulnerabilities—both virtual and physical.
A self-assessment can help you understand the relationship between the two and then determine specific risk levels. Once done, you then need to update your policies and procedures to mitigate identified risks.
But this is just the first step.
The security rule also recommends a set of prescriptive standards that legal firms could apply to strengthen HIPAA compliance. These include:
Administrative safeguards put systems in place that prioritize HIPAA compliance. Add the following to your firm’s compliance to-do list:
- Establish security management processes that reduce risks and vulnerabilities to a reasonable level.
- Designate a security official who will be responsible for developing and then applying the security policies and procedures.
- Limit uses and disclosure of PHI to the minimum necessary.
- Provide appropriate authorization, supervision, and training of any attorneys, paralegals, or support staff that have access to ePHI.
- Sanction members of the firm who violate policies and procedures.
- Perform a periodic self-assessment to verify that existing policies and procedures are capable of addressing the current threat landscape.
Implement Physical Safeguards
Implementing policy safeguards won’t be as effective unless you also put in place physical safeguards such as:
- Limit physical access to facilities where PHI is stored.
- Implement policies and procedures that ensure that all workstations and devices are secure and properly disposed of once retired.
Technical safeguards allow patient information to be as secure in the digital space as you’ve made it in your firm’s physical space.
Be sure to:
- Implement policies and procedures that only allow authorized persons within your firm to access ePHI.
- Add hardware, software, and procedural mechanisms necessary to compile and review access audit logs.
- Add integrity controls that ensure that ePHI is not improperly altered or destroyed.
- Implement security measures that protect against unauthorized ePHI access when it’s transmitted via an electronic network.
What Are the Most Common HIPAA Violations?
So, where are legal firms most vulnerable? How do they commonly violate HIPAA? Familiarize yourself with this list of “don’ts” so you can be sure to steer clear:
A Lack of Encryption
HIPAA requires ePHI to be secure from external and internal threats. But when information is transferred over an insecure network, it can easily be hacked or accessed by unauthorized individuals.
How to Address A Lack of Encryption
HIPAA compliance requires end-to-end encryption that ensures that data is transferred directly from A to B. That means it isn’t sent to an intermediary server—as is the case with a standard email or text message—and only the sender and recipient can open or access the information.
One of the most common and easily avoidable HIPAA violations results from a firm’s employee losing or having a device stolen that contains ePHI.
How to Address The Issue of Lost Devices
Firms need to stipulate clear BYOD and work device security policies about how they’re used, where they may be accessed, how they must be stored, and then what must occur if lost or stolen. Additionally, requiring strong passwords and two-factor identification prevent unauthorized access regardless.
Physical and virtual access to confidential information is all too often left unsecured or only partially secured.
How to Address Unsecure Records
Similar to other instances, ensuring that digital records are encrypted and password protected is vital.
Failure to Perform a Firm-Wide Risk Analysis
If a HIPAA violation does occur, and you are responsible, making this mistake could result in significant penalties.
How to Address a Firm-Wide Risk Analysis
Either perform an internal assessment or hire a third-party audit team to perform an external review. After, be sure to document your findings and prescriptive actions.
Failure to Perform a Breach Notification
Legal firms sometimes fail to disclose the fact that they experienced a privacy breach, which can result in steep fines.
How to Address Minor Breach Notifications
For minor breaches that impact 500 or fewer individuals, everyone must be notified of the breach within 60 days of the vent. For major breaches that impact 500 or more individuals, the impacted individuals must be notified, as well as the HHS Secretary and the media.
Alert—Helping Your Law Firm Ensure HIPAA Compliance
Want to make sure that you, the attorney, or your legal firm is HIPAA compliant in its virtual activities?
If so, you must only partner with SaaS providers that are also HIPAA compliant, especially when it comes to virtual correspondence.
Here, Alert makes it easy to develop good lawyer client communication while upholding HIPAA compliance. We provide HIPAA compliant 24/7 legal answering service in addition to secure SMS and email messaging. That means that your clients can receive the same virtual privacy that they’d receive in your office.
So, how does Alert work? Try us for free today!
U.S.Gov. Health Insurance Portability and Accountability Act of 1996. https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
HHS. Business Associates. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
HHS. Summary of HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?language=es