Adriana Linares is a law practice consultant and legal technology coach. After several years at two of...
Published: June 23, 2022
Podcast: New Solo
Category: Legal Technology, News & Current Events
Clio, the legal tech services giant, provides options that can help firms comply with the federal Health Insurance Portability and Accountability Act (HIPAA). As many lawyers know – or come to learn – healthcare information can be a third rail. HIPAA regulations create unique knots to untangle when you get anywhere near sensitive healthcare information.
What’s a HIPAA “covered entity,” and how does it affect responsibilities for health records, data protection, and sharing?
What level of security and encryption are required?
And how do new HITECH Act vendor data handling regulations affect you?
If you’re representing doctors buying or selling a practice, or representing a nursing home or health provider, it can get messy in a minute.
Attorneys can struggle to comply with all the regulations. But incorporating a comprehensive, firm-wide compliance tech solution can help.
(Plus, learn how to stop misspelling HIPAA, because we’ve all done it).
Got questions or ideas? Don’t forget to hit us up at [email protected]
Special thanks to our sponsors Practice Made Perfect, Clio, ALPS Insurance, and CallRail.
[Music]
Intro: New approach, new tools, new mindset, New Solo.
[Music]
Adriana Linares: Welcome to another episode of New Solo on Legal Talk network. We are going to cover a very sexy topic today and I’m pretty excited about it. We’re going to talk HIPAA compliance. My guest today is Joshua Lenon from Clio. Joshua, I recall that your title was once “lawyer-in-residence” but I believe you have added a couple of other important elements to that title of yours?
Joshua Lenon: Yes. Yeah, I’m actually Clio’s registered data protection officer. With the launch of data privacy, it’s kind of a global concern, the European Union requires that an employee at organizations that handle European resident data be registered as a data protection officer with your jurisdiction in question for us, in Europe, that’s Ireland. But the rules and concepts of data privacy and data subject protection actually extended globally. So if you look at Clio’s privacy policy, we deal with customers from all around the world with their clients from all around the world. So we’ve extended my role as registered data protection officer to cover Clio’s privacy compliance on a global scale and that includes in the United States, for things like the California Consumer Protection Act.
Adriana Linares: Sure.
Joshua Lenon: The Data Privacy Act of Virginia and even certain federal types of data privacy that include HIPAA, the Health and Information Portable Protection Act. I’m doing that from memory, so hopefully I got that one right — as well as other things like COPPA and children when it comes to their data and making sure that internally we are keeping our eye on how sensitive the data is with us and we’re taking every best step to protect it along the way.
Adriana Linares: This is a big deal and these are very important things that we need to sort of back up and discuss. But before that, I do want you to tell us a little bit about yourself other than having these important roles at Clio before we launch into the technical stuff. You were a lawyer, you started working for Clio and just give us a little bit of your background.
Joshua Lenon: Yeah, absolutely. So, yes. I am a lawyer. I’m licensed in New York. I’ve been practicing for over a decade now. I still think of myself as baby lawyer. There’s still new things to learn every day, but I guess I’m starting to get old hat. I graduated right before the Great Recession in 2008 and as non-baby lawyers know, that was the worst time to go out and find a law job.
Adriana Linares: Yeah.
Joshua Lenon: So I actually walked away from one with Missouri attorney general to follow my significant other up to Canada where I started doing immigration law and running my own little immigration boutique. I was using this new piece of software called Clio to help me run my firm because there was so much I just didn’t know about running a firm and how to practice. Oddly enough, those conversations that I was having with Clio over their support line, over social media, even in-person at conferences, led to us both realizing that Clio could benefit from having an in-house lawyer who was focused not on, “Do we have the right rental agreement for our offices?”
Adriana Linares: Right.
Joshua Lenon: “Are we building our product and software in such a way that it’s useful to lawyers and that we understand their needs right from the get-go as we build?” So I actually participate in virtually every team at Clio in one way or another helping out.
Adriana Linares: Yeah. Well that sounds really exciting. You’re always on your toes and learning new stuff and I know how good you are, which is why I very much appreciate your time here. When I saw that Clio had announced a level of HIPAA compliance that they were offering, I thought this would be a really great conversation just in general. So I’m going to ask you some general questions about HIPAA to educate the attorneys who might not be using Clio and maybe they’re using something like Dropbox. I know with Dropbox, you can get a BAA which I’ll ask you to define and just general information. So you started out by telling us that you had become the data privacy expert for Clio, which I love. Did you get a CIPP then?
(00:05:10)
Joshua Lenon: Yeah.
Adriana Linares: Okay.
Joshua Lenon: Yeah I’m CIPP certified in the US and I am also a CIPM, which is a privacy program manager.
Adriana Linares: You are such a nerd.
Joshua Lenon: And I really dig out of this stuff, it’s weird.
Adriana Linares: Yeah.
Joshua Lenon: No.
Adriana Linares: Well I have a CIPT from the IAPP.
Joshua Lenon: Oh nice.
Adriana Linares: Yeah. I’ve got the technical side.
Joshua Lenon: Yeah.
Adriana Linares: You’ve got the legal and administrative side, but probably you could pass the technical part too. I’m sorry guys, Joshua and I just totally nerded out on our International Association of Privacy Professionals certifications that we have. Sorry. Just ignore that. So you mentioned the data protection acts of Europe and you know, a lot of our listeners are going to go, “We don’t care. That’s pretty cool, but okay.” But HIPAA is a standard in the United States.
Joshua Lenon: US specific. Yeah.
Adriana Linares: Okay. So tell us specifically about HIPAA at this point and I will say this too, you had mentioned California, you mentioned Virginia and I’m sure all of our listeners know, there is no federal governing laws for privacy protection at this point in the United States. Sometimes it comes up every once in a while. We can’t seem to get there, so you’ve got these forward-thinking states that create them like California and Virginia, but HIPAA is a federal law?
Joshua Lenon: A federal law. Yeah, it’s Health Insurance Portability and Accountability Act. I looked it up because I always get it wrong.
Adriana Linares: That’s a tough one.
Joshua Lenon: Yeah, the one thing that everybody will tell you about HIPAA is we always misspell the acronym.
Adriana Linares: Yeah.
Joshua Lenon: So everybody wants to spell it HIPPA and it’s HIPAA.
Adriana Linares: Yeah.
Joshua Lenon: The first thing about being a HIPAA lawyer is recognizing just how many times you’re going to misspell throughout the day.
Adriana Linares: This is where TextExpander would come in really handy.
Joshua Lenon: Exactly, or your spell check.
Adriana Linares: Yeah.
Joshua Lenon: To like rewrite for you every time, that’s what I ended up doing, is my computer just recognizes when I spell HIPAA wrong and replaces it for me. So Technology Tip No. 1: text replacement. So it came about actually in the ‘90s and has been amended several times. But the idea behind it in terms of data is that the health records really do belong to the patient and that if you are what’s called a “covered entity.”
Adriana Linares: This is an important term.
Joshua Lenon: Yeah.
Adriana Linares: So we’re going to define glossary of terms. This is an important term.
Joshua Lenon: Yeah. If you are a covered entity under HIPAA, you have extra responsibilities when it comes to electronically stored patient health information than if you’re not a covered entity and so covered entities for the most part include hospitals, doctors, insurance companies and what are called healthcare clearinghouses and these are just like record processors that focus specifically on health records. Under HIPAA, you have three duties involved if you’re this covered entity. You have a responsibility to protect the data from an administrative, technical and physical perspective with attendant duties for each of those who can access the information. How can they access it? Is it behind a locked door? Is it encrypted? Is it something that we log information about access so that we can determine if we’re complying with the necessary privacy and security rules that have been put out as governed by HIPAA by the Department of Health and Human Services.
Now, interestingly with the HITECH Act Amendments, they created what’s called the “business associate” and it extended HIPAA responsibilities to any vendor that is servicing a covered entity and handling those same patient health records on behalf of that covered entity and this is where we pull in our audience. If you’re a law firm for a health insurance company, like say you’re an insurance defense firm or you are counsel for, maybe doctors, who are buying and selling practices or you represent the local nursing home. All of these may be covered entities under HIPAA and if the records that they’re holding become a part of the services that you’re providing or the dispute that you’re helping with, you are required under HIPAA to be a business associate and the covered entity is required to kind of contractually require you to live up to HIPAA’s privacy and security rules. So your client gets to tell you how to handle their data from a security perspective.
Adriana Linares: So let me back up a couple quick glossary of terms.
(00:10:01)
Joshua Lenon: Yeah.
Adriana Linares: If we could go back, when you said HITECH, you didn’t mean, “Oh it’s the latest and greatest in high tech.” It is literally an act.
Joshua Lenon: Yes.
Adriana Linares: HI-TECH. So you can go Google that attorneys, but he wasn’t just saying, “Oh, let’s get the latest in technology for protecting data.” It’s another act. You said BA which stands for?
Joshua Lenon: Business associate.
Adriana Linares: Okay, and then PHI, we must as well get that out of the way while we’re covering.
Joshua Lenon: That’s protected health information.
Adriana Linares: Okay.
Joshua Lenon: Sometimes you’ll also see other acronyms to talk about like PII, personally identifiable information. That’s not a HIPAA term, but it often comes up in this context as well.
Adriana Linares: Right, PII, typically we talk about when we’re discussing data breaches and having to report a breach like what triggers a breach.
Joshua Lenon: Exactly.
Adriana Linares: Which by the way all 50 states have a breach trigger notification that can be triggered by the unauthorized access of PII.
Joshua Lenon: Yes.
Adriana Linares: So yes, Nerd City again. Okay, so I think we kind of have an understanding of what type of entities need to work harder on being HIPAA compliant and I wasn’t clear, so help us understand and I know we’ve got a lot of very experienced attorneys that this isn’t going to be interesting for, but I also have a lot of newer attorneys who are just trying to figure out kind of like you did when you started your immigration boutique kind of practice.
Joshua Lenon: Yeah.
Adriana Linares: How do I figure out if my law firm needs to be a BAA, has to have a business associate agreement for working under HIPAA compliance?
Joshua Lenon: You got it. So, this business associate agreement is a contract that usually starts with the covered entity like the hospital or the nursing home or the healthcare clearinghouse, then they make that agreement with their vendor, the law firm. How it comes up in the context of a company like Clio is, if that law firm wants to store PHI in Clio as a vendor to a business associate law firm, right? They can now require Clio to sign that business associate’s agreement with the law firm. It kind of becomes turtles all the way down if you know that phrase, right?
So the hospital has HIPAA requirements. They tell the law firm, “Hey, live up to our HIPAA requirements” and the law firm tells Clio, “Hey, live up to my client’s HIPAA requirements” and it goes all the way down that way. But how do you know if you’re the law firm that needs to be a business associate? It really comes down to, “Are you handling PHI on behalf of your client or are you handling PHI on behalf of somebody who has given that information to your client?”
Adriana Linares: Okay. Like this is back to the covered entity?
Joshua Lenon: Yeah.
Adriana Linares: Okay.
Joshua Lenon: Yeah. So is my client the patient and these are their records? Technically it’s not under HIPAA because the patient’s records belong to themselves. But is my client holding somebody else’s patient’s records? HIPAA is probably a concern. So we get a lot of law firms like legal departments for hospitals, lawyers who are representing certain types of healthcare startups can possibly fall under this. Hospital and insurance defense firms all require a business associate’s agreement with a service like Clio in order to store that information in Clio, that ePHI.
Adriana Linares: Okay.
Joshua Lenon: Interestingly on the flip side, there are a bunch of personal injury lawyers who think they need a HIPAA compliant service and the answer is no, you probably don’t. If you’re representing the patient, they can just always go and get their records but you’ll still encounter HIPAA as a part of your practice because you’re going to be basically subpoenaing those records from a lot of covered entities. So they may have their own HIPAA concerns and they’ll kind of push those on you, but you don’t necessarily need your practice management provider to be HIPAA compliant. It’s a weird flip side.
Adriana Linares: So I guess in a strange way, could it be as easy as and maybe I shouldn’t even make it sound this easy, but if you need to be HIPAA compliant, you’re going to know about it because some entity is going to say, “Hey, we need you to be HIPAA compliant.”
Joshua Lenon: Yeah, your client will tell you.
Adriana Linares: Okay, perfect.
Joshua Lenon: That’s what’s going to happen, and if your client misspells HIPAA, you probably don’t need to be HIPAA compliant.
Adriana Linares: Well that’s great. Well, I’m glad we got the basics out of the way. Let’s take a quick break and listen to some messages from some sponsors and listeners, the voice in one of those sponsor reads might sound very familiar, might sound a lot like today’s guest.
Joshua Lenon: Did you know law firms with growing revenue are twice as likely to use financial reporting tools to track their performance? I’m Joshua Lenon, lawyer-in-residence at Clio and this is just one finding from our recent Legal Trends Report.
(00:15:11)
Understanding your firm’s financial performance helps you make better choices. But unfortunately, 60% of legal professionals are not confident about their knowledge of their firm’s revenue. If you can relate, consider adopting reporting tools to track utilization, realization and collection rates, the three leading metrics to track your firm’s revenue. Don’t worry, if math isn’t your thing, just knowing your firm’s numbers is half the battle. For more information on what firms with growing revenue are doing differently, download Clio’s Legal Trends Report for free at clio.com/trends.
Adriana Linares: Okay, I’m back with Joshua Lenon. We’re trying to sort of understand who does and doesn’t need to be HIPAA compliant and I think we got that pretty cleared. Do you think we covered that Josh?
Joshua Lenon: I think a lot of it. Yeah.
Adriana Linares: Okay, I think we’re good with that. So now I want to ask you about just general, aside from Clio, what are the considerations a lawyer and a law firm should have in meeting HIPAA requirements when they’re sourcing and looking for technology, adding to their software stack and their tech stack? We know Clio is HIPAA-compliant. I don’t know that there are a lot of legal technology companies that have really addressed this quite so head on. So I think it’s important that listeners ask if this is something that you need, and then tell us a little bit Josh, just about things like Dropbox and maybe Box, which I know they have add-ons for BAAs.
Joshua Lenon: Yeah, absolutely. So you’re right. Real technology companies haven’t really addressed this, I think, comprehensively. The issue around that is, it’s actually fairly easy to get the technology right for HIPAA. You get AWS or Microsoft Azure as your backend. They’ll sign a BAA with you and then you can just kind of rely on that for the technology portion. But HIPAA requires more than that, right? It requires both the administrative and the physical protection of data at the same time and really being able to hit all three of those is where things get tough.
So when you look at just storing the records, a service like Dropbox or Box, Amazon Web Services like we talked about, even your Office 365 accounts, you can get a business associate’s agreement from those providers and it will cover for the most part, the technology that you need. It’s then when you turn to something like service and support from those companies where it gets a little more tricky. One thing we had to figure out when starting to offer these business associate’s agreements at Clio was, “How do we handle screen sharing on a support call?”
So our customers they call in, they describe a problem. Sometimes, the best way for the support person to get a handle on it is to ask permission to do screen sharing. So we had to document and make accessible to all of our customer support team, “Is this a HIPAA customer?” because if they are, we want to make sure that we’re not screen sharing because we don’t want to see that health information outside of the normal Clio technology environment and that’s an administrative aspect of HIPAA that turned out to be tricky. It’s why we didn’t offer them for a long time, not because the security and the technology wasn’t there, but we had to shape the rest of the organization around it and make sure everybody knew what they were doing and could see and access the right notices such that we made sure that no protected health information ends up in Clio the organization, rather than Clio the software.
Adriana Linares: Yeah. That’s really interesting.
Joshua Lenon: Yeah.
Adriana Linares: Yeah, that sounds like it could have been a little bit of a pain in the butt for you there, Joshua, but you’ll figure it out.
Joshua Lenon: Yeah.
Adriana Linares: I think there’s an important thing I want to ask you that I probably should ask you the first segment, but I’m going to ask you now.
Joshua Lenon: Okay.
Adriana Linares: There’s no official certification for HIPAA, you sort of self-certify. So can you explain how Clio has done that?
Joshua Lenon: Absolutely. So you’re right, there is no central authority saying.
Adriana Linares: Again, back to these no federal rules or laws, they’re just guidelines. Aw shucks guys, you’ll figure it out.
Joshua Lenon: They’ll tell you when you get it wrong, but no one will tell you when you’re doing it right.
Adriana Linares: Right.
Joshua Lenon: There are third-party services. You could always find somebody who’s willing to give you like an audit like Deloitte. What we turned to was a tool called StandardFusion.
(00:20:02)
It listed 600 different requirements that needed to be checked against Clio’s data operations, needed to be checked against our third-party vendors, needed to be checked against our internal training and procedures and we went through each of those in turn making sure that we lived up to the defined definitions and those definitions came about both from the Acts themselves, as well as different judgments and settlements that have come out of the Department of Health and Human Services.
You better believe, I was reading all the past judgments of law firms that have been implicated for HIPAA violations. Even now that we passed that 670, we’re still constantly reviewing it. There was a really interesting article last week on hospitals that use web sites to allow patients to schedule appointments, and how certain types of marketing software that might be a part of their website might be leaking HIPAA information.
Adriana Linares: No kidding.
Joshua Lenon: Yeah, and as soon as I read that, I turned to our team who handled different things like scheduling, right? Because you can schedule appointments with lawyers and like, “Do we have any of this running?”
Adriana Linares: Right.
Joshua Lenon: And they’re like, “No, we’re good.”
Adriana Linares: You’re on the bat phone right away?
Joshua Lenon: I was.
Adriana Linares: I just worked really hard to get 670 checkmarks guys, how are we on this one?
Joshua Lenon: Well there was a team that did that. I really want to give them full credit.
Adriana Linares: That’s awesome, yes.
Joshua Lenon: But yeah, I was a bit of a pain last Friday afternoon because I read this article and I was like, “I better make sure we are not anywhere close to this” and we’re not and it shows how the lack of guidelines and certifications means that it’s always going to be a moving target.
Adriana Linares: Yeah.
Joshua Lenon: You’ve got to be constantly checking and updating. You can’t just say, “Yeah, 670 we’re done.”
Adriana Linares: See you in 10 years when we need to check in again.
Joshua Lenon: Exactly.
Adriana Linares: You know, I’m looking at your support page about Clio’s HIPAA certification and it just seems like a lot of these things are very logical in what you would look for in a software service that’s helping you protect your client data. You want to make sure that the data is encrypted at rest, meaning inside of Clio servers and when it’s in transit, moving from Clio service to our local computers, obviously you guys have restricted physical access to production servers. Like not any customer support newbie can walk into Clio’s server farm and access data. I mean a lot of these things just make sense. Well congratulations, that’s pretty awesome.
Joshua Lenon: Yeah.
Adriana Linares: Okay. I know you’re going to get a lawyer that says, “Okay I’m going to look at their BAA and I’m going to make some changes to it, send it back over to Joshua Lenon and ask him if this redline — go ahead and accept this redline Clio” so what’s your answer to that?
Joshua Lenon: Unfortunately, we can’t do that. No, and the reason is we’re building to really strict procedures here, right?
Adriana Linares: Yeah.
Joshua Lenon: We don’t want to create any question or variability around that especially organization-wide, right? If you create a redline for one customer, there’s no way that you can tell everybody in the company, “Okay, when Adriana calls in, you can see her protected health information because she’s redlined that provision.”
Adriana Linares: No, that makes total sense, and by the way, Dropbox is the same. I’ve had a lawyer who wanted me to find out if they could modify the Dropbox agreement. I was like, “You’re not going to pay me enough money to get a yes out of Dropbox for you.” So, I think that’s another standard expectation that we should have when dealing with these associate agreements for HIPAA. I just think that’s a reality. Anything else before we take a quick break, Joshua, that is sort of a frequently asked question that you get about HIPAA compliance from attorneys?
Joshua Lenon: Yeah. I think the biggest thing is they need a vendor that’s willing to support them if something goes wrong. So what we’ve done as part of our business associate’s agreement is really just agree to some future provisions that we know the Department of Health and Human Services requires if in the unfortunate event of a data breach ever happens, the attorneys know that we have their back and they’ve got the contract to prove that we’ve committed to these responsibilities. That’s something that is very important that gives comfort not just to the law firms that we’re helping, but to their client who is entrusting this PHI with them. So, definitely make sure that you’ve got the responsive notifications, right? If anything goes wrong, how do they get a hold of me? When do they get a hold of me? But also, if something goes wrong, are they committed to being a partner in the investigation and what does that mean? Like, what will they provide? Who really has like access to the information and how responsive will they be to this further investigation, not just notify me that something seems weird?
(00:25:09)
So it’s that second part that I think is very important to a law firm, not just from a good service perspective, but also will really help with pulling their malpractice insurance provider in and making sure everybody knows their clear responsibilities and that the law firm is protected in the event of a disaster.
Adriana Linares: Well I think that’s a great tip especially for our non-Clio listeners so I just think — and that’s what I’m trying to do too here with this conversation, is give them, anyone who’s not necessarily a Clio user, some advice on what to consider when you are using other services that might have some HIPAA compliance baked in, and I think that’s an excellent tip. Well, let’s take a quick break. I’m going to come back and ask you a couple of very specific questions about Clio and the subscription plan and things like that, but we’ll just cover that in a minute and then I’m going to give you one more chance to think of any other frequently asked questions that we want to make sure and cover. We’ll be right back.
Advertiser: Lawclerk is where attorneys go to hire freelance lawyers. Whether you need a research memo or a complicated appellate brief, our network of freelance lawyers have every level of experience and expertise. Signing up is free and there are no monthly fees, only pay the flat fee price you set. Use rebate code “New Solo” to get a $100 Amazon gift card when you complete your next project. Learn more at lawclerk.legal.
Adriana Linares: All right, I’m back for my unfortunate last segment with Joshua Lenon. I always enjoy talking to you. Josh, you’re such a smart guy and articulate everything so well. So, thank you.
I wanted to ask you now specifically a couple things about Clio because it’s an add-on. So you don’t just sign up for Clio and then you get the HIPAA compliance as part of it. It’s something you have to request after finding out that you must meet some standards based on a client of yours saying, “Hey, we have these HIPAA requirements.” So it’s an add-on and first question is going to be very obvious. I’m a multidisciplinary law firm. Only 3 of us do work that requires HIPAA compliance and 10 of us do not, do all of us have to have the add-on?
Joshua Lenon: Yes, we recommend that every user be a part of the add-on because technically, they may have access to the records and so as such, you want to protect your law firm by making sure that, if you have say, your legal secretary call in with a support issue using the screen sharing example, that we use the same data protection approach with that secretary as we would with a managing partner. And so that’s why we need to have every user in your account flagged as HIPAA and that’s what the add-on does.
Adriana Linares: Okay, next question. Because HIPAA is a United States law, then if I am one of your Ireland customers listening to this podcast from the United States because it’s one of the best, do I need HIPAA compliance from Clio?
Joshua Lenon: One, I have no doubt that this is a very popular podcast in Ireland. Two, the answer to any legal question is it depends.
Adriana Linares: Of course.
Joshua Lenon: So say you’re with a firm that operates both in the US and in Ireland and handles US health records on behalf of a covered entity, you might need the HIPAA add-on. But if you’re just an Irish law firm handling say property conveyance law in Ireland, you absolutely do not need the HIPAA add-on.
Adriana Linares: Right.
Joshua Lenon: Don’t worry about it.
Adriana Linares: Right, so US-only and how much does it cost?
Joshua Lenon: If you’re using the annual subscription, it’s $15 per user per month. If you’re on month-to-month, it’s $20 per user and that add-on extends the contractual obligations of HIPAA beyond the technology because everybody’s getting the same technology protection regardless of the BAA, but it extends the additional contractual obligations on Clio throughout our whole organization. So you’ve got 800 developers and support agents, accountants, everyone all living up to these added obligations on your behalf and that’s why we have the add-on.
Adriana Linares: That’s really interesting. It almost sounds like the burden is really put on Clio?
Joshua Lenon: I’m not going to lie, there is a burden. Yeah. Right.
Adriana Linares: I mean the burden of protecting. Well, a user’s data with HIPAA is on Clio, but on top of that, now you’ve got this major pressure of federal law that is Clio taking it on. So I would say as I do to many other attorneys that a lot of times we as solos and smalls, we the collective because remember, I’m not a lawyer. We couldn’t possibly afford to do this ourselves, so sometimes you just have to pay a little extra to get that protection for you.
Joshua Lenon: The economies of scale really work in solo and small lawyer’s favor when you’re using cloud services. If it’s Dropbox, if it’s Box, if it’s Microsoft OneDrive, right? You’re getting more dollar per dollar than a big law lawyer is because they’re all paying the same amount.
(00:30:10)
Adriana Linares: Right. So that made me think of something real quick and it’s sort of a divvy up of information. Let’s say, I keep all of my documents in OneDrive and a lot of my work in progress, my details, my drafts, my work in progress, videos, health records, I don’t keep inside Clio, but I keep basic client information that does not contain any PII or any PHI.
Joshua Lenon: Yeah, it would definitely contain PII.
Adriana Linares: Okay. Right. Unless all of my clients are corporations. I don’t have any humans, then I might not have any PII but anyway, okay, hard to not have PII?
Joshua Lenon: Yeah.
Adriana Linares: It’s really hard. I mean an email address is PII?
Joshua Lenon: The definition gets broader and broader with each law. Yeah.
Adriana Linares: Right. Okay, but let’s say I was very good at siloing health records and health information over in OneDrive and I’m using Clio for the very basic things, then would I need HIPAA?
Joshua Lenon: The answer is probably not.
Adriana Linares: Okay, but it depends?
Joshua Lenon: It always depends. There is kind of a tiny exemption called the incidental disclosure rule for HIPAA which talks about how there sometimes can be incidental disclosures of patient health information in a way that’s just kind of minor but necessary. So the chart that the hospital leaves at the end of your bed, right? Technically that’s a disclosure of patient health information but the only people who can really see it are people who go to the hospital. It’s not being broadcast over the internet for example. It’s not your entire record, it might be, “When did the nurse last come in and check on you, or was your medication delivered at the right time?” that kind of thing. That’s an example of an incidental disclosure.
But you better believe that that hospital gathers all of those patient records and puts them under lock and key when they have the whole file and that’s kind of the same approach if you want to use like Microsoft OneDrive or Dropbox and a BAA with them and then have your billing information for your client, right? Your nursing home, your doctor, your hospital, your insurance company and maybe some tiny bits of information, right? Like we’re dealing with the opposing party which is this patient and they’re arguing malpractice based on this particular type of operation. You don’t have all the details including the health records, but you do have some incidental disclosures in Clio and law firms have done that for close to a decade and have been just fine. So it’s really if you want to centralize it, if you want the contractual and well thought-out support that Clio is providing as a part of our business associate’s agreement add-on, it’s there for the taking.
Adriana Linares: Great, I think that’s a very good answer and fair. Joshua, I’ve taken up a lot of your time talking all this great information. I appreciate it very much. I do want to make sure and give you an opportunity to plug Clio Con in case you happen to be listening to this before October 2022.
Joshua Lenon: So Clio Con is the Clio Cloud conference. It’s arguably, I think, the best legal technology conference in the world. I’m a little biased because I’ve been to every one, but we’re actually coming out of the pandemic quarantining of conferences and we’re hosting it live this year in Nashville, Tennessee. I’m very excited. It’s going to be the first conference that I’ve gone to in forever.
Adriana Linares: And for a lot of us.
Joshua Lenon: Yeah, we’re going to have three days of excellent information. If you are a Clio customer or want to be a Clio customer, there’ll be some really both basic and in-depth training on all the different features in Clio and how to maximize your investment in the software, but we’ll also have business and technology tracks, keynote speakers from outside of the legal industry that are going to be sharing wisdom that’s worked for you and some phenomenal entertainment including some of the best music that you’ll be able to find.
Adriana Linares: Yeah.
Joshua Lenon: If you’re not able to attend in person, we will have a virtual offering as well. Actually, some of the sessions that I’m presenting in will be both live and virtual, available for everyone. So please swing by ClioCloudConference.com to just see if it’s the right fit for you. We’ve got our schedule and our keynote speakers available and we’d love to have you come join us.
Adriana Linares: I will add on that even if you’re not a Clio user, it’s a great legal technology conference, not even because of all the great sessions and seminars and entertainment, but the networking opportunities are really amazing. I will be there. Joshua will be there so we can all get together in person and we can nerd out on nerdy things that we love. So yeah, hope to see you all there. Josh, thank you so much. If people want to get a hold of you or connect with you on social media, can you tell them where to do that?
(00:35:13)
Joshua Lenon: Absolutely. I’m most active on Twitter where my handle is @JoshuaLenon, but you can also find me on LinkedIn and I’m always an email away at [email protected].
Adriana Linares: I will say this, you really are very responsive to emails from randos out there, not me necessarily. We’ve known each other a long time, but I really do throw an email at you every once in a while. I copy a client or someone who has a question that I know you would be the best person to answer in Clio and you’re always very responsive. So thank you for sharing your email with us and all this great knowledge and information, I totally appreciate it.
Joshua Lenon: No, it’s always great to speak with you. I’m really looking forward to seeing you in October. It’s been too long and so let’s get together and just catch up.
Adriana Linares: I love it and we will. All right everyone, thanks so much for joining us for another episode of New Solo on the Legal Talk Network. We will see you next month and don’t forget, you can always send me an email with any ideas for future shows at [email protected] and you can find me on all the social media channels as well. See you next time everyone.
[Music]