Lawyers: What You Don’t Know About HIPAA Could Hurt You

Do you receive, use, store, or transmit personal health information (PHI) on behalf of covered entities subject to HIPAA? If so, you are a “business associate.”

As business associates, lawyers must implement privacy and security programs to protect against improper use or disclosure of client health information. They are also obliged to ensure that their subcontractors follow HIPAA rules.

Practice Areas Affected by HIPAA Regulations

Lawyers who provide services in the following areas are business associates subject to HIPAA:

  • Advice to a hospital/provider
  • Insurance Defense
  • HIPAA breach notification/response
  • Health plan fraud/abuse investigations
  • Provider payment disputes

The following does NOT make a lawyer a business associate for HIPAA purposes:

  • Representing an individual plaintiff in a personal injury, workers’ compensation, social security, or medical malpractice case
  • In-house counsel (generally)
  • Drafting a business associate agreement for a covered entity
  • Drafting notices of privacy practices for a covered entity

However, you may become a subcontractor of a business associate (and subject to HIPAA) IF you represent clients who have access to PHI because they provide services to a “covered entity” (health plan, health care provider, health care clearinghouse). Here is an example: You represent a software developer. The scope of your services is limited to entity formation and answering questions about intellectual property. The software developer writes software for health care providers. In order to write the software, the developer is given access to PHI stored on its client’s server. The software developer is a business associate for HIPAA purposes. You are a subcontractor of a business associate (your client) and therefore subject to HIPAA.

For more information on how HIPAA may apply to your law firm, see Kelly T. Hagan, “Business Associate, Esq.: HIPAA’s New Normal,” In Brief (September 2013) and Kelly T. Hagan, “The HIPAA Compliance Process,” In Brief (May 2014), available on the PLF Web site,

In his 2013 article, Hagan recommended lawyers subject to HIPAA take the following steps:

  1. Identify Privacy and Security Officials. This is not only required by rule, it places responsibility with identified persons. So long as everyone is responsible, no one is.
  2. Document a Risk Analysis. Again, this is required, not simply a good idea. The firm may wish to take this on, or may look to compliance professionals for assistance.
  3. Focus on Mobile Devices. The OCR hates PDAs. Data breaches resulting from stolen or misplaced laptops, iPhones, or Blackberries with PHI on them or accessible through them are a recurring breach scenario.
  4. Compile Existing Policies and Procedures. We all have policies and procedures for keeping files safe and secure. You may be surprised at how far along you already are. You won’t know what is left to be done until you have all of your explicit materials in one place and can compare them to your legal obligations.

The Multnomah Bar Association presented a CLE on October 17, 2013 entitled HIPAA Omnibus Rule Compliance Checklist – For Law Firms and Other Entities that Fall Within the Definition of a Business Associate. This program was recorded and is available on the MBA Web site.
