Over the years, the legal and medical professions have often gone head to head.
These days, however, they share a common headache: the Health Insurance Portability and Accountability Act, better known as HIPAA, together with the federal law and regulations that amended it, the Health Information Technology for Economic and Clinical Health Act, or HITECH. Unlike most headaches, this one requires a lot more than a few aspirin to manage.
As everyone knows by now, HIPAA is designed to safeguard a patient’s protected health information, or PHI. Because HIPAA was designed to keep PHI confidential, health care information transmitted by health care providers often remains HIPAA-protected even after it leaves the hospital or doctor’s office.
As a result, lawyers who receive medical records in the course of representing physicians, hospitals and health care plans (in HIPAA parlance, covered entities) must comply with HIPAA’s stringent requirements or risk finding themselves on the wrong side of a federal inquiry.
HIPAA dubs lawyers who receive PHI while representing covered entities "business associates," an innocuous phrase that gives rise to a significant mix of requirements and obligations.
For example, before a law firm representing a physician or a hospital can receive PHI in connection with a client’s case, the firm must have a written business associate agreement with the client.
Among other things, the agreement must require that the law firm comply with various HIPAA privacy and security rules, and notify the client if the firm improperly discloses the health care information. Some agreements also require that the law firm indemnify the client for any HIPAA breaches, although this is not required by HIPAA.
In addition to entering into a business associate agreement, lawyers doing work for physicians, hospitals, and other covered entities must also have privacy.