Physicians: Is Your Lawyer a Business Associate Under HIPAA?

November 7, 2013

Know how your practice's business associates are covered under the Omnibus rule.

The Omnibus Final Rule (78 Fed. Reg. 5566 (Jan. 25, 2013)), which mandated compliance with most of its provisions by September 23, 2013, can be viewed as the crescendo of the HIPAA-related laws and regulations stemming back to 1996.

Business associates, or those "persons" performing functions or activities directly for or on behalf of a covered entity (i.e., providers, health plans and healthcare clearinghouses), must meet the same standards of protection for traditional and electronic protected health information (PHI). And, in turn, their subcontractors must do the same. Additionally, business-associate contracts are required between each entity along the continuum of PHI that "creates, receives, maintains, or transmits" PHI. So, do these requirements extend to lawyers? Yes.

In today’s complex healthcare landscape, it is highly unlikely that a provider has not interacted with an attorney. In fact, HHS addressed the provision of legal services to a covered entity on its website in 2005. The general rule is that a business-associate relationship is created between a law firm and the covered entity. In turn, a business-associate relationship is created between the law firm and any subcontractor that, for example, maintains its electronic PHI data, or a legal-services entity that provides trial services and compiles the discovery information. As HHS indicated:

It depends on who the recipient is. The business associate agreement between the covered entity and the lawyer-business associate must provide that the lawyer will ensure that any agents, including subcontractors, to whom it provides protected health information agree to the same restrictions and conditions that apply to the business associate with respect to the information. See 45 CFR 164.504(e)(2)(ii)(D).

Thus, if a lawyer-business associate enlists the services of a person or entity in furtherance of the lawyer’s legal services to a covered entity, and the lawyer must provide protected health information to the person or entity for such purpose, the lawyer’s business associate contract with the covered entity [or other business associate] requires that the lawyer ensure that these persons agree to the same restrictions and conditions with respect to the protected health information they receive that apply to the lawyer as a business associate.

This situation could arise in the context of various types of representation - medical malpractice, compliance, or billing disputes. HHS expressly indicated that "other legal counsel, jury experts, document or file managers, investigators, litigation support personnel, or others hired by the lawyer to assist the lawyer… will also safeguard the privacy of the protected health information" (emphasis added). The exception is that the lawyer does not need to ensure that opposing counsel meets these requirements. State laws must also be considered, because their requirements may be stricter than federal HIPAA, which federal law permits in many respects.

In sum, providers should make sure that their attorneys and, in turn, the attorneys' subcontractors, are compliant in protecting and securing PHI and e-PHI. Given the flow of liability, it is prudent for all entities to be compliant.