Understanding the “Chain of Liability” Under HIPAA and How Business Associate Agreements Allocate Risk and Protect Your Practice

January 26, 2018

Published in NH Bar News (1/17/2018)

While lawyers and law firms are generally well versed in complying with the privilege and confidentiality rules, many fail to recognize their parallel data management obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). As a general matter, law firms that handle protected health information (“PHI”) from “covered entities” are business associates under HIPAA and are required to comply with HIPAA’s strict privacy and data security standards.

The obligations of entities under HIPAA can be thought of as links in a chain of liability. At the highest level, HIPAA’s privacy rules apply to “covered entities,” such as health plan providers, clearinghouses, insurance carriers, and certain healthcare providers, which lie at the top of the chain. The HIPAA privacy rules require covered entities such as medical practices to implement comprehensive privacy and data safeguards to protect PHI, such as medical records, laboratory reports, or hospital bills. These requirements generally fall into three categories: (i) administrative safeguards, such as requiring ongoing risk assessments to identify potential vulnerabilities and risks; (ii) physical safeguards, such as requiring physical measures to prevent unauthorized access and protect against environmental hazards; and (iii) technical safeguards, such as requiring technical controls to ensure data security.

Beneath covered entities in the chain of liability are “business associates” and their subcontractors. Under HIPAA, a business associate is a person or entity that uses or processes PHI for a covered entity. Common examples of business associates include providers of billing services, IT and cloud storage, and third-party administrative and benefit management. But, apart from the more obvious examples, business associates may also include providers of legal, accounting, or other consulting services, depending on their relationships to covered entities and their access to PHI.

Lawyers fall under the business associate definition if they provide services to or for a covered entity that involve access to PHI. Therefore, it is less likely for an attorney practicing in real estate to fall under the definition than one in health care, corporate, employment, or medical malpractice. But the application is a little more nuanced. For example, a plaintiff’s attorney suing a doctor will receive his/her client’s medical records in connection with the case. However, as a general matter, that attorney is not a business associate because a patient can freely disclose his/her own medical records to just about anyone. In contrast, the doctor’s attorney in the same situation will likely receive the patient’s records from the doctor, a covered entity, and therefore will be deemed a business associate under those circumstances. Similarly, an attorney who counsels a medical practice about health care and corporate risk management and employee health and legal related issues is also a business associate under HIPAA.

The HIPAA privacy rule requires covered entities to obtain written assurances from their business associates in which the business associate promises to safeguard PHI received or created on behalf of the covered entity. HIPAA sets forth specific elements that must be in every business associate contract. These elements include: establishing the permitted and required uses and disclosures of PHI by the business associate; requiring the use of appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the contract; and reporting to the covered entity any breaches of unsecured PHI.

Notably, business associate status attaches regardless of whether the law firm signs a formal business associate agreement. If law firms are classified as business associates, they are bound by HIPAA’s privacy and data security rules. This means that, at a minimum, the law firm must conduct a comprehensive risk analysis to determine the risks, vulnerabilities, and types of safeguards needed, given the size and scope of its practice. It must then implement those safeguards to reduce its vulnerabilities to reasonable and appropriate levels under HIPAA, adopt a written information security policy, and train its workforce with respect to HIPAA security. Further, beyond just security protocols, the firm must also comply with HIPAA’s privacy and breach notification requirements. Lastly, if the law firm is deemed a business associate, the chain of liability will extend to its subcontractors. Therefore, law firms must identify and review their vendor contracts, such as those for cloud storage services, to ensure that they are also HIPAA compliant.

HIPAA compliance is complex, and failing to comply can be expensive in terms of money and reputation. As business associates, law firms can face direct liability under HIPAA for violations of provisions required under the privacy and data security rules. Moreover, there are nuanced issues particular to attorneys that need to be addressed in business associate agreements, such as integration with legal malpractice insurance, the preservation of attorney-client privilege in the event of an audit, and compliance with the Model Rules of Professional Conduct. Therefore, it is important for all lawyers and law firms who do business with a HIPAA covered entity to seek an experienced data security lawyer to carefully review and monitor their HIPAA compliance. Such professionals can help those lawyers who do not practice in this area gain an understanding of the applicable HIPAA privacy, security, and breach notification requirements and advise them on how to get started in developing a plan for assuring future compliance. These basic steps are absolutely essential to protecting the integrity, security, and reputation of your practice.

Kevin Lin is an associate in the firm’s Corporate Department, where he assists clients in a wide array of corporate and commercial matters, including mergers and acquisitions, securities regulation, entity formation and restructuring, and corporate governance.

In addition, Kevin maintains a robust practice in the area of privacy law, including creating and implementing privacy policies, terms of use agreements, and information use and social media policies, and advising clients about workplace privacy, social media, and consumer privacy.