Law Firms Are Often Non-Compliant With HIPAA

According to a survey by Legal Workspace, only 13 percent of 240 responding law firms actually possess the required technology to process and maintain compliance with HIPAA.

"For an industry that is traditionally hyper-concerned with protecting client information, legal is clearly not keeping up with business standards regarding technology and security," said Joe Kelly of Legal Workspace.

HIPAA and Lawyers

One of the most widely known features of the Health Insurance Portability and Accountability Act of 1996 is the rather draconian view it has on protecting the confidentiality of patient health records. Under the current language of HIPAA, any professional that handles work that contains "protected health information" is considered a business associate under the jurisdiction of HIPAA. This means that even lawyers are covered by a federal law, not just doctors, clinics, nurses, and the like.

The Scope

Kelly's survey questioned attorneys from November 2015 and January of 2016. These attorneys handled HIPAA-related cases such as elder law, healthcare law, insurance, med-mal, PI, etc. Across the board, HIPAA violations were common. Some of the more glaring offenses include:

• Only 45 percent of firms have infrastructure that includes intrusion detection.
• 55 percent of firms do not have email encryption set up or are not aware if it is set up.
• Only about half of firms actually review their logs to ensure that devices are properly wiped or destroyed to protect sensitive information.

One can only imagine what the compliance levels will be for businesses which do not regularly handle HIPAA-heavy cases but are still nonetheless required to maintain compliance with the Act.

Who, Me?

Most lawyers are unaware that HIPAA may apply to them. Joe Kelly sees trouble on the horizon not only because of what he sees as "glaring and troublesome" non-compliance with the federal law, but also because of aggravating factors like lax-cybersecurity at law firms. "Law firms are now walking targets for hackers," he says. He argues that law firms are "weak links", allowing unauthorized access to sensitive information from SSNs to contracts negotiations.

Kelly urges all law firms to re-examine their tech and cyber-security controls. If you think your firm is HIPAA compliant, you're probably wrong.

FindLaw has an affiliate relationship with Indeed, earning a small amount of money each time someone uses Indeed's services via FindLaw. FindLaw receives no compensation in exchange for editorial coverage.

Related Resources:

• Need recruiting help? Find it here. (Indeed)
• The New HIPAA Privacy Rule: What Is It and Who Should Care? (FindLaw)
• Federal Laws Lag Behind Tech Privacy Breaches (FindLaw's Technologist)
• Controversial Cybersecurity Law Passed as Appropriations Rider (FindLaw's Technologist)
• Do Medical Privacy Laws Apply to Health Tracking Apps? (FindLaw's Law & Daily Life)