Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the final HIPAA Omnibus Rule (Final Rule) and the Health Information Technology for Economic and Clinical Health Act (HITECH), lawyers who work with protected health information (PHI) may qualify as “business associates” (BA), a classification that mandates strict compliance with HIPAA standards. As a result, many practice areas have been affected by the “business associate” classification, including general health care, litigation and risk management, False Claims Act litigation, medical staff and peer review, personal injury and professional liability. Law firms that work for covered-entity clients in these areas are governed by HIPAA and are subject to liability for any violations.
The Final Rule highlighted the need for law firms that qualify as business associates of covered entities to assess whether they comply with the HIPAA regulatory scheme, so as to avoid the costly penalties that result from violations.
Who is a business associate?
As Law Technology Today reported (“What HIPAA Compliance Means for Lawyers as Business Consultants,” published April 17, 2015), HIPAA defines a business associate as a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. In the final HIPAA Omnibus Rule in 2013, the U.S. Department of Health and Human Services (HHS) significantly expanded the types of persons or entities that qualify as business associates. When business associates such as law firms come into contact with PHI from covered entities, they must comply with regulations that include using the information only for the purposes for which they were engaged, safeguarding the information and helping the covered entity meet its obligations under the Privacy Rule. PHI is interpreted broadly and includes any information about health status, provision of health care or payment for health care that can be linked to a specific individual. It includes any part of a patient’s medical record or payment history. Business associate agreements (BAA) are contracts between HIPAA-covered entities and business associates; BAAs are used to protect PHI in accordance with HIPAA guidelines.