HIPAA Compliance for Lawyers, Health Professionals, Small-Medium Business and other Industries

HIPAA has long applied to covered entities such as hospitals, dental clinics and medical practices. It draws mixed reactions from healthcare workers. Some give positive feedback, but the majority do not, because of the challenges involved in being HIPAA compliant, not to mention the never-ending training, documentation, policies and procedures that come with HIPAA.

The other parties that receive and transmit protected health information (PHI) are business associates. These are not employees of the covered entities but are associated with them. Examples are information technicians who provide IT services, accountants who provide billing services and, lastly, lawyers who provide legal services.

HIPAA requires covered entities and business associates to have an agreement in place. The reason behind it is to promote safety and ensure that information is well guarded.

Under HIPAA itself, business associates are not directly liable when violations occur. But under the HITECH Act, they are accountable for protecting PHI and preventing unnecessary disclosure to any unauthorized party, just as the covered entities are.

Presently, the HIPAA final rule provides that business associates are penalized just like covered entities when a violation occurs. Business associates are required to obtain business associate agreements if they work with subcontractors, and they must use PHI only as stated in that contract.

Consequently, under HIPAA's final rule, business associates such as lawyers should be compliant to avoid paying penalties for breaches. It is not as simple as signing a contract with a client. The first step is to analyze how information flows in your firm. The next important step is to identify the covered entities you work with and determine who your subcontractors are. Then revise the agreement, taking into account the needs and data you have gathered in your law firm. You can use the sample business associate agreement provided by the Department of Health and Human Services for your reference.

To avoid costly penalties, a few considerations should be kept in mind. One example is the use of portable devices. Keep track of which gadgets and computers are used in your law firm and whether each portable device belongs to you or to an employee. If possible, use encryption on these devices.

If you have co-lawyers who work from home, make sure that PHI is securely stored on your law firm's file server. Carefully identify who has remote access to your firm's database to avoid breaches. Aside from that, make sure your databases are routinely checked for any threats that could lead to a data breach.

Provide training for your whole team annually, especially if you have new recruits in your firm. Create personnel policies that address the protection of PHI, such as during voluntary and involuntary termination.

Talk to your information technicians to make sure your computer systems have an automatic log-off. Also, require them to perform regular audits and assessments to keep potential data corruption from happening.

Religiously document any security incidents, reevaluate regularly, and make the necessary modifications to improve your data systems and avoid a data breach. For more information, contact Avert Network Services, LLC at (855) 283-7848.

(This article does not constitute legal advice nor does reading this article engage the services of an attorney)