Attorneys who handle the sensitive private health information (PHI) of their clients are responsible for the confidentiality and safekeeping of their client’s medical records. For lawyers engaged in litigation involving healthcare matters, understanding and adhering to requirements of the Health Insurance Portability and Accountability Act (HIPAA)[1] is not just a regulatory requirement but a crucial aspect of protecting the privacy and confidentiality of individuals' health data as well as safeguarding of the firm’s reputation.

Enacted in 1996, HIPAA was designed to safeguard individuals' sensitive health information while promoting better access and portability of patients’ medical records. Lawyers handling their litigant’s PHI should generally be well-versed in these regulations but specifically the Privacy Rule, Security Rule, and Breach Notification Rule of the Act.

Under HIPAA, all PHI is confidential and is not available to anyone other than the patient or his or her authorized representative. Others who require access to a patient’s PHI, including lawyers, must obtain specific written authorization from the patient or his or her representative outlining the purpose, scope, and entities involved in the disclosure before accessing, using, or disclosing their PHI for litigation purposes.

Handling PHI is a sometimes confusing and sensitive matter. Here are some best practices for any attorney or firm handling PHI under HIPAA.

1. Limited Use and Disclosure: Lawyers should limit the use and disclosure of PHI to what is minimally necessary for litigation purposes. This principle ensures that only essential information is accessed only by people who require it, reducing the risk of inadvertent disclosure.
2. Secure Transmission and Storage: Transmission and storage of PHI must be secure. Attaching an image to an email, for example, is typically not secure.       Mailing a CD through the standard mail or even a courier could be a breach of HIPAA if it ends up in the wrong hands. Storing medical images on your administrator’s computer, where others may have access, may be risky. Lawyers must employ encryption and other safeguards when sending or storing health information both in analog and electronic format.
3. Employee Training and Awareness: It’s not sufficient to just understand and be compliant with the Act. Law firms handling PHI must invest in regular HIPAA training for their staff. This includes educating legal professionals and support staff about the importance of safeguarding PHI and the potential legal consequences of non-compliance. There are services and online training programs available for this purpose that will check the box on this requirement.
4. Business Associate Agreements: When lawyers engage third-party vendors, experts, consultants and license software that touches PHI, a HIPAA-compliant business associate agreement (BAA) is essential. This legal document outlines the responsibilities and safeguards to ensure the protection of PHI. You are responsible for ensuring the software you use to handle PHI is HIPAA compliant (not all case management software is) and that the vendor signs a BAA.
5. Individual Rights: Lawyers, just like others who handle PHI, must respect individuals' rights regarding their health information. This includes providing access to their PHI upon a patient’s request, allowing them to request corrections, and enabling them to control and direct the disclosure of their information.
6. Breach Notification: In the event of a security breach involving PHI, lawyers must follow HIPAA's breach notification requirements. This involves notifying affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media.

Consequences of Non-Compliance:

Failure to adhere to HIPAA regulations can result in material civil and criminal penalties, as well as impact to the law firm's reputation. Individuals affected by unauthorized disclosures may pursue legal remedies against the responsible parties. The fines for a lawyer or any entity breaching the Health Insurance Portability and Accountability Act (HIPAA) can vary depending on the severity of the violation; from several hundred dollars for an inadvertent act to tens of thousands for willful neglect.

By understanding and implementing the safeguards outlined by HIPAA, attorneys can ensure the protection of individuals' private health information while effectively advocating for their clients in healthcare-related legal matters.

[1] Health Insurance Portability and Accountability Act of 1996. 42 USC 201

For more about handling medical records during litigation, watch the full webinar:
The Fast and Secure Way to Share Medical Records to Win Your Case
or reach out to us with your questions

Les Trachtman discusses the handling of PHI