United States: "BAA" Is Not A Sound A Sheep Makes

Calling all litigators: Do you know what a "BAA" is? Well, if your practice ever involves the review or dissemination of personal health information, listen up. HIPAA's latest mandate may directly subject you to the penalties associated with the disclosure of medical information.

Let's start with the basics. As initially chartered, HIPAA's regulations precluded the use or disclosure of individually identifiable health information ("PHI") by a "covered entity"(health insurers, health care clearinghouses and health care providers) without patient authorization. Covered entities, in turn, were responsible for ensuring compliance of their employees, business associates, and others who, on behalf of the covered entity, maintain or transmit PHI. Over time, HIPAA's enforcement and oversight extended to business associates who became directly responsible for compliance.

More recently, HIPAA was amended to broaden the definition of a "business associate" to include lawyers (that's us!) and other professionals who receive PHI from covered entities. Now that lawyers may be subject to penalties for privacy and security breaches, it is time to change the way PHI is treated before, during, and after it ends up in our office.

Step #1 – Do I need a business associate agreement and if so, do I have one that fulfills the regulatory requirements?

If I have been hired by a covered entity and my services will include a review of PHI, then I need to prepare and execute a business associate agreement ("BAA") with the client prior to my review of PHI. As drafted, the BAA must incorporate the privacy and security assurances consistent with HIPAA standards.

Step #2 – If I hire an expert to provide consulting services in connection with the review of PHI, does that expert need a BAA?

Yes, and if the expert does not know this, consider using another expert. The expert should have a separate BAA with the covered entity, and if the expert utilizes the services of a subcontractor, the expert must have a contract with the subcontractor to ensure HIPAA compliance. Subcontractors in litigation services, including court reporters and translation companies, are already considering the need for their own form of agreement to satisfy HIPAA's new standards.

Step #3 – Do I need to consider safeguards in the electronic delivery of PHI?

There are a number of ways to protect information received from a client in electronic form. Business associates should encrypt their system to ensure additional privacy and security protection. In addition, whether the PHI is electronically or manually forwarded, efforts should be made to provide only the "minimum necessary." In most cases, patient identifiers can and should be removed prior to transmission.

Step #4 – Can I store and file PHI the same way that I treat other client records?

Nope. Additional protections should be in place to safeguard PHI. To the extent medical records are in your office, they should be maintained in a locked file drawer to prevent unintended disclosures.

Step #5 – My health care provider has been served with a subpoena to produce a patient's medical records. Since there is an exception to HIPAA allowing for the production of PHI in response to a subpoena, do I need to be concerned?

You need to be careful here. First, while there are exceptions to HIPAA's broad reach, you need to be mindful of whether your provider has obtained a HIPAA compliant authorization that incorporates the new standards. In addition, the production of documents beyond the scope of the exception may expose the provider to the penalties associated with a HIPAA breach. If, for example, the subpoena requests information relating to a personal injury matter and the patient's medical record includes information regarding mental health, addiction or other unrelated and potentially sensitive information, the provider must obtain a separate authorization to release such records.

Step #6 – What do I do with PHI when the case is over?

The BAA should outline the lawyer's responsibilities with respect to the PHI when the case is completed. It may be maintained, returned or destroyed in a manner consistent with the BAA. If it is maintained in the office, it should be stored in a locked drawer as set forth above.

HIPAA's reach continues to redistribute responsibility for compliance. Make sure that your practice can withstand regulatory scrutiny by developing practices that protect PHI consistent with HIPAA's heightened standards and broad reach.

So, now that you know what a "BAA" is, make sure that you don't lose credibility by referring to "HIPPA." It is not an animal and it only has one "P."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.