HIPAA Business Associate Role is Based on Services

The question about a lawyer or an accountant being a HIPAA Business Associate is directly related to several sections of the HIPAA Security Rule framework to protect electronic health information. It is even more important today with the HIPAA Business Associate and subcontractor changes in the HIPAA Omnibus Final Rule that will be enforced after September 23, 2013. Just like security after 9/11, HIPAA is changing the business landscape forever. You no longer have to be a healthcare company to be responsible for the protection of Protected Health Information (PHI). With health care organizations now more responsible than ever for the compliance of their vendors, lawyers and accountants have to step up and become compliant with HIPAA.

Background

HIPAA Covered Entities are health care providers and payers that process certain transactions electronically. These include doctors, dentists, hospitals, clinics, pharmacies, labs, and insurance companies.

A “Business Associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a Covered Entity.

A HIPAA Business Associate is required to sign an agreement limiting the use of the health information it uses. The HIPAA Omnibus Final Rule requires a HIPAA Business Associate to comply with HIPAA as if it were a Covered Entity, including HIPAA policies and procedures, a Risk Analysis, workforce training, and the security of any patient data it stores. The rule went further to require that a Business Associate be responsible for the HIPAA compliance of any subcontractor it uses. Subcontractors now include data centers, cloud services, and online backup companies.

Determining who is a HIPAA Business Associate is very important because the companies that service Business Associates are now also considered Business Associates and have to comply with HIPAA. This means that an IT company, a company that provides legal software, a copier repair company, or a paper storage warehouse, just to mention a few, will now have to comply with HIPAA even though they don’t directly have health care clients. Because their clients have health care clients, they have to comply.

Lawyers

Any lawyer whose legal services for a Covered Entity involve access to patient data is a HIPAA Business Associate. Some legal services like real estate or contracts do not require access to patient records. Malpractice defense is a clear example where patient records are required.

Just possessing medical records does not make an attorney a HIPAA Business Associate. For example, in a malpractice lawsuit, the patient suing their doctor gives their medical records to their attorney. This does not make the plaintiff’s attorney a Business Associate, because the patient can give their records to anyone. The doctor being sued gives the patient’s medical records to his attorney. This makes the attorney for the defendant a HIPAA Business Associate because the doctor is a Covered Entity and is sharing patient data with someone outside his workforce.

The Dallas Bar Association says, “Specifically, lawyers representing Covered Entities, if they receive PHI from the Covered Entity (or produce PHI on the Covered Entity’s behalf), are Business Associates. Therefore, if you represent a health plan, provider or clearinghouse and receive PHI from the client, you must enter into a BAA with the client. If you have not, your client is likely in violation of HIPAA.” The Minnesota State Bar Association agrees, “Law firms with access to protected health information likely will find themselves classified as ‘business associates’ under new HIPAA rules and therefore subject to new privacy, security, and breach-notification requirements governing their handling of such information.”

While lawyers often think that HIPAA compliance is an exercise in contracts, it is really an exercise in IT security and data protection. It requires that any outsourced IT companies, data centers, cloud-based legal software vendors, e-mail providers, paper records storage providers, shredding companies and others sign Business Associate Agreements and provide HIPAA-compliant services.

Accountants 

An accountant that audits the books of health care organizations often sees patient information. They track treatment bills to follow the patient’s co-pay, insurance payments, and write-offs, to see that the transactions were handled properly in the accounting system. This means that the accountant is a Business Associate.

Risks

Lawyers and accountants carry laptops and other portable devices. Large HIPAA fines have been assessed for the loss of laptops and hard drives that contained patient data. Laptops and any portable storage media should be encrypted because if an encrypted device is lost, it is not a reportable data breach. Devices should be protected against malware, loss, or theft. Fines are not only assessed to a Business Associate that breaches patient data, but can also be assessed to their client that hired them.

A law firm or accountant that is a Business Associate requires HIPAA policies, documented procedures to support the policies, a HIPAA risk analysis, and workforce training for its management and staff, including the lawyers and accountants. It must make sure that any patient records in its case management or auditing software are secure. It must never e-mail unencrypted patient information outside of the firm. It must have its network and devices protected against malware and unauthorized access. Its IT support company should be HIPAA certified so it knows the rules. It can only do business with cloud vendors, data centers, and online backup providers that will sign Business Associate Agreements and implement compliance programs.

If a lawyer or accountant won’t sign a HIPAA Business Associate Agreement or implement HIPAA compliance, any information shared with him would be a data breach. A Covered Entity has no choice but to find someone who will comply with HIPAA to provide legal representation or accounting services.

"originally written for 4MedApproved"