The best attorneys understand that earning — and keeping — their clients’ trust is one of the most critical factors for a successful practice. Law firm clients entrust their attorneys with sensitive personal information to help advance their case and rely on them to protect this information. However, if personal health information is involved, complying with the Health Insurance Portability and Accountability Act (HIPAA) will be another factor for attorneys to consider.
HIPAA, a federal law, requires health care providers and “business associates” to protect PHI from inadvertent disclosure. Since law firms are considered business associates, they must comply with HIPAA when handling PHI on behalf of their clients.
HIPAA violations and other kinds of data security breaches can not only have devastating financial and regulatory effects on law firms and their clients but often result in a breakdown of the attorney-client relationship. Failing to comply with HIPAA can also result in astronomical financial penalties. Therefore, awareness of possible HIPAA violations and ways to avoid them is crucial for any law firm handling PHI.
This article outlines what you need to know to be HIPAA-compliant, including a HIPAA compliance checklist for law firms and how to select legal practice management software that can help you manage your HIPAA obligations.
HIPAA’s rights for individuals
HIPAA protects the privacy and security of individuals’ identifiable health care information and establishes rights regarding an individual’s ability to access and obtain their health information.
Organizations that must follow HIPAA are called “covered entities”, and include:
- Health care plans (such as health insurance companies, health plans, and government programs like Medicare and Medicaid);
- Health care providers (such as doctors, hospitals, and other medical professionals); and
- Health care clearinghouses.
However, HIPAA obligations do not end with health care professionals. Suppose an attorney deals with health care, health plan, or insurance information. In that case, they’re considered a “business associate” that must implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
What firms must comply to HIPAA?
All American attorneys — especially those who access protected health information (PHI) from “covered entities” —should be acutely aware of HIPAA compliance for law firms. While HIPAA is often associated with the health care sector, law firms who possess or process PHI on behalf of their clients are also subject to HIPAA. Attorneys are likely to handle PHI in practice areas like personal injury, insurance defense, malpractice, and elder law. However, attorneys in other areas may also deal with PHI and therefore need to follow HIPAA’s security and data privacy standards.
Who must follow HIPAA’s requirements?
Anyone who handles personal health information must comply with HIPAA. Therefore, in the law firm setting, educating employees and anyone else who might come into contact with PHI for your law firm’s work is paramount to ensuring compliance.
Also, law firms must ensure that any parties they work with are HIPAA-compliant. These “parties” may include subcontractors, practice management service providers, or expert witnesses.
The dangers of HIPAA non-compliance
Violating HIPAA can have devastating consequences for a law firm, even if the violation was accidental.
HIPAA violations typically result in fines. The amount of the penalty depends on the seriousness of the violation, as follows:
- Tier one— 120 to $ 30,113 per violation. Tier one fines could be applied where the non-compliant law firm was unaware (and could not reasonably have been aware) of the violation.
- Tier two— $ 1,205 to $ 60,226 per violation. Tier two fines could be applied where the non-compliant party was unaware of (but there was reasonable cause for) the violation.
- Tier three— $ 12,045 to $ 60,226 per violation. Tier three fines could be applied where the violation was caused by wilful neglect but was corrected promptly.
- Tier four — 60,226 per violation. Tier four fines could be applied where the violation was caused by willful neglect and was not corrected promptly.
Moreover, if a law firm violates HIPAA multiple times in one calendar year, the fines can skyrocket to $ 1,806,757 per violation.
HIPAA non-compliance can have other effects on a law firm. For example, a HIPAA violation can destroy client relationships. It can also result in consequences for legal malpractice insurance and compliance with a firm’s professional conduct obligations.
The most common HIPAA violations
Understanding where things often go wrong will help your law firm comply with HIPAA. Some of the most common areas where an attorney or law firm might violate their HIPAA obligations are:
- Failing to enter into a HIPAA-compliant business associate agreement.
- Failing to obtain satisfactory assurances from third-party vendors and business associates;
- Inappropriately disclosing or disposing of PHI.
- Insufficient firm-wide risk management processes or analyzes (including employee training).
- Failing to report a HIPAA breach to HHS and other authorized entities or exceeding the 60-day deadline for issuing breach notifications.
How law firms can ensure compliance
The best way to avoid HIPAA violations is to understand your HIPAA obligations. Understanding business associates’ physical, technical, and administrative safeguards is a good starting point.
- Administrative: Implementing policies and procedures to prevent and detect HIPAA violations. Training on HIPAA compliance for all staff members is essential.
- Technical: Controlling access to systems that contain PHI. Passwords, encryption, and other technical safeguards are key components of this requirement.
- Physical: Ensuring the security of offices, networks, data, and technology. Limit access as much as possible within your firm. For example, leaving a laptop that contains PHI in a public area (such as a cafe) represents a HIPAA violation.
HIPAA compliance checklist for law firms
To avoid HIPAA violations, start by implementing the following HIPAA checklist for law firms:
- Enter business associate agreements with clients and subcontractors (where appropriate).
- Ensure you are complying with the administrative, physical, and technical requirements for data protection under HIPAA.
- Administrative: Ensure staff know how to deal with PHI and have policies and procedures in place addressing HIPAA compliance;
- Physical: Security measures limiting physical access to systems or areas containing PHI.
- Technical: Encryption, unique usernames and passwords, and other technologies that protect data.
- If a breach occurs, notify the Office for Civil Rights (OCR) promptly and cooperate with any questions or investigations.
- Consider law firm practice management software that helps manage HIPAA compliance for law firms.
Law firm management software and HIPAA
HIPAA compliance for law firms is easy with the right legal practice management software. Notably, software providers are “business associates” to the law firms and must agree to HIPAA’s privacy and data security standards when handling PHI. The right LPM software takes the guesswork out of HIPAA compliance while helping you protect your client’s privacy rights.
It might surprise you to know that not every legal practice management software helps with HIPAA compliance. As a result, when selecting a legal practice management software provider, customers should demand, at a minimum, that their legal practice management software provides:
- A business associate agreement,
- rigorous internal testing and examination, and
- a continued commitment to HIPAA compliance.
For example, Clio has completed an internal HIPAA attestation examination by reviewing and meeting the 658 standards in StandardFusion, a risk management platform, to measure and document our HIPAA compliance. Clio’s data security standards adhere to industry best practices for client data management. While Clio’s HIPAA add-on for Clio Manage and Clio Grow customers is a relatively new offering, we’ve long set the pace for data security amongst legal practice management providers by meeting the technical standards required for business associates under HIPAA.
By meeting these standards, Clio continues to demonstrate its ability to help customers fulfill their PHI obligations and store and process data in line with HIPAA standards.
Final thoughts on HIPAA compliance for law firms
Clients trust their attorneys to keep them compliant with their data protection responsibilities. For law firms handling PHI, HIPAA compliance is an absolute requirement.
Implementing a HIPAA compliance checklist for law firms can help everyone at your firm understand their HIPAA obligations. However, adopting industry-leading legal practice management software like Clio can assist with HIPAA compliance for law firms in day-to-day work.
In conclusion, demand only the highest standards from legal practice management software providers and work with companies who have demonstrated a continued commitment to HIPAA compliance for law firms. By selecting the right provider, you can protect your law firm from inadvertent disclosure of PHI and focus on providing top-quality legal services for your clients.