
New HIPAA Rule, New Liability for Lawyers

This article is for informational purposes only. It is not intended to be used in place of professional or legal advice in any way. Lawyers, law students, judges, and other legal professionals in Massachusetts can find more on scheduling a Free & Confidential consultation with a law practice advisor here.

Earlier this year, new HIPAA regulations were implemented under the HIPAA Omnibus Rule. The rule extends certain requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Those requirements include privacy, security, enforcement and breach notification rules. Under the new rule, “business associates” and subcontractors are directly liable for compliance with HIPAA/HITECH. Noncompliance may result in significant civil monetary penalties and other enforcement actions. Attorneys who do business with HIPAA-covered health care entities or business associates of those entities may be impacted as a result of these changes.
Following the September 2013 compliance deadline, attorneys who handle HIPAA-related matters should increase their vigilance and implement the precautions needed to protect PHI (personal health information) as required by HIPAA and HITECH. Here are some suggested steps that law firms can take to help ensure compliance and mitigate risk:

  • Firms can examine existing business associate contracts, firm policies and procedures to ensure that PHI is being protected in accordance with HIPAA standards. Flagging HIPAA-related matters upon intake can help draw attention to those matters to ensure that information is handled with the proper care.
  • Firms can review service agreements with third-party vendors and service providers (such as cloud service providers) that handle PHI to ensure security and HIPAA compliance. (Recall that Massachusetts’ data privacy laws and regulations require vetting and contracting with third-party vendors/service providers that have access to confidential information.) Firms should establish protocols for vetting new vendors and service providers that touch PHI.
  • Firms can revisit current malpractice policies to determine whether additional coverage is needed. Adding a cyber insurance policy can cover the costs of a data breach, including notification requirements, fines and penalties, litigation, data corruption/loss and more.

For more information, discussion and resources for health care law practitioners, visit My Bar Access and join the Massachusetts Bar Association’s Health Law Section.
This post originally appeared in the Massachusetts Bar Association’s eJournal.
