The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered entities are required to comply with HIPAA Privacy, Security, and Breach Notification Rules.
HIPAA also applies to vendors and other companies doing business with covered entities, which are classed as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or their software or systems are capable of touching PHI/PII, those entities are also required to comply with HIPAA Rules.
Are Attorneys Classed as Business Associates of HIPAA-Covered Entities?
According to Legal Workspace, healthcare attorneys may fall under the classification of Business Associate, and as such, they must comply with HIPAA Rules. If a healthcare attorney is provided with healthcare data, it is necessary for that attorney – or his or her law firm – to ensure the necessary technical, administrative, and physical controls are implemented to protect PHI supplied by healthcare clients.
A recent survey conducted by Legal Workspace suggests that many are not. In fact, the majority of health attorneys are not complying with HIPAA Rules and have failed to implement the appropriate technical, administrative, and physical safeguards to keep PHI/PII secure.
Legal Workspace surveyed 240 law firms and questions were asked about the technical controls that had been put in place to keep client data secure. Only 13% of law firms said they had implemented the technology necessary to ensure compliance with HIPAA Rules.
The lack of technical safeguards could potentially leave law firms open to cyber attacks, with law firms much easier targets for hackers than healthcare firms. It could also see them liable to pay fines for non-compliance.
The main areas of concern highlighted by the survey were as follows:
- A lack of email encryption: 55% of law firms had either not implemented email encryption or were unaware if their email server encrypted data. Only 45% claimed to use encryption on email servers
- Only 6 out of 10 law firms had a current Business Associate Agreement (BAA) in place
- Just under half of law firms (48%) said they kept personal health information access logs
- Only 46% reviewed and maintained PHI logs on remote devices and ensured data were securely erased when no longer needed.
- Only 45% used an intrusion detection system
- Only 39% used two-factor authentication
- Only 58% said their off-site data backups complied with HIPAA regulations
The survey was conducted between November, 2015., and January, 2016, and respondents were from law firms that dealt with HIPAA-covered entities, such as those handling insurance coverage, elder care, medical malpractice, product liability, personal injury, and other healthcare legal matters.
According to Legal Workspace partner and CEO, Joe Kelly, “If you own a law firm and think you are complying with HIPAA, I would urge you to re-examine your technology and cyber-security protocols. You may be surprised at the results.”