Blog

Data Security: Should Your Law Firm Be HIPAA Compliant?

Lacey Jackson / December 12, 2019

What is a data breach?

A data breach is a security incident in which data is released or accessed without authorization. Since 2014, over 100 law firms have reported data security breaches in the U.S. While differences in reporting requirements across the country make it difficult to build a comprehensive view of all breaches and related trends, phishing attacks and vendor leaks account for a large share of those that were reported.

What should I know about HIPAA and data security?

When we think of the Health Insurance Portability and Accountability Act (HIPAA), clinic waiting rooms and hospital front desks spring to mind. However, HIPAA doesn’t apply only to hospitals and doctors. The rule is comprehensive and addresses security and privacy around electronic transactions, breach notifications, and data access.

These requirements apply to covered entities, which include health plans, healthcare providers, and healthcare clearinghouses. You’re probably thinking, “My law firm doesn’t fall into any of those categories.” And, you’re right. But that doesn’t mean legal organizations are exempt from the requirements and regulations surrounding HIPAA.

So, are law firms and attorneys subject to HIPAA?

The HIPAA rule applies to covered entities (e.g., hospitals) and business associates. In the definition of business associates, HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates “when the legal services provided involve disclosure of PHI from a covered entity” or from another business associate to the firm. But a survey conducted by Legal Workspace suggested that the majority of attorneys dealing with health data were not complying with the rules of HIPAA. Failing to comply can lead to hefty fines, such as the one that sent Retrieval-Masters into bankruptcy earlier this year.

If you’re gathering information that is subject to HIPAA, you need to follow HIPAA’s rules. Health information is defined as being "individually identifiable health information" that:

  • is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and
  • relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.

In recent years, the Department of Health and Human Services has been cracking down on HIPAA violations. The most common (and expensive) violations include:

  • Failing to perform an enterprise-wide risk analysis
  • Lack of a risk management process
  • Failure to enter into a HIPAA compliant business associate agreement
  • Insufficient ePHI access controls
  • Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
  • Exceeding the 60-day deadline for issuing breach notifications
  • Impermissible disclosures of PHI
  • Improper disposal of PHI

The bottom line is, if your legal organization deals with health data, you need to make sure you’re meeting the requirements outlined by HIPAA.

What can I do to maintain HIPAA compliance?

Take care to follow a few best practices to ensure your business is compliant. Vendor breaches are one of the biggest problems in health data security. Make sure the software and tools you use to manage patient health data meet compliance standards. This might include your CRM, contract management software, or other data collection tools. After vendor breaches, phishing attacks are the other major cause of data security breaches. Make sure your staff understands that phishing attacks may occur, and provide examples of what to look out for.

If you need to gather eDiscovery documents, collect client information, populate contracts and agreements, or gather eSignatures, Formstack has a tool for you. Our Forms, Documents, and Sign tools are all HIPAA compliant so you can rest easy knowing data is being securely collected and managed.

We’re hosting a webinar to help you navigate HIPAA compliance. Watch our webinar Should Your Business Be HIPAA Compliant now.


Blog

Data Security: Should Your Law Firm Be HIPAA Compliant?

Blog

Data Security: Should Your Law Firm Be HIPAA Compliant?

Panelists
No items found.
Introduction

Great, thank ya!

You can now access the content.
Download NowDownload Now
Oops! Something went wrong while submitting the form.

What is a data breach?

A data breach is a security incident where data is released or accessed without authorization. Since 2014, over 100 law firms have reported data security breaches in the U.S. While differences in reporting requirements across the country make it difficult to gather a comprehensive view of all breaches and related trends, phishing attacks and vendor leaks were a large cause.

What should I know about HIPAA and data security?

When we think of the Health Insurance Accountability and Portability Act (HIPAA), clinic waiting rooms and hospital front desks spring to mind. However, HIPAA doesn’t strictly apply to hospitals and doctors. The rule is comprehensive and addresses security and privacy around electronic transactions, breach notifications, and data access.

These requirements apply to covered entities, which include health plans, healthcare providers, and healthcare clearinghouses. You’re probably thinking, “My law firm doesn’t fall into any of those categories.” And, you’re right. But that doesn’t mean legal organizations are exempt from the requirements and regulations surrounding HIPAA.

So, are law firms and attorneys subject to HIPAA?

The HIPAA rule applies to covered entities (i.e., hospitals) and business associates. In the definition of business associates, HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates “when the legal services provided involve disclosure of PHI from a covered entity” or from another business associate to the firm. But a survey conducted by Legal Workspace suggested that the majority of attorneys dealing with health data were not complying with the rules of HIPAA. Failing to comply can lead to hefty fines, such as the one that sent Retrieval-Masters into bankruptcy earlier this year.

If you’re gathering information that is subject to HIPAA, you need to follow HIPAA’s rules. Health information is defined as being "individually identifiable health information" that:

  • is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and
  • relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.

In recent years, the Department of Health and Human Services has been cracking down on HIPAA violations. The most common (and expensive) violations include:

  • Failing to perform an enterprise-wide risk analysis
  • Lack of a risk management process
  • Failure to enter into a HIPAA compliant business associate agreement
  • Insufficient ePHI access controls
  • Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
  • Exceeding the 60-day deadline for issuing breach notifications
  • Impermissible disclosures of PHI
  • Improper disposal of PHI

The bottom line is, if your legal organization deals with health data, you need to make sure you’re meeting the requirements outlined by HIPAA.

What can I do to maintain HIPAA compliance?

Take care to follow a few best practices to ensure your business is compliant. Vendor breaches are one of the biggest problems in health data security. Make sure the software and tools you use to manage patient health data meets compliance standards. This might include your CRM, contract management software, or other data collection tool. Following vendor breaches, phishing attacks are another major cause of data security breaches. Make sure your staff understands that phishing attacks may occur and provide examples of what to look out for.

If you need to gather eDiscovery documents, collect client information, populate contracts and agreements, or gather eSignatures, Formstack has a tool for you. Our Forms, Documents, and Sign tools are all HIPAA compliant so you can rest easy knowing data is being securely collected and managed.

We’re hosting a webinar to help you navigate HIPAA compliance. Watch our webinar
Should Your Business Be HIPAA Compliant now.


Panelists
No items found.
Infographic

Data Security: Should Your Law Firm Be HIPAA Compliant?

Learn how recent health data security breaches have impacted law firms across the U.S., and see if your business should be following the rules of HIPAA.
Download InfographicDownload Infographic

What is a data breach?

A data breach is a security incident where data is released or accessed without authorization. Since 2014, over 100 law firms have reported data security breaches in the U.S. While differences in reporting requirements across the country make it difficult to gather a comprehensive view of all breaches and related trends, phishing attacks and vendor leaks were a large cause.

What should I know about HIPAA and data security?

When we think of the Health Insurance Accountability and Portability Act (HIPAA), clinic waiting rooms and hospital front desks spring to mind. However, HIPAA doesn’t strictly apply to hospitals and doctors. The rule is comprehensive and addresses security and privacy around electronic transactions, breach notifications, and data access.

These requirements apply to covered entities, which include health plans, healthcare providers, and healthcare clearinghouses. You’re probably thinking, “My law firm doesn’t fall into any of those categories.” And, you’re right. But that doesn’t mean legal organizations are exempt from the requirements and regulations surrounding HIPAA.

So, are law firms and attorneys subject to HIPAA?

The HIPAA rule applies to covered entities (i.e., hospitals) and business associates. In the definition of business associates, HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates “when the legal services provided involve disclosure of PHI from a covered entity” or from another business associate to the firm. But a survey conducted by Legal Workspace suggested that the majority of attorneys dealing with health data were not complying with the rules of HIPAA. Failing to comply can lead to hefty fines, such as the one that sent Retrieval-Masters into bankruptcy earlier this year.

If you’re gathering information that is subject to HIPAA, you need to follow HIPAA’s rules. Health information is defined as being "individually identifiable health information" that:

  • is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and
  • relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.

In recent years, the Department of Health and Human Services has been cracking down on HIPAA violations. The most common (and expensive) violations include:

  • Failing to perform an enterprise-wide risk analysis
  • Lack of a risk management process
  • Failure to enter into a HIPAA compliant business associate agreement
  • Insufficient ePHI access controls
  • Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
  • Exceeding the 60-day deadline for issuing breach notifications
  • Impermissible disclosures of PHI
  • Improper disposal of PHI

The bottom line is, if your legal organization deals with health data, you need to make sure you’re meeting the requirements outlined by HIPAA.

What can I do to maintain HIPAA compliance?

Take care to follow a few best practices to ensure your business is compliant. Vendor breaches are one of the biggest problems in health data security. Make sure the software and tools you use to manage patient health data meets compliance standards. This might include your CRM, contract management software, or other data collection tool. Following vendor breaches, phishing attacks are another major cause of data security breaches. Make sure your staff understands that phishing attacks may occur and provide examples of what to look out for.

If you need to gather eDiscovery documents, collect client information, populate contracts and agreements, or gather eSignatures, Formstack has a tool for you. Our Forms, Documents, and Sign tools are all HIPAA compliant so you can rest easy knowing data is being securely collected and managed.

We’re hosting a webinar to help you navigate HIPAA compliance. Watch our webinar
Should Your Business Be HIPAA Compliant now.


What is a data breach?

A data breach is a security incident where data is released or accessed without authorization. Since 2014, over 100 law firms have reported data security breaches in the U.S. While differences in reporting requirements across the country make it difficult to gather a comprehensive view of all breaches and related trends, phishing attacks and vendor leaks were a large cause.

What should I know about HIPAA and data security?

When we think of the Health Insurance Accountability and Portability Act (HIPAA), clinic waiting rooms and hospital front desks spring to mind. However, HIPAA doesn’t strictly apply to hospitals and doctors. The rule is comprehensive and addresses security and privacy around electronic transactions, breach notifications, and data access.

These requirements apply to covered entities, which include health plans, healthcare providers, and healthcare clearinghouses. You’re probably thinking, “My law firm doesn’t fall into any of those categories.” And, you’re right. But that doesn’t mean legal organizations are exempt from the requirements and regulations surrounding HIPAA.

So, are law firms and attorneys subject to HIPAA?

The HIPAA rule applies to covered entities (i.e., hospitals) and business associates. In the definition of business associates, HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates “when the legal services provided involve disclosure of PHI from a covered entity” or from another business associate to the firm. But a survey conducted by Legal Workspace suggested that the majority of attorneys dealing with health data were not complying with the rules of HIPAA. Failing to comply can lead to hefty fines, such as the one that sent Retrieval-Masters into bankruptcy earlier this year.

If you’re gathering information that is subject to HIPAA, you need to follow HIPAA’s rules. Health information is defined as being "individually identifiable health information" that:

  • is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and
  • relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.

In recent years, the Department of Health and Human Services has been cracking down on HIPAA violations. The most common (and expensive) violations include:

  • Failing to perform an enterprise-wide risk analysis
  • Lack of a risk management process
  • Failure to enter into a HIPAA compliant business associate agreement
  • Insufficient ePHI access controls
  • Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
  • Exceeding the 60-day deadline for issuing breach notifications
  • Impermissible disclosures of PHI
  • Improper disposal of PHI

The bottom line is, if your legal organization deals with health data, you need to make sure you’re meeting the requirements outlined by HIPAA.

What can I do to maintain HIPAA compliance?

Take care to follow a few best practices to ensure your business is compliant. Vendor breaches are one of the biggest problems in health data security. Make sure the software and tools you use to manage patient health data meets compliance standards. This might include your CRM, contract management software, or other data collection tool. Following vendor breaches, phishing attacks are another major cause of data security breaches. Make sure your staff understands that phishing attacks may occur and provide examples of what to look out for.

If you need to gather eDiscovery documents, collect client information, populate contracts and agreements, or gather eSignatures, Formstack has a tool for you. Our Forms, Documents, and Sign tools are all HIPAA compliant so you can rest easy knowing data is being securely collected and managed.

We’re hosting a webinar to help you navigate HIPAA compliance. Watch our webinar
Should Your Business Be HIPAA Compliant now.


Collecting payments with online forms is easy, but first, you have to choose the right payment gateway. Browse the providers in our gateway credit card processing comparison chart to find the best option for your business. Then sign up for Formstack Forms, customize your payment forms, and start collecting profits in minutes.

Online Payment Gateway Comparison Chart

NOTE: These amounts reflect the monthly subscription for the payment provider. Formstack does not charge a fee to integrate with any of our payment partners.

FEATURES
Authorize.Net
Bambora
Chargify
First Data
PayPal
PayPal Pro
PayPal Payflow
Stripe
WePay
ProPay
Monthly Fees
$25
$25
$149+
Contact First Data
$0
$25
$0-$25
$0
$0
$4
Transaction Fees
$2.9% + 30¢
$2.9% + 30¢
N/A
Contact First Data
$2.9% + 30¢
$2.9% + 30¢
10¢
$2.9% + 30¢
$2.9% + 30¢
$2.6% + 30¢
Countries
5
8
Based on payment gateway
50+
203
3
4
25
USA
USA
Currencies
11
2
23
140
25
23
25
135+
1
1
Card Types
6
13
Based on payment gateway
5
9
9
5
6
4
4
Limits
None
None
Based on payment gateway
None
$10,000
None
None
None
None
$500 per transaction
Form Payments
Recurring Billing
Mobile Payments
PSD2 Compliant

What is a data breach?

A data breach is a security incident where data is released or accessed without authorization. Since 2014, over 100 law firms have reported data security breaches in the U.S. While differences in reporting requirements across the country make it difficult to gather a comprehensive view of all breaches and related trends, phishing attacks and vendor leaks were a large cause.

What should I know about HIPAA and data security?

When we think of the Health Insurance Accountability and Portability Act (HIPAA), clinic waiting rooms and hospital front desks spring to mind. However, HIPAA doesn’t strictly apply to hospitals and doctors. The rule is comprehensive and addresses security and privacy around electronic transactions, breach notifications, and data access.

These requirements apply to covered entities, which include health plans, healthcare providers, and healthcare clearinghouses. You’re probably thinking, “My law firm doesn’t fall into any of those categories.” And, you’re right. But that doesn’t mean legal organizations are exempt from the requirements and regulations surrounding HIPAA.

So, are law firms and attorneys subject to HIPAA?

The HIPAA rule applies to covered entities (i.e., hospitals) and business associates. In the definition of business associates, HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates “when the legal services provided involve disclosure of PHI from a covered entity” or from another business associate to the firm. But a survey conducted by Legal Workspace suggested that the majority of attorneys dealing with health data were not complying with the rules of HIPAA. Failing to comply can lead to hefty fines, such as the one that sent Retrieval-Masters into bankruptcy earlier this year.

If you’re gathering information that is subject to HIPAA, you need to follow HIPAA’s rules. Health information is defined as being "individually identifiable health information" that:

  • is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and
  • relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.

In recent years, the Department of Health and Human Services has been cracking down on HIPAA violations. The most common (and expensive) violations include:

  • Failing to perform an enterprise-wide risk analysis
  • Lack of a risk management process
  • Failure to enter into a HIPAA compliant business associate agreement
  • Insufficient ePHI access controls
  • Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
  • Exceeding the 60-day deadline for issuing breach notifications
  • Impermissible disclosures of PHI
  • Improper disposal of PHI

The bottom line is, if your legal organization deals with health data, you need to make sure you’re meeting the requirements outlined by HIPAA.

What can I do to maintain HIPAA compliance?

Take care to follow a few best practices to ensure your business is compliant. Vendor breaches are one of the biggest problems in health data security. Make sure the software and tools you use to manage patient health data meets compliance standards. This might include your CRM, contract management software, or other data collection tool. Following vendor breaches, phishing attacks are another major cause of data security breaches. Make sure your staff understands that phishing attacks may occur and provide examples of what to look out for.

If you need to gather eDiscovery documents, collect client information, populate contracts and agreements, or gather eSignatures, Formstack has a tool for you. Our Forms, Documents, and Sign tools are all HIPAA compliant so you can rest easy knowing data is being securely collected and managed.

We’re hosting a webinar to help you navigate HIPAA compliance. Watch our webinar
Should Your Business Be HIPAA Compliant now.


What is a data breach?

A data breach is a security incident where data is released or accessed without authorization. Since 2014, over 100 law firms have reported data security breaches in the U.S. While differences in reporting requirements across the country make it difficult to gather a comprehensive view of all breaches and related trends, phishing attacks and vendor leaks were a large cause.

What should I know about HIPAA and data security?

When we think of the Health Insurance Accountability and Portability Act (HIPAA), clinic waiting rooms and hospital front desks spring to mind. However, HIPAA doesn’t strictly apply to hospitals and doctors. The rule is comprehensive and addresses security and privacy around electronic transactions, breach notifications, and data access.

These requirements apply to covered entities, which include health plans, healthcare providers, and healthcare clearinghouses. You’re probably thinking, “My law firm doesn’t fall into any of those categories.” And, you’re right. But that doesn’t mean legal organizations are exempt from the requirements and regulations surrounding HIPAA.

So, are law firms and attorneys subject to HIPAA?

The HIPAA rule applies to covered entities (i.e., hospitals) and business associates. In the definition of business associates, HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates “when the legal services provided involve disclosure of PHI from a covered entity” or from another business associate to the firm. But a survey conducted by Legal Workspace suggested that the majority of attorneys dealing with health data were not complying with the rules of HIPAA. Failing to comply can lead to hefty fines, such as the one that sent Retrieval-Masters into bankruptcy earlier this year.

If you’re gathering information that is subject to HIPAA, you need to follow HIPAA’s rules. Health information is defined as being "individually identifiable health information" that:

  • is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and
  • relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.

In recent years, the Department of Health and Human Services has been cracking down on HIPAA violations. The most common (and expensive) violations include:

  • Failing to perform an enterprise-wide risk analysis
  • Lack of a risk management process
  • Failure to enter into a HIPAA compliant business associate agreement
  • Insufficient ePHI access controls
  • Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
  • Exceeding the 60-day deadline for issuing breach notifications
  • Impermissible disclosures of PHI
  • Improper disposal of PHI

The bottom line is, if your legal organization deals with health data, you need to make sure you’re meeting the requirements outlined by HIPAA.

What can I do to maintain HIPAA compliance?

Take care to follow a few best practices to ensure your business is compliant. Vendor breaches are one of the biggest problems in health data security. Make sure the software and tools you use to manage patient health data meets compliance standards. This might include your CRM, contract management software, or other data collection tool. Following vendor breaches, phishing attacks are another major cause of data security breaches. Make sure your staff understands that phishing attacks may occur and provide examples of what to look out for.

If you need to gather eDiscovery documents, collect client information, populate contracts and agreements, or gather eSignatures, Formstack has a tool for you. Our Forms, Documents, and Sign tools are all HIPAA compliant so you can rest easy knowing data is being securely collected and managed.

We’re hosting a webinar to help you navigate HIPAA compliance. Watch our webinar
Should Your Business Be HIPAA Compliant now.


What is a data breach?

A data breach is a security incident where data is released or accessed without authorization. Since 2014, over 100 law firms have reported data security breaches in the U.S. While differences in reporting requirements across the country make it difficult to gather a comprehensive view of all breaches and related trends, phishing attacks and vendor leaks were a large cause.

What should I know about HIPAA and data security?

When we think of the Health Insurance Accountability and Portability Act (HIPAA), clinic waiting rooms and hospital front desks spring to mind. However, HIPAA doesn’t strictly apply to hospitals and doctors. The rule is comprehensive and addresses security and privacy around electronic transactions, breach notifications, and data access.

These requirements apply to covered entities, which include health plans, healthcare providers, and healthcare clearinghouses. You’re probably thinking, “My law firm doesn’t fall into any of those categories.” And, you’re right. But that doesn’t mean legal organizations are exempt from the requirements and regulations surrounding HIPAA.

So, are law firms and attorneys subject to HIPAA?

The HIPAA rule applies to covered entities (i.e., hospitals) and business associates. In the definition of business associates, HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates “when the legal services provided involve disclosure of PHI from a covered entity” or from another business associate to the firm. But a survey conducted by Legal Workspace suggested that the majority of attorneys dealing with health data were not complying with the rules of HIPAA. Failing to comply can lead to hefty fines, such as the one that sent Retrieval-Masters into bankruptcy earlier this year.

If you’re gathering information that is subject to HIPAA, you need to follow HIPAA’s rules. Health information is defined as being "individually identifiable health information" that:

  • is created or received by a health plan, health provider, health care clearinghouse, employer, or certain other entities; and
  • relates to an individual's past, present, or future physical or mental health condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to the individual.

In recent years, the Department of Health and Human Services has been cracking down on HIPAA violations. The most common (and expensive) violations include:

  • Failing to perform an enterprise-wide risk analysis
  • Lack of a risk management process
  • Failure to enter into a HIPAA compliant business associate agreement
  • Insufficient ePHI access controls
  • Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
  • Exceeding the 60-day deadline for issuing breach notifications
  • Impermissible disclosures of PHI
  • Improper disposal of PHI

The bottom line is, if your legal organization deals with health data, you need to make sure you’re meeting the requirements outlined by HIPAA.

What can I do to maintain HIPAA compliance?

Take care to follow a few best practices to ensure your business is compliant. Vendor breaches are one of the biggest problems in health data security. Make sure the software and tools you use to manage patient health data meets compliance standards. This might include your CRM, contract management software, or other data collection tool. Following vendor breaches, phishing attacks are another major cause of data security breaches. Make sure your staff understands that phishing attacks may occur and provide examples of what to look out for.

If you need to gather eDiscovery documents, collect client information, populate contracts and agreements, or gather eSignatures, Formstack has a tool for you. Our Forms, Documents, and Sign tools are all HIPAA compliant so you can rest easy knowing data is being securely collected and managed.

We’re hosting a webinar to help you navigate HIPAA compliance. Watch our webinar
Should Your Business Be HIPAA Compliant now.

Lacey Jackson
Lacey is the Demand Content Strategist at Formstack focused on developing in-depth technical content about the Formstack platform for a variety of industries.