
HIPAA in the Law Firm?

The question has been posed — are law firms governed by HIPAA?  Unfortunately, the answer is “sometimes.”  In order to support the “sometimes,” you first need to understand the “spirit” or intent of HIPAA and its relationship to law firms.  The Health Insurance Portability and Accountability Act of 1996 was assembled and passed for a number of reasons.  The primary objective of the regulation was to introduce standards related to transactions, coding, identifiers, security and privacy.  To that end, the regulation was assembled with five sections (titles), two of which are the focus of this article (given their relationship to IS) — privacy and security.

April 14, 2003 was the effective date (read compliance deadline) for the privacy rule.  The purpose of this rule was two-fold:  first, to educate patients that healthcare providers collect and manage collections of information about the patient; second, to force providers to describe with whom and under what circumstances they will share this information and give the patient individual rights.  This has been widely implemented through the use of agreements which patients sign at the time service is delivered.

The effective date for the security rule was April 21, 2005 (April 21, 2006 for small healthcare plans).  This rule describes security as “confidentiality, integrity and availability” and mandates that steps be taken by healthcare providers to preserve the security of the healthcare information described in the privacy rule (now known as Personal Healthcare Information or PHI).  The details of this regulation prescribe numerous requirements and addressable features of a “comprehensive security program,” but it remains technology agnostic and provides little in the way of guidance towards establishing compliance.

Now the twist — the privacy and security rules generally follow the information, not the provider.  However, this doesn’t exactly mean that if you are in possession of PHI you need to invest in the comprehensive security program and start distributing contracts describing how you will use the PHI under your care.  The parties who drafted the regulation realized that this would have widespread ramifications (read costs) if applied generally.  So, they directed focus toward healthcare providers and encouraged providers to share the responsibility for a comprehensive security program with their security providers, which brings us to law firms.

While law firms are not directly accountable for demonstrating a comprehensive security program, which protects the privacy and ensures the security of PHI, they have begun to receive shared responsibility via a vehicle described in the regulation — a Business Associate Agreement.  The purpose of the Business Associate Agreement is to contractually establish the expectations of the service provider (e.g., hospital, clinic, etc.) toward its vendor (e.g., law firm) if the service provider intends on providing PHI to that vendor.

So, here is where you come in.  As an agent of the organization (which you are if you are a manager, director or officer), you need to be apprised if your organization will be receiving PHI (generally in electronic form known as EPHI).  You may be personally liable if the security or privacy of the EPHI is breached while under your care.  Once notified of the intent to receive (the key here is that you need to know before the EPHI is on your system/site), you need to negotiate a Business Associate Agreement you can demonstrate (read produce documentation).  Once the agreement has been executed, you need to follow through on the agreement — to the letter.

Now you’re thinking — okay, I need a Business Associate Agreement, but what will or should it include?  Simply put,  one of your attorneys will draft something that is vague, slippery and that will surely be modified prior to acceptance by the service provider.  However, the final version will likely include “Incident Response,” “Notification,” duration/life of the agreement and termination parameters.  Now, it becomes your job to develop technologies, processes or procedures that establish compliance with the agreement.

And, as if the process weren’t already difficult, here’s the icing on the cake.  Since this regulation is technology agnostic, there is little guidance describing what technologies or projects to implement or complete to establish compliance.  This approach was selected because every organization is different, thus making prescribed technology impossible.  As a general rule, you should consider how this information is protected while at rest and in transit, as well as authorization and authentication schemas.  When applied in a layered approach, this will go far toward demonstrating compliance or at least “due care,” if audited.

Finally, without case law (which would be impossible given the effective date of the security rules), it’s difficult to measure potential quantitative damages (read how much would the fine be?).  However, when you talk to your managing partner, he/she will likely value the firm’s reputation slightly more than the money or time you’ll need to invest in your compliance/security program.

About our author . . .

Adam Hansen is Manager of Information Security at Sonnenschein Nath & Rosenthal LLP.  He can be reached at ahansen@sonnenschein.com.
