Law Firms are not Complying with HIPAA Rules: Survey

A recent survey carried out by Legal Workspace suggests that many are not. In fact, most health attorneys are not in adherence with HIPAA Rules and have failed to implement the appropriate technical, administrative, and physical measures to keep PHI/PII secure.

Legal Workspace surveyed 240 law firms and questions were posed about the technical controls that had been put in place to keep client data secure. Only 13% of law firms said they had put in place the technology necessary to ensure compliance with HIPAA Rules.

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered bodies are required to comply with HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA also applies to vendors and other companies doing business with covered bodies, which are classified as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or their software or systems that touch PHI/PII, those bodies are also required to comply with HIPAA Rules.

The lack of technical security measures could potentially leave law firms open to cyberattacks, with law firms much easier targets for hackers than healthcare firms. It could also see them liable to pay penalties for non-compliance.

The main areas of concern focused on by the survey were as follows:

  • No email encryption: 55% of law firms had either not implemented email encryption or were unaware if their email server encrypted data stored. Only 45% claimed to use encryption on email servers
  • Only 6 out of 10 law firms had a current Business Associate Agreement (BAA) in operation
  • Under half of law firms (48%) said they kept personal health information access logs
  • Only 46% reviewed and maintained PHI logs on remote devices and ensured data were safely erased when no longer required
  • Only 45% used an intrusion detection measures
  • Only 39% implemented two-factor authentication
  • Only 58% said their off-site data backups adhered with HIPAA regulations

The survey was carried out between November, 2015., and January, 2016, and respondents were from law firms that dealt with HIPAA-covered bodies, such as those handling insurance coverage, elder care, medical malpractice, product liability, personal injury, and other healthcare legal issues.

Legal Workspace partner and CEO, Joe Kelly made that point that “If you own a law firm and think you are complying with HIPAA, I would urge you to re-examine your technology and cyber-security protocols. You may be surprised at the results.”


According to Legal Workspace, healthcare attorneys may be classified as a Business Associate, and as such, they must be in adherence with HIPAA Rules.  If a healthcare attorney is given access to healthcare data, it is necessary for that attorney – or his or her law firm – to make sure the necessary technical, administrative, and physical controls are in place to protect PHI supplied by healthcare clients.