Survey Shows Law Firms Are Not Complying with HIPAA Regulations

The Health Insurance Portability and Accountability Act (HIPAA) applies to health plans, healthcare providers, and healthcare clearinghouses, and all of these covered entities are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA also applies to vendors and other firms that do business with covered entities, which are classified as HIPAA business associates. If a business associate is provided with the protected health information (PHI) of patients or health plan members, or its systems or software can access PHI/PII, that entity is also required to comply with the HIPAA Rules.

Are Lawyers Classified as Business Associates of HIPAA-Covered Entities?

According to Legal Workspace, healthcare lawyers may fall into the category of business associate and, as such, must comply with the HIPAA Rules. If a healthcare lawyer is provided with healthcare data, that lawyer, or his or her law firm, is obliged to ensure that the necessary administrative, technical, and physical safeguards are in place to protect the PHI provided by healthcare clients.

The latest survey by Legal Workspace indicates that many are not. In fact, the majority of healthcare lawyers are not complying with the HIPAA Rules and have failed to implement the appropriate administrative, technical, and physical safeguards to keep PHI/PII secure.

Legal Workspace surveyed 240 law firms, asking about the technical controls they had put in place to keep client data secure. Only 13% of law firms said they had implemented the technology necessary to ensure compliance with the HIPAA Rules.

The lack of technical safeguards could leave law firms vulnerable to cyberattacks, making them much easier targets for hackers than healthcare organizations. It could also leave them liable for non-compliance penalties.

The main areas of concern highlighted by the survey were:

  • A lack of email encryption: 55% of law firms had either not implemented email encryption or were unaware whether their email server encrypted data. Only 45% said they used encryption on their email servers.
  • Only 6 out of 10 law firms had a current business associate agreement (BAA) in place.
  • Fewer than half of law firms (48%) said they kept PHI access logs.
  • Only 46% maintained and reviewed PHI logs on remote devices and ensured data was securely deleted when no longer required.
  • Only 45% used an intrusion detection system.
  • Only 39% used two-factor authentication.
  • Only 58% said their off-site data backups complied with the HIPAA Rules.

The survey was conducted between November 2015 and January 2016, and respondents were from law firms that do business with HIPAA-covered entities, such as those handling personal injury, product liability, medical malpractice, elder care, insurance coverage, and other healthcare legal matters.

According to Joe Kelly, Legal Workspace partner and CEO, “If you have a law company and think you are abiding by HIPAA, I would advise you to re-examine your cyber-security and technology procedures. You might be astonished at the results.”


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cybersecurity. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.