As published in Health Care Compliance Association’s magazine Compliance Today, August 2015.
- HIPAA has expanded liability for business associates and their subcontractors.
- Law firms are business associates and subcontractors to many covered-entity clients.
- In these roles, law firms may now be held directly liable for HIPAA compliance failures.
- HIPAA obligations may conflict with a law firm’s duties to its clients.
- Because of these conflicts, a “standard” business associate agreement may not suffice.
With the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009 and the January 17, 2013 publishing of final rules (the Omnibus Rule) implementing HITECH, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has expanded the applicability of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) Privacy and Security Rules to business associates and their subcontractors. The Omnibus Rule expands the definition of business associate to include subcontractors that create, receive, maintain, or transmit protected health information (PHI) on behalf of the business associate.[1] Consequently, a subcontractor of a business associate also can be a business associate and is subject to the HIPAA Privacy and Security Rules, even if the business associate is not a covered entity under HIPAA.
Law firms often serve as business associates to many of their clients who are covered entities and as subcontractors to clients who are business associates of covered entities. Consequently, as business associates or subcontractors of business associates, law firms may be held directly liable for their failure to comply with the HIPAA Privacy and Security Rules. Law firms should therefore execute Business Associate Agreements (BAAs) with their subcontractors who create, receive, maintain, or transmit PHI to ensure that these subcontractors are aware of and agree to comply with the Privacy and Security Rules. Moreover, law firms should identify whether they are subject to the Privacy and Security Rules as subcontractors of business associates by instituting procedures that assess whether their clients are business associates of covered entities.
This direct liability for a business associate’s wrongful acts that violate HIPAA creates performance and notice obligations that are significantly broader than under prior versions of the law. Some of these broader requirements may conflict with the law firm’s duties to its clients. For example, the requirement that a business associate notify individuals of a “breach” as defined in HITECH and the Omnibus Rule would disclose that the covered entity had retained the law firm. The nature of the law firm’s use of PHI could create issues under the rules of attorney-client confidentiality, attorney-client privilege, and the work-product doctrine. Rule 1.6(a) of the American Bar Association’s Model Rules of Professional Conduct states that “[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is [otherwise permitted].” Commentary to Rule 1.6 states in part that “[a] fundamental principle in the client-lawyer relationship is that, in the absence of the client’s informed consent, the lawyer must not reveal information relating to the representation …. This contributes to the trust that is the hallmark of the client-lawyer relationship.”
The Model Rules prohibit the attorney from disclosing any information relating to the representation of the client without the client’s consent. Consequently, the law firm/business associate cannot be the party charged with notifying a covered entity’s patients about a breach unless the covered entity consents, thereby waiving the requirement of confidentiality. A provision in a BAA between a law firm and a covered entity dealing with this situation might look like this:
The covered entity (CE) shall determine whether the business associate (BA) or CE will be responsible for providing notification of any “breach” (as specified in 45 C.F.R. § 164.410(c)) to affected individuals, the media, the HHS Secretary, and/or any other parties required to be notified under the HIPAA regulations or other applicable law. If CE determines that BA will be responsible for providing such notification, BA may not carry out notification without receipt of a written directive to do so from CE. Except as otherwise provided in this Agreement, nothing in this Agreement shall be construed as abrogating, or as a waiver by BA of, applicable privilege or other legal protections that may be asserted by CE. If CE fails or refuses to provide notification of a breach as required by 45 C.F.R. § 164.410 and directs BA not to provide notification of such breach, the CE shall have the obligation to defend any legal action that occurs as a result of such directive and to indemnify and hold the BA harmless from any costs, losses, damages, fines, penalties, and other assessments against the BA arising out of or relating to such directive.
Similarly, business associates are required to make available their “internal practices, books, and records relating to the use and disclosure of PHI” on behalf of a covered entity client to the HHS Secretary to determine the covered entity’s (and now the business associate’s) compliance with HIPAA. Such a disclosure could expose information of the covered entity protected by the principles of attorney-client confidentiality enshrined in Rule 1.6 to the government and could even create a situation in which the law firm as a business associate could be required to furnish inculpatory information on its covered entity client.
Consequently, a law firm/business associate would have to assert the privilege and not produce the requested information, risking the imposition of direct sanctions against itself in order to protect the confidences and secrets of the client. To deal with this situation, many law firms require their covered entity clients to affirmatively waive the privilege prior to any production of information, or to provide indemnification if the client refuses to execute a waiver. A provision in a business associate agreement dealing with this scenario might look like this:
BA will promptly notify CE when it receives a request, made on behalf of the HHS Secretary pursuant to 45 C.F.R. § 160.310, that BA make available its internal practices, books, and records relating to the use and disclosure of protected health information (PHI) to the Secretary for purposes of determining BA’s or CE’s compliance with the HIPAA regulations. Upon BA’s receipt of a written directive to do so from CE, BA will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for such purposes. Except as provided in this subsection C.6., nothing in this Agreement shall be construed as abrogating, or as a waiver by BA of, applicable privilege or other legal protections that may be asserted by CE or any other CE of BA in response to such a request by the HHS Secretary. If CE directs BA not to make its internal practices, books, and records relating to the use and disclosure of PHI available to the HHS Secretary pursuant to a request from the Secretary, CE shall have the obligation to defend any legal action that occurs as a result of such directive and to indemnify and hold harmless BA from any costs, losses, damages, fines, penalties, and other assessments against BA arising out of or relating to such directive.
Thus, in order to protect itself from liability created by its own client’s failure to waive the protections afforded by the attorney-client relationship, the law firm/business associate must tender a BAA that creates a conflict of interest with its own client. If a client refuses to sign the agreement without negotiation, the law firm/business associate would be required to inform its own client that it should seek independent representation for the purpose of negotiating the law firm’s BAA. Rule 1.8(h) states that a lawyer “shall not make an agreement prospectively limiting the lawyer’s liability to a client for malpractice unless the client is independently represented in making the agreement.” To the extent that the BAA is construed merely as a business arrangement and not one limiting the ability to sue for malpractice, Rule 1.8(a) would require that “… the client is advised in writing of the desirability of seeking and is given a reasonable opportunity to seek the advice of independent legal counsel on the transaction; and the client gives informed consent, in a writing signed by the client, to the essential terms of the transaction and the lawyer’s role in the transaction.”[2]
The HIPAA Privacy and Security Rules have created an environment in which attorneys can be adverse to their own clients when defining their roles as a covered entity and business associate. Understanding the attorney’s existing obligations to the client under the attorney-client privilege may help avoid a conflict when it comes time to execute a business associate agreement.
Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta, Ga. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.
1. 45 C.F.R. § 160.103
2. American Bar Association: Rule 1.8 Conflict of Interest: Current Clients: Specific Rules.