Oklahoma Bar Journal
HIPAA Compliance for Oklahoma Attorneys: Practical Tips and Compliance Considerations
By Lauren K. Lindsey

The Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA, sets the national standard for safeguarding a patient’s protected health information. It was initially introduced as the Health Insurance Reform Act, with the goal of reducing the risks of an uninsured workforce by regulating the health insurance industry. A primary focus of the original act was to facilitate the movement of health insurance coverage among providers without a loss of benefits or disruptions to continuity of care.
The provisions that many of us associate with HIPAA, including the privacy rule, were added to the act years later. As the portability of health insurance – and with it, health data – expanded, so did the need for enhanced privacy protections. In 2003, the U.S. Department of Health and Human Services issued the privacy rule standards to “address the use and disclosure of individuals’ health information” and to allow individuals to “understand and control how their health information is used.”[1]
Today, a complex web of federal and state statutes and administrative laws imposes strict requirements on those handling health information. This means HIPAA compliance isn’t just a concern for hospitals and health insurance companies. Attorneys handling health information in a variety of practice areas are subject to HIPAA’s requirements, as well as its penalties. This article seeks to identify common HIPAA compliance pitfalls and tips for maintaining proper privacy standards throughout your practice.
WHO IS SUBJECT TO HIPAA
You are required to comply with the HIPAA Privacy Rule if you meet the definition of a covered entity or business associate.[2] “The HIPAA Rules are limited in application to (1) health plans, healthcare clearing houses, and those healthcare providers that transmit health information in electronic form in connection with standard transactions, including health insurance claims (‘covered entities’); and (2) persons or entities that access or use protected health information (PHI) to provide certain services to, or perform certain functions on behalf of, covered entities (‘business associates’).”[3]
To assist with identifying whether you are a covered entity, the Centers for Medicare & Medicaid Services (CMS) offers an interactive decision tool. The tool and additional simplification resources can be found on the CMS website.[4] Companion regulations passed in 2009 have extended the HIPAA privacy, security and enforcement rules to business associates automatically, without the requirement of a written contract or a business associate agreement (BAA).[5]
In practice, this means that outside legal counsel or contractors for any person or organization that furnishes, bills or is paid for health care in the normal course of business must comply with HIPAA. Further, covered entities and business associates are responsible for ensuring systems for receiving, storing, accessing, transmitting and destroying PHI meet HIPAA standards.
COMPLIANCE TIPS FOR ATTORNEYS BOUND BY HIPAA
Due to the confidential and private nature of PHI, any custodian should always be cautious of disclosure, regardless of whether they are bound by HIPAA. The HIPAA Privacy Rule “generally prohibits a covered entity from using or disclosing protected health information unless authorized by patients, except where the prohibition would result in unnecessary interference with access to quality health care or with certain other important public benefits or national priorities.”[6]
Those subject to HIPAA may be liable for civil and criminal penalties for unauthorized disclosure. Key compliance considerations for attorneys include:
Only Disclose PHI in Response to a Valid Medical Authorization, Court Order or for a Legally Permissible Purpose
A covered entity or business associate may use or disclose PHI for treatment, payment, health care operations or for a public benefit activity without prior oral or written authorization.[7] These permissible disclosures are complex and beyond the scope of this article. They are defined by statute and are the subject of helpful guidance by HHS.[8]
A subpoena alone is not sufficient to authorize disclosure of PHI from a covered entity or business associate.[9] Any subpoena for PHI should be accompanied by a valid medical authorization, a qualified protective order signed by the court or written assurances that the issuing attorney made a good faith attempt to provide written notice of the subpoena, and the patient did not object, or the patient’s objections were resolved by the court.[10]
HIPAA expressly defines what constitutes a valid medical authorization.[11] The Oklahoma State Department of Health Standard Authorization to Use or Share PHI includes the “core elements” required by HIPAA. It can be downloaded from the Oklahoma State Department of Health website.[12]
The DHS authorization form was created to facilitate the transfer of patient medical information among health care providers in Oklahoma. To be used for other purposes, such as the release of medical records in a personal injury lawsuit, additional language may be necessary. For example, to comply with Oklahoma jurisprudence, the following language may be added to the authorization:
My health care providers are authorized to discuss any and all confidential medical information, subject to this authorization, with attorneys at [ ]. Their decision to communicate with said attorneys is purely voluntary and may not be compelled or prohibited by any party.[13]
If the disclosure is for some other legally permissible purpose, a medical authorization is not required. These permitted disclosures include preventing or controlling disease, reporting child abuse, reporting births and deaths, law enforcement purposes, reporting suspected criminal activity or other uses or disclosures required by law.[14] Any disclosure of PHI by a covered entity should be approved and documented in an accounting of disclosures. This must be maintained for at least six years.[15]
Ensure All Devices That Receive, Store, Access or Transmit PHI Are Properly Secured and Encrypted and That Staff Is Trained on Your Compliance Practices and Incident Management Process
Documents containing PHI should not be transmitted electronically without additional security protections. This generally means your systems for receiving, storing, accessing, transmitting and destroying PHI must be secure. Unlike the HIPAA Privacy Rule, which applies to all forms of PHI, the HIPAA Security Rule applies only to electronic PHI.
The security rule requires any device or system that creates, maintains or transmits PHI to have technical safeguards and integrity controls, such as a security management process and data backup plan. It does not expressly require data encryption. However, depending on the size, resources and scope of PHI managed by the entity, encryption is likely considered best practice. It may also be mandated by your BAA, malpractice or cybersecurity insurance policies or other written agreements. Regardless of your security measures, you should document the rationale for your security decisions.[16]
Failure to comply with the security rule can result in direct enforcement action against not only a covered entity but also a business associate.[17] The security management process under HIPAA requires the implementation of “policies and procedures to prevent, detect, contain, and correct security violations.”[18] This includes the following required actions:
- Conduct an accurate and thorough risk analysis of the confidentiality, integrity and availability of PHI;
- Implement security measures sufficient to reduce risks and vulnerabilities, such as a security policy, use of password-protected files, data encryption and door locks on rooms where electronic PHI is stored;
- Impose a sanctions policy for violations of the security policy;
- Implement data backup procedures to maintain retrievable copies of electronic PHI;
- Ensure procedures for the proper final disposition or disposal of PHI; and
- Adopt breach response, notification and documentation policies.
Compliance tools are only effective if everyone in your office with access to PHI uses them. The security rule also contains training and documentation requirements. Guidance from HHS on each of these requirements can be accessed online through the Security Rule Educational Paper Series by HHS.[19]
Business Associate Agreements Are Not Optional for Vendors or Systems Receiving PHI Electronically From You as a Covered Entity or Business Associate
Failure to enter into BAAs with subcontractors who create or receive PHI on your behalf can result in direct enforcement action.[20] If you are outside legal counsel for a covered entity, you are likely using an electronic case management system that stores claimant PHI. In your day-to-day representation of the covered entity, you may also electronically transmit PHI to vendors who perform vital functions, such as:
- Printing and binding records for delivery to a witness;
- Printing and filing pleadings with exhibits under seal in a distant county;
- Designing hearing and trial exhibits;
- Offering data storage and transmission services.
As an entity subject to the HIPAA rule, you should have a BAA with any vendor or service provider who has access to the PHI you possess from a covered entity that is not otherwise subject to a protective order. Most vendors that operate in the legal or health care space have BAA forms available upon request. Consider your tablet, trial software, storage programs and other ways you store and use PHI to determine if you need a BAA and if you are following consistent compliance measures across all systems.
CONCLUSION
As the electronic medical record and health data marketplace continues to grow, so too do the risks of unauthorized disclosure of PHI. As cybersecurity threats, public awareness of data breaches and enforcement frameworks proliferate, it is important to stay on top of proper privacy and security standards throughout your practice.
ABOUT THE AUTHOR
Lauren K. Lindsey has represented hospitals and health care providers in complex medical malpractice litigation and regulatory actions for more than a decade. An advocate in and out of the courtroom, she emphasizes meticulous preparation, effective negotiation and strong trial strategy to achieve the best results for her clients. Ms. Lindsey’s representation of health care facilities and medical providers also allows her to combine her passions for civic engagement, continuing education and advocacy for the benefit of the medical system as a whole.
ENDNOTES
[1] HHS, Health Information Privacy: “Summary of the HIPAA Privacy Rule,” (rev. March 2025), https://bit.ly/4qJXONb.
[2] 45 C.F.R. §160.103; U.S. Department of Health and Human Services, Health Information Privacy: “Covered Entities and Business Associates,” (rev. August 2024), https://bit.ly/4bqWTwy.
[3] S.A. Tovino, “Going Rogue: Mobile Research Applications and the Right to Privacy,” pp. 157-8 (2019), Scholarly Works: https://scholars.law.unlv.edu/facpub/1282; see also 45 C.F.R. §160.103.
[4] https://bit.ly/45zO7bU.
[5] 42 U.S.C. §17931.
[6] HHS, OCR HIPAA Privacy: “Uses and Disclosures for Treatment, Payment, and Health Care Operations,” 45 CFR 164.506, p. 1 (rev. April 2003) https://bit.ly/4qNdaR4.
[7] 45 C.F.R. §164.501; 45 C.F.R. §164.500(a), (c).
[8] 45 C.F.R. §164.506; see also HHS, OCR HIPAA Privacy: “Uses and Disclosures for Treatment, Payment, and Health Care Operations,” 45 CFR 164.506 (rev. April 2003) https://bit.ly/4k4qiPc.
[9] 45 C.F.R. §164.512(e); see also 43A O.S. §1-109(D).
[10] Id.
[11] 45 C.F.R. §164.508(c)(1) and (2).
[12] https://bit.ly/3ZEN2fj.
[13] Holmes v. Nightingale, 2007 OK 15, ¶¶31-32.
[14] 45 C.F.R. §164.512.
[15] See https://bit.ly/4q7RePs.
[16] HHS, HIPAA Security Series: “1. Security 101 for Covered Entities,” p. 7, rev. March 2007, https://bit.ly/4qchlF9.
[17] 42 U.S.C. §17931.
[18] 45 C.F.R. §164.308(a)(1).
[19] Security Rule Educational Paper Series: https://bit.ly/4qVzEja.
[20] 45 C.F.R. §164.502(e); HHS, Health Information Privacy: “Direct Liability of Business Associates,” rev. July 2021, https://bit.ly/4rgCq1V.
Originally published in the Oklahoma Bar Journal – OBJ 97 No. 3 (March 2026)
Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.