Peer to Peer Magazine

Spring 2016

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/657874


HIPAA and Mobile Devices

by Rebecca Sain

If your law firm works primarily with health care providers, then you already know about the Health Insurance Portability and Accountability Act (HIPAA) and its requirements. For those firms that only occasionally encounter health care providers, it is helpful to understand what may be required to protect client data, especially for mobile devices.

As of 2013, business associates of covered entities are directly liable for compliance with some provisions of HIPAA when in possession of a client's electronic Protected Health Information (ePHI). Several provisions, called safeguards, need to be considered when deciding how to manage the proliferation of mobile devices at law firms and which apps should be allowed. The safeguards fall into three categories: administrative, physical and technical. Here are some of the administrative and technical safeguards to consider.

Administrative Safeguards

One of the administrative safeguards that affects all technology, mobile devices included, is that risk management and sanction policies must be in place to evaluate and implement new technology or systems. Mobile device management policies should be crafted with this in mind. Each new strategy or app should be evaluated with an eye toward assessing and mitigating risks as specified in the firm's policy.

Covered Entities and Business Associates

HIPAA defines a "covered entity" as "a health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form…" [§ 160.102 (a)]. Law firms typically are not covered entities unless they are large enough to administer their own health plans. Instead, they are more often business associates of covered entities. A "business associate" "provides legal,…consulting, data aggregation management,…administrative…or financial services to or for such covered entity…where the provision of the service involves the disclosure of protected health information from such covered entity…or from another business associate of such covered entity…to the person" [§ 160.103]. It is when they act in this capacity that law firms encounter HIPAA compliance issues. Law firm vendors processing client data would also be acting as business associates and be subject to the same compliance issues.
