As legal professionals, lawyers hold a significant responsibility to uphold industry-specific regulations, especially those related to safeguarding clients’ sensitive information, such as medical records, and maintaining their privacy.
The Health Insurance Portability and Accountability Act (HIPAA) is an important consideration for law firms that specialize in health law or handle health-related cases. This is a federal law that entrusts parties with access to sensitive healthcare information, such as law firms, to ensure its privacy and security.
HIPAA isn’t just a best practice — it’s an important law with serious consequences for violations. Security breaches involving HIPAA can come with significant financial and regulatory effects, as well as damage to the firm’s reputation.
Learn more about HIPAA-compliant services, violations, and how you can ensure that your law firm is compliant.
What Is HIPAA?
HIPAA is a federal law that requires healthcare providers and business associates to safeguard protected health information (PHI). This law was enacted to protect sensitive patient health information from disclosure without the patient’s consent or knowledge.
Overview of HIPAA Rights
HIPAA protects the privacy and security of identifiable healthcare information and safeguards an individual’s right to access and obtain their information.
Any organization that has access to health records must follow HIPAA. These are called “covered entities” and include:
- Health insurance companies, health plans, and government healthcare programs
- Health care clearinghouses
- Healthcare providers like physicians and hospitals
HIPAA obligations aren’t limited to healthcare professionals, however. Law firms often deal with health information or insurance information with sensitive client data, making them “business associates.” This means that lawyers must implement the appropriate physical, technical, and administrative safeguards to protect this information.
In addition, law firms must ensure that everyone who has contact with PHI is compliant. This means that third parties like subcontractors, expert witnesses, or practice management software providers must also be compliant.
Must All Firms Comply with HIPAA?
All law firms in America must comply with HIPAA, especially if they access PHI from covered entities.
Though HIPAA is usually associated with healthcare, law firms outside of the industry may access or process PHI on behalf of their clients, and are thus bound by HIPAA. This may include attorneys working in elder law, malpractice, insurance, and personal injury law.
Risks of HIPAA Non-Compliance
Violating HIPAA can have serious consequences for a law firm, whether the violation is accidental or intentional. The penalties are often fines, and the amount depends on how serious the violation is.
Types of HIPAA violations include the following:
Tier One: $120 to $30,113 per violation. These occur when the non-compliant party was unaware, and could not have been aware, of the violation.
Tier Two: $1,205 to $60,226 per violation. These occur when the non-compliant party was unaware of the violation, but there’s reasonable cause for a penalty.
Tier Three: $12,045 to $60,226 per violation. Tier three fines are used when the violation was caused by willful neglect but was fixed quickly.
Tier Four: $60,226 per violation. These fines could be applied when the violation was caused by willful neglect that was not corrected quickly.
If a law firm violates HIPAA multiple times in one year, the fines can be $1,806,757 per violation.
Fines aren’t the only problem with violating HIPAA. Reported HIPAA violations can be devastating to client relationships and trust, and it may be more difficult for firms to get legal malpractice insurance or comply with professional conduct rules.
Common HIPAA Violations
HIPAA is serious, but the rules aren’t always that simple. Some of the common HIPAA violations may include:
- Inappropriate disclosure or disposal of PHI
- Failing to obtain satisfactory assurances from third-party vendors or associates
- Failing to enter into HIPAA-compliant business associate agreements
- Insufficient firm-wide risk management practices
- Failing to report a HIPAA breach or missing the 60-day deadline to issue a breach notification
Law Firm’s Guide to HIPAA Compliance
Protecting PHI and staying HIPAA compliant begins with understanding what’s expected of your firm under HIPAA and the safeguards you must have in place.
- Implement policies and procedures to prevent and detect HIPAA violations.
- Train all staff members on HIPAA compliance.
- Control access to systems with PHI using encryption, passwords, and other technical safeguards.
- Maintain physical security of offices, data, networks, and technology and limit access within your firm.
Using Law Firm Software to Operate in HIPAA Compliance
HIPAA compliance for law firms is challenging, but law practice management software can help. If you implement law firm software, the provider is considered a business associate and must maintain HIPAA compliance with PHI, or else your firm can be on the hook.
Unfortunately, not all legal practice management software assists with HIPAA compliance. It’s important to choose legal technology that has a business associate agreement, rigorous internal testing, and a demonstrated commitment to HIPAA compliance.
PracticePanther offers industry-leading legal security and data encryption with military-grade technology to make it virtually impossible for unauthorized parties to access sensitive data. You can also configure access by roles or to specific IP addresses to keep information on a “need-to-know” basis.
You can also use legal document management software to store and manage all your documents and case files in one secure location. Since PracticePanther is cloud-based, you can monitor them from anywhere, and securely transfer information between your firm and your clients.
HIPAA Compliance Checklist
All law firms should have a HIPAA checklist to ensure compliance. This includes:
- Enter business associate agreements with clients and subcontractors.
- Ensure compliance with administrative, physical, and technical requirements. This includes training staff on how to deal with PHI and create compliance policies and procedures, implementing security measures to protect physical systems with PHI, and using stringent cybersecurity measures to protect data.
- If a HIPAA breach occurs, notify the Office for Civil Rights (OCR) quickly and cooperate fully with the investigation.
- Consider law practice management software that comes with legal-specific security controls to assist with HIPAA compliance and securing your data.
Safeguard Your Clients and Your Firm
When a client comes to your firm, they rely on you to protect their sensitive information. HIPAA compliance is a must for any firm that handles PHI on behalf of clients, not just for the firm itself but for any business associates. By understanding your obligations under HIPAA, and relying on a HIPAA checklist, you can ensure compliance to protect your firm and your clients’ privacy.