HIPAA Liability for Lawyers

American Bar Association website (http://www.americanbar.org/publications/gp_solo/2013/july_august/new_hipaa_liability_lawyers.html)

On January 17, 2013, a moment highly anticipated by the health care industry finally arrived. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its Final Rule implementing changes to the regulations of the Health Insurance Portability and Accountability Act of 1996, 45 CFR Parts 160 and 164 (HIPAA). These changes were mandated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) that was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The Final Rule addresses not only privacy and security rules governing protected health information (PHI) but also enforcement rules, breach notification rules, and the genetic privacy provisions of the Genetic Information Nondiscrimination Act (GINA) as they apply to PHI maintained by health plans. The effective compliance date of the Final Rule is September 23, 2013.

The Final Rule may impact attorneys with elder law practices in several ways. Many issues facing their clients may be health-related, and these clients may wish to understand how the privacy of their health information is protected. Elder law practitioners will need to understand how HIPAA, as amended by the Final Rule, restricts uses and disclosures of PHI, the types of entities it governs, and the protections it requires for electronic PHI. In addition, counseling such clients may require attorneys to obtain copies of medical records. Attorneys who represent health care providers or other entities covered under HIPAA (covered entities) and who must obtain access to PHI as part of that representation will be treated as “business associates” under HIPAA. Pursuant to the Final Rule, attorneys who are business associates are now directly regulated by and liable under HIPAA.

Legal Cloud Workspace Is HIPAA Compliant... How About Your Law Firm?

A HIPAA Risk Assessment Is Your First Step Towards HIPAA Compliance

We provide comprehensive HIPAA Risk Assessments in four ways:
We understand that many small Law Firms/Business Associates have limited resources to invest in their clients' (or their own) protection. For these organizations, we offer a One-Time HIPAA Compliance package. This package includes: 

  • HIPAA Policy and Procedures Document
  • HIPAA Risk Analysis
  • HIPAA Management Plan
  • Evidence of HIPAA Compliance

These core documents will help you meet your responsibility of having an audit conducted.
Conducting a comprehensive Risk Assessment is one thing, but that really should not be the "end" of your HIPAA compliance… it should be the "means" to the end. Your assessment is more than likely going to uncover a number of issues that need to be addressed. Some of these issues may be nothing more difficult than learning how to password-protect your desktop and screensaver. Others could be much more serious and involved, like changing the data backup and recovery program or reconfiguring your network firewall and other security settings. We will provide a Risk Score Matrix that prioritizes the work that should be done based upon potential impact to your business and likelihood of occurrence. You will have the option to sign up for a Remediation Project that addresses the issues carrying the highest risk and the highest fines.
Organizations are not static, nor are their networks. New computers, software, mobile devices, equipment and files are continually being added to the network throughout the year. And even with a relatively stable IT environment, most organizations' employees come and go, and change positions within the organization at a regular rate. A HIPAA assessment performed today has a "shelf-life." How long really depends on a number of factors, including the type of business, the size of the organization, and the speed of change.

Best practice is to have a HIPAA assessment performed at some regular interval (but no less than once a year as required by law) to ensure that the organization is not only compliant at the time of the Risk Analysis – or upon completion of the follow-on remediation project – but that it REMAINS compliant at all times.

After your initial assessment and remediation project are complete, we set you up with a schedule of periodic re-assessments, which we call Monthly Risk Profiles, to ensure continued ongoing compliance.
We provide a full HIPAA Compliance Risk Assessment as a value-added component of our comprehensive managed services plan. The value of our HIPAA Risk Assessments goes well beyond HIPAA compliance alone.
If your law firm has access to protected health information (PHI), you are a Business Associate and subject to HIPAA. Our HIPAA Risk Assessment is your best opportunity to protect yourself from a costly violation of the HIPAA Security Rule and the stiff fines that are often levied on those who fail to take proactive measures to prevent them.