Ethics in Brief

Ethics in Brief is designed to present ethical issues that practitioners might well face on a daily basis. It is a service of the Legal Ethics Committee of the San Diego County Bar Association for SDCBA members.

HIPAA Omnibus Final Rule: One Year Anniversary and Impact on Attorneys as Business Associates

Introduction and Brief History
January 25, 2014 marks the one year anniversary of the publication of the long-awaited omnibus final rule (“Final Rule”) by the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”).  The Final Rule implemented many proposed regulations, and addressed other provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) in accordance with the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).  This article addresses the most pertinent changes affecting attorneys as business associates who receive protected health information (“PHI”) from a covered entity.  Please note that additional requirements by state-specific privacy laws may apply.

A covered entity is a health care provider, health plan, or clearinghouse that transmits health information electronically in connection with a transaction for which the OCR has adopted a standard.  A business associate is an individual (or entity) who (1) is not a member of the covered entity’s workforce, (2) creates, receives, maintains or transmits PHI for a covered entity within a regulated activity or function, and (3) provides legal services to the covered entity that require the attorney to access PHI.  PHI is individually identifiable health information that is transmitted or maintained in any form.  This information identifies, or there is a reasonable basis to believe that it can be used to identify, an individual.  The actual “health information” is broadly defined to include any information, oral or recorded in any form, relating to the physical or mental health or condition of an individual, the health care provided to an individual, or payment for health care provided to an individual.

Understanding the Changes and Deadlines
Although the Final Rule was effective March 26, 2013, business associates were not required to comply with most of its provisions until September 23, 2013.  The most significant updates affecting business associates resulted from the incorporation of changes in the HITECH Act.  First, the definition of a business associate was expanded to include a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.  Second, a business associate is now directly liable for violations of the HIPAA Privacy and Security Rules.  Third, the Final Rule requires updated provisions in business associate agreements (“BAA”) to reflect the incorporated changes from the HITECH Act.  The updated provisions must specify that the business associate has to (1) abide by the HIPAA Security Rule concerning electronic PHI, (2) report breaches of unencrypted PHI to the covered entity, and (3) certify that, if used, a subcontractor will agree to the same requirements that apply to the business associate regarding the handling of PHI.

Nevertheless, the Final Rule provided a “transition” period for compliance with the required updated BAA provisions.  This allotment essentially postpones the deadline for compliance by one year for existing BAAs.  Therefore, current BAAs are compliant (for an additional year from September 23, 2013) unless they are renewed or modified in the interim.  In other words, if an attorney enters into a new BAA with a covered entity today, he or she must use the updated BAA provisions.  Moreover, if an attorney and covered entity modify or renew an existing BAA, the BAA must contain the updated BAA language.  Finally, if no renewal or modification takes place, the existing BAA between the attorney and client is valid until September 23, 2014, at which point it must be amended to include the updated provisions.

What This Means to Attorneys as Business Associates Going Forward
The extension of the covered entity’s responsibilities to business associates now brings possible civil and criminal liability to the forefront.  HIPAA civil fines for noncompliance can be up to $50,000 per violation (or a maximum of $1.5 million for repeated violations) depending on the degree of culpability, and criminal penalties may result in up to ten years in prison.  When combined with state penalties, these numbers may be even higher, and land an unwary attorney with front-page publicity of the wrong kind.  Anyone can file a complaint with the OCR if he or she believes that a violation occurred since the complainant need not be an actual victim.  The federal government will then decide whether to investigate and impose a fine or penalty.  Separately, noncompliance may also involve state bar discipline for attorney misconduct or causes for legal malpractice and, in California, individual patients can bring private lawsuits when their PHI has been negligently released in violation of state law.

Attorneys as business associates must immediately comply with the HIPAA Security and Privacy Rules.  That means that they will need to conduct a security risk assessment and draft a security policy for handling client electronic files that contain PHI.  Further, attorneys will need to implement HIPAA privacy policies regarding the use, disclosure, maintenance and destruction of PHI in any form.  Finally, if attorneys have not done so already, they are advised to audit their existing BAAs and come into compliance with the updated provisions, especially if they use subcontractors.

– Linda Hunt Mullany, Gordon & Rees LLP
– Ofer Barlev, Gordon & Rees LLP
– Charles Berwanger, Gordon & Rees LLP
**No portion of this summary is intended to constitute legal advice. Be sure to perform independent research and analysis. Any views expressed are those of the author only and not of the SDCBA or its Legal Ethics Committee.**