Law firms and HIPAA: Is your firm compliant?

By: Rick Juarez

It's been almost 2 years since the HIPAA Business Associate and subcontractor changes in the HIPAA Omnibus Final Rule came into enforcement, but an eye-opening conversation with a law firm this week showed me that there are a lot of law and accounting firms that still are not compliant and remain exposed.

While discussing some remedies for a potential new customer's security audit from a Fortune 100 non-healthcare-related company, I mentioned that if we can ensure HIPAA compliance for our customers, we certainly can handle the simple concerns the audit addressed. That's when they revealed to me that they need to be HIPAA compliant because they handle Personal Healthcare Information, or PHI, for their clients, but have known for almost 2 years that they are not. Further, they shared that 6 other firms they spoke with last week also know they are out of compliance. SEVEN firms who should know more than most about the legal ramifications of non-compliance sit completely exposed. A couple of calls the next day to some accounting friends revealed similar results.

It used to be that only accounting firms and law firms contractually engaged with HIPAA Covered Entities qualified as a Business Associate, but as a post on the Dallas Bar Association's website states:

"A law firm that receives, maintains, or discloses protected health information in the provision of legal services is statutorily a business associate. In other words, if your law firm deals with personal medical records in the course of representing clients, it is probably a business associate. Previously, law firms were only contractually liable to healthcare covered entities under a business associate agreement.

As a business associate, law firms must comply with some aspects of HIPAA's Privacy Rule and all aspects of HIPAA's Security Rule. Failure to do so may result in civil monetary penalties imposed by the U.S. Department of Health and Human Services (DHHS)."

In spite of having been the law for 19 years, HIPAA still raises a lot of questions regarding compliance. Securing a physical file is one thing, but with Electronic Records becoming the new normal, guaranteeing compliance has gotten more complex. With penalties ranging from $100 to $50,000 per violation, practices that are not proactive regarding HIPAA Compliance are at risk.

Here is a high level overview of what your practice should be doing at a minimum:

  • Access Control – Access to records should be role based, meaning that only those employees who have a legitimate reason to access PHI are given access, and nobody else gets it by default. That access should be password protected, with policies in place to change passwords frequently.
  • Physical Access – Care should be taken to limit access to physical files and computers, and doors to communications closets should be locked, with access limited to only those employees who need to work on those systems.
  • Documentation – Processes and procedures need to be carefully documented, and training provided, so that everyone fully understands the rules and what is at stake for even an inadvertent violation.
  • Disaster Recovery and Contingency Planning – The practice needs to plan and document the process for backing up records and establish a recovery plan, with a well-planned infrastructure and secured offsite replication of those records.
  • Battery Backups for Networks – Offices need to have batteries or Uninterruptible Power Supplies in place to protect the network from power failures. Data centers have this covered, but local resources are also important.
  • HIPAA Audits – To protect the practice, policies and procedures should be reviewed and updated regularly. Audits should be performed on a yearly basis to benchmark the practice's performance against the standard.
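The Access Control and HIPAA Audits points above fit together: a role-based check that denies by default and records every decision gives an auditor something concrete to review. The following Python is an added illustration written for this post, not code from the author or any vendor; the roles, user names, matter ids and record ids are constructed for the example. It scopes PHI access both by role (what the job needs) and by matter assignment (which client files the person actually works on), and logs every allow and deny so the audit trail itself can be queried.

```python
"""Role-based access check for PHI records with an audit trail.

Added example; roles, users, matters and record ids are constructed.
Deny-by-default: a role with no listed permission gets nothing.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Permissions each role holds. Anything not listed here is refused.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "case_attorney": frozenset({"phi:read", "phi:write"}),
    "paralegal": frozenset({"phi:read"}),
    "billing": frozenset(),    # billing staff never need the medical records
    "it_admin": frozenset(),   # admins manage systems, not client records
}


@dataclass
class User:
    name: str
    role: str
    # Matters (client cases) this person is assigned to; PHI is scoped per matter.
    matters: FrozenSet[str] = frozenset()


@dataclass
class PhiRecord:
    record_id: str
    matter: str


@dataclass
class AuditEntry:
    ts: str
    user: str
    action: str
    record_id: str
    allowed: bool
    reason: str


@dataclass
class PhiStore:
    records: Dict[str, PhiRecord]
    audit: List[AuditEntry] = field(default_factory=list)

    def _log(self, user: User, action: str, record_id: str,
             allowed: bool, reason: str) -> bool:
        """Append one decision to the audit trail and return the decision."""
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user.name, action,
            record_id, allowed, reason))
        return allowed

    def authorize(self, user: User, action: str, record_id: str) -> bool:
        """Return True only if role AND matter assignment both permit the action."""
        record = self.records.get(record_id)
        if record is None:
            return self._log(user, action, record_id, False, "no such record")
        perms = ROLE_PERMISSIONS.get(user.role, frozenset())
        if action not in perms:
            return self._log(user, action, record_id, False,
                             f"role {user.role!r} lacks {action}")
        if record.matter not in user.matters:
            return self._log(user, action, record_id, False,
                             "user not assigned to matter")
        return self._log(user, action, record_id, True, "ok")


def denied_entries(store: PhiStore) -> List[AuditEntry]:
    """What an auditor would pull first: every refused access attempt."""
    return [e for e in store.audit if not e.allowed]


def demo() -> PhiStore:
    """Run a handful of constructed access attempts and return the store."""
    store = PhiStore(records={
        "rec-1001": PhiRecord("rec-1001", "matter-A"),
        "rec-2002": PhiRecord("rec-2002", "matter-B"),
    })
    alice = User("alice", "case_attorney", frozenset({"matter-A"}))
    bob = User("bob", "paralegal", frozenset({"matter-A", "matter-B"}))
    carol = User("carol", "billing", frozenset({"matter-A"}))
    store.authorize(alice, "phi:read", "rec-1001")   # allowed
    store.authorize(alice, "phi:read", "rec-2002")   # denied: not her matter
    store.authorize(bob, "phi:write", "rec-2002")    # denied: paralegal is read-only
    store.authorize(carol, "phi:read", "rec-1001")   # denied: billing has no PHI rights
    store.authorize(bob, "phi:read", "rec-9999")     # denied: unknown record
    return store


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The two-factor check (role plus matter) matters in a law firm: a paralegal assigned to one client should not be able to read every client's medical records just because their role allows reading PHI. The denied entries are the ones worth reviewing at the yearly audit, since a steady stream of refusals from one account usually means either a mis-assigned user or someone probing.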

Remember that any and all breaches of PHI or security require notifying the patients affected and notifying the Secretary of Health and Human Services, and if the breach affects 500 or more people in one state, the media must be notified as well.

With fines that can reach as much as $1.5 Million per violation, medical practice vendors and law offices need to stay up to date with HIPAA compliance. If you are out of compliance, you can no longer afford to keep your head in the sand while your firm is at risk. If your practice's IT vendor does not offer HIPAA Audits with full documentation, you need to question why. Your practice may just depend on it.
