Law Firm Liability Under HIPAA

Recent surveys indicate that the large majority of law firms, large and small, are unaware of their exposure under HIPAA and the HITECH Act, which extended HIPAA's privacy and security obligations and, through the 2013 Omnibus Rule, made business associates directly liable for many of them. Firms are generally sensitive to the need for HIPAA authorizations and to the confidentiality of protected health information (PHI), but the full range of requirements and liabilities that can fall on them is far less well understood.

Medical records containing both health information and identifying information come into the possession of law firms from covered entities such as hospitals, rehabilitation centers and physician practices. A law firm that creates, receives, maintains or transmits such PHI while performing legal services on behalf of a covered entity is a business associate of that entity; the lawyers and staff who handle the data, electronically or on paper, are the business associate's workforce. Federal law requires a written business associate agreement between the covered entity and the firm in those circumstances. The agreement must set out the protections that HIPAA/HITECH impose on the records, the permitted uses and disclosures, and each party's responsibilities if there is a breach. One caveat a practitioner should keep in mind: a firm that obtains records as an adversary, for example through a subpoena or a patient's authorization in litigation against the provider, is not a business associate of that provider, but the firm still holds sensitive data that state privacy laws, the rules of professional conduct and its own client obligations require it to safeguard.

Law firms that hold such records electronically are expected to encrypt them, particularly on mobile platforms such as tablets, laptops and phones. Under the HIPAA Security Rule, encryption of electronic PHI is an "addressable" specification: a business associate must either implement it or document why it is not reasonable and what equivalent safeguard it uses instead. In practice, full-disk encryption of portable devices is the baseline, and several state data-security laws require encryption of personal information on portable devices outright. Encryption also has a direct liability payoff: under HHS guidance, PHI on a lost or stolen device that was properly encrypted is considered unusable, so the loss is not a reportable breach. Many firms still believe that encryption is all a business associate needs to do to be compliant. In fact, avoiding the significant penalties or damages that follow a HIPAA violation requires a good deal more, and more vigorous enforcement of HIPAA against business associates, large and small, is on the horizon.

At the outset, a firm that subcontracts work involving PHI to experts, consultants, copy services or data-analysis vendors must have business associate agreements with those subcontractors. Faced with an audit or a whistleblower complaint, the firm must be able to produce an acceptable HIPAA manual that sets out its written policies and procedures for the privacy and security of protected data, and it must have completed and documented a risk analysis of where PHI is stored, how it moves and what could go wrong. The firm will need to show that it actually enforces those policies and that it trains both new and current employees whose jobs expose them to protected data. Breach notification and remediation procedures must be in writing and understood; a business associate must notify the covered entity of a breach without unreasonable delay, and in no case later than 60 days after discovery, so the procedure should state who decides a breach has occurred and who makes the notification. A HIPAA compliance officer should be designated so that there is a single point person responsible for enforcement.

The workforce should also know how paper containing protected information is to be handled, including a policy for destroying such records within a defined period after a case concludes, and how electronic and paper records may be transmitted to third parties. That a law firm received information properly from a health care facility or another party does not mean the data can be passed on to others without limit; the permitted uses in the business associate agreement and the minimum-necessary standard still apply.

Both law firms and lawyers need to understand that a violation of their obligations under HIPAA/HITECH can implicate the ethical duty of competent representation under Rule 1.1 of the Rules of Professional Conduct and the duty under Rule 1.6 to make reasonable efforts to prevent unauthorized disclosure of client information, can compromise the attorney-client privilege, and may well constitute legal malpractice.

For many years, law firms and lawyers have mistakenly assumed that liability for HIPAA compliance rested with health care providers, with lawyers as peripheral "business associates." Since the 2013 Omnibus Rule, that assumption has been wrong as a matter of law: business associates are directly subject to the Security Rule and to the Privacy Rule provisions governing use and disclosure, and can be penalized directly by HHS. Wise practice in 2019 and beyond is to recognize that we are exposed to virtually the same requirements as our health care clients or the parties that supply us with protected records. Firms need to assess their HIPAA compliance and implement the safeguards that will avoid potentially substantial damage.

Thomas Leyhane is Of Counsel to Hoagland Longo’s Health Care Law Department and HIPAA Compliance Officer. For more information, please contact him at or call (732) 545-5717.