New HIPAA Rule, New Liability for Lawyers

This article is for informational purposes only. It is not intended to be used in place of professional advice, treatment, or care in any way. Lawyers, law students, judges, and other legal professionals in Massachusetts can find more on scheduling a Free & Confidential appointment with a licensed clinician here.

Earlier this year, new HIPAA regulations were implemented under the HIPAA Omnibus Rule. The rule extends certain requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Those requirements include privacy, security, enforcement and breach notification rules. Under the new rule, “business associates” and subcontractors are directly liable for compliance with HIPAA/HITECH. Noncompliance may result in significant civil monetary penalties and other enforcement actions. Attorneys who do business with HIPAA-covered health care entities or business associates of those entities may be impacted as a result of these changes.
Following the September 2013 compliance deadline, attorneys who handle HIPAA-related matters should increase their vigilance and implement the precautions needed to protect PHI (protected health information) as required by HIPAA and HITECH. Here are some suggested steps that law firms can take to help ensure compliance and mitigate risk:

  • Firms can examine existing business associate contracts, firm policies, and procedures to ensure that PHI is being protected in accordance with HIPAA standards. Flagging HIPAA-related matters at intake helps draw attention to them so that the information is handled with the proper care.
  • Firms can review service agreements with third-party vendors and service providers (such as cloud service providers) that handle PHI to ensure security and HIPAA compliance. (Recall that Massachusetts’ data privacy laws and regulations require vetting and contracting with third-party vendors and service providers that have access to confidential information.) Firms should establish protocols for vetting new vendors and service providers that touch PHI.
  • Firms can revisit current malpractice policies to determine whether additional coverage is needed. A cyber insurance policy can cover the cost of a data breach and its notification requirements, fines and penalties, litigation, data corruption or loss, and more.

For more information, discussion and resources for health care law practitioners, visit My Bar Access and join the Massachusetts Bar Association’s Health Law Section.
This post originally appeared in the Massachusetts Bar Association’s eJournal.
