Law Firm Roadmap to Avoid Getting Run Over by HIPAA Hippo by Carolyn Casey

The U.S. 2013 Health Information Portability and Accountability Act (HIPAA) Omnibus Rule, which took effect in September 2013, ushers in enormous new liability that law firms with healthcare, medical malpractice, insurance and litigation practices areas will want to understand so as to avoid fines, prevent harm to your brand and protect client cases from breaches. Firms are now directly liable for parts of the Privacy Rule, the Security Rule and the updated breach notice requirements. This is a wake-up call to address the new regulatory requirements as business associates of health care organizations known as covered entities under HIPAA. In short, firms need to assess their risk management of protected health information (PHI), and build policies and procedures to safeguard uses of and access to that information.

The regulatory compliance processes that HIPAA pushes law firms to adopt are part of a larger law firm information governance framework built to manage and protect firm and client information. That's why we founded the Iron Mountain Law Firm Information Governance Symposium, a think tank where we convene law firms and experts to draft and publish emerging standards, definitions and best practices for governing information in the unique setting of law firms. The latest series of Symposium publications features a HIPPA Omnibus Task Force Report, authored by law firms and experts, which analyzes Omnibus Rule impacts to firms including non-compliant penalties up to $1.5 million and gives a roadmap on what law firms should do to comply.

As your firm charts its course for HIPAA compliance, here are few key ideas to keep in mind:

1. The Privacy Rule's new minimum necessary standard has one of the biggest impacts for firms. In a nutshell, the rule says law firms need to button down access to PHI, granting access to this private information only to those lawyers and employees who need the information to do their job. The good news is, most firms aren't starting from scratch, and therefore can leverage your existing ethical wall/conflicts and other sensitive information access policies and controls they already have in place. However, you will need to identify PHI in the firm and make sure there are guardrails up to meet this new HIPAA Omnibus standard.

2. The Security Rule requires safeguards to protect electronic PHI (ePHI). HHS guidance for this rule includes details on how to assess your risks, even for items such as digital copiers and file sharing applications. Firms that handle PHI are going to want to do some kind of security risk assessment and train your people on PHI security policies and procedures. Law firms can take a look at the Symposium Task Force Report to determine what you need to do to comply. You'll also want to be sure your service providers operate in accordance with these HIPAA requirements, especially if you store in the cloud or you or your clients use providers for scanning medical records.

3. Breach Notification. Law firms are directly liable for reporting breaches of unsecured protected health information to their covered entity, which in turn must report the breach to HHS, the affected individual, and in some instances, even the media. Needless to say, firms want to avoid the breach notification scenario. The potential for harm to the firm's brand, client cases and pocketbook is as big as a hippo. The Omnibus Rule includes a new presumption that an impermissible use or disclosure is a breach, unless the firm can prove otherwise. Another point to keep in mind is that HIPAA only requires notification of breaches of unsecured PHI meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. To meet this standard, HHS guidelines specify things like encrypting PHI, and clearing, purging or destroying electronic media in accordance with NIST standards. For paper and film, HHS looks at whether the media was shredded so that the PHI is unreadable and cannot be reconstructed. Firms will want to ensure that their own and their vendor methodologies meet these standards.

Don't let the HIPAA hippo overwhelm your firm - take advantage of the roadmap for compliance in the Symposium HIPAA Task Force Report today.

Founded by Iron Mountain, the Law Firm Information Governance Symposium is a community of industry thought leaders that provides common approaches and best practices for building law firm information governance enabling law firms and their clients to leverage common elements for governing and managing client information.

LINK:	http://blogs.ironmountain.com/2014/industry/law-firms/law-firms-avoid-...
	See more stories from ironmountain

Most recent headlines