A myth about the practice of law, one that even some lawyers believe, is that the attorney-client privilege shields lawyers from HIPAA compliance requirements. It does not. Balancing both is essential to maintain client confidentiality and patient privacy. (The terms lawyer, attorney and law firm are all used in today’s blog, and are interchangeable here.)
Some administrative history about the lawyer/business associate requirements can help lawyers meet their ethical responsibility to maintain client confidentiality if their HIPAA compliance is investigated.
Lawyers who represent health care providers, health plans or health care clearinghouses need to comply with HIPAA if they encounter protected health information (PHI) during their representation. They are HIPAA business associates and are directly liable for their own HIPAA compliance. This applies only to outside counsel, however, and not to in-house lawyers. As workforce members of a covered entity, in-house lawyers maintain HIPAA compliance by following their employer’s HIPAA policies.
HIPAA Business Associate Definition
Business associates are vendors (to a covered entity) that “create, receive, maintain or transmit” protected health information (PHI); they are required to follow HIPAA and are directly liable for HIPAA compliance. This has been true since the 2009 HITECH Act’s final rule was issued in 2013, amending the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.
Nearly every covered entity has vendors and contractors who help it carry out its responsibilities. Work that is typically performed by vendors and involves PHI includes: collections, billing or coding, practice management, answering services, records storage, remote IT back-up, and legal services, among others.
As defined by the HIPAA Rules, a lawyer or law firm is:
- A business associate when it represents a covered entity in a matter that requires the covered entity to disclose PHI to the lawyer or law firm; and
- A subcontractor business associate when it represents a business associate in a matter that requires the business associate to disclose PHI to the lawyer or law firm.
Ordinary Business Associates
The HIPAA Privacy Rule requires business associates to:
- disclose PHI to the Secretary of the U.S. Department of Health and Human Services (HHS) to investigate the business associate’s HIPAA compliance; and to
- make its internal practices, books and records relating to the use and disclosure of PHI by the covered entity available to the Secretary to evaluate the covered entity’s HIPAA compliance.
These disclosure requirements broadly cover all PHI maintained by a business associate, and all of its internal practices, books and records relating to the use and disclosure of PHI received from a covered entity, without mention or exemption of materials that are within the scope of attorney-client privilege or subject to protection under the work product doctrine.
A Lawyer is a Special Kind of Business Associate
Lawyers have a separate professional responsibility to protect attorney-client privileged and work product material, and yet under HIPAA, business associates are required to disclose information to the HHS Secretary to aid an investigation.
Attorney-client privilege protects communications between clients and attorneys in confidence for the purpose of obtaining or providing legal assistance for the client.
Waiver – The attorney-client privilege belongs to the client, and only the client has the right to waive that privilege. A client has the right to direct an attorney to waive the privilege on the client’s behalf, and the attorney must do so. The privilege may also be waived unintentionally if confidentiality is broken, that is, if a confidential communication is disclosed to a third party who does not have a right to receive it.
Work Product Doctrine
Work Product is material prepared in anticipation of litigation. There are two categories: documents and other tangible items prepared in anticipation of litigation or for trial, and documents containing mental impressions, strategies and plans prepared in anticipation of litigation or for trial.
Right to Protect Work Product – Both the attorney and the client have the right to protect Work Product. Unlike the attorney-client privilege, which belongs to the client alone, attorneys have an independent right to protect their own Work Product.
HHS Administrative History Provides Guidance
When the rule treating lawyers as business associates was first published for comment, before being finalized, some commenters objected, saying it would interfere with attorney-client privilege. Another commented that the requirement to return or destroy PHI at the end of the business associate contract conflicts with the professional responsibility to maintain client records.
HHS responded that it would not exempt attorneys from the business associate requirements; however:
The Privacy Rule is not intended to interfere with attorney-client privilege.
HHS does not anticipate that it will be necessary for the Secretary to have access to privileged material in order to resolve a complaint or investigate a violation of the Privacy Rule.
With respect to the requirement to return or destroy PHI, regulators pointed out that the Rule requires the return or destruction of PHI at the end of the contract only where feasible or permitted by law. If return or destruction is not feasible, the contract must state that the information will remain protected after the contract ends for as long as the lawyer/business associate maintains it, and that further uses and disclosures of the information will be limited to those purposes that make the return or destruction infeasible.
How to Respond to Investigations by the Secretary
If a lawyer or law firm is investigated for HIPAA compliance and the investigation includes a request to disclose PHI, here is what we suggest (this is not legal advice):
- Disclose PHI not within the scope of attorney-client privilege or the Work Product doctrine;
- Withhold PHI within the scope of attorney-client privilege unless the client chooses to waive its attorney-client privilege;
- Withhold materials covered by the Work Product doctrine unless both the lawyer/law firm and the client choose not to protect that material; and
- Inform the Secretary that the lawyer or law firm maintains, but is not disclosing, certain materials containing PHI, in accordance with the requirements to maintain attorney-client privilege or to protect Work Product material.
How a Lawyer or Law Firm can Comply with HIPAA
- Put someone in charge with authority – this should be a lawyer
- Maintain up-to-date HIPAA Policies and Procedures
- Coordinate Privacy Official and Security Official responsibilities
- These functions may be held by one person, especially in a sole practice or smaller firm
- Perform an annual Risk Analysis and follow it with Risk Management
- Follow the Minimum Necessary Standard
- Provide workforce training to all staff who encounter PHI