MARCH 2026 | 23 THE OKLAHOMA BAR JOURNAL

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.

Services (CMS) offers an interactive decision tool. The tool and additional simplification resources can be found on the CMS website.4

Companion regulations passed in 2009 have extended the HIPAA privacy, security and enforcement rules to business associates automatically, without the requirement of a written contract or a business associate agreement (BAA).5 In practice, this means that outside legal counsel or contractors for any person or organization that furnishes, bills or is paid for health care in the normal course of business must comply with HIPAA. Further, covered entities and business associates are responsible for ensuring systems for receiving, storing, accessing, transmitting and destroying PHI meet HIPAA standards.

COMPLIANCE TIPS FOR ATTORNEYS BOUND BY HIPAA

Due to the confidential and private nature of PHI, any custodian should always be cautious of