The HIPAA Omnibus Rule became effective on March 26, 2013. Covered entities and Business Associates had until September 23, 2013 to become compliant with the entirety of the law including the security rule, the privacy rule and the breach notification rule. Law firms that do business with a HIPAA regulated organization and receive protected health information (PHI) are considered a Business Associate (BA) and subject to all regulations including the security, privacy and breach notification rules. These rules are very prescriptive in nature and can impose additional procedures and additional cost to a law firm.

Under the HIPAA, there is a specific rule covering the use of PHI by both covered entities and Business Associates called the “Minimum Necessary Stand” rule or 45 CFR 164.502(b), 164.514(d). The HIPAA Privacy rule and minimum necessary standard are enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Under this rule, law firms must develop policies and procedures which limit PHI uses, disclosures and requests to those necessary to carry out the organization’s work including:

• Identification of persons or classes of persons in the workforce who need access to PHI to carry out their duties;
• For each of those, specification of the category or categories of PHI to which access is needed and any conditions appropriate to such access; and
• Reasonable efforts to limit access accordingly.

The minimum necessary standard is based on the theory that PHI should not be used or disclosed when it’s not necessary to satisfy a particular job. The minimum necessary standard generally requires law firms to take reasonable steps to limit the use or disclosure of, PHI to the minimum necessary to represent the healthcare client. The Privacy Rule’s requirements for minimum necessary are designed to be flexible enough to accommodate the various circumstances of any covered entity.

The first thing firms should understand is that, as Business Associates subject to HIPAA through their access and use of client data, firms are subject to the Minimum Necessary Standard, which requires that when a HIPAA-covered entity or a business associate (law firm) of a covered entity uses or discloses PHI or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

Law firm information governance professionals need to be aware of this rule and build it into their healthcare client related onboarding processes.