Legal support services have become an important part of the legal system. Such services include the following: service of process; obtaining, translating, copying, and assembling documents for litigation; trial graphics; and the like. But here at Veterans Press and EMR Legal, we have been getting more and more queries from such services about whether and how the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) and its Department of Health and Human Services (“DHHS”) implementing regulations apply to such services. Unfortunately, no easy answer exists. The answer depends on who hired the service and what services it will provide.
Some lawyers and law firms have to comply with HIPAA directly as business associates. A business associate is a person or organization who performs a service for or on behalf of a covered entity involving protected health information (“PHI”). 45 C.F.R. § 160.103 contains the complete definition of a business associate. Covered entities are health plans, health care clearinghouses, Medicare prescription drug plan sponsors, and providers who submit a standard transaction in electronic format. The clause “submit a standard transaction in electronic format” modifies only the word “providers.” The standard transactions are primarily billing transactions. Thus, a law firm hired by a hospital to defend it in a malpractice case would be a business associate because it would be performing a service for the hospital involving PHI (the alleged malpractice victim’s medical records).
The 2009 Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (Title XIII, Subtitle D—Privacy, of the American Recovery and Reinvestment Act of 2009) expanded HIPAA’s criminal and civil liability to business associates. Thus, business associates not only may be indicted for a violation of 42 U.S.C. § 1320d-6 (the HIPAA criminal statute) but also are subject to HIPAA’s civil money penalties, which can reach as high as $50,000 per violation (HITECH Act § 13410(d)), and to a lawsuit in federal court (HITECH Act § 13410(e)). The first such lawsuit against a business associate (a debt collection service), which had to be brought on behalf of the aggrieved individual by the state attorney general, settled for $2.5 million.
Before the HITECH Act, a business associate had to comply only with the terms of the business associate agreement, with certain required contents, that the covered entity was required to put in place before using a service involving the use or disclosure of PHI. All such contracts required that the business associate implement reasonable and appropriate safeguards to protect the PHI, use and disclose the PHI only in a manner authorized in the agreement, and perform certain ministerial duties. Now, business associates must comply with the Security and Privacy Rules and other requirements to the same extent that covered entities must comply (HITECH Act § 13401).
And the so-called Omnibus Rule expanded the definition of business associates to include subcontractors of the business associate. In 45 C.F.R. §§ 164.306, 164.314(a), DHHS clarified the definition of “subcontractor” in § 160.103 to provide that subcontractor means “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” The addition of subcontractors means that all requirements and obligations that apply to direct contract business associates of a covered entity also apply to all downstream service providers. Thus, the rule makes it clear that subcontractors face the same criminal and civil liability as do covered entities and “upstream” business associates and must follow those Security and Privacy Rules applicable to business associates. Thus, if a law firm (an upstream business associate) hires a legal support service, the service, as a subcontractor (a downstream business associate), is itself a business associate. It is, however, the duty of the upstream business associate, not the covered entity, to get the business associate agreement in place with the subcontractor. Of course, if the legal support service outsources, for example, translation of health records to a “further” downstream subcontractor, it must get a business associate agreement in place with the translation service.
The plaintiff’s lawyer or law firm would not, however, be a business associate because he or it is not performing a service for or on behalf of the hospital that is the defendant. That does not mean that HIPAA has no implications for a law firm that is not representing a covered entity. HIPAA has rules concerning the production of health information and how it must be safeguarded even when one is not a covered entity or a business associate of one. Somewhat simplistically stated, even though a plaintiff puts his or her physical or mental health or condition at issue in a malpractice lawsuit, the plaintiff’s lawyer or the legal support service that he or she hires must still comply with the HIPAA discovery rules.
45 C.F.R. § 164.512(e) regulates uses and disclosures for judicial and administrative proceedings. It essentially makes uses and disclosures under state subpoena or court order permissible under the privacy rules. A covered entity may disclose PHI in the course of any judicial or administrative proceeding as follows:
- In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by such order.
- In response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or an administrative tribunal, if one of the following conditions applies:
  - The covered entity receives satisfactory assurance, as described below, from the party seeking the information that it has made reasonable efforts to ensure that the individual who is the subject of the PHI has been given notice of the request (§ 164.512(e)(1)(ii)(A)). For purposes of this subsection, a covered entity receives satisfactory assurance from a party seeking PHI in a written statement and accompanying documentation demonstrating that all of the following conditions apply:
    - The party requesting such information has made a good faith attempt to provide written notice to the individual or, if the individual’s location is unknown, to mail a notice to his or her last known address.
    - The notice included sufficient information about the litigation or proceeding in which the PHI is requested to permit the individual to raise an objection to the court or administrative tribunal.
    - The time for the individual to raise objections to the court or administrative tribunal has elapsed, and either no objections were filed, or all objections filed have been resolved, and the disclosures being sought are consistent with such resolution.
  - The covered entity receives satisfactory assurance from the party seeking the information that it has made reasonable efforts to secure a qualified protective order that meets the requirement of § 164.512(e)(1)(v) and § 164.512(e)(1)(ii)(B). A covered entity receives satisfactory assurance from a party seeking PHI if the covered entity receives from such party a written statement and accompanying documentation demonstrating that either of the following conditions applies:
    - The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute.
    - The party seeking the PHI has requested a qualified protective order from such court or administrative tribunal. A qualified protective order, under this subsection, means, with respect to PHI, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that both (1) prohibits the parties from using or disclosing PHI for any purpose other than the litigation or proceeding for which such information was requested, and (2) requires the return to the covered entity or the destruction of the PHI (including all copies made) at the end of the litigation or proceeding.
  - Notwithstanding the requirements above, in cases in which no order of a court or administrative tribunal ordered the disclosure, a covered entity may disclose PHI in response to lawful process (subpoena or discovery request) without receiving satisfactory assurance if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of § 164.512(e)(1)(ii)(A) (notice of the request for the information) or (B) (the party seeking the information has made reasonable efforts to secure a qualified protective order), above, or to seek a qualified protective order sufficient to meet the requirements of § 164.512(e)(1)(iv). This subsection notes that its provisions do not supersede other provisions of § 164.512 that otherwise permit or restrict disclosures of PHI.
Thus, a lawyer or legal support service that is assisting the lawyer must determine which of the above three grounds for obtaining the information applies and what restrictions it places on the use and disclosure of the information. And we at Veterans Press and EMR Legal would strongly encourage reasonable and appropriate security measures to protect any health information from improper disclosure or misuse, regardless of whether one is a business associate or not. Not only did the HITECH Act expand HIPAA civil and criminal liability to business associates and the Omnibus Rule expand it to subcontractors, but the HITECH Act also greatly expanded HIPAA’s criminal liability. Before the HITECH Act, HIPAA’s criminal liability was applicable only to covered entities. The HITECH Act, however, expanded liability to employees of covered entities and other individuals. The relevant section (HITECH Act § 13408) reads:
For purposes of the previous paragraph [the HIPAA crimes], a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part [the HIPAA crimes] if the information is maintained by a covered entity . . . and the individual obtained or disclosed such information without authorization. [HITECH Act § 13408].
Just how broad the expansion to “other individuals” may be is demonstrated by a recent conviction of a hospital visitor for taking records from a Birmingham, Alabama, hospital to use to commit identity theft. According to a Department of Justice (“DOJ”) press release, a federal court sentenced her to 15 months in prison. If a hospital visitor can commit a criminal HIPAA violation, who can’t? And if a hospital visitor can commit such a crime, certainly a legal support service or employee thereof could.