“A Warning to Law Firms and Litigants: Unlawful Disclosure of PHI in Litigation Can Lead to Trouble” —

• “The handling of sensitive data with appropriate care in litigation is a critical aspect of legal practice. Recent ABA Formal Opinions 477 and 483 discuss requirements for securing protected client information and lawyers’ obligations after a cyberattack. Conduct during litigation is no different. Unless stated otherwise by statute, the context of litigation does not effect a person’s legal duties when handling sensitive data. In Menorah Park Ctr. for Senior Living v. Rolston, 2019 Ohio App. LEXIS 2175 (May 30, 2019 Ohio Ct. App.), a plaintiff of a small-claims matter is learning this lesson the hard way.”
• “Menorah Park attached to its complaint non-redacted copies of several account billing statements that included descriptions of medical services provided, dates the services were rendered, medical procedure codes, charges, credits, and balances.”
• “Rolston opposed the motion, arguing that her claim was not preempted and that, in any event, Menorah Park’s disclosure was unlawful under HIPAA because, by filing non-redacted copies of the statements, Menorah Park had not undertaken ‘reasonable efforts’ to limit the disclosure of the protected health information (PHI) to the ‘minimum necessary’ for the purpose of collecting payment.”
• “The Court of Appeals appeared to reject the contention that the disclosure of Rolston’s medical information was authorized under HIPAA, noting that Menorah Park had used non-redacted copies of the account statements.”
• “There are several implications that arise from this decision, the first being that law firms and litigants must undertake care when handling personal information, even an adversary’s in litigation… The clear lesson here is to take care when handling sensitive data.”

And for those looking for a refresher, Thomson Reuters recently published: “Understanding HIPAA compliance for law firms” —

• “The definition of business associate under HIPAA’s regulations expressly includes attorneys who perform legal services for a HIPAA-covered entity (for example, a health plan), if the attorneys are not members of the covered entity’s workforce. For purposes of HIPAA’s privacy and security requirements, the definition applies if the legal services provided involve disclosure of PHI from the covered entity (or from another business associate) to the attorney.”
• “An attorney who is a business associate must comply with HIPAA’s requirements as applicable to business associates (for example, by providing satisfactory assurances to the covered entity that it will safeguard PHI).”
• “HIPAA non-compliance may result in severe penalties and correction requirements. HHS has taken an aggressive approach to enforcing HIPAA’s requirements in recent years. HHS’s enforcement actions have resulted in numerous highly publicized settlement agreements with noncompliant covered entities, and typically require significant monetary payments and stringent corrective actions.”