Understanding HIPAA compliance for law firms

HIPAA's origins date to the early 1990s as medical records first began being transmitted in electronic form. The law was passed by Congress and signed by President Bill Clinton in 1996. After HIPAA's enactment, the U.S. Department of Health and Human Services (HHS) was tasked with issuing regulations to implement the statute. In general, HIPAA's portability requirements were intended to promote greater continuity of health plan coverage, while its privacy and security rules govern how individuals' health information (referred to as "protected health information" (PHI)) is used and disclosed.
The HIPAA statute has been amended over the years and has been the topic of numerous sets of implementing regulations and related guidance. For example, in 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act added breach notification requirements for covered entities and expanded how HIPAA's privacy and security requirements apply to business associates. In 2010, the Affordable Care Act (ACA) made significant changes affecting HIPAA's portability requirements. In 2013, HHS issued comprehensive regulations that updated HIPAA's privacy, security, and enforcement rules to reflect the HITECH Act.

HIPAA's portability requirements address:

• Limits involving preexisting condition exclusions (which were also impacted by the ACA).
• Situations in which health plan participants can obtain special enrollment rights.
• Rules prohibiting certain kinds of discrimination.

In addition, HIPAA's "administrative simplification" rules address:

• Privacy requirements that govern how HIPAA covered entities and business associates may access PHI and impose restrictions concerning the use and disclosure of PHI.
• Security standards that protect electronic PHI through specified administrative, physical, and technical safeguards.
• Breach notification requirements under the HITECH Act that require notifications to HHS, individuals, and (in some cases) the news media when there is an improper use or disclosure of unsecured PHI.
• Electronic transactions rules that standardize how health care claims are processed.

HIPAA's requirements apply directly to "covered entities," which are defined as health plans, health care providers that carry out certain kinds of transactions electronically, and health care clearinghouses. HIPAA's requirements also apply to organizations that perform services for HIPAA covered entities – known as "business associates." Covered entities can disclose PHI to their business associates only if the covered entities obtain certain assurances (through a contractual agreement) that the business associate will appropriately protect the PHI.

Covered entities are defined as the following

• Health plans, which include employer-sponsored group health plans, health insurance companies, health maintenance organizations (HMOs), and certain government programs that pay for health care (for example, Medicare and Medicaid).
• Health care providers that transmit health information in electronic form, including most doctors, clinics, hospitals, therapists, chiropractors, nursing homes, pharmacies, and dentists.
• Health care clearinghouses, which are companies that process non-standard health information they receive from another entity into a standard electronic format (or vice versa).

The following entities (or types of coverage) are not directly subject to HIPAA's requirements, though some of the entities may need to comply indirectly:

• Life insurers
• Employers/health plan sponsors
• Workers' compensation and disability insurance
• Most schools and school districts
• Many state agencies like child protective service agencies (though some state child health plans are covered)
• Most law enforcement agencies

Health information is "individually identifiable health information" for HIPAA purposes if it:

• Is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and 
• Relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.
  
  When individually identifiable health information is created or received by a HIPAA covered entity (or a business associate acting on a covered entity's behalf) it becomes PHI that is subject to HIPAA's privacy requirements. In addition, PHI in electronic form is subject to HIPAA's security requirements. For example, enrollment information that is received by a health plan (a HIPAA covered entity) is PHI as to the plan and is therefore subject to HIPAA's privacy requirements.
  

Unless PHI is used or disclosed for specified purposes (for example, treatment or payment), a covered entity must obtain an authorization from the individual who is the subject of the information in order to use or disclose it. In addition, a covered entity can use or disclose PHI without obtaining an individual's authorization if the use or disclosure is required by law or regarding judicial/administrative proceedings (for example, in response to a court order).

HIPAA gives individuals certain rights involving how their PHI is used. By regulation, individuals have the rights to:

• Access, inspect, and copy their PHI (for example, the individuals' medical and billing records) that is part of a designated record set
• Amend or correct PHI that is wrong or incomplete
• Obtain an accounting of disclosures of an individual's own PHI
• Request restrictions concerning certain uses or disclosures of PHI
• Ask that communications of PHI from a health plan be sent using alternative methods

The definition of business associate under HIPAA's regulations expressly includes attorneys who perform legal services for a HIPAA-covered entity (for example, a health plan), if the attorneys are not members of the covered entity's workforce. For purposes of HIPAA's privacy and security requirements, the definition applies if the legal services provided involve disclosure of PHI from the covered entity (or from another business associate) to the attorney. In other words, an attorney that does not create, receive, or have access to PHI is not a business associate. For example, an attorney who provides legal services to the plan in reviewing a benefits claim would likely be a business associate if the claim involves PHI. An attorney who is a business associate must comply with HIPAA's requirements as applicable to business associates (for example, by providing satisfactory assurances to the covered entity that it will safeguard PHI).

HHS has taken an aggressive approach to enforcing HIPAA's requirements in recent years. HHS's enforcement actions have resulted in numerous highly publicized settlement agreements with noncompliant covered entities, and typically require significant monetary payments and stringent corrective actions. The following non-exhaustive list reflects some of the more common HIPAA compliance failures that have resulted in HHS enforcement actions:

• Failing to obtain a business associate agreement before disclosing PHI.
• Failing to carry out an enterprise-wide HIPAA risk assessment
• Failing to erase hard drives containing PHI, especially if the hard drives are later stolen or otherwise removed from the covered entity's or business associate's premises
• Not providing HIPAA breach notifications as required to HHS or others
• Failing to terminate access to PHI by unauthorized individuals (especially former employees and third parties)
• Keeping records in unsecured locations (for example, employees' vehicles) and/or on unsecured laptops and other mobile devices
• Keeping or transmitting PHI in unencrypted form
• Lack of employee HIPAA training, especially if the lack of training results in a breach of PHI
• Improper disposal of PHI (for example, abandoning PHI in publicly accessible trash receptacles)
• Improper disclosures of PHI (for example, resulting from malicious malware and disclosures to the public without obtaining a patient's authorization)
• Failing to obtain satisfactory assurances from third-party vendors/business associates
• Not restricting disclosures of PHI to the “minimum necessary”

Law firms are commonly asked to help covered entities and business associates assess their compliance with HIPAA's privacy, security, and breach notification requirements. This review may occur in the context of an ongoing enforcement action between HHS and a covered entity, or as a covered entity's preventive self-audit to reduce the risk of an impermissible disclosure. In recent years, HHS has emphasized the need for enterprise-wide HIPAA risk analyses of privacy and security risks and vulnerabilities. Regarding HIPAA's security rules, for example, this process may include identifying and creating an inventory of all electronic equipment and data systems that use electronic PHI. In response to the risk assessment, a law firm may be asked to help the covered entity or business associate:

• Develop a risk management plan to address and mitigate any risks uncovered during the risk analysis    
• Review and revise the covered entity's or business associate's HIPAA privacy and security policies and procedures
• Establish and periodically update training materials for all employees and other workforce members
• Develop procedures to terminate access to PHI when employees and other workforce members leave employment