HIPAA Breach Notification Rule: A simple guide for law firms

December 7, 2022
Security

The legal industry touches upon a range of areas in society, making sure that the law is upheld and that justice is delivered for all. While all law firms must follow regulations put forth by the industry, practices that support healthcare providers (and come into contact with their patients’ information) are required to take additional steps to ensure that data is kept confidential.

A legal requirement, the Health Insurance Portability and Accountability Act (HIPAA), was created to help preserve the integrity of protected health information (PHI). There are several rules that HIPAA-compliant organizations must follow to avoid breaking the law and suffering more severe consequences. One of these is the Breach Notification Rule.

What is the HIPAA Breach Notification Rule?

The Breach Notification Rule is a law that requires HIPAA-covered entities and their business associates to alert the necessary parties when PHI is breached under their watch. For the primary entities themselves, this includes informing the Secretary working for the Department of Health and Human Services (HHS), the impacted individuals, and, depending on the breach’s severity, the media.

Under the Rule, a “breach” is when an individual acquires, uses, accesses, or discloses PHI in ways that violate HIPAA’s Privacy Rule. PHI can exist in three forms:

No matter what form your data takes, it must be protected 24/7/365. When the breach affects over 500 individuals, HIPAA-covered entities must issue formal notifications within 60 days of the breach’s discovery. In situations where the number of victims is below 500, notifications must be sent to the Secretary of the HHS “no later than 60 days after the end of the calendar year” when the incidents were discovered.

Under HIPAA, unreasonable delays in notifications (no matter the number of victims) is deemed unacceptable and are a common violation companies must avoid.

What is a business associate?

A business associate is any company that provides services to a HIPAA-covered entity that involves the use or disclosure of PHI. Business associates do not have to belong to the healthcare industry to comply with HIPAA—as long as your firm handles PHI, you are considered a business associate.

Legal companies and attorneys that must be HIPAA-compliant typically specialize in:

Are personal injury lawyers subject to HIPAA?

In short: Yes. Despite 12.5% of respondents to a Google Surveys poll stating they would carry out their own personal injury case, personal injury attorneys are still highly sought after. In these types of cases, plaintiffs and insurance companies are likely to share medical records and other PHI to support their case.

Without the proper HIPAA protections, these documents could be exposed to the public—a violation that can result in fines and reputational damage for your firm and its attorneys.

How does the HIPAA Breach Notification Rule apply to business associates?

Business associates, such as personal injury-focused legal firms, must alert their HIPAA-compliant clients if the associate has been breached. The timeframe for this rule is 60 days upon the breach’s discovery—within that period, you will be required to notify your client and hand over any information belonging to the victims of the breach.

The idea behind this practice is to assist your client in preparing a breach notification. While 60 days is the standard time you are given, a covered entity has the right to shorten this limit within your business associate agreement (BAA) to whatever they see fit. In these circumstances, vigilance is key to ensuring that you send the correct information over in a timely manner and remain compliant with HIPAA.

What are the consequences of breaking the Breach Notification Rule for law firms?

If you were to breach the Notification Rule, consequences you may encounter include:

HIPAA compliance values integrity and people’s wellbeing—it is a school of thought based on the legality and ethics surrounding your practice’s approach to PHI security and cyber safety.

The penalties for breaching HIPAA’s rules are serious and can easily undo all of the work you put into building your firm into a legal powerhouse. So, it is important that you and your team understand the risks and make sure that your cyber security measures are compliant and robust.

What is IT HIPAA compliance services?

IT-centric HIPAA compliance services combine the expertise of information technology and HIPAA compliance. It is a comprehensive service that business associates and covered entities can use to shore up their operations and digital frameworks with compliance processes, thereby becoming HIPAA compliant.

Provided by managed service providers (MSPs) with expertise in HIPAA, compliance services generally consist of:

HIPAA-compliant IT services for law firms, delivered by LA’s best

A law firm’s legal services are vital to the wellbeing of its clients. The Breach Notification Rule is equally as important—failure to follow regulations can result in legal (and financial) consequences that attorneys are meant to be managing, not receiving themselves.

IT Gurus’ HIPAA experts specialize in managed IT services for law firms whose IT systems and networks must comply with HIPAA. Contact the IT Gurus team today to ensure that you comply with all relevant regulations and that you have an IT infrastructure that is secure and functional for the demands of the modern legal landscape.