New Hampshire Bar Association
Bar Journal - March 1, 2003

HIPAA and Lawyers: Yes Lawyers!


The Health Insurance Portability and Accountability Act of 1996 ("HIPAA")[1] was enacted to improve the efficiency and effectiveness of the country’s health care system. One of its primary goals is to protect patient health information. It does so by addressing both privacy concerns, what can be done to disclose health information in appropriate circumstances, and security concerns, what must be done not to disclose such information in all other circumstances.

Over the past two years, the Federal Department of Health and Human Services ("HHS") has proposed, revised and revised again regulations to implement the privacy provisions of HIPAA. The final Privacy Rules ("Privacy Rules")[2] were published on April 14, 2002 and will become effective on April 14, 2003. The Privacy Rules apply to "covered entities," which include health care providers, such as hospitals, nursing homes, doctors, dentists and pharmacists; health plans; and health care clearinghouses ("Covered Entities"). The Privacy Rules impose numerous requirements on Covered Entities to ensure the privacy of a patient’s individually identifiable health information, or "protected health information" ("PHI").

In 1998, HHS proposed regulations to implement the security provisions of HIPAA.[3] To date, HHS has not published final Security Rules ("Security Rules"), but publication of the Security Rules was expected by the end of 2002. The Security Rules will most likely impose numerous requirements, complementary to the requirements imposed by the Privacy Rules, on Covered Entities.

The purpose of this article is, unfortunately, to stop the collective "sigh of relief" by lawyers who have concluded (correctly) that they are not Covered Entities and (incorrectly) that the requirements of HIPAA do not apply, indirectly, to lawyers. The article discusses, in turn, the indirect application of HIPAA’s privacy requirements to lawyers who obtain PHI from Covered Entities who are not clients and from Covered Entities who are clients. It also discusses the ethical concerns raised in the latter case.[4]


There are many circumstances in which a lawyer seeks PHI from a Covered Entity that is not a client. For example, in defending an insurance company in connection with a personal injury claim, a lawyer may need to obtain the plaintiff’s PHI from a hospital. Also, a lawyer representing an employer in a medically related employment dispute may need to obtain the employee’s PHI from the treating doctor.

Because lawyers are not, as discussed above, Covered Entities, the Privacy Rules do not directly impose any new obligations on lawyers with regard to obtaining PHI from a non-client Covered Entity or safeguarding it once it has been obtained. However, HIPAA does not allow Covered Entities to release a patient’s PHI without an authorization from the patient that meets the standards in the Privacy Rules. Thus, lawyers are faced with the practical requirement of drafting and using patient authorizations that meet the requirements of the Privacy Rules or not obtaining the PHI they need.

In order to comply with the Privacy Rules, a patient authorization form must include, among others, the following elements:

  1. A description of the information to be disclosed that identifies the information in a specific and meaningful fashion.

  2. Specific identification of the persons authorized to make the requested disclosure.

  3. Specific identification of the persons to whom the Covered Entity may make the requested disclosure.

  4. A description of each purpose of the requested disclosure.

  5. An expiration date or an expiration event that relates to the patient or the purpose of the disclosure.

  6. A signature of the patient and the date. (If the authorization is signed by a personal representative of the patient, a description of his or her authority to act must also be provided.)

  7. A statement in writing which is adequate to place the patient on notice of his right to revoke the authorization and which includes the exceptions to the right to revoke (such as the Covered Entity’s reliance on the authorization) and a description of how the patient may revoke the authorization.

  8. A statement adequate to put the patient on notice that there is a potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer protected by the Privacy Rules.[5]

In addition, the patient authorization must be written in plain language.

The Privacy Rules expressly provide that a patient authorization will not be valid if it has certain defects described therein. For example, the invalidation of such an authorization where the expiration date has passed may be the most important defect with which lawyers should be concerned.[6]

If a Covered Entity refuses to accept an authorization, a lawyer can institute judicial proceedings in order to obtain the desired PHI. The Privacy Rules allow PHI to be used or disclosed without the patient’s written authorization in certain circumstances, which include disclosures for judicial proceedings.[7] Accordingly, a doctor may disclose PHI in response to an order of a court, or, under certain conditions, in response to a subpoena, discovery request or other lawful process that is not accompanied by an order of a court.[8]


A. Business Associate Agreements ("BAA’s")

1. Need for BAA’s

There are, again, many circumstances in which a lawyer seeks PHI from a Covered Entity that is a client. For example, in representing a medical practice group in collecting a fee from a former patient, or his insurance company, a lawyer may need to obtain the former patient’s PHI from the medical practice group. Also, a lawyer representing a dentist in a breach of warranty claim against a software vendor for failures in its billing software may need to obtain the misbilled patients’ PHI from the dentist.

A Covered Entity must meet strict requirements with regard to the manner in which it discloses PHI to an entity acting on its behalf when such disclosure is outside of patient treatment purposes. The Privacy Rules define such an entity as a "Business Associate" of the Covered Entity. More precisely, a Business Associate includes a lawyer who provides, to or for a Covered Entity, legal services where the provision of the services involves disclosure of PHI to the lawyer.[9] The Privacy Rules permit a Covered Entity to disclose PHI to a Business Associate if the Covered Entity obtains satisfactory assurances that the Business Associate will appropriately safeguard, and account for, the PHI.[10]

The Privacy Rules further require that a Covered Entity document such assurances through a written agreement (a "Business Associate Agreement" or "BAA") with the Business Associate that meets the applicable requirements of the Privacy Rules.[11]

A lawyer who receives PHI from a client Covered Entity is not under any direct obligation to enter a BAA. However, the Covered Entity is required by the Privacy Rules to enter a BAA with its lawyer before disclosing PHI to the lawyer. A Covered Entity will not be pleased with its lawyer if it is fined for disclosing PHI to the lawyer in the absence of a BAA. The lawyer’s protestations that "she was not obligated" to enter a BAA will probably not mollify the client Covered Entity.

2. Contents of BAA

a. Required Provisions

The Privacy Rules first require that the BAA establish the permitted uses and disclosure of PHI by the Business Associate. To that end, the BAA cannot generally authorize the Business Associate to use or further disclose the information in a manner that would violate HIPAA if done by the Covered Entity. The Privacy Rules then provide certain limited exceptions to this general rule.[12]

The BAA also must provide that the Business Associate will:

  (a) Not use or further disclose the PHI other than as permitted or required by its BAA or as required by law;
  (b) Use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided by its BAA;
  (c) Report to the Covered Entity any use or disclosure of the PHI, of which it becomes aware, not provided by its BAA;
  (d) Ensure that any agents, including a subcontractor, to whom it provides PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information;
  (e) Make available PHI in order to allow the Covered Entity to furnish the patient with access to his PHI;
  (f) Make available PHI for amendment by the Covered Entity and incorporate any amendments to the PHI;
  (g) Make available the information required to provide an individual with an accounting of disclosures of his PHI;
  (h) Make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with HIPAA; and
  (i) At the termination of the BAA, if feasible, return or destroy all PHI that the Business Associate still maintains in any form and retain no copies of such information.[13]

It takes little imagination to begin the "parade of horribles" that can befall an unwary lawyer entering a BAA containing these provisions. What are the "appropriate safeguards" he is required to use (see paragraph (b) above)? Does he need to enter a contract similar to a BAA with any private investigator to whom he discloses PHI (see paragraph (d) above)? What information must he maintain to be able to provide an individual with an accounting of disclosures of the individual’s PHI (see paragraph (g) above)? How must he maintain his books and records so he can make the requisite portions available to HHS without breaching his ethical obligations of confidentiality, both to the clients to whom the PHI is related and to other clients?

In one area, HHS has issued comments to the Privacy Rules that are particularly helpful. The comments to the Privacy Rules clarify that a BAA must make the Business Associate responsible for ensuring that any person to whom it delegates a function, activity or service which is within its Business Associate contract with the Covered Entity agrees to abide by the restrictions that apply to the Business Associate under the BAA.[14] To that end, a Business Associate will need to consider the purpose for which PHI is being disclosed in determining whether the recipient of such information must be bound to the restrictions and conditions of the BAA. For example, where a Covered Entity has a Business Associate contract with a lawyer, and the lawyer discloses PHI to an expert witness in preparation for litigation, the lawyer would have no responsibility under HIPAA with regard to uses or disclosures by the expert witness, because such witness is not undertaking the functions, activities or services that the Business Associate lawyer has agreed to perform.[15]

Finally, a Covered Entity must be authorized to terminate a BAA if the Covered Entity determines that the Business Associate has violated a material term of the BAA.[16] In connection with the termination of the BAA, the Covered Entity may take reasonable steps to cure a material breach by the Business Associate or end the practice of the Business Associate that constituted the material breach.[17] However, if such steps are not successful, the Covered Entity is required to terminate the contract, if feasible, or if the termination is not feasible, the Covered Entity is required to report the problem to HHS. This requirement raises the specter of the termination of a contingent fee agreement because the lawyer disclosed certain PHI in violation of the terms of a BAA. Lawyers will now need to address the consequences of such terminations in their engagement letters.

b. Recommended Provisions

In addition to the provisions in a BAA required by the Privacy Rules, there are a number of provisions that lawyers may want to include in a BAA. Foremost among these is a provision allocating the parties’ risks for failure by the lawyer to comply with the requirements of the BAA. As a Business Associate is not directly covered by HIPAA as a Covered Entity, a Business Associate would not be held directly liable for its failure to comply with HIPAA. Accordingly, the Business Associate will want to limit, or exclude completely, his liability for a failure to comply with the requirements of the BAA. However, from the client Covered Entity’s point of view, the client will want the Business Associate to be fully liable for any failure on his part to comply with the requirements of the BAA.

A lawyer must carefully consider how to negotiate such an allocation of risk with his client. The lawyer must determine how hard to push the issue and whether the nature of the relationship with the client can support allocating risk to the client. The lawyer must decide where on the traditional spectrum of risk he will draw a line in the sand: excluding any liability; limiting his liability only for intentional actions, only for gross negligence, or only for negligence; or accepting liability for any actions. In addition to questions of how much financial risk, both from liability and from losing a client, the lawyer thinks is acceptable, the lawyer must also address the actual issues raised by entering a BAA with a client.

B. Ethical Considerations

1. Entering a Business Transaction with a Client

Rule 1.8(a)[18] of the New Hampshire Code of Professional Responsibility states that a lawyer shall not enter into a business transaction with a client unless:

  1. The transaction and terms are: (i) fair and reasonable to the client; and (ii) agreed to by the client after consultation;
  2. The client is given the reasonable opportunity to seek the advice of independent counsel in the transaction; and
  3. The client consents in writing to the essential terms of the transaction.

The question squarely presented here is whether executing a BAA is the same as entering a "business transaction" as used in Rule 1.8(a), or whether it is merely a variation on entering a traditional engagement letter. The Rules do not, of course, do anything as helpful as define "business transaction." Moreover, there appears to be little, if any, other guidance in this area.

Traditional engagement letters address the scope of the legal services to be provided by the lawyer and the fee to be paid by the client. A BAA, on the other hand, does not need to address the scope of legal services to be provided. Many HIPAA experts, for example, are advising Covered Entities with existing contracts with Business Associates not to rewrite the entire contract to comply with the Privacy Rules but merely to add a Business Associate Agreement Addendum to supplement the existing contract. A sample Business Associate Agreement Addendum is attached hereto as Exhibit I. In addition, a BAA goes well beyond addressing the scope of legal services to be provided. In whatever form, a BAA contains provisions addressing the lawyer’s duties with regard to safeguarding, and accounting for, the PHI he is to receive. The actions he takes in fulfilling these duties are not legal services and, in fact, go beyond his traditional ethical duties of confidentiality. Thus, while it is not certain, the better argument appears to be that executing a BAA is entering a business transaction, and Rule 1.8(a) is applicable.

At first glance, this result does not appear desirable because the added requirements of Rule 1.8(a) must be met for each BAA. However, as discussed below, this result supports the conclusion that a lawyer can avoid the strictures on limiting his liability contained in Rule 1.8(h) and can limit his liability for breaches of a BAA if to do so would be "fair and reasonable," and the other requirements of Rule 1.8(a) are met.

2. Limiting Liability to A Client

Rule 1.8(h)[19] states that a lawyer shall not make an agreement prospectively limiting the lawyer’s liability to a client for malpractice unless permitted by law and the client is independently represented in making the agreement. The question here therefore turns on whether a lawyer would be committing "malpractice" if she fails to comply with the terms of a BAA concerning safeguarding, or accounting for, PHI. If so, the lawyer must comply with Rule 1.8(h) if she attempts to limit, or exclude, her liability for disclosing PHI in violation of the terms of a BAA.

Black’s Law Dictionary defines "malpractice" as "[a] lawyer’s failure to render professional services with the skill, prudence, and diligence that an ordinary and reasonable lawyer would use under similar circumstances."[20] A BAA need not, and does not if it is in the form of a Business Associate Agreement Addendum, set forth the professional services that a lawyer is to provide for his client. As discussed above, the BAA goes beyond a traditional engagement letter, in which the scope of professional services is addressed, and addresses other duties, which constitute a business transaction.

The duties of the lawyer, as spelled out in the BAA, to safeguard, and account for, PHI are not traditional professional services. Accordingly, a client should be able to bring a breach of contract action against a lawyer for a violation of the terms of the BAA but not a malpractice action. This distinction can be seen more clearly in comparing the non-legal services of safeguarding PHI received from a client and the legal services of advising a client on meeting all of HIPAA’s requirements on safeguarding PHI.

Thus, the better argument here appears to be that the duties of a lawyer, as contained in a BAA, for safeguarding, and accounting for, PHI are not legal services. As such, the lawyer can, without complying with Rule 1.8(h), negotiate with a client for limiting the lawyer’s liability for failure to comply with the requirements imposed by a BAA.


The requirements that HIPAA and the Privacy Rules impose on Covered Entities for safeguarding, and accounting for, PHI are not directly applicable to lawyers. However, before obtaining any PHI from client Covered Entities, lawyers should advise their clients, or risk their clients’ wrath, that they should execute a BAA with the lawyer. The BAA will impose on the lawyer many of the requirements contained in the Privacy Rules on safeguarding, and accounting for, PHI. The lawyer should also consider negotiating limitations on his liability for failure to comply with the requirements, keeping in mind that such limitations must comply with Rule 1.8(a) of the Code of Professional Responsibility.

Exhibit 1 - Business Associate Agreement

Notes

1. Pub.L. 104-191 (Aug. 21, 1996), codified at 42 USCA §§1320d-1329d-8.
2. 45 C.F.R. Parts 160 & 164.
3. 45 C.F.R. Part 142.
4. This article does not purport to be a complete discussion of HIPAA or the Privacy or Security Rules. Moreover, any state statutes or regulations not expressly cited herein are beyond the scope of this article.
5. See 45 C.F.R. 164.508(c).
6. See 45 C.F.R. 164.508(b)(2).
7. See 45 C.F.R. 164.512(e).
8. See id.
9. See 45 C.F.R. 160.103.
10. See 45 C.F.R. 164.502(c)(1).
11. See 45 C.F.R. 164.502(e)(2).
12. See 45 C.F.R. 164.504(e)(2) and (e)(4).
13. See 45 C.F.R. 164.504(e).
14. See 65 Fed. Reg. 82462, 82506 (Dec. 28, 2000).
15. See id.
16. See 45 C.F.R. 164.504(e)(2).
17. See 45 C.F.R. 164.504(e)(1).
18. All Rules cited hereafter are Rules of the New Hampshire Code of Professional Responsibility.
20. Black’s Law Dictionary, Pocket Edition (1996), p. 400.


Attorney Paul Remus is the Chair of the HIPAA Compliance Group at Devine, Millimet & Branch.

Attorney Renelle L’Huillier is a member of the HIPAA Compliance Group at Devine, Millimet & Branch.

Both of them will be pleased to answer questions about HIPAA, preferably while jogging at lunchtime.

