Last week they kicked off a series of articles about impending updates to HIPAA/HITECH rules, with the bold proclamation: "We are entering a new era of HIPAA enforcement where law firms will find themselves in the crosshairs of regulators.":
- "Legal professionals generally know that HIPAA is a federal health care law, but few understand how HIPAA privacy/security requirements impact law firms. For firms subject to HIPAA, distributed responsibility for compliance adds to the challenge of meeting a complex set of requirements. But fulfilling those requirements has suddenly become much more critical, given that the federal government will soon exercise its expanded enforcement powers pursuant to the HITECH Act. Specifically, the federal government will enforce HIPAA directly against law firms. With penalties for noncompliance at potentially six or seven figures, meeting HIPAA regulations has never been more important for law firms."
- "Few will be surprised to hear that law firms were not the intended regulatory target of the original 1996 HIPAA legislation... In 1999, the federal agency responsible for issuing HIPAA regulations--the US Department of Health and Human Services (HHS)--recognized that CEs outsource a variety of operational functions to third parties (like law firms) and may need to disclose protected health information (PHI) to those third parties. While such outsourcing is perfectly legitimate, when HHS issued the Final Privacy Rule in 2000, it took steps to ensure that third parties providing services to CEs would be obligated to protect PHI."
- "While signing a Business Associate Agreement before the HITECH Act did not directly expose firms to regulatory enforcement, firms were liable to their CEs if they breached provisions of their BAAs. A firm with a health care practice that failed to protect PHI in a reasonable manner would likely experience difficulty attracting new health care clients. However, as we’ll see in our next post the landscape changed dramatically with the HITECH Act, and firms under BAAs must now agree to comply with the entire Security Rule."