Under federal law, the Health Information Portability and Accountability Act (HIPAA) Privacy Rule extends to a class of business entities (i.e., health plans, health care clearinghouses and health care providers) that are carrying out covered transactions. These business entities are otherwise known as "covered entities."
The majority of HIPAA-covered entities rely on contractors known as business associates (BAs) to deliver many of their services. As part of the BA relationship, covered entities can disclose protected health information (PHI) to the BAs.
A covered entity may share PHI only as long as it "obtains satisfactory assurances" that its BAs and the BAs' subcontractors use the PHI they create, receive, maintain or transmit strictly within the scope of their services.
According to Marc Schneider, shareholder at the law firm Stradling Yocca Carlson & Rauth P.C., "HIPAA's Omnibus Rule extends direct liability to [BAs] of [c]overed [e]ntities, making them potentially liable for civil penalties for any noncompliance. [BAAs] should be carefully crafted to comply with HIPAA and guidance issued by the Department of Health and Human Services -- including, for example, explicitly stating how a [BA] will report and respond to data breaches [and] including those caused by subcontractors, and satisfactory assurances that the [BA] will appropriately safeguard protected health information."
I would like to offer my perspective on all of this. Let me start by saying I am not providing legal advice. You should consult your attorney in order to decide whether or not my advice applies to you.
There are many IT service providers, "HIPAA Consultants" websites, training organizations and other non-attorneys offering direct advice, templates, document creation, review, suggested language, and training to other providers and clients.
While the support may be helpful and more affordable than using an attorney, these consultants are very possibly breaking the law. Unless you are talking to clients in generic terms -- for example, in an educational webinar or a consulting relationship where you do not deal with the specifics of an individual situation -- you might just be practicing law without a license.
Having been raised by two attorneys, I have long been concerned about the questionable practice of non-legal professionals advising on contracts -- which the HIPAA business associate agreement and Notice of Privacy Practices (NPP) are. I have resisted getting involved in BAA and NPP consulting beyond pointing clients to the Department of Health and Human Services (HHS) for advice and to templates from groups like the American Medical Association. As part of my HIPAA compliance and security consulting, I will suggest the HHS-listed items that should be included as required by HHS.
Recently, I had a covered entity client ask me if I would help them review some agreements with their BAs. When I declined, they asked, "Why not? … Everyone is doing it. It seems to me you should do it if you want to compete."
In the scheme of my extensive work with this client, not supporting the BAA process was seemingly inconsequential to me, but obviously it was consequential to them. I am always willing to support clients' needs to the best of my knowledge and capabilities, so I needed to get a straight answer on whether I could help or not. I then decided I had to dig in and find out if my concerns were founded in reality or if I should start advising clients on these BAA and NPP agreements.
I began my investigation like many would -- by using various search engines, which led me to specific codes and sales pitches from lawyers and non-legal professionals. Unable to convince myself that I had a definitive answer, I decided to call the Bar Association of California.
Let's just say they were less than helpful.
They effectively said, "We cannot comment on that issue, and the jurisdiction is held by the District Attorney."
I found this fascinating, because they are the ones admitting attorneys to practice in California and often refer cases for prosecution.
So, I reached out to a number of attorneys (including the Orange County District Attorney) to find the answer to this question: Is it or is it not practicing law if one provides templates and/or helps a client draft or review language of a HIPAA business associate agreement?
One attorney I spoke with was helpful but stated clearly that he was hesitant to be quoted because it seemed self-serving to tell others they shouldn't be practicing law without a license. However, he cited the following legal rulings. The first two points are findings from a 1998 case from the California Court of Appeals (Estate of Condon Condon v. McHenry). The third point is from the Los Angeles County District Attorney's Office's Unauthorized Practice of Law Manual for Prosecutors:
1. Section 6125 of California's Business & Professions Code provides that, '[n]o person shall practice law in California unless the person is an active member of the State Bar.' Section 6126(a) states that '[any] person advertising or holding himself or herself out as practicing or entitled to practice law or otherwise practicing law who is not an active member of the State Bar, is guilty of a misdemeanor.' (Emphasis is mine.)
2. It is well settled in California that 'practicing law' means more than just appearing in court. '[T]he practice of the law . . . includes legal advice and counsel and the preparation of legal instruments and contracts by which rights are secured although such matter may or may not be pending in a court.'
3. "Any person advertising or holding himself or herself out as practicing or entitled to practice law or otherwise practicing law who is not an active member of the State Bar, or otherwise authorized pursuant to statute or court rule to practice law in this State at the time of doing so, is guilty of a misdemeanor punishable by up to one year in a county jail or by a fine of up to one thousand dollars ($1,000), or by both that fine and imprisonment."
During my search, I also found that the laws are similar in many states.
1. Alabama says, in part: "§34-3-6. Who may practice as attorneys (b) For the purposes of this chapter, the practice of law is defined as follows: Whoever, … [for] a consideration, reward or pecuniary benefit, present or anticipated, direct or indirect, advises or counsels another as to secular law, or draws or procures or assists in the drawing of a paper, document or instrument affecting or relating to secular rights … is practicing law."
2. Colorado says, in part: "'practice of law' means … (i) furnishing legal counsel, drafting documents and pleadings, and interpreting and giving advice with respect to the law."
3. Connecticut says, in part: "140 A.2d 863, 870 (1958): The practice of law consists in no small part of work performed outside of any court and having no immediate relation to proceedings in court. It embraces the giving of legal advice on a large variety of subjects and the preparation of legal instruments covering an extensive field."
According to the Las Vegas Legal Defense Group, the unlawful practice of law in the state of Nevada receives a harsh punishment, which increases with each subsequent offense:
1. 1st offense within the last seven years is a misdemeanor in Nevada with a penalty up to $1,000 in fines and/or up to six months in jail.
2. 2nd offense within the last seven years is a gross misdemeanor in Nevada with a penalty up to $2,000 in fines and/or up to one year in jail.
Knowing that many laws are passed but never enforced, I called the Orange County District Attorney's office to inquire whether the district attorneys thought the type of consulting that I am talking about constitutes practicing law without a license. I asked if they ever prosecute unlawful practice of law.
Farrah Emami, spokesperson for the district attorney's office, respectfully resisted commenting on the particulars, but she did confirm that the Orange County District Attorney prosecuted 10 individuals for unlawful practice of law between 2003 and 2013.
It is my goal to educate and assist clients and to never violate the law. It is now my opinion that the act of drafting and consulting on BAAs and NPPs, as well as reviewing their language, proposing modifications or additions, and so forth, could, in fact, be a violation of law in many states.
Therefore, I suggest you consult your attorney and decide whether this is something you want to get involved in or continue to do before you meet the DA under circumstances that you may not enjoy.