HIPAA: It’s not just for clients anymore.

In the Spring of 2003, it seemed that along with the April showers and May flowers grew HIPAA. There was special training. Reviews were undertaken to determine if a particular company or office was a Covered Entity and whether certain information was Protected Health Information. Also, there were special forms to be signed for everything from refilling a prescription to scheduling surgery.

Now that the hoopla has subsided, there are serious questions about how the statute and regulations will affect lawyers. These are not questions about counseling Covered Entities or assisting clients. These are questions about attorneys as Business Associates of their clients and the extent to which the Department of Health and Human Services (DHHS) may review the attorneys’ internal practices, books, and records.

An article in the North Dakota Law Review by Gerald E. DeLoss, from Barnwell Whaley Patterson & Helms, LLC, examines these issues in detail. (HIPAA Requirements for Lawyers – Business Associate Contracts, 79 North Dakota Law Review 41 (2003)) This article is available in the Law Library, WestLaw or LEXIS.

The Health Insurance Portability and Accountability Act was enacted in 1996. The Standards for Privacy of Individually Identifiable Health Information (45 CFR Pts. 160 and 164) (the Privacy Rule) were published in November 1999 by DHHS. There were several deadlines for implementation with April 14, 2003 being one compliance date. Other requirements were postponed until April 14, 2004.

A Covered Entity is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction. But the Privacy Rule also governs Business Associates, and that term has been broadly defined. The regulation (45 C.F.R. 160.103(I)(A)-(ii) (2002) (http://hhs.gov/ocr/hipaa/contractprov.html) lists legal services among the types of Business Associates regulated by the Privacy Rule. Many aspects of legal practice involve the use or disclosure of health information.

The Privacy Rule requires that the Covered Entity establish a contract or memorandum of understanding with Business Associates concerning their use of Protected Health Information. Minimum standards for the contract are established and a model contract is offered. These minimum provisions require that Protected Health Information be made available to and that requested amendments be made for individuals. There is a limited exemption for information complied in reasonable anticipation of or for use in a civil, criminal, or administrative action or proceeding. Also, the DHHS can review internal practices, books and records of business associates. There is no exception for legal action or proceedings.

Mr. DeLoss identifies four potential problem areas for attorneys counseling Covered Entities. First, the conflict of Attorney-Client and Work Product Privileges with the requirement for broad DHHS access is problematic.There is an additional concern that DHHS access is not limited to Protected Health Information, but applies broadly to internal practices, books, and records.

Second, the Privacy Rule requires that the information released to Business Associates be the minimum necessary. Determining the minimum necessary for disclosure prior to disclosure can be extremely difficult in legal representation.

Third, the contract is to require that the Business Associate return or destroy the information. If the information is not destroyed or returned, safeguards must be in place to protect against use or disclosure.

Fourth, there is a potential for conflicts of interest in negotiating and drafting the Business Associates contract. Other conflicts may arise in responding to a DHHS request for information.

Professional responsibility is a matter of state law but the Privacy Rule preempts state law. The questions are raised and discussed in this article. The answers will only be known after Court review.



Although nearly all of you will be unaffected, the Law Library changed Circulation Policies and Procedures. The changes relate to overdue books and collecting fines or lost book replacement charges. Fines begin to accrue on Reference materials on the first day after they are due. For Circulating Materials, fines begin when the materials have been overdue two weeks. All fines are $1.00 per day and the maximum fine is the replacement cost of the book.

Materials overdue one month will be replaced and the replacement cost billed to the member. Even if the item is later returned, the member is responsible for the actual cost to the library. Circulation privileges are suspended when fines begin to accrue. Privileges are not reinstated until the item is returned and all fines or replacement costs are paid. Unpaid charges will be billed with the membership renewal. Since we are using a computer system for membership, even a lapse in membership will not result in the waiver of the fines.

Just a reminder, Law Library materials may be recalled. Usually materials are recalled when they have been superseded. Any materials recalled are to be returned within 2 business days. Fines accrue on recalled items two days after recall, even if the initial circulation period has not expired.


During August and September the Law Library tested a new coffee machine. The new machine offers more variety. Coffee will be on the honor system, please pay 50 cents per cup at the Circulation Desk. We currently offer coffee and tea, including decaffeinated. The exact selection stocked will depend upon use.

Electronic Filing

The United States District Court for the Southern District of Ohio has implemented electronic filings. Electronic Case Filing can be done on the Law Library computers but the person making the filing will have to have an account. The Law Library PACER account can not be used for filings.

Anderson Publishing/LexisNexis

Anderson Publishing Company has been merged into LexisNexis Matthew Bender. The first change was that the billing is handled by LexisNexis Matthew Bender. As materials are reprinted the new logo will appear. The search software changed for Ohio Law on Disk.

Ordinances Online

Certain Hamilton County municipalities are releasing their ordinances only on the Internet. The Law Library has ordinances for each Hamilton County municipality, which may be confirmed by checking the catalog on our website. If the ordinances you seek are available on the web, there is a link directly from the catalog to the website.

Had you noticed...?

In order to inform you of the Cincinnati Law Library’s holdings, this column will feature brief reviews of new, important or under-utilized publications.

The Law Library and legal researchers generally are relying on internet sites for research. Most HIPAA research was done prior to the legal publishers releasing books on the topic.

Many of the HIPAA websites are now either missing or have not been updated since June. However, there are sample forms available from:

Oregon Association of Hospitals and Health Systems () offers a decision grid for determining if a person or organization is a Business Associate.

Alliant Health Plans () includes a Spanish Language Authorization Form.

The State of Ohio () established a HIPAA Statewide Project and the website has some current information.

The Southern HIPAA Administrative Regional Process (SHARP) () has an extensive collection of document templates.

Findlaw (https://healthcare.findlaw.com/) has a site with general medical links, including HIPAA resources. This is an extensive set of links including Advance Care Directives. The currency of each link should be considered separately.

Totidem Verbis ?

Great Constitutional provisions must be administered with caution. Some play must be allowed for the joints of the machine, and it must be remembered that legislatures are ultimate guardians of the liberties and welfare of the people in quite as great a degree as the courts.

Oliver Wendell Holmes, Missouri, Kansas & Texas Railway Co. of Texas v. May, 194 U.S. 267, 270 (1904)