Law Firms are not Complying with HIPAA Rules: Survey

Feb 3, 2016

A recent survey carried out by Legal Workspace suggests that many law firms handling protected health information are not complying with HIPAA Rules. In fact, most of the health attorneys surveyed have failed to implement the technical, administrative, and physical safeguards required to keep PHI secure.

Legal Workspace surveyed 240 law firms and questions were posed about the technical controls that had been put in place to keep client data secure. Only 13% of law firms said they had put in place the technology necessary to ensure compliance with HIPAA Rules.

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health plans, and healthcare clearinghouses. These are known as covered entities, and all of them are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA also applies to vendors and other companies doing business with covered entities, which are classified as HIPAA Business Associates (BAs). If a vendor is supplied with the Protected Health Information (PHI) of health plan members or patients, or its software or systems touch PHI, that vendor is a BA and is also required to comply with HIPAA Rules. Since the 2013 Omnibus Rule, BAs are directly liable for violations of the HIPAA Security Rule.

The lack of technical safeguards could leave law firms open to cyberattacks: a firm that holds clients' PHI without these controls is a softer target than the healthcare organizations it serves, and the data is equally valuable to an attacker. It could also leave them liable to pay penalties for non-compliance.

The main areas of concern focused on by the survey were as follows:

  • No email encryption: 55% of law firms had either not implemented email encryption or did not know whether their email server encrypted stored data. Only 45% claimed to use encryption on their email servers.
  • Only 6 out of 10 law firms had a current Business Associate Agreement (BAA) in place.
  • Under half of law firms (48%) said they kept protected health information (PHI) access logs.
  • Only 46% tracked PHI stored on remote devices and ensured it was securely erased when no longer required.
  • Only 45% used intrusion detection measures.
  • Only 39% had implemented two-factor authentication.
  • Only 58% said their off-site data backups complied with HIPAA regulations.

The survey was carried out between November 2015 and January 2016, and respondents were from law firms that dealt with HIPAA-covered entities, such as those handling insurance coverage, elder care, medical malpractice, product liability, personal injury, and other healthcare legal issues.

Legal Workspace partner and CEO Joe Kelly made the point that “If you own a law firm and think you are complying with HIPAA, I would urge you to re-examine your technology and cyber-security protocols. You may be surprised at the results.”


According to Legal Workspace, a healthcare attorney may be classified as a Business Associate, and as such must comply with HIPAA Rules. If a healthcare attorney is given access to healthcare data, that attorney, or his or her law firm, must make sure the necessary technical, administrative, and physical controls are in place to protect the PHI supplied by healthcare clients.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
