Medical Providers: Is Your Partner Law Firm HIPAA Compliant?
by Marius Ged, on Apr 14, 2021 9:19:32 AM
Health care providers treat car accident injuries throughout Florida and all no-fault insurance states without recovering their total costs from insurance companies. Legal assistance may be necessary to follow up with insurance carriers with contractual obligations to pay for medical treatment.
The attorneys at Ged Lawyers are well-versed in personal injury protection (PIP) claims under Florida statutory and case law. Our firm has an excellent track record of recovering medical costs on behalf of doctors, hospitals, medical imaging offices, chiropractors, physical therapists, and other healthcare professionals.
Just as important, we comply with all laws and regulations pertaining to hospital administrators, medical groups, and other HIPAA-covered entities when handling health data.
The Dangers of Hiring HIPAA-Non-Compliant Law Firms
As our medical clients know, under the Health Insurance Portability and Accountability Act of 1996, health care providers and additional covered entities must comply with federal patient privacy standards, as well as security and breach notification rules.
A 2009 amendment to the Act affirmed that these requirements apply to Business Associates (BAs), including law firms, whose personnel or systems may touch patients’ Protected Health Information (PHI), including data delivered electronically (ePHI).
Subsequently, in 2013, the Health Information Technology for Economic and Clinical Health (HITECH) Act directed Business Associates’ subcontractors to adhere to HIPAA rules and standards.
Thus, law firms and their subcontractors, if any, who work with HIPAA-covered entities to process personal injury protection claims must be HIPAA-compliant. Covered entities can transmit PHI to Business Associates if they have a signed agreement to ensure appropriate data protection. Yet, under HITECH, § 78 FR 5574, Business Associates must adhere to the HIPAA Security Rule whether or not such a signed agreement exists.
HIPAA is unusual in the contract sphere. The Business Associate Agreement may not indemnify medical providers against fines for health data security breaches. Under the Act, providers must have satisfactory assurances that the Business Associate is HIPAA-compliant.
For example, when law firms provide services that involve the transmission of electronic PHI (ePHI) through their data systems, they must have a protocol for administrative, physical, and technical compliance, as described in the signed HIPAA Business Associate agreement.
This step is critical to the health care professional. If personal health information is improperly handled or exposed, the medical provider could be held responsible by the Department of Health and Human Services’ Office for Civil Rights, the Attorney General of Florida, or both.
Surprisingly, surveys have shown that not all attorneys or law firms implement HIPAA safeguards. This oversight opens their data to potential spoofing, hacking, and virus attacks. Ultimately, HIPAA non-compliance may result in significant monetary payments, severe corrective actions, suits, and settlement agreements. But perhaps the worst aspect of non-compliance is the lack of public trust it can induce.
Why Partner With Ged Lawyers?
The legal team at Ged Lawyers is keenly aware of the twin dangers of data breaches and non-compliance with federal laws. We have no tolerance for lax cybersecurity or unauthorized access to sensitive health information.
Per the Act, we inform our medical clientele of the steps we take to ensure data protection. Our measures for protecting PHI and ePHI include, but are not limited to:
- Putting a Business Associate agreement into place with our medical clients.
- Training our attorneys in HIPAA compliance.
- Assigning the processing of claims to our attorneys, not third parties.
- Identifying and indexing all drives, electronic equipment, software, and systems that touch PHI or ePHI.
- Carrying out all-encompassing HIPAA risk assessments and putting in place a protocol to provide notification in case of a breach as required by the Act.
- Applying correct disposal methods for ePHI, completely deleting PHI in completed cases, and terminating access to any person for whom access is no longer imperative.
- Transmitting and receiving data with health care professionals’ and administrators’ systems through a secure, HIPAA-compliant VPN.
- Using updated protection against viruses, malware, phishing, hacking, etc.
Our attorneys handle claims cases, treating our medical providers’ data with the highest standards of professional responsibility. We are conscious of our shared duties and obligations under HIPAA.
How Our Service Works
A customer service representative will ask the medical provider for the Assignment of Benefits (AOB), the Explanation of Benefits (EOB), and the name of the vehicle insurance company. These three pieces of information are enough to start our process.
Our automated PIP claims examination system zeroes in on overdue benefits from the patient's EOB. Our proprietary software, Inspire®, cross-checks the Florida statute and state case law while assessing and indexing the claims.
Under Florida law, we have a five-year lookback period for a breach of contractual obligations. We aim to catch older PIP claims first while they’re still within the statute of limitations period.
Insurance carriers are allowed a second chance to pay medical providers. Sending a demand letter allows the insurer time to respond. The insurer has 30 days to reply, either by paying or rejecting the claim. Usually, our attorneys find the claim adequately paid.
We close the file and send the payment to the medical provider. Otherwise, we litigate to recover the benefits due, plus interest. The insurance carriers pay our fees and costs as directed by state law.
Also, we can implement a protocol to examine bills continuously to promptly recover all reimbursements due up to the $10,000 cap. We are also available to train medical office staff to optimize intake forms and protect claims.
Throughout these processes, we keep records in secured locations only. When cases are closed, we completely delete case data from our system.
We Invite You to Schedule a Consultation
While information related to injuries and treatment can be disclosed to law firms for legal payment processes, lawyers like ours are HIPAA-covered business associates.
We must, and do, adhere to the letter and substance of HIPAA's requirements in every action. We ensure our medical partners understand the dangers of non-HIPAA-compliant claims processing.
At the same time, we tap the long-running knowledge and expertise of Ged Lawyers, our parent firm. We hope you’ll learn more about our successes and our processes.
We invite you to schedule a consultation through our secure online link to begin.