Lately there’s been a lot of chatter throughout the legal industry about the rapid expansion and inclusion of technology in an industry that’s notoriously both information-heavy and traditionalist in its methods. But lawyers aren’t the only ones who have been dragging their feet. Until recently, doctors and hospitals still had files upon files of paper patient records, faxing and mailing them from one office to another, to insurance companies and back. In the first half of the decade, healthcare administration went through a tech boom of its own. In 2009, the US Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH) to be implemented in full by 2014.
As part of the American Recovery and Reinvestment Act following the 2008 economic collapse, the mandated widespread adoption of electronic health records (EHR) was meant to invest in domestic IT services and stimulate a struggling economy, but the results stimulated much more than just healthcare IT and data storage. It also stimulated a growing need for e-discovery and data redaction across EHR, creating a whole new kind of ESI for law firms to navigate – and you could even say this has been a major contributing factor to the recent legal technology spike. These files are being stored in large numbers, shared between providers and insurance companies, and constantly updated throughout the lifetime of the patient. On top of that, the strict regulations of the Health Insurance Portability and Accountability Act (HIPAA) mean that companies and doctors face steep penalties if any of their patients’ highly sensitive medical records are compromised.
Now that this data is being stored electronically, doctors and healthcare companies aren’t the only ones at the mercy of HIPAA. Because hospitals don’t have complex IT systems in place, HIPAA regulations have to allow for business partnerships outside the healthcare industry to accommodate data storage, legal representation, and other services that might require the disclosure of personal health information (PHI). These partnerships require a business associate agreement – or BAA – to ensure that all parties involved follow HIPAA regulations and are held accountable. That means, for example, a service provider who offers cloud storage to an insurance company or hospital would now fall under HIPAA purview. HIPAA would regulate the service provider in areas like data ownership and location, protocol after termination, as well as privacy controls – such as ensuring information is properly redacted in the case of a lawsuit or any other instance when private information is shared with a third party.
Given the sensitive and personal nature of PHI, the Department of Health and Human Services added the Omnibus Rule in 2013, further regulating the use and disclosure of PHI, breach notification requirements, and BAA compliance and accountability. Companies that have a BAA with HIPAA entities are on a tight leash, and one of the best ways to ensure compliance is to ensure that PHI is properly safeguarded wherever it is stored and especially anytime it is shared or disclosed. The most foolproof way to ensure the protection of PHI is by redacting any and all non-relevant information, which can be a lengthy and expensive process. Thankfully, as legal technology advances, there are eDiscovery tools being developed that help automate these processes. For example, our automated redaction tool, Blackout, saves time, money, and manpower by identifying and redacting PHI across large data sets. HIPAA is one of the heaviest hammers of regulation enforcement, but the growing ranks of eDiscovery tools available to assist the organizations that fall under HIPAA’s shadow make the task of staying compliant far less daunting.