Lawyers who receive, use, store, or transmit personal health information are considered "business associates" under HIPAA and must implement privacy and security programs to protect client health information. Many legal practice areas beyond just personal injury or medical malpractice can involve health information, such as estate planning, insurance law, or bankruptcy. The document recommends that lawyers identify privacy and security officials, conduct a risk analysis of how client data is handled, focus on protecting mobile devices with health information, and compile existing privacy policies to ensure compliance with HIPAA business associate rules.

1. Lawyers: What You Don’t Know About HIPAA Could Hurt You
Posted on 10/07/2013 by beverlym
Do you receive, use, store, or transmit personal health information (PHI) on behalf of
clients? If so, you are a “business associate” under HIPAA.
As a business associate, lawyers must implement privacy and security programs to
protect against improper use or disclosure of client health information. They are also
obliged to ensure that their subcontractors (digital print shops, cloud providers, legal
nurse consultants, medical experts) follow HIPAA rules.
Practice Areas Affected by HIPAA Regulations
HIPAA has the potential of touching more than the obvious practice areas:





Personal Injury
Insurance Defense
Social Security
Workers Compensation
Medical Malpractice
Any lawyer who reviews or obtains inforamtion concerning payment for health care is
also a business associate under the act. This may affect lawyers who practice in:







Conservatorships and Guardianships
Estate Planning
Probate
Business Law
Insurance Law
Bankruptcy
Debt Collection
For more information on how HIPAA may apply to your law firm, see Kelly T. Hagan,
“Business Associate, Esq.: HIPAA’s New Normal,” in the September 2013 issue of In
Brief, available on the PLF Web site > In Brief.
Hagan recommends lawyers take the following steps now:
1. Identify Privacy and Security Officials. This is not only required by rule, it places
responsibility with identified persons. So long as everyone is responsible, no one
is.

2. 2. Document a Risk Analysis. Again, this is required, not simply a good idea. The
firm may wish to take this on, or may look to compliance professionals for
assistance.
3. Focus on Mobile Devices. The OCR hates PDAs. Data breaches resulting from
stolen or misplaced laptops, iPhones, or Blackberries with PHI on them or
accessible through them are a recurring breach scenario.
4. Compile Existing Policies and Procedures. We all have policies and procedures
for keeping files safe and secure. You may be surprised at how far along you
already are. You won’t know what is left to be done until you have all of your
explicit materials in one place and can compare them to your legal obligations.
The Multnomah Bar Association is offering a CLE on October 17 entitled HIPAA
Omnibus Rule Compliance Checklist – For Law Firms and Other Entities that Fall Within
the Definition of a Business Associate. This promises to be an incredibly helpful
program for lawyers and legal staff. If you can’t attend, the MBA records and archives
all CLEs for later access.
Originally posted at http://oregonlawpracticemanagement.com/2013/10/07/lawyerswhat-you-dont-know-about-hipaa-could-hurt-you/ on October 7, 2013. All Rights
Reserved.