According to a new survey conducted by Legal Workspace, many law firms are not adhering to HIPAA cybersecurity standards and are not keeping protected health information (PHI) secure. Data is not being protected by encryption, intrusion detection systems are not being implemented, logs of data access are not being kept, and where they are kept, those logs are not being maintained and reviewed.
Law firms are not covered entities under HIPAA, so adhering to HIPAA cybersecurity standards is not automatically mandatory for them. That changes when a firm has healthcare clients and comes into contact with PHI: the firm is then classed as a business associate of a HIPAA-covered entity, and is itself bound by the Health Insurance Portability and Accountability Act of 1996.
Consequently, those firms need to adhere to HIPAA cybersecurity standards and ensure that any PHI provided to the firm is properly protected at all times.
What information is classed as PHI? Any patient health data, insurance information, medical test results, or personally identifiable information of patients. Should such data be provided to a law firm, the firm must enter into a business associate agreement with the covered entity before receiving it. The survey results indicate that only 60% of law firms with healthcare clients have signed a business associate agreement. The 40% that have not would be in violation of HIPAA rules, with implications not only for the law firm but also for the law firm's clients.
Adherence to HIPAA Cybersecurity Standards by Law Firms
The survey was conducted on 240 law firms in the United States that had healthcare clients and dealt with issues related to HIPAA. The firms were involved in medical insurance claims, elder law, product liability cases, or personal injury claims, and took cases that required them to receive, store, and view data classed as PHI under HIPAA.
The firms were asked whether they complied with HIPAA cybersecurity standards and which technology they had implemented to safeguard PHI in accordance with the HIPAA Security Rule. Alarmingly, only 13% of the law firms had implemented the technology necessary for compliance with HIPAA.
Some of the key findings of the survey are detailed below:
- 58% of respondents were not backing up data in accordance with HIPAA rules
- 48% of respondents were not maintaining logs of persons who accessed PHI
- 39% of respondents were not using two-factor authentication to control access to PHI
- 55% of respondents did not encrypt email communications containing PHI or were not aware if they did
- Only 46% maintained and monitored access logs for PHI on remote devices and ensured that PHI was securely and permanently erased when no longer required
- 55% did not have an intrusion detection system in place
Under HIPAA Rules, a failure to implement the required administrative, physical, and technical safeguards to keep PHI secure can result in a fine of up to $1.5 million. Business associates can be fined directly, and the covered entity can also be fined for failing to ensure that its business associates comply with HIPAA Rules.