HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Are healthcare lawyers considered business associates under HIPAA?

Written by Tshedimoso Makhene | Jan 6, 2025 11:27:03 AM

Whether a healthcare lawyer is a business associate under HIPAA depends on the engagement, not the job title. The HIPAA definition of business associate (45 CFR § 160.103) expressly lists legal services among the services that make a person a business associate when providing the service involves the disclosure of PHI by the covered entity. The deciding question is therefore whether the lawyer's work requires the covered entity to give them access to PHI. Healthcare organizations should assess each engagement with legal counsel on that basis and put a BAA in place before sharing PHI where the answer is yes.

When healthcare lawyers are business associates

Healthcare lawyers are classified as business associates when they:

  • Provide services involving PHI: If a lawyer’s work requires access to PHI, they are considered a business associate. Examples include:
    • Advising on HIPAA compliance where the advice requires reviewing patient records, incident details, or other PHI.
    • Assisting with breach notification and response plans.
    • Representing healthcare organizations in legal disputes that involve patient information.
    • Conducting internal investigations or audits where PHI is reviewed.
  • Perform functions on behalf of a covered entity: When lawyers perform specific functions on behalf of a healthcare organization—such as contract reviews or legal analysis—and these functions involve PHI, they meet the criteria for being a business associate.

The importance of a business associate agreement (BAA)

When a healthcare lawyer qualifies as a business associate, the covered entity must have a BAA with the lawyer or their law firm before disclosing PHI to them (45 CFR § 164.502(e) and § 164.504(e)). Required terms of the agreement include:

  • The permitted and required uses and disclosures of PHI.
  • The lawyer's obligation to safeguard PHI, including Security Rule safeguards for electronic PHI.
  • Reporting of any use or disclosure not permitted by the agreement, including breaches of unsecured PHI and security incidents.
  • Flow-down of the same restrictions to any subcontractor that receives PHI.
  • Return or destruction of PHI when the engagement ends, where feasible.

Since the 2013 Omnibus Rule, business associate status follows from the function performed, not from the existence of a contract. A lawyer who handles PHI for a covered entity is a business associate, and directly liable under HIPAA, even if no BAA was ever signed; the covered entity, for its part, violates the Privacy Rule by disclosing PHI without one. Both can face regulatory penalties.

See also: Who is responsible for a data breach?


When healthcare lawyers are not business associates

In contrast, healthcare lawyers are not considered business associates when:

  • Their work does not involve PHI: Lawyers advising on general business matters, corporate structuring, or regulatory compliance without needing access to PHI do not qualify as business associates.
  • Their exposure to PHI is incidental: Where access to PHI is not needed to perform the service and would occur only incidentally, if at all, the lawyer is not a business associate. Drafting a privacy policy template, for example, does not require handling patient data.

Key considerations

  • Incidental access: HHS has explained that the business associate definition does not cover persons whose functions do not involve the use or disclosure of PHI and whose access to PHI would be incidental, if at all. This is distinct from the Privacy Rule's allowance for incidental uses and disclosures, which "permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual's privacy." A lawyer who is handed PHI in order to do the work is not in the incidental category, however little of it they end up using.
  • Scope within a law firm: "Hybrid entity" is a HIPAA term for a covered entity that has both covered and non-covered components (45 CFR § 164.105); it does not apply to a law firm, which is not a covered entity. The firm that signs the BAA is the business associate as a whole, but its HIPAA obligations attach to the PHI it receives rather than to unrelated practice areas, and it should limit PHI access to the lawyers and staff on the engagement, consistent with the minimum necessary standard.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

How can healthcare organizations determine if their lawyer is a business associate?

Healthcare organizations should evaluate the scope of services the lawyer will provide. If the engagement requires the lawyer to receive, review, or otherwise handle PHI, a BAA is required before any PHI is shared. If in doubt, organizations should consult a privacy officer or compliance expert and document the determination.

What safeguards should lawyers implement when handling PHI?

A lawyer or law firm that is a business associate is directly subject to the HIPAA Security Rule for electronic PHI and must implement administrative, physical, and technical safeguards. In practice that means a documented risk analysis, workforce training and access policies, secure storage of paper records, role-based access controls, audit logging, and encryption of electronic PHI in transit and at rest, together with the breach and security-incident reporting the BAA requires.

What penalties apply for non-compliance with HIPAA?

Civil penalties are tiered by culpability, from violations the party did not know about and could not reasonably have known about, up to willful neglect that is not corrected. The amounts are adjusted for inflation each year; at the time of writing they range from $146 to $71,162 per violation, with an annual cap of more than $2 million for violations of the same HIPAA provision. Knowingly obtaining or disclosing PHI in violation of HIPAA can additionally carry criminal penalties.