When the Health Insurance Portability and Accountability Act (HIPAA) took effect in 1996, a number of legal “gray areas” existed in that original law. At the top of the list: to what extent was a law firm obligated to protect the confidentiality of Protected Health Information (PHI) stored in their client records? There simply wasn’t a clear-cut answer back then; ask five different lawyers, and you’d probably get five different answers.
After 13 years of wading through ambiguity, those issues would be mostly settled by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Law firms are now clearly defined as “business associates” of a “covered entity”—the plaintiff or defendant in any legal matter in which PHI served as evidence.
As a Business Associate, the law firm is governed by strict IT procedures—about 40 “minimum necessary standards” in total—for safeguarding PHI stored in their electronic records. This affects virtually the entire IT configuration of the firm: document files, emails, authorized access and password security, encryption and firewalls, anti-malware protection, and even screen savers.
The Feds: Ignorance is No Excuse
According to HIPAA regulations, any lapse in those 40 minimum standards can be considered a direct data breach.
The penalty for a HIPAA violation—or failure to report it to Covered Entities/HHS regulators? A fine of up to $50,000 per incident, or a whopping $1.5 million per year.
Among the large number of Bay Area law firms we’ve worked with, a major problem we’ve noticed is that many don’t realize that HIPAA/HITECH compliance is actually retroactive for all legal records kept after 1996. If the firm used PHI in any case—from medical malpractice, an injury accident, or worker’s comp to elder care or estate planning—it is now bound by HIPAA/HITECH IT regulations. And if only one attorney on a law firm’s staff of 30 worked a PHI case, that means the entire firm’s IT environment may be subject to those IT rules from a practical perspective.
Know What You Don’t Know… Before It’s Too Late
If your firm is still unclear about the full scope of HIPAA/HITECH compliance, now is the time to admit it. We recommend an immediate, comprehensive IT “gap assessment” to identify any problem areas that fall under HIPAA governance—specifically how PHI is stored on onsite servers, Cloud-service vendors, desktop hard drives, mobile devices, and email. Security may also be a problem area, including password policy, workstation and server patching, filtering malware at your firewall, and even door locks!
Next, establish a formal HIPAA compliance policy that features employee security training. Conduct bi-annual audits to ensure your firm doesn’t fall out of compliance.
With heavy penalties at stake, you don’t want to go it alone. Work with a trusted IT partner who understands HIPAA regulations inside and out—and who will help you maintain airtight compliance. Like those old motor oil commercials used to say, you can pay now, or pay later.