Digital White Papers

Information Governance: April 2015

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/503802


ILTA WHITE PAPER: APRIL 2015 WWW.ILTANET.ORG 14

ΦΔΙΓ: TIPS ON RUSHING THE HIPAAST LAW FIRM FRATERNITY

The name symbolized the group's mission and objective: to revise their firmwide information governance practices to comply with the 2013 HIPAA Omnibus Rule, which had a compliance date set for September 23, 2013. This month marks the two-year anniversary of the (fictitious) fraternity's formation. It has grown significantly as ever more law firms find themselves classified as HIPAA business associates due to litigation or corporate transaction work for clients in industries like healthcare, pharmaceuticals or insurance.

However, many law firm business associates remain excluded from the prestigious ranks of ΦΔΙΓ since they still need to update their information governance practices to satisfy HIPAA compliance requirements. Here are tips on how to rush ΦΔΙΓ successfully.

KNOW THE ΦΔΙΓ RULES AND REGS

When Congress first passed HIPAA in 1996, the focus was on portability, allowing individuals to carry health coverage from one employer to the next. According to a recent article by Kirk J. Nahra, a partner at Wiley Rein, accountability came into the mix because Congress also sought to standardize health transactions such as the submission and payment of insurance claims using mandatory electronic formats that organizations would be required to share. This brought up privacy and security concerns about the electronic storage of health care information. Legislators eventually realized the network of organizations creating, maintaining, receiving or transmitting individual health information (which is how HIPAA defines a business associate) was broader than just hospitals and insurance carriers dealing directly with patients. These entities depended on third parties to provide hosted IT services, legal services and much more to run their businesses, which often resulted in sharing patient PHI. Because these third parties are just as susceptible to security breaches as covered entities, HHS extended liability for select provisions to third-party business associates. The 2013 HIPAA Omnibus Rule finalized these changes. As a result, law firm business associates are now directly liable for compliance with portions of the HIPAA Privacy and Breach Notification Rules and all of the HIPAA Security Rule.

• The Privacy Rule sets standards for permissible uses and disclosures of PHI, stipulating who may access PHI under what circumstances. The rule defines the patient's right to access information and authorize others to see and use it. It advises a "minimum necessary" operating principle, where organizations only use and disclose PHI as needed to perform a particular business function.

• The Security Rule sets detailed requirements to protect the confidentiality, integrity and availability of electronic PHI. It contains administrative, physical and technical standards accompanied by "implementation specifications," which are more granular guidelines to address a given standard. While business associates must address all standards, they may forgo or substitute addressable specifications with justification.
