HIPAA Security Tip #22: Effective Use Of Legal Counsel

By Iseman Cunningham Riester & Hyde LLP

The HIPAA Security Rule is a Federal regulation with potentially serious consequences for those who do not comply. The rule also touches on a number of operational areas with specific legal implications, such as contracts, employment issues, and incident reporting. For these reasons, a legal counselor is essential to any HIPAA Security compliance effort.

At the same time, even large health care organizations are mindful of their budgetary limitations. Using a lawyer for work that can be accomplished by consultants or in-house staff can quickly deplete resources allocated for HIPAA compliance.

At an absolute minimum, legal counsel should:

  • Review the risk analysis policy and the risk analysis itself.
  • Review and comment on policies and procedures regarding:
    • Access Termination Procedures;
    • Security Incident Procedures;
    • Evaluation; and
    • Disposal and Data Backup and Storage.
  • Review all business associate agreements.
  • Review written training materials.
  • Review documentation for any addressable standard or implementation specification the Covered Entity determines NOT to implement.

Ideally, legal counsel would be involved in developing and drafting the above items as well, and would have general input into the overall implementation process. Legal issues have a nasty habit of popping up in unexpected places, and a lawyer can’t spot an issue without first having an opportunity to see it.

Involve counsel early even if a limited role is envisioned. A detailed workplan, developed in conjunction with counsel, can help ensure that the legal bases are covered without killing your implementation budget. Above all, select a legal advisor with demonstrated HIPAA familiarity and enough comfort with information technology to work effectively with IT staff or an outside IT consultant.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.
