Lawyers take note: on February 17, 2010, the HITECH Act (“Health Information Technology for Economic and Clinical Health Act”) went into effect. This act extends HIPAA confidentiality, monitoring and compliance tracking requirements to certain classes of businesses (“Business Associates” as defined by the Act) that receive personal health information from, among others, doctors, hospitals and insurance companies.
The Act requires that more stringent procedures be in place to protect health care data and also allows for harsher penalties for failure to comply with the requirements of the Act. A non-compliant law firm is now considered to be directly liable to the federal government and may face civil penalties of up to $50,000 per violation.
Generally speaking, the new rules apply primarily to attorneys who represent “covered entities” including doctors, health insurers and hospitals. And, as Jennifer A. Stiller explains here:
The new rules do not apply to attorneys who merely interact with healthcare insurers or providers in the context of representing clients who are not themselves healthcare insurers or providers. For example, a personal injury lawyer who subpoenas a person’s medical record, an estates lawyer drafting a medical power of attorney, or a business lawyer negotiating a deal between his non-healthcare client and a hospital or health insurance company would generally not be considered to be Business Associates.
Given the severe penalties for failure to comply with this Act, lawyers would be wise to review the requirements of the Act and determine if they are subject to its requirements. Should you wish to learn more, the article referred to above, “Lawyers Beware: Take action now to protect healthcare information or risk stiff penalties!” written by Jennifer A. Stiller, provides a great summary of the Act and offers further guidance for lawyers.