The new HIPAA Omnibus Rule adds regulations that directly impact law firms, requiring immediate action to achieve compliance. The most significant change is the vastly expanded scope of HIPAA enforcement. Previously, HIPAA regulations applied only to covered entities (CEs) — organizations like health care providers and insurers — and did not reach their business associates (BAs), such as their law firms.

Under the new Omnibus Rule, business associates of covered entities are now directly liable for violations of the entire Security Rule and select provisions of the Privacy Rule, including the requirement that uses and disclosures of protected health information (PHI) must be limited to the “minimum necessary” for an intended purpose.

A number of law firm practice groups frequently come into possession of client data subject to the rules, including insurance, labor and employment, ERISA and litigation. In response, firms are enhancing confidentiality controls and adopting more stringent information security and monitoring measures. In doing so, these organizations have created stricter industry standards and raised client expectations.

The Problem

Previously, law firms could address confidentiality obligations for PHI by executing Business Associate Agreements with their clients. Now firms must put explicit controls in place. They are also directly liable for compliance and may be subject to government and client audits.

With the Omnibus changes, law firms are now directly subject to the administrative, physical and technical safeguard requirements of the Security Rule, as well as new requirements to maintain policies, procedures, and documentation around security risks.

The Security Rule explicitly requires four technical safeguards:

  • Access controls — software that limits access to electronic PHI (ePHI) to authorized personnel
  • Monitoring controls — software that records and examines access and activity in systems that store PHI
  • Integrity controls — electronic measures to confirm that ePHI has not been improperly altered or destroyed
  • Transmission security — security measures that guard against unauthorized access of transmitted PHI

The stakes are high — the rules set out the first federally mandated data breach notification requirement. Organizations that lose or disclose personal health information must inform affected parties. And if more than 500 records are breached, notification must also be provided to local media and the United States Department of Health and Human Services, which has set up a public web page listing infractions.

Beyond the attention and embarrassment facing organizations that disclose mistakes, the law provides for civil and criminal damages and grants multiple government agencies the right and duty to investigate breaches or neglect.

Because these rules place ultimate responsibility on the primary creators and caretakers of PHI, clients are taking greater interest in law firm compliance practices. This interest translates into more stringent outside counsel guidelines and RFP criteria. Several healthcare organizations have also developed audit programs to evaluate their business associates to ensure strict compliance.

In this environment, it’s vitally important that law firms examine and update their information management practices to comply with these rules, reduce the risk and potential liability they face, and position themselves to respond to client demands in order to win and retain business.

The Intapp Solution – Intapp Walls

Intapp specializes in helping law firms address information security and compliance issues. For firms looking to take all available steps to align their organizations with information management requirements mandated by the HIPAA Omnibus Rule, Intapp offers assessment and response planning resources coupled with the legal industry’s leading technology platform for unified information security management and compliance reporting.

Intapp’s access control management software is used by more law firms to control and track access to sensitive electronic information than any other solution. And Intapp’s activity monitoring software provides visibility into lawyer and staff engagement with PHI on multiple firm systems and cloud collaboration tools.

Intapp has worked with a large number of law firms to enhance their confidentiality practices as part of a comprehensive response to their obligations under government regulations like HIPAA.
