Digital White Papers

Information Governance: April 2015

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/503802


ILTA WHITE PAPER: APRIL 2015 WWW.ILTANET.ORG

ΦΔΙΓ: TIPS ON RUSHING THE HIPAAST LAW FIRM FRATERNITY

Manage Mobile Devices: Law firms, in particular business associates, should implement a mobile device management service to protect firm information on personal mobile devices and enable the risk team to wipe devices remotely if they are lost or stolen.

Review for Privacy As Well As Privilege: The HIPAA rules spell out requirements organizations must follow when disclosing PHI for litigation purposes, but they do not provide concrete guidance on how firms should manage PHI received during discovery. The conservative approach is to include review for PHI and/or PII during review for privilege, remove unnecessary PHI, or ensure copies of PHI are returned upon termination of litigation.

Update Third-Party Vendor Management Programs: Law firm business associates should identify subcontractors, which include operational third-party service providers that have contact with PHI and business relationships like expert witnesses. Firms should perform due diligence on subcontractors prior to disclosing PHI, provide them with business associate agreements and monitor compliance with agreed-upon terms.

Conduct Security Awareness Training: By now it is common knowledge that the end user is the Achilles' heel of information security. Firms should lather, rinse and repeat information security training courses to keep security top of mind as hackers develop more sophisticated methods of attack. Firms should remind lawyers of their HIPAA compliance obligations at least annually via onsite CLE courses or on-demand programs.

MAKE THE PLEDGE TO ΦΔΙΓ

Undertaking such a vast range of administrative, physical and technical security and privacy requirements is no easy task. It takes a village, uniting efforts across IT, records management, risk management and practice area leadership. But persevering through compliance efforts yields great rewards.

New executive-level information governance positions are emerging across the industry every day, spurred partly because compliance with regulations like HIPAA is critical to business success. Firmwide HIPAA compliance initiatives unite firm leadership, IT and risk management stakeholders, which can provide momentum to implement other information security initiatives and integrate IT ever more tightly into the business. After all the blood, sweat and tears are shed, it'll be time to celebrate (TOGA! TOGA!).
