  • InsideTrack
  • February 07, 2018

    Liability Under HIPAA: It's Not Just for Health Law Attorneys

    What are the considerations lawyers should think about regarding HIPAA, the Health Insurance Portability and Accountability Act? Turns out, it's not just lawyers in a health law practice who need to be aware of their responsibilities regarding protected health information.

    Feb. 7, 2018 – Does your firm or business handle health information?

    Even if you aren’t a health care lawyer, you need to be aware of the protection requirements under the Health Insurance Portability and Accountability Act (HIPAA), say Sarah Erdmann and Meghan O’Connor of Quarles & Brady LLP, Milwaukee.

    Erdmann and O’Connor spoke at the State Bar of Wisconsin’s 2017 Health, Labor, and Employment Law Institute.

    With the increasing complexity of technology and data transmission, it's important that lawyers understand the use and disclosure of protected health information. This includes compliance requirements, requests and fees for copying medical records, vendors, encryption, and cyber and malpractice insurance coverage.

    Who Is Included under HIPAA?  

    HIPAA requires protection of certain health information (PHI) – essentially, any information that is individually identifiable. When HIPAA-covered entities handle PHI, they must follow the requirements to protect that information under HIPAA, as must any of their business associates and subcontractors – including attorneys.

    You are still liable under HIPAA regulations once you receive any PHI – even if you didn’t expect to receive any at all. “The HIPAA Omnibus Rule actually includes covered entities’ business associates and their subcontractors, which can be lawyers, as directly regulated by the Office of Civil Regulation – so they can be liable for violations,” Erdmann said.

    As a result, lawyers need to be conscious of HIPAA’s requirements regarding maintaining protection of that PHI, Erdmann said.

    Protecting You and Your Firm

    Security risk assessments are required under HIPAA for anyone handling PHI, O’Connor said – including law firms that are business associates of HIPAA-covered entities. In fact, some of the covered entities will take steps to ensure their business associates and vendors are compliant.

    It’s a good idea to do a full security risk assessment for all information, not just for the security of the PHI. “Law firms deal with all sorts of confidential information, not just health information,” O’Connor said.

    When attorneys realize they are receiving protected health information from a client, they typically sign a business associate agreement (BAA) with that client. It’s important to take a look at the terms in the BAA, O’Connor said. “Standard BAAs don’t take into account the attorney/client relationship,” she said. Attorneys should look at the return and destroy requirements, insurance requirements, and indemnification.

    First Steps Toward Compliance

    Smaller and mid-size firms that receive PHI should look into encrypting any electronic information, to make sure the data in their files is encrypted. “That’s usually the first safeguard to look at,” O’Connor said.

    Also, firms should ensure they have appropriate insurance coverage, including cybersecurity coverage. “That is becoming more standard now,” O’Connor said.

    Learn More

    Save the Date: 2018 Health, Labor, and Employment Law Institute

    Mark your calendars: the 2018 Health, Labor, and Employment Law Institute is Aug. 16-17, 2018, at Glacier Canyon Lodge at the Wilderness in Wisconsin Dells. More information to come at
