HIPAA business associate agreement consultations could be unlawful

Non-legal professionals providing advice on HIPAA BAAs might be practicing law without a license.

Under federal law, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule extends to a class of business entities (i.e., health plans, health care clearinghouses and health care providers) that carry out covered transactions. These business entities are otherwise known as "covered entities."

The majority of HIPAA-covered entities rely on contractors known as business associates (BAs) to deliver many of their services. As part of the BA relationship, covered entities can disclose protected health information (PHI) to the BAs.

The right of a covered entity to share PHI is acceptable only as long as the covered entity "obtains satisfactory assurances" that its BAs and the BAs' subcontractors use the PHI they create, receive, maintain or transmit strictly within the scope of their services.

The agreement between the covered entity and the BA is known officially as a HIPAA business associate agreement (BAA).

According to Marc Schneider, shareholder at the law firm Stradling Yocca Carlson & Rauth P.C., "HIPAA's Omnibus Rule extends direct liability to [BAs] of [c]overed [e]ntities, making them potentially liable for civil penalties for any noncompliance. [BAAs] should be carefully crafted to comply with HIPAA and guidance issued by the Department of Health and Human Services -- including, for example, explicitly stating how a [BA] will report and respond to data breaches [and] including those caused by subcontractors, and satisfactory assurances that the [BA] will appropriately safeguard protected health information."

Among other things, the HIPAA business associate agreement spells out the central aspects of the relationship, including rights and obligations between the covered entity and the business associate.

I would like to offer my perspective on all of this. Let me start by saying I am not providing legal advice. You should consult your attorney in order to decide whether or not my advice applies to you.

There are many IT service providers, "HIPAA Consultants" websites, training organizations and other non-attorneys offering direct advice, templates, document creation, review, suggested language, and training to other providers and clients.

While the support may be helpful and more affordable than using an attorney, these consultants are very possibly breaking the law. Unless you are talking to clients in generic terms -- for example, in an educational webinar or a consulting relationship where you do not deal with the specifics of an individual situation -- you might just be practicing law without a license.

Having been raised by two attorneys, I have long been concerned about the questionable practice of non-legal professionals advising on contracts -- which the HIPAA business associate agreement and Notice of Privacy Practices (NPP) are. I have resisted getting involved in BAA and NPP consulting beyond pointing clients to the Department of Health and Human Services (HHS) for advice and to templates from groups like the American Medical Association. As part of my HIPAA compliance and security consulting, I will suggest the HHS-listed items that should be included as required by HHS.

Recently, I had a covered entity client ask me if I would help them review some agreements with their BAs. When I declined, they asked, "Why not? … Everyone is doing it. It seems to me you should do it if you want to compete."

In the scheme of my extensive work with this client, not supporting the BAA process was seemingly inconsequential to me, but obviously it was consequential to them. I am always willing to support clients' needs to the best of my knowledge and capabilities, so I needed to get a straight answer on whether I could help or not. I then decided I had to dig in and find out if my concerns were founded in reality or if I should start advising clients on these BAA and NPP agreements.

I began my investigation like many would -- by using various search engines, which led me to specific codes and sales pitches from lawyers and non-legal professionals. Unable to convince myself that I had a definitive answer, I decided to call the Bar Association of California.

Let's just say they were less than helpful.

They effectively said, "We cannot comment on that issue, and the jurisdiction is held by the District Attorney."

I found this fascinating, because they are the ones admitting attorneys to practice in California and often refer cases for prosecution.

So, I reached out to a number of attorneys (including the Orange County District Attorney) to find the answer to this question: Is it or is it not practicing law if one provides templates and/or helps a client draft or review language of a HIPAA business associate agreement?

One attorney I spoke with was helpful but stated clearly that he was hesitant to be quoted because it seemed self-serving to tell others they shouldn't be practicing law without a license. However, he cited the following legal rulings. The first two points are findings from a 1998 case from the California Court of Appeals (Estate of Condon, Condon v. McHenry). The third point is from the Los Angeles County District Attorney's Office's Unauthorized Practice of Law Manual for Prosecutors:

1. Section 6125 of California's Business & Professions Code provides that "[n]o person shall practice law in California unless the person is an active member of the State Bar." Section 6126(a) states that "[any] person advertising or holding himself or herself out as practicing or entitled to practice law or otherwise practicing law who is not an active member of the State Bar, is guilty of a misdemeanor." (Emphasis is mine.)

2. It is well settled in California that "practicing law" means more than just appearing in court. "[T]he practice of the law . . . includes legal advice and counsel and the preparation of legal instruments and contracts by which rights are secured although such matter may or may not be pending in a court."

3. "Any person advertising or holding himself or herself out as practicing or entitled to practice law or otherwise practicing law who is not an active member of the State Bar, or otherwise authorized pursuant to statute or court rule to practice law in this State at the time of doing so, is guilty of a misdemeanor punishable by up to one year in a county jail or by a fine of up to one thousand dollars ($1,000), or by both that fine and imprisonment."

During my search, I also found that the laws are similar in many states.

Here are a few examples from the American Bar Association:

1. Alabama says, in part: "§34-3-6. Who may practice as attorneys (b) For the purposes of this chapter, the practice of law is defined as follows: Whoever, … [for] a consideration, reward or pecuniary benefit, present or anticipated, direct or indirect, advises or counsels another as to secular law, or draws or procures or assists in the drawing of a paper, document or instrument affecting or relating to secular rights … is practicing law."

2. Colorado says, in part: "'practice of law' means … (i) furnishing legal counsel, drafting documents and pleadings, and interpreting and giving advice with respect to the law."

3. Connecticut says, in part: "140 A.2d 863, 870 (1958): The practice of law consists in no small part of work performed outside of any court and having no immediate relation to proceedings in court. It embraces the giving of legal advice on a large variety of subjects and the preparation of legal instruments covering an extensive field."

According to the Las Vegas Legal Defense Group, committing unlawful practice of law in the state of Nevada receives a harsh punishment. The punishment increases with each subsequent offense:

1. A first offense within the last seven years is a misdemeanor in Nevada with a penalty of up to $1,000 in fines and/or up to six months in jail.

2. A second offense within the last seven years is a gross misdemeanor in Nevada with a penalty of up to $2,000 in fines and/or up to one year in jail.

Knowing that many laws are passed but never enforced, I called the Orange County District Attorney's office to inquire whether the district attorneys thought the type of consulting that I am talking about constitutes practicing law without a license. I asked if they ever prosecute unlawful practice of law.

Farrah Emami, spokesperson for the district attorney's office, respectfully resisted commenting on the particulars, but she did confirm that the Orange County District Attorney prosecuted 10 individuals for unlawful practice of law between 2003 and 2013.

It is my goal to educate and assist clients and to never violate the law. It is now my opinion that the act of drafting and consulting on BAAs and NPPs, as well as reviewing their language, proposing modifications or additions, and so forth, could, in fact, be a violation of law in many states.

Therefore, I suggest you consult your attorney and decide whether this is something you want to get involved in or continue to do before you meet the DA under circumstances that you may not enjoy.

Do you agree with this perspective: Are these non-legal professionals breaking the law?
Interesting, but the author makes reference to "under California law...". I wonder by extension does that mean that anyone assisting with tax preparation, with the exception of tax attorneys, is also practicing "law". It seems that a template is a template until someone sees a possible profit.
Thank you for the article. Very informative. I am wondering, however: the organization I work for provides an all-encompassing solution for HIPAA compliance, even to the degree of contracting to serve as the Privacy and Security Officer. All of our BAAs and related policies and procedures related to compliance are derived from the HHS and OCR websites and also reviewed and adjusted by our attorney. Do you feel from your research this would constitute a violation of the law? Understandably this would be your opinion and not legal advice. Thanks.
There is no universally accepted definition for "LAW". But the author definitely does not understand what purpose these information security companies serve. They are not administering the law but are considered subject matter experts in policy, processes and compliance. They review the requirements that are applicable to those businesses and assess their internal controls to achieve compliance, reduce risk from exposure of electronic data, and how data and systems are protected, shared, stored and so on. Hopefully this will clear up the issue that this article raises.
@MainNerve. That is by far one of the best questions that I have received in the past couple of weeks. I will answer to the degree that I can. If you are hired as the privacy and/or security officer, that may well make you an agent of the organization rather than just a contractor. Therefore, I would argue that you are more like an employee that is negotiating on behalf of the employer (which from what I am told and understand is OK, with limitations of skills of course) than a consultant acting as an intermediary. However, since the law does not clearly state working on behalf of your employer, or better yet 1099 versus W2, as a qualifier, it would still be up in the air for me. It is something I have elected to avoid. Keep in mind, the only issue that I raised was that of the two legal instruments (contracts), the BAA and the NPP, so the limitation discussed is narrow in scope. Due to the incredible liability associated with any failure of a BAA or NPP to protect the covered entity and/or the business associate, using in-house counsel or an outside attorney might be best even in those cases.

Promulgated forms by HHS which are fill-in-the-blank; how is that a problem? Just someone trying to stir up trouble where none otherwise exists. If given the choice of whether the article or "preparing" BA agreements was closer to practicing law without a license, I would vote for the article; looks a lot like a legal opinion to me. Makes me wonder if McDonald is trying to throw the whole industry under the bus or just some competitor. In any case, lock him up.
[@Ccavend, this response comes from Kevin McDonald (practicallyinvisible). He was having trouble posting this and asked me to do so.]

I want to answer a couple of points that you made. Thank you for the comments. The first is on your statement, "I would expect that advising if a BAA meets HHS requirements would NOT be an offense." Reviewing any document that controls rights and responsibilities between two parties is precisely what is covered. If you review any agreement that controls rights and responsibilities, and say it is inadequate or adequate for specific legal reasons, that is legal consulting in most states I have looked at as of today. On your second point, "In order to satisfy regulations, this contract will have to include provisions for specific incident responses," I agree; that would be educational because you are not reviewing specific language of an agreement and in fact are just parroting what HHS has already said should be included in every agreement. In fact, even showing an example and going through the specific parts needed would, in my opinion, be OK. But providing a document or language to be used would be a problem. On the third point, the state codes say that the act of drafting documents and/or interpreting and giving advice with respect to the law is practicing law without a license. That means, in my mind, that reviewing any document that is a legal instrument and commenting in any way on its efficacy or lack thereof is in violation.
[@DOJerp61, this response comes from Kevin McDonald (practicallyinvisible). He was having trouble posting this and asked me to do so.]

You say I do not understand the purpose of companies that do this kind of consulting. This is more than a touch funny, because it is precisely what I and my company do for a living. There are many more companies than "information security" companies, as you call them, doing the consulting, because HIPAA compliance involves every aspect of the business and far more in IT than just security. In fact, HIPAA compliance involves confidentiality, integrity and availability, most of which should not even be handled by "information security" companies. I am a certified expert on the subject of HIPAA compliance. I consult on, write published articles about, and speak to and/or train large and small audiences on the subject of regulatory compliance in the healthcare industry and others. If you think I don't understand it, you might want to tell the legislators, law enforcement members, the 100+ lawyers that paid me to train them on these subjects in just the past week, and the 13 organizations (including accredited healthcare compliance education programs) asking me to present to their audiences already this year. On point, you totally missed the entire factual outlay of the article. The legal definitions and actual laws referenced in the article spell it out clearly. Advising on Notice of Privacy Practices and the Business Associate Agreements (which are contracts) in particular is the issue, and I made ZERO comment on the overall regulatory compliance support you commented about. The act of advising on the contents and/or construction of (beyond telling them what it should include on an educational basis) any legal agreement is, in many states, practicing law without a license. Reviewing them for completeness, commenting on changes or additions, etc., is also, in my opinion and the opinions of many others (including the legal field), practicing law without a license. So, I hope that clears things up for you.
Were any of those 10 cases related to HIPAA and related agreements?

Having been raised by two non-attorneys, I have long been concerned about the questionable practice of legal professionals unduly obfuscating and complicating matters that most intelligent non-legal professionals can do largely or entirely on their own at way less cost.

Hi ShimCodeSr,
I ran your question by Kevin. He did ask the attorney at the DA's office whether they would consider consulting around HIPAA agreements by non-legal professionals to be a violation of the law. The attorney would not answer the question directly but said that the office had prosecuted 10 people for unlawful practice of law between 2003 and 2013. So the conversation with the DA was in the context of HIPAA.
Based on the description of the legal code, and the conversation with the DA, I would expect that advising if a BAA meets HHS requirements would NOT be an offense, nor would a statement along the lines of "In order to satisfy regulations, this contract will have to include provisions for specific incident responses" - note the generic nature of that statement; it does not specify the language of the contract, merely a provision that should be included. I do see that in the state codes listed, all of them would cover actually writing a contract, but I do not feel that merely saying any specific contract or draft contract is not satisfactory is the equivalent of preparing that contract.