HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Survey Indicates Law Firms are not Complying with HIPAA Rules

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered entities are required to comply with HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA also applies to vendors and other companies doing business with covered entities, which are classed as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or their software or systems are capable of touching PHI/PII, those entities are also required to comply with HIPAA Rules.

Are Attorneys Classed as Business Associates of HIPAA-Covered Entities?

According to Legal Workspace, healthcare attorneys may fall under the classification of Business Associate, and as such, they must comply with HIPAA Rules.  If a healthcare attorney is provided with healthcare data, it is necessary for that attorney – or his or her law firm – to ensure the necessary technical, administrative, and physical controls are implemented to protect PHI supplied by healthcare clients.

A recent survey conducted by Legal Workspace suggests that many are not. In fact, the majority of health attorneys are not complying with HIPAA Rules and have failed to implement the appropriate technical, administrative, and physical safeguards to keep PHI/PII secure.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Legal Workspace surveyed 240 law firms and questions were asked about the technical controls that had been put in place to keep client data secure. Only 13% of law firms said they had implemented the technology necessary to ensure compliance with HIPAA Rules.

The lack of technical safeguards could potentially leave law firms open to cyberattacks, with law firms much easier targets for hackers than healthcare firms. It could also see them liable to pay fines for non-compliance.

The main areas of concern highlighted by the survey were as follows:

  • A lack of email encryption: 55% of law firms had either not implemented email encryption or were unaware if their email server encrypted data. Only 45% claimed to use encryption on email servers
  • Only 6 out of 10 law firms had a current Business Associate Agreement (BAA) in place
  • Just under half of law firms (48%) said they kept personal health information access logs
  • Only 46% reviewed and maintained PHI logs on remote devices and ensured data were securely erased when no longer needed.
  • Only 45% used an intrusion detection system
  • Only 39% used two-factor authentication
  • Only 58% said their off-site data backups complied with HIPAA regulations

The survey was conducted between November, 2015., and January, 2016, and respondents were from law firms that dealt with HIPAA-covered entities, such as those handling insurance coverage, elder care, medical malpractice, product liability, personal injury, and other healthcare legal matters.

According to Legal Workspace partner and CEO, Joe Kelly, “If you own a law firm and think you are complying with HIPAA, I would urge you to re-examine your technology and cyber-security protocols. You may be surprised at the results.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.