Before we dive into what exactly HIPAA requires of law firms today, we thought it might be helpful to describe what HIPAA required prior to the HITECH Act and then explain how things have evolved. Some may remember that HIPAA compliance garnered a lot of attention from health care practices in 2009 with the passage of the HITECH Act. While the HITECH Act did dramatically expand the reach of HIPAA’s Security Rule, the act was not the first attempt to apply some privacy and security requirements to third parties serving the health care industry.
“Business Associates” - Contractual Obligations for Security and Privacy
Few will be surprised to hear that law firms were not the intended regulatory target of the original 1996 HIPAA legislation. At that time, HIPAA dealt solely with health care organizations now referred to as “covered entities” (CEs). Covered entities consist of health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. (Whether an entity is subject to HIPAA can be a complex issue. For a more detailed explanation of the types of covered entities, please see the Health and Human Services website.)
In 1999, the federal agency responsible for issuing HIPAA regulations--the US Department of Health and Human Services (HHS)--recognized that CEs outsource a variety of operational functions to third parties (like law firms) and may need to disclose protected health information (PHI) to those third parties. While such outsourcing is perfectly legitimate, when HHS issued the Final Privacy Rule in 2000, it took steps to ensure that third parties providing services to CEs would be obligated to protect PHI.
Under that rule, CEs must enter into a “Business Associate Agreement” (BAA) with third parties who need access to PHI. A BAA establishes a contractual obligation on the part of the business associate to protect PHI disclosed by the CE. The rendering of legal services is an activity requiring a BAA, so whenever a CE-client discloses PHI to a law firm (e.g., to defend a health plan client), the CE-client must first execute a BAA with the firm. Given that HHS began enforcing this requirement against all CEs by 2004, it is very likely that firms with a health care practice have entered into a BAA at some point or other. As a result, even though law firms were not the target of HIPAA requirements as a covered entity, law firms must contractually agree to protect PHI before a covered entity client can release such information to the firm.
Non-Regulatory Exposure Is Still Exposure
While signing a BAA before the HITECH Act did not directly expose firms to regulatory enforcement, firms were liable to their CEs if they breached provisions of their BAAs. A firm with a health care practice that failed to protect PHI in a reasonable manner would likely experience difficulty attracting new health care clients.
However, as we’ll see in our next post, the landscape changed dramatically with the HITECH Act, and firms under BAAs must now agree to comply with the entire Security Rule. We are entering a new era of HIPAA enforcement where law firms will find themselves in the crosshairs of regulators.