Law Firms With Access to PHI are Business Associates
Under new HIPAA rules, law firms with access to protected health information (“PHI”) most likely qualify as “business associates.” Pursuant to 45 CFR §160.103, a business associate is a non-employee of a covered entity who performs legal, actuarial, accounting, billing, administrative, accreditation, financial or similar services on behalf of the covered entity.
The HIPAA security and privacy rules permit a covered entity (healthcare plan, provider, or clearinghouse) to disclose protected health information to a business associate only if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. This satisfactory assurance must be documented through a written contract or other written agreement or arrangement with the business associate. 45 CFR §164.502 (e)(1)(2).
Without a Business Associate Agreement, There May be Trouble Under HIPAA
This provision signals that a law firm’s refusal to enter into such an agreement with a covered entity client could affect that client’s ability to do business with the firm while discharging its duties/responsibilities under HIPAA. Note that even if the firm does not sign a formal agreement or contract, the pertinent regulations suggest that if that firm represents a covered entity or a business associate of a covered entity, and the firm must access protected health information to do its job, such as defending a malpractice claim, business associate status may attach, with its attendant requirements. This is because the HIPAA rules now subject business associates, and not just covered entities, to new privacy, security, and breach-notification requirements that govern the handling of protected health information.
What a Business Associate Agreement Must Include
The HIPPA security and privacy regulations, particularly 45 CFR §164.504, specify that a Business Associate Agreement must:
1) establish the permitted uses and disclosures of PHI;
2) provide that the Business Associate will:
- not use or disclose the PHI other than as permitted or required by the Business Associate Agreement or as required by law,
- use appropriate safeguards to prevent use or disclosure of the PHI other than as permitted,
- report to the Covered Entity any use or disclosure not permitted by the Business Associate Agreement of which it becomes aware,
- ensure that any agents or subcontractors to whom it provides PHI agree to the same restrictions and conditions,
- make PHI available to the individual as provided in the regulations,
- make PHI available for amendment as provided in the regulations,
- make PHI available for an accounting as provided in the regulations,
- make its internal practices, books, records relating to the use of PHI available to the Secretary of Health and Human Services, and
- at termination, if feasible, destroy or return all PHI.
The foregoing list of requirements for Business Associate Agreements is not exhaustive, and the regulations indicate that other provisions agreeable to the parties can be incorporated in the contract. For example, in the context of an attorney-client relationship, it is recommended that a provision preserving the relevant attorney-client privileges be included in the Business Associate Agreement. However, other terms beyond those required by HIPAA should be limited and not impose any additional burdens on either party. For instance, a law firm business associate may consider indemnification/hold harmless language included in some business associate agreements to be extraneous, as such a clause would certainly burden the firm if a claim arose out of a breach of the agreement. In any event, the primary focus of law firms in this context should be internal implementation of the necessary safeguards to ensure compliance with the various obligations imposed upon the firm by the business associate agreement, as violation of the contract can result in fines and penalties.
Allen & Gooch is providing this legal update for informational purposes only. This article should not be construed as legal advice or a legal opinion as to any specific facts or circumstances. You should consult your own attorney concerning your particular situation and any specific legal questions you may have.