
HIPAA consulting and the channel's ethical responsibility

The channel seems to be in denial about its ethical responsibility pertaining to HIPAA consulting around business associate agreements, said technology and security consultant Kevin McDonald.

A few months ago, I wrote an article about the practice of non-attorneys consulting on HIPAA business associate agreements. After talking with scores of people about the article, I've concluded the issue of ethical and professional duty wasn't discussed as thoroughly as it should have been. Readers -- IT professionals who work with, or hope to work with, HIPAA-regulated entities; security and HIPAA consultants; attorneys; and others -- had some strong opinions about the article. They didn't fully agree with one another, of course, but they held common ground in their denial of their ethical and professional -- and sometimes statutory -- responsibilities.

The fact is, there are times (like when asked to draft contracts without an attorney involved) when we must overlook income potential. We must let the client know that while it may cost more, some things should be handled by an attorney. At other times, we have to tell a client that we are not qualified and/or licensed to do the work being requested.

Like it or not, there is a reason professionals are obligated to be licensed, certified and/or otherwise shown to be qualified to provide professional services. Yes, in part it is to lock out competition and increase prices -- I think we can acknowledge that reality. Another reality, however, is that impartial industry certifications and licensing are primarily meant to ensure the individual doing the work or providing the advice has a genuine foundation of knowledge needed to take the right actions or offer the best advice.


Let's go back to my earlier article's example of providing unlicensed -- and therefore unqualified -- advice on HIPAA-related contracts such as Notices of Privacy Practices and business associate agreements. In that article, I primarily addressed my belief that it could very well be illegal for a non-attorney to engage in HIPAA consulting with a client by providing advice, beyond general education, on the specifics of agreements. I argued that in many states this ultimately could be defined as providing legal advice without a license, and would therefore be illegal. Since that article, I have heard from many people who said things along the lines of, "I am far more qualified to draft a business associate agreement than the vast majority of lawyers; they don't understand the healthcare business nearly as well as I do," and, "I am just trying to save the client money, and attorneys just want to extend and delay the process longer than they should to make more money."

For the point of discussion, let's say we do better understand the issues at hand from a purely regulatory perspective, and we could save the client a few hundred or even thousands of dollars on the agreement by offering specific advice on HIPAA contracts. Let's also assume we are infinitely qualified to address the fundamental components of the agreement as required by HIPAA and the U.S. Department of Health and Human Services. Even with these assumptions, I still believe it is illegal for us to provide specific advice on business associate agreements. And at the very least, providing that advice fails our ethical duty to offer qualified advice and do what is in the best interest of a client.

How, you ask, can we be more qualified than an attorney on HIPAA and still be wrong to engage in HIPAA consulting around a contract without the help of a lawyer? It's simple: There is far more to a contract than making sure required content makes it into the agreement. Contracts are not just about words; they are about a construct of rights and obligations defined by those words, their order, and their relationship to one another. To be enforceable, a contract must comply with a vast array of state and federal prescriptions and limitations. If terms are left out -- or even included in the wrong order or section of an agreement -- it could greatly reduce or even nullify the protections that a contract is designed to offer.

From a failed-duty perspective, if we give a client bad advice or don't provide advice where we should, it could cause that client to pay dearly due to an absence of protections that may have been provided by an attorney-drafted agreement. An attorney not only comes with specialized training, but also ethical and legal obligations and rights, such as privilege and malpractice insurance.

I have begun to aggressively question the way general regulatory obligations are or are not being managed in the face of what many see as unrelated consulting and implementation/management services. I believe ethical responsibility goes beyond an issue of agreements or promises; it relates directly to leading a client down the right path for them, not necessarily for us. Sometimes that means trying to convince them to use another provider's services, or to spend more than they would like. Some organizations, such as IT, facilities management and security companies, argue that they do not have a duty to understand the impact of their services on a client's compliance posture. I would argue that we do in fact have that responsibility, because no one knows our product better than we do.

If you are working in a regulated environment in the capacity of a technology consultant or vendor, for instance, it is your duty to understand and advise how technology might affect the compliance posture of a client's environment. If you cannot, I believe you are, at minimum, obligated to make a clear statement about your inability to address that issue. I would even argue that you should recommend that the client consult with someone qualified before the new product transaction is completed. The introduction of new technology is much more than a speeds-and-feeds discussion. It must involve discussion of potential risks, how the technology can be used in a compliant manner, and how it can be monitored or otherwise demonstrated to be safe. I also believe that marketing claims are in some ways equal to consulting when dealing with less-sophisticated clients, and we have a duty to be sure they are accurate. Many clients that lack the professional knowledge or in-house expertise around regulations rely on advertising and marketing claims as to regulatory impact. This adds to the ethical responsibility of vendors not to overstate what a product or service does as it relates to the client's compliance posture.
