Friday, October 11, 2013

The New HIPAA Omnibus Final Rule and What You Need From Your Business Associates

The September 23rd deadline for compliance with the HIPAA Omnibus Final Rule (Final Rule) has passed, but the obligations it created certainly haven't. If your law firm is an explicit (or implicit) business associate of a covered entity, your firm should already be in compliance with the HIPAA Security Rule. But even if your firm has done everything to fulfill the statutory requirements, how do you know your own business associates and subcontractors have? What about your legal practice management software provider, which, because it stores data on your behalf, is itself your business associate under the Final Rule? One of the most important duties of an attorney is to safeguard client confidentiality, and that includes protecting a client's electronic protected health information (ePHI) from unauthorized access, disclosure, or breach.

If your firm has been doing what we at MerusCase have been doing for months, it undoubtedly involved countless debates and meetings to put in place the best policies and procedures for complying with the Final Rule. And if, like us, your firm expended valuable time and resources to come into strict compliance, you want assurance from your legal practice management software provider that they take the Final Rule just as seriously and have demonstrable policies and procedures in place to safeguard your clients' ePHI.

This means that if you are a business associate and use a legal practice management software provider to store PHI on your behalf, whether electronic or hard copy, in the cloud, on a server, or anywhere else, there are certain things you should have already done by now. First, you should have a business associate agreement or subcontractor agreement in place, and you should review and revise existing agreements to conform to the Final Rule. Second, you should make sure that your legal practice management software provider is in compliance with the applicable requirements of the Security and Privacy Rules, and obtain assurances that any subcontractors that create, receive, maintain, or transmit ePHI on the provider's behalf agree to the same restrictions and conditions that apply to the provider with respect to that ePHI. At a minimum, to obtain the satisfactory assurances the Security Rule requires, your firm should ask the following questions about your business associate's security risk management program:

  • What administrative safeguards are in place to protect the confidentiality, integrity, and availability of ePHI?
  • What physical safeguards are in place to protect the confidentiality, integrity, and availability of ePHI?
  • What technical safeguards are in place to protect the confidentiality, integrity, and availability of ePHI?
  • Who is the privacy/compliance officer responsible for ensuring the safeguards are adequate and for overseeing ongoing compliance within the organization?

Stay tuned for our next post detailing some of the steps we took to comply with the Final Rule, along with helpful tips on maintaining the security and privacy standards for safeguarding PHI.

Written by Sooah Sohr, General Counsel at MerusCase
Posted by MerusCase on Friday, October 11, 2013

Labels: HIPAA
