Newsroom > In Our Words > DTCI: Business associate classification and...
September 20, 2016

DTCI: Business associate classification and HIPAA liability for lawyers

Written By

Jarrod A. Malone
Member, Stoll Keenon Ogden PLLC

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the final HIPAA Omnibus Rule (Final Rule) and the Health Information Technology for Economic and Clinical Health Act (HITECH), lawyers who work with protected health information (PHI) may qualify as “business associates” (BA), which mandates strict compliance with HIPAA standards. As a result, many practice areas have been impacted by the “business associate” classification including general health care, litigation and risk management, False Claims Act litigation, medical staff and peer review, personal injury and professional liability. Law firms that work for these clients are governed by HIPAA and are subject to liability for any violations.

The Final Rule highlighted the need for law firms that qualify as business associates of covered entities to evaluate and assess if they are in compliance with the HIPAA regulatory scheme to avoid costly penalties resulting from violations.

Who is a business associate?

As Law Technology Today reported (“What HIPAA Compliance Means for Lawyers as Business Consultants,” published April 17, 2015,) HIPAA defines a business associate as a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. In the final HIPAA Omnibus Rule in 2013, the U.S. Department of Health and Human Services (HHS) significantly expanded the types of persons or entities that qualify as business associates. When business associates such as law firms come in contact with PHI from covered entities, they have to comply with regulations that include using the information only for the purposes for which they were engaged, safeguarding the information and helping the covered entity comply with its obligation under the privacy rule. PHI is interpreted broadly and includes any information about health status, provision of health care or payment for health care that can be linked to a specific individual. It includes any part of a patient’s medical record or payment history. Business associate agreements (BAA) are contracts between HIPAA-covered entities and business associates. BAAs are used to protect PHI in accordance with HIPAA guidelines.

READ MORE

Written By

Photo of Jarrod A. Malone
Jarrod A. Malone

Related Articles

View More
April 16, 2024
New Indiana Law Will End Ban on “Happy Hour,” Permit Carry-out Alcohol, and Establish New Liquor Liability Insurance Requirements
As of July 1, 2024, Indiana will no longer be on one of the unhappiest lists in the United States: U.S. States that ban happy hours. Throughout the 1980s, various states, including Indiana in 1985, banned happy hours, defined as a specific time during the day when alcoholic drinks are discounted for patrons. As such, […]
March 4, 2024
Corporate Transparency Act Series:  Is the CTA on “Pause”? 
On Friday, March 1, 2024, an Alabama federal district court issued its decision in National Small Business United v. Yellen, holding that the Corporate Transparency Act (the “CTA”) is unconstitutional. The plaintiffs argued that, in enacting the CTA, Congress exceeded the enumerated powers granted to it under the U.S. Constitution.  The federal government argued that […]
February 28, 2024
Corporate Transparency Act Series:  Why the CTA?
In a recent SKO Insider, we provided a quick introduction to the now-effective Corporate Transparency Act (“CTA”) and promised more information about this new law.  Before going into the CTA’s requirements, we have fielded many questions that come down to “Why the CTA?” So let’s get that out of the way. In recent years the […]