
Data Security: Should Your Law Firm Be HIPAA Compliant?

Lacey Jackson
December 12, 2019

What is a data breach?

A data breach is a security incident in which data is accessed or released without authorization. Since 2014, over 100 law firms have reported data security breaches in the U.S. Differences in reporting requirements across the country make it difficult to build a comprehensive picture of all breaches and related trends, but phishing attacks and vendor leaks were a major cause.

What should I know about HIPAA and data security?

When we think of the Health Insurance Portability and Accountability Act (HIPAA), clinic waiting rooms and hospital front desks spring to mind. However, HIPAA does not apply only to hospitals and doctors. The rule is comprehensive and addresses security and privacy around electronic transactions, breach notifications, and data access.

These requirements apply to covered entities, which include health plans, healthcare providers, and healthcare clearinghouses. You’re probably thinking, “My law firm doesn’t fall into any of those categories.” And, you’re right. But that doesn’t mean legal organizations are exempt from the requirements and regulations surrounding HIPAA.

So, are law firms and attorneys subject to HIPAA?

The HIPAA rule applies to covered entities (e.g., hospitals) and business associates. In its definition of business associates, HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates “when the legal services provided involve disclosure of PHI from a covered entity” or from another business associate to the firm. Yet a survey conducted by Legal Workspace suggested that the majority of attorneys handling health data were not complying with HIPAA. Failing to comply can lead to hefty fines, such as the one that sent Retrieval-Masters into bankruptcy earlier this year.

If you’re gathering information that is subject to HIPAA, you need to follow HIPAA’s rules. Protected health information is defined as "individually identifiable health information" that:

  • is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and
  • relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.

In recent years, the Department of Health and Human Services has been cracking down on HIPAA violations. The most common (and expensive) violations include:

  • Failing to perform an enterprise-wide risk analysis
  • Lack of a risk management process
  • Failure to enter into a HIPAA compliant business associate agreement
  • Insufficient ePHI access controls
  • Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
  • Exceeding the 60-day deadline for issuing breach notifications
  • Impermissible disclosures of PHI
  • Improper disposal of PHI

The bottom line is, if your legal organization deals with health data, you need to make sure you’re meeting the requirements outlined by HIPAA.

What can I do to maintain HIPAA compliance?

Follow a few best practices to ensure your business is compliant. Vendor breaches are one of the biggest problems in health data security, so make sure the software and tools you use to manage patient health data meet compliance standards. This might include your CRM, contract management software, or other data collection tools. After vendor breaches, phishing attacks are the next major cause of data security breaches. Make sure your staff understands that phishing attacks will occur and provide examples of what to look out for.

If you need to gather eDiscovery documents, collect client information, populate contracts and agreements, or gather eSignatures, Formstack has a tool for you. Our Forms, Documents, and Sign tools maintain critical security features so you can rest easy knowing data is being securely collected and managed.

We’re hosting a webinar to help you navigate HIPAA compliance. Watch our webinar Should Your Business Be HIPAA Compliant now.

Lacey Jackson
Lacey is a Product Marketing Manager at Formstack who is dedicated to creating content that showcases the power of the Formstack Platform. When she’s not creating Formstack Builders tutorials, she can be found reading, playing board games, or strolling with her dog. Lacey is a graduate of Franklin College.