HIPAA Compliance Ignored by Healthcare Lawyers

HIPAA applies to more than doctors, hospitals, and insurers.

Anyone who handles protected health information (PHI) as part of doing work for a healthcare organization has to comply. That means a huge number of professionals -- including healthcare lawyers -- are on the hook.

Except many lawyers do not live up to their obligations under HIPAA.

In a recent survey, only 13% of law firms said they complied with HIPAA guidelines despite working in a HIPAA-related field, such as elder law, healthcare, insurance, medical malpractice, and others.

The survey questioned 240 law firms in these fields and was completed in January by Legal Workspace, a cloud-based service provider for law firms, and was reported by Legaltech News.

Although fewer than 1 in 5 law firms complied overall, the results are not as grim when each requirement is reviewed.

Related: HIPAA Regulations for IT Compliance – Guidelines straight from the federal register

The share of surveyed law firms that met each requirement:

  • Intrusion detection systems: 45%
  • Two-factor authentication: 39%
  • Email encryption, including all email servers: 45%
  • Logs of employees who access PHI: 48%
  • Logs of PHI on remote devices: 46%

As you can see, for each requirement, more than half of the law firms surveyed did not comply.

HIPAA PHI compliance is not the only question, either. The results are also concerning from a security perspective. Since fewer than half of the firms met any one of these safeguards for PHI, the results raise a question:

Are they providing adequate security for any of their clients?

Healthcare lawyers the next targets?

Healthcare network security took a beating last year.

The industry’s largest data breach in history, which resulted in more than 80 million records stolen, was announced by insurance giant Anthem in February.

But 2015 was just getting started.

Premera Blue Cross later reported a breach that affected 11 million members, and Excellus BlueCross BlueShield reported one that affected more than 10 million.

Almost 35% of the U.S. population may have been affected in 2015 healthcare data breaches, according to this chart from Forbes of the major ones last year.


This trend is likely to push healthcare organizations to tighten security for PHI.

Other factors are driving them as well, such as the next round of HIPAA audits from the Office for Civil Rights (the agency that enforces HIPAA), which are expected to begin in early 2016.


As healthcare networks tighten up, attackers and data thieves may look for easier ways to breach them rather than attacking head-on. They may begin to target weaker third parties, such as business associates, and use them as a bridge to steal PHI.

Remember the Target breach? That was an example of how poor security at a third-party partner (in this case an HVAC company) can invite a data breach disaster for a company.

Healthcare lawyers who are given trusted access to PHI and who do not have strong network security may be an attacker’s best bet to breach a healthcare organization.

Lawyers need to secure HIPAA PHI


HIPAA applies to anyone who handles PHI as part of working with a healthcare organization. Whether a firm dispenses medicine, processes medical bills, or simply fixes the electricity – if it has access to medical data, then it is liable under HIPAA and needs to comply.

It’s possible that many healthcare lawyers do not realize they are liable, because they are not “covered entities” under HIPAA.

A covered entity is “covered” by HIPAA and has to comply. This includes health insurers, care providers, clearinghouses, and similar organizations.

A third party that works for a covered entity and creates, receives, maintains, or transmits PHI is considered a business associate under HIPAA.

For example, a law firm that works for a doctor’s office is likely a business associate if it has any access to PHI.


Business associates need to enter a “business associate agreement” with the covered entity. Often called a HIPAA BAA, the agreement outlines the relationship between the companies and requires the associate to agree to protect PHI within the bounds of regulations.

The trouble with business associates is that they are often responsible for data breaches. According to one official, they are responsible for 60% of major PHI breaches that affect more than 500 people.

“It’s become clear business associates have a disproportionate impact,” said the official, David Holtzman, a health information privacy specialist at the OCR.

What can IT providers do?

As an IT service provider, your response can vary by your goals and the types of clients you have (or want to have).

If you have healthcare clients – you can help protect them. Suggest that they ask business associates to prove that they are HIPAA compliant and provide adequate security for the PHI they handle.

You can also suggest that they amend their BA agreement to limit their liability in the event of a breach that involves the associate.

If you have law firm clients – ask if they work with clients who are covered by HIPAA and if they have access to medical records, insurance documents, or even something as seemingly innocuous as a patient's full name. All of this is protected health information that attorneys are obligated to protect.

If your clients are exposed, suggest that they adopt security best practices that also fit HIPAA IT requirements, such as the use of IDS/IPS and security awareness training.

This can also be an opportunity to win new clients among the law firms in your area. Send them some information about HIPAA business associates, or even send the results of the survey described in this blog post, to convince them that if they handle HIPAA PHI then they need to start following the rules.

More law firms in healthcare need to meet their obligations under HIPAA or they and their clients may end up on the OCR’s list of shame.

Related resources

Top 3 Causes of Health Data Breaches

Healthcare IT: 4 tips to get more small business clients in healthcare

HIPAA Security: Most business associates suffer data breaches

HIPAA Hazards: Avoid the business associate trap

Written by Calyptix – February 8, 2016
