For years now lawyers and law firms providing professional services to health care providers or health insurance plans should have had in place essential safeguards to meet the responsibilities and requirements as business associates under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA and the related privacy and security rules governing how health care providers, health insurance plans and others (defined under HIPAA as “covered entities”) are allowed to use and disclose health and medical information (defined under HIPAA as “protected health information”) have been in effect since 2003. However, many third parties, including lawyers and law firms, who regularly handle health information on behalf of their client covered entities while providing professional services have not taken seriously their duty and responsibility to safeguard such information in full compliance with HIPAA and its associated regulations.

On January 17, 2013, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services ("HHS") issued the long awaited final rule (“Final Rule”) amending the HIPAA privacy, security, enforcement and breach notification rules in accordance with the Health Information Technology for Economic and Clinical Health (“HITECH”), which significantly expands certain obligations for health care providers and their business associates. The Final Rule, published in the Federal Register on January 25, 2013, has been described as "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented."

Originally Published from the FDCC Annual Meeting, The Greenbrier Resort, White Sulfur Springs, West Virginia - July 27 - August 2, 2014.