MARCH 2026 | THE OKLAHOMA BAR JOURNAL

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.

- Impose a sanctions policy for violations of the security policy;
- Implement data backup procedures to maintain retrievable copies of electronic PHI;
- Ensure procedures for the proper final disposition or disposal of PHI; and
- Adopt breach response, notification and documentation policies.

Compliance tools are only effective if everyone in your office with access to PHI uses them. The security rule also contains training and documentation requirements. Guidance from HHS on each of these requirements can be accessed online through the Security Rule Educational Paper Series by HHS.19

Business Associate Agreements Are Not Optional for Vendors or Systems Receiving PHI Electronically From You as a Covered Entity or Business Associate

Failure to enter into BAAs with subcontractors who create or receive PHI on your behalf can result in direct enforcement action.20 If you are outside legal counsel for a covered entity, you are likely using an electronic case management system that stores claimant PHI. In your day-to-day representation of the covered entity, you may also electronically transmit PHI to vendors who perform vital functions, such as:

- Printing and binding records for delivery to a witness;
- Printing and filing pleadings with exhibits under seal in a distant county;
- Designing hearing and trial exhibits; and
- Offering data storage and transmission services.

As an entity subject to the HIPAA rule, you should have a BAA with any vendor or service provider who has access to PHI you possess from a covered entity, unless that PHI is otherwise subject to a protective order. Most vendors that operate in the legal or health care space have BAA forms available upon request. Consider your tablet, trial software, storage programs and the other ways you store and use PHI to determine whether you need a BAA and whether you are following consistent compliance measures across all systems.

CONCLUSION

As the electronic medical record and health data marketplace continues to grow, so too do the risks of unauthorized disclosure of PHI. As cybersecurity threats, public awareness of data breaches and enforcement frameworks proliferate, it is important to stay on top of proper privacy and security standards throughout your practice.

ABOUT THE AUTHOR

Lauren K. Lindsey has represented hospitals and health care providers in complex medical malpractice litigation and regulatory actions for more than a decade. An advocate in and out of the courtroom, she emphasizes meticulous preparation, effective negotiation and strong trial strategy to achieve the best results for her clients. Ms. Lindsey's representation of health care facilities and medical providers also allows her to combine her passions for civic engagement, continuing education and advocacy for the benefit of the medical system as a whole.

ENDNOTES

1. HHS, Health Information Privacy: "Summary of the HIPAA Privacy Rule" (rev. March 2025), https://bit.ly/4qJXONb.
2. 45 C.F.R. §160.103; U.S. Department of Health and Human Services, Health Information Privacy: "Covered Entities and Business Associates" (rev. August 2024), https://bit.ly/4bqWTwy.
3. S.A. Tovino, "Going Rogue: Mobile Research Applications and the Right to Privacy," pp. 157-8 (2019), Scholarly Works: https://scholars.law.unlv.edu/facpub/1282; see also 45 C.F.R. §160.103.
4. https://bit.ly/45zO7bU.
5. 42 U.S.C. §17931.
6. HHS, OCR HIPAA Privacy: "Uses and Disclosures for Treatment, Payment, and Health Care Operations," 45 C.F.R. §164.506, p. 1 (rev. April 2003), https://bit.ly/4qNdaR4.
7. 45 C.F.R. §164.501; 45 C.F.R. §164.500(a), (c).
8. 45 C.F.R. §164.506; see also HHS, OCR HIPAA Privacy: "Uses and Disclosures for Treatment, Payment, and Health Care Operations," 45 C.F.R. §164.506 (rev. April 2003), https://bit.ly/4k4qiPc.
9. 45 C.F.R. §164.512(e); see also 43A O.S. §1-109(D).
10. Id.
11. 45 C.F.R. §164.508(c)(1) and (2).
12. https://bit.ly/3ZEN2fj.
13. Holmes v. Nightingale, 2007 OK 15, ¶¶31-32.
14. 45 C.F.R. §164.512.
15. See https://bit.ly/4q7RePs.
16. HHS, HIPAA Security Series: "1. Security 101 for Covered Entities," p. 7 (rev. March 2007), https://bit.ly/4qchlF9.
17. 42 U.S.C. §17931.
18. 45 C.F.R. §164.308(a)(1).
19. Security Rule Educational Paper Series: https://bit.ly/4qVzEja.
20. 45 C.F.R. §164.502(e); HHS, Health Information Privacy: "Direct Liability of Business Associates" (rev. July 2021), https://bit.ly/4rgCq1V.