Over the past two years, there’s been a lot of talk about HIPAA. Or, usually, its counterpart “HIPPA,” which resides in the addled imaginations of anti-vaxxers and disgruntled COVID-denialists everywhere. In their minds, the federal government prohibits you from asking them if they’ve done the absolute bare minimum to maintain public health.
It usually gets cited along with the Nuremberg Code or some such nonsense.
In reality, the Health Insurance Portability and Accountability Act of 1996 does not do any of that. But this lunacy did spawn a fun Twitter account:
That’s the law in a nutshell. Most of the people whining about HIPAA (or “HIPPA”) are just bonkers.
But, as the above Tweet clarifies, HIPAA does place obligations on doctors (and affiliated entities like nurses and hospitals), insurers, and health information clearinghouses. If one of these entities provides a lawyer with Protected Health Information, the lawyer is obligated to abide by the law too.
Easy enough, right? Well, guaranteeing that a modern legal practice doesn’t run afoul of federal law requires a little more effort. Truly securing data involves sending that data to the cloud, and that brings someone else into the equation.
Clio recently completed its own internal HIPAA attestation examination, meaning it can sign Business Associate Agreements with clients to store and process PHI consistent with HIPAA standards.
Joshua Lenon, Clio’s Lawyer in Residence, detailed the comprehensive (ultimately checking around 658 different requirements) administrative, technical, and organizational review the company undertook to develop the confidence required to provide its HIPAA add-on. Encryption and security — which Clio already provides — were never really a question, of course. But beyond that stuff, having restricted physical access to the production servers, systems that report account activities of both users and content, a formally defined and tested breach notification policy, and heavily restricting employee access to customer data files are among the features of a robust HIPAA compliance system that Clio provides.
And, not for nothing, but lawyers don’t necessarily understand when they’re dealing with PHI, so Clio had to make sure it had the processes and training of employees on security policies necessary to guarantee that all the data triggering HIPAA is correctly handled.
“The challenge firms have is that almost all the information they have is confidential, but not all of it fits under data protection laws. How do you set up a system that says ‘this is confidential, and this is protected’?” It’s reminiscent of the classic GDPR compliance problem: your holiday card mailing list is one of the few non-confidential documents lawyers keep… but it’s likely filled with personally identifiable information covered by GDPR.
While medical malpractice doesn’t necessarily invoke HIPAA — because presumably the patient is putting their own medical history at issue — a business dispute between doctors over billing or something like that could easily bring documents through the door that contain PHI and heap obligations on the firm.
That’s the challenge lawyers face, and keeping that information properly cordoned off is exactly the pain point where partnering with Clio can help.
For the record, saying “pain point” is not PHI.
Joe Patrice is a senior editor at Above the Law and co-host of Thinking Like A Lawyer. Feel free to email any tips, questions, or comments. Follow him on Twitter if you’re interested in law, politics, and a healthy dose of college sports news. Joe also serves as a Managing Director at RPN Executive Search.