The deadline for complying with the Omnibus Rule is quickly approaching. Psst…it’s September 23 for most covered entities (CEs) and business associates (BAs). I’ve been tardy in getting blog posts made because I’ve been happy to have the opportunity to help my hundreds of Compliance Helper and Privacy Professor clients to get into compliance with all the HIPAA and HITECH rules, many just getting there for the first time, in addition to the Omnibus Rule changes and new requirements. I’ve been getting a lot of HIPAA questions from many of the CEs and BAs. I thought it would be helpful to provide some of them on my blog. I’ll start with an interesting question about protected health information (PHI) I recently received from one of my mid-sized law office clients; I’ve had similar questions while at some of the classes I’ve taught this year.
Question from a Law Firm
Do HIPAA/HITECH/Omnibus requirements apply to medical records, which include PHI, we receive pursuant to subpoena, as well as records received directly from a hospital with which we have a Business Associate Agreement (BAA)? There are two types of situations we are involved with to consider.
- Sometimes we defend hospitals in cases where a patient has brought a civil suit, and we have access to the patient’s medical records that the hospital provides to us. Clearly HIPAA applies because we are doing work on behalf of the hospital, and we must abide by HIPAA and the BAA.
- Other times we are hired by a patient, or an organization such as an auto insurance company who has an insured who has been a patient, who is bringing a lawsuit after an accident. In this case we get medical records from a hospital at the request of the patient to use for the case, but the hospital is not involved in the case, and we are not doing any work for the hospital. Do we treat the plaintiff’s medical records thus received as PHI subject to HIPAA compliance?
HIPAA Applicability Analysis
PHI is information that is created or collected by a covered entity (CE): a healthcare provider, healthcare insurer, or healthcare clearinghouse as defined by HIPAA. The Department of Health and Human Services (HHS) advises that an organization that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services where the provision of such services involves disclosure of PHI to the organization qualifies as a business associate (BA), and would need to sign a BA Agreement and follow HIPAA requirements. So, a lawyer doing work for a hospital that involves PHI would be a BA, and needs to have a BA Agreement in place. Pursuant to the BA Agreement, a lawyer must ensure that other legal counsel, jury experts, document or file managers, investigators, litigation support personnel, or others hired by the lawyer to assist the lawyer in providing legal services to the hospital (the CE), will also safeguard the privacy of the PHI the lawyer receives to perform its duties.
On the flip side, a lawyer who happens to be a BA to some of his clients who are CEs does not fall under HIPAA requirements when working for an individual who has been a patient and who provides the lawyer with the patient’s medical records for a court case, even if the records are provided directly by the hospital at the request of the patient. The lawyer is working for the patient in this situation, not the hospital. So, while the hospital holds the medical records, they are PHI. In the hands of the lawyer performing work for the patient, the same records are no longer PHI as defined and covered by HIPAA. Of course, other laws or regulations may apply that would require specific safeguards; some state laws, such as those in Texas, generally extend PHI requirements to virtually all types of organizations doing business in the state.
How about the opposing counsel in a court case where medical records are used as evidence? Would they be covered by HIPAA? Even if the lawyer representing a hospital (so the lawyer in this case is a BA) provides medical records to the opposing lawyer, the opposing lawyer is not covered by HIPAA; he or she is not doing work for the hospital. Additionally, fact witnesses, or other persons who do not perform functions or services that assist the hospital’s lawyer in performing services, are not covered by the hospital lawyer’s BA Agreement or by HIPAA even if they also obtain the medical records as a result of the court case.
Safeguard Non-PHI as a Good & Ethical Business Practice
Even though there are situations where medical records that include PHI are not covered by HIPAA, from an ethical and good business perspective, all types of personal information, including information that qualifies as PHI in some other entity’s care, should be appropriately safeguarded by any type of organization that possesses it. Unauthorized access due to a lack of safeguards, or ineffective ones, could negatively impact the plaintiff, could result in financial, medical or identity fraud, could result in a civil suit against the organization, and would still need to be treated as a breach under the applicable breach notice laws of the 50 U.S. states and territories.
All types of organizations would be wise to include the information items that fall under the definition of PHI within the scope of their information security policies and procedures, even if they are not obligated to under HIPAA.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.