Lawyers & HIPAA Administrative Simplification Privacy Rule Business Associate Agreements

Here is an excerpt from the HHS Preamble to the final privacy rule's most recent amendment -- this comment addressed the subject of an American Bar Association Health Law Section comment letter to the Secretary of Health and Human Services to raise the lawyer issue:

"Comment: Certain commenters raised concerns with the Rule's classification of attorneys as business associates. A few of these commenters urged the Department to clarify that the Rule's requirement at Sec. 164.504(e)(2)(ii)(H), which requires a contract to state the business associate must make information relating to the use or disclosure of protected health information available to the Secretary for purposes of determining the covered entity's compliance with the Rule, not apply to protected health information in possession of a covered entity's lawyer. Commenters argued that such a requirement threatens to impact attorney-client privilege. Others expressed concern over the requirement that the attorney, as a business associate, must return or destroy protected health information at termination of the contract. It was argued that such a requirement is inconsistent with many current obligations of legal counsel and is neither warranted nor useful. Response: The Department does not modify the Rule in this regard. The Privacy Rule is not intended to interfere with attorney-client privilege. Nor does the Department anticipate that it will be necessary for the Secretary to have access to privileged material in order to resolve a complaint or investigate a violation of the Privacy Rule. However, the Department does not believe that it is appropriate to exempt attorneys from the business associate requirements. With respect to the requirement for the return or destruction of protected health information, the Rule requires the return or destruction of all protected health information at termination of the contract only where feasible or permitted by law. Where such action is not feasible, the contract must state that the information will remain protected after the contract ends for as long as the information is maintained by the business associate, and that further uses and disclosures of the information will be limited to those purposes that make the return or destruction infeasible."