By Lisa M. Carlson
Having a laptop or smartphone stolen makes for a very bad day. Now imagine having to pay the federal government a seven-figure fine because that device contained protected health information (“PHI”) and was not encrypted. If your practice includes having access to health information, you may be subject to the stringent data protections imposed by the Health Insurance Portability & Accountability Act (“HIPAA”). With over $100 million in fines collected for HIPAA violations since 2003, the cost of non-compliance is demonstrably steep. This article will discuss the components of HIPAA that lawyers are likely to encounter and provide an action plan to assist lawyers in remaining HIPAA-compliant.
Protecting PHI under HIPAA
Most people recognize that HIPAA requires a covered entity to safeguard protected health information. However, obligations under HIPAA also extend to business associates of a covered entity. A business associate is generally defined as any person or entity who “creates, receives, maintains, or transmits” protected health information in the course of performing services on behalf of a covered entity. Additionally, a subcontractor of a business associate that has access to PHI in performing services on behalf of a business associate will also be deemed a business associate for purposes of HIPAA compliance. This means that an attorney performing legal services for a covered entity or as a subcontractor of a business associate, where the legal services involve the access, use, or disclosure of PHI by the covered entity or business associate, will be deemed a business associate and must comply with HIPAA.
Penalties for HIPAA violations
HIPAA violations can lead to civil fines imposed by the U.S. Department of Health and Human Services, Office for Civil Rights, or even criminal penalties. An attorney business associate’s non-compliance with HIPAA can not only lead to enforcement actions and fines imposed against the covered entity but can also subject the attorney to direct liability. Fines can range anywhere from $119 to $58,000 per violation.
Where a HIPAA violation stems from willful neglect, defined as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA, the Office of Civil Rights is obligated to impose monetary penalties on the offending individual or entity in an amount between $11,000 and $58,000 per violation. A single misstep can result in multiple violations. For example, loss of a laptop with the records of 500 individuals may constitute 500 violations. Similarly, if the violation is based upon the failure to implement a required policy or safeguard, each day of non-compliance may constitute a separate violation.
To avoid subjecting themselves or their clients to civil or criminal penalties for HIPAA violations, attorneys who handle PHI for covered entities or business associates should take the following steps to ensure compliance and safeguard against claims of willful neglect.
Execute a BAA with the covered entity
Covered entities are required to obtain written satisfactory assurances from any business associate wherein the business associate agrees to appropriately safeguard the PHI it receives or creates on behalf of the covered entity. These written satisfactory assurances between a covered entity and business associate are referred to as a business associate agreement (“BAA”).
HIPAA specifies the minimum requirements that must be contained within a BAA. At a minimum, HIPAA requires the business associate to maintain the privacy of PHI, limit the business associate’s use or disclosure of PHI to those purposes authorized by the covered entity, and require the business associate to assist the covered entity in responding to individual requests concerning their PHI.
An attorney business associate should watch for provisions in the BAA where the covered entity shifts the responsibility for responding to PHI requests to the attorney. For example, a covered entity may require the business associate to respond directly to an individual requesting access to their PHI or for an accounting of disclosures. This contractually assigned obligation can lead to direct liability imposed by the Office of Civil Rights if the attorney fails to comply with the individual’s request. Arguably, an attorney’s compliance with this requirement could violate the attorney’s obligation to maintain client confidentiality.
Some covered entities may also include additional provisions in their BAAs beyond those required by HIPAA. For example, a covered entity may require a business associate to have specific insurance limits or types (e.g., cyber insurance), indemnify and defend the covered entity for HIPAA violations, or pay for and provide notice of privacy breaches or security incidents to affected individuals. While these provisions are generally negotiable, an attorney business associate should consider whether BAA negotiations with a client create a professional conflict wherein the interests of the attorney are adverse to those of the client.
Execute a BAA with subcontractors
A business associate is required to obtain a BAA from any subcontractor the business associate utilizes to assist with performing services on behalf of a covered entity that will have access to PHI. Therefore, if an attorney business associate enlists a person or entity, such as a jury expert or investigator, or even a cloud-based service provider, to assist with performing services on behalf of the covered entity, the attorney must execute a BAA with that subcontractor to ensure the subcontractor will also comply with HIPAA. The subcontractor then becomes a business associate themselves.
Significantly, an attorney business associate can be liable for the HIPAA violations of their subcontractor if the attorney is aware of a pattern or practice of violations by the subcontractor and fails to act, or if the subcontractor is an agent (and not an independent contractor) of the attorney. Therefore, an attorney business associate should take reasonable steps to remedy any known non-compliance by subcontractors.
Comply with Privacy & Security Rules
HIPAA’s Privacy and Security Rules set the standards for when PHI may be used and disclosed as well as those requirements that covered entities and business associates must implement to protect the confidentiality, integrity, and availability of electronic PHI. Most of HIPAA’s Privacy Rule provisions do not apply directly to business associates, but instead apply indirectly, as a business associate is not permitted to use or disclose PHI in a manner that would violate HIPAA if done by the covered entity itself. Generally, HIPAA prohibits a covered entity from using, accessing, or disclosing PHI without the individual’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception.
The Security Rule, on the other hand, expressly applies to business associates. It requires them to protect electronically stored PHI through implementation of specific administrative, physical, and technical safeguards. Because the Office of Civil Rights can impose penalties on a business associate for non-compliance with the requirements of the Security Rule, it is important for attorney business associates to understand the obligations imposed by the Security Rule and to ensure strict compliance.
With regard to obligations under the Privacy and Security Rules, attorney business associates often overlook the general processes they use to store and share client information, and how those processes should be adapted when the client information includes PHI. For example, a law firm may ordinarily store client data on a shared network drive, cloud service, or an unencrypted portable memory device. Additionally, they may utilize an unencrypted email service to transmit information within or outside the firm. While these general processes may be appropriate under general confidentiality standards applicable to attorneys, they may not comply with heightened obligations for safeguarding PHI under HIPAA. Understanding and adapting to risks associated with data and technology is also required by an attorney’s duty to provide competent representation.
Respond to and report violations
A business associate must timely respond to or report HIPAA violations or data breaches to the covered entity. These obligations are required to be set forth in the BAA between the covered entity and business associate. A business associate will also generally be required to report to the covered entity any security incidents, which are defined to include the “attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in a PHI system.” The covered entity is then obligated to make any necessary reports to individuals, the Department of Health and Human Services, or the media. Significantly, the Office of Civil Rights has authority to impose penalties on a business associate for non-compliance with these notification requirements.
An attorney business associate who is faced with a real or potential HIPAA violation, breach, or security incident should take prompt action to minimize the risk of data compromise. This will include timely notification to the covered entity, timely remediation of any remaining vulnerability (e.g., remote wiping of lost devices and recovery of improperly disclosed records), and compliance with other obligations pursuant to the BAA.
Cooperate with compliance investigations
HIPAA requires a business associate to comply with the federal government’s efforts to investigate complaints and ensure compliance. A business associate must permit the Office of Civil Rights to access “its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance.” For an attorney business associate, this broad right to access by the Office of Civil Rights to documentation maintained by the firm can be problematic under the attorney’s duty of confidentiality owed to clients. Attorneys may want to evaluate whether a prospective waiver from the client is necessary to protect against conflict between the obligation to cooperate with the Department of Health and Human Services and the professional obligation to safeguard information.
The obligations imposed upon business associates are numerous and the consequences for non-compliance are significant. Before agreeing to be bound by a BAA and corresponding HIPAA requirements, attorneys should confirm they fit within the statutory definition as a business associate. While some covered entities and vendors take an ultra-conservative approach to HIPAA compliance by requiring all service providers to enter into a BAA, attorneys should exercise caution against subjecting themselves to HIPAA compliance unnecessarily.
If an attorney does qualify as a business associate under HIPAA, it is important to conduct a thorough risk analysis and determine those measures that will be necessary to ensure compliance not only with HIPAA, but also the attorney’s professional responsibilities in representing a covered entity and business associate clients. Finally, before executing a BAA, an attorney may want to confirm that their malpractice insurance carrier will provide appropriate coverage for any assumed obligations under the BAA.
Lisa M. Carlson is a healthcare and corporate law attorney in the Boise office of Holland & Hart, LLP. Her practice includes supporting hospitals, physicians, administrators, and business partners to implement effective strategies for legal compliance and risk mitigation. Outside of work, you will likely find her enjoying the great Idaho outdoors with her husband and three teenagers.
 Dep’t of Health & Human Servs., Enforcement Results as of Dec. 31, 2019, , https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
 A covered entity is generally defined to include health plans, health care clearinghouses, and health care providers. 45 C.F.R. § 160.103 (2013).
 Id. (defining “business associate”).
 Id. § 164.502(e).
 Id. § 160.400 et seq.; 42 U.S.C. § 1320d-6.
 DEP’T OF HEALTH & HUMAN SERVS., Direct Liability of Business Associates (May 24, 2019) https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.
 45 C.F.R. § 160.404. These numbers are adjusted annually and listed in the table found at 45 C.F.R. § 102.3.
 Id. §§ 160.401, 164.404, 102.3.
 Id. § 160.406.
 Id. §§ 164.308(b), 164.502(e).
 Id. § 164.504(e).
 See Id. § 164.502(a)(4)(ii).
 See Idaho Rule of Professional Conduct (I.R.P.C.) 1.6.
 See I.R.P.C. 1.8(h).
 45 C.F.R. §§ 164.308(b)(2), 164.314(a)(2).
 Id. § 160.103.
 Id. § 164.504(e)(1).
 45 C.F.R. §§ 160, 164.
 Id. § 164.502.
 Id. § 164.300 et seq.
 42 U.S.C. § 17931. See also note 6.
 See I.R.P.C. 1.1, cmt. 8.
 45 C.F.R. §§ 154.410, 164.504(e)(2).
 Id. § 164.304.
 Id. §§ 164.404, 164.406, 164.408.
 Id. § 164.410. See also note 6.
 45 C.F.R. § 160.310(c)(1).
 See I.R.P.C. 1.6.