HIPAA & Law Firm Liability

Third-Party Service Providers & Law Firm Liability

Law firms routinely work with sensitive information and it's common practice to implement security procedures to guard said information. Preventing unwanted exposure of sensitive information or data protects a firm’s clients, the firm’s reputation, and ultimately their business. When it comes to personal health information, however, firms can unknowingly be exposed to financial risks not because of their security policies but because of the policies used by outsourced service providers. Working with reputable third-party service providers and understanding their policies and practices helps firms reduce their liability and maintain their reputation.

In this whitepaper we explore HIPAA and how it applies to law firms, how third-party service providers can lead firms to become liable under HIPAA, and finally best practices law firms can act on to protect themselves from violations and penalties.

Included in this whitepaper

HIPAA Background Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created national standards protecting confidential health information from being disclosed without patient consent. With the passage of HITECH in 2009, law firms working on behalf of covered entities are now required to implement the same privacy and security requirements as the covered entities they serve.

HIPAA & Subcontractors

The HIPAA Omnibus Rule of January 2013 clarified requirements and made business associates of covered entities, as well as their subcontractors, directly liable for compliance with HIPAA’s Privacy and Security rules. This change increases firms’ exposure to HIPAA penalties by making them potentially liable for breaches caused by any outside service provider that handles PHI.

How Law Firms Become Liable Under HIPAA

With the expansion of HIPAA, business associates (law firms) became directly liable for violations. In this section we examine Business Associate Agreements (BAA) and how if not implemented correctly, law firms can be liable for service provider violations.

HIPAA Penalties

Penalties for violating HIPAA result in substantial fines ranging from only $100 to $1.5 million. We examine the four tiers for HIPAA violations, the difference between them and the penalties for each.

Vetting Service Providers

Law firms that do not thoroughly do their due diligence can be held liable for PHI breaches resulting from their service providers. In this final chapter, we define how to perform proper due diligence and which questions to keep in mind when vetting a service provider.

Brandy Patrick is the President of the Record Retrieval Division of Lexitas. Ms. Patrick has over 17 years of experience in sales, operations, and mergers & acquisitions. Ms. Patrick is a thought leader in the industry, providing deep knowledge of HIPAA and the complex laws impacting record retrieval. Prior to her current role, Ms. Patrick was President of America First Legal Services, a premium record retrieval company acquired by Lexitas.

Connect:

Related Resources

HIPAA-Compliant Safeguards for Your Record Retrieval Partners

HIPAA-compliance is a complex detail that law firms cannot afford to overlook, especially when working with third parties who handle medical records.

When is the right time to outsource your records retrieval services?

Making the decision to outsource your records collection can be a challenging one. However, there are many benefits to doing so.

AI Technology and the Legal Industry

In this whitepaper we look at striking a balance between harnessing legal AI’s capabilities and navigating the regulatory landscape to fully leverage its benefits while upholding ethical and legal principles within the legal profession.