[ Monday, March 17, 2014 ]


HIPAA Compliance for Law Firms: Law firms that create, receive, maintain or transmit PHI on behalf of clients that are HIPAA covered entities are, by definition, business associates, but because of attorney-client privilege and other ethical restrictions, they are very, very different from most vendor BAs.  While BAAs are still needed, take care that you don't waive the attorney-client privilege or negate the value of your malpractice insurance through an overreaching indemnification provision.

Recent news on possible NSA spying on law firms and their clients has raised an additional concern.  As BAs, law firms must have Security Rule safeguards in place to protect PHI.  Law firms that deal with financial institutions have additional information security requirements.  These might not foil the intrepid spooks at the NSA, but they should help counter what Scott Vernick says might be a greater threat: law firm insiders.  Additionally, if you're a BA, you have HIPAA employee training requirements (which may be more specific under state law).  So, do the right thing.

Jeff [12:14 PM]