Ensuring your e-discovery service arrangement is HIPAA-compliant
July 24, 2019
By: Neil C. Brown
In today’s fast-paced and technologically advanced world, parties involved in litigation require efficiency and efficacy in the realm of discovery. To this end, many parties involved in litigation contract with third-party vendors for the provision of e-discovery services. Before any information is shared with an e-discovery vendor, a disclosing party must determine whether it is subject to the Health Insurance Portability and Accountability Act (“HIPAA”), and whether any of the information disclosed to the e-discovery vendor constitutes HIPAA protected health information (“PHI”).
Health information can be relevant to almost every type of litigated matter. From car accident cases to employment cases, there is a high likelihood that a litigant will seek some type of health information. While it is fairly well known that “covered entities” such as hospitals and other health care providers are subject to HIPAA, it is less well known that “business associates” of such covered entities must also comply with certain provisions of HIPAA.
A “business associate” is a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity.[1] Common forms of “business associate” services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.[2]
A party seeking to disclose PHI to an e-discovery vendor may therefore find that it is subject to HIPAA as a “covered entity” (e.g., when in-house counsel for a covered entity involved in litigation discloses PHI directly to an e-discovery vendor). Alternatively, the disclosing party may be acting as a “business associate” of a “covered entity” (e.g., when a law firm representing a covered entity in a litigated matter wishes to use an e-discovery vendor, the law firm is the “business associate” and the e-discovery vendor is a “business associate subcontractor”). A “business associate subcontractor” that creates, receives, maintains, or transmits PHI on behalf of a “business associate” is also subject to HIPAA privacy and security restrictions.[3]
In either case, if PHI will be shared with the e-discovery vendor, the disclosing party must enter into a HIPAA-compliant business associate agreement (“BAA”) with the vendor before any PHI is shared.
The main purpose of a BAA is to sufficiently set forth the privacy and security requirements that pertain to PHI shared between a HIPAA “covered entity” and a “business associate” and/or between a “business associate” and a “business associate subcontractor.”
To achieve this purpose, all BAAs must, inter alia:[4]
(a) provide that the “business associate” or “business associate subcontractor” (as applicable) will not use or further disclose the information other than as permitted or required by the contract or as required by law;
(b) require the “business associate” or “business associate subcontractor” (as applicable) to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing security requirements of HIPAA;
(c) require the “business associate” or “business associate subcontractor” (as applicable) to report to the group health plan any use or disclosure of the information not provided for by its contract;
(d) require the “business associate” or “business associate subcontractor” (as applicable) to return or destroy all PHI received from or created or received by the “business associate” or “business associate subcontractor” (as applicable) on behalf of the covered entity at the termination of the contract; and
(e) require the “business associate” to ensure that any “business associate subcontractors” it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information.
Therefore, parties in litigation who wish to retain the services of an e-discovery vendor should carefully analyze whether the proposed disclosure of information implicates HIPAA. If so, such parties must enter into HIPAA-compliant BAAs with e-discovery vendors. Comprehensive BAAs will not only ensure HIPAA compliance but will also provide a structured way for parties to more easily ascertain and manage their rights and responsibilities with respect to the privacy and security of PHI.
Author: Neil C. Brown, Associate Attorney, Health Care Group
© July 2019 Jackson Kelly PLLC
[1] See 45 C.F.R. § 160.103.
[2] Id.
[3] Id.
[4] 45 C.F.R. § 164.504 et seq.; see 45 C.F.R. § 164.314(a).