Many law firms lack critical security measures that help ensure HIPAA compliance, according to a new poll from Legal Workspace, a leading provider of cloud-based work environments designed specifically for law firms.
The poll, conducted from November 2015 through January 2016, shows that only 13 percent of the 240 law firms surveyed had the key technology and processes in place to support HIPAA compliance and provide a secure environment. These include executed business associate agreements, email encryption, keeping and reviewing access logs, and intrusion detection systems.
The poll targeted attorneys in law firms with practices that would most often fall under HIPAA regulations, including health care, elder law, insurance defense, insurance coverage, medical malpractice, personal injury and products liability.
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the 2013 Omnibus Rule, lawyers qualify as business associates if they create, receive, maintain or transmit “protected health information” (PHI) on behalf of a HIPAA covered entity. PHI includes items such as medical history or records, laboratory results and insurance information. The business associate designation carries a whole host of obligations and compliance measures as well as serious penalties for failing to meet them: since the Omnibus Rule, business associates are directly liable for compliance with the HIPAA Security Rule and for breach notification, not merely bound by contract through the covered entity.
“Clearly, the level of security currently enacted by these law firms must be elevated in order to protect each law firm from noncompliance and its clients’ valuable medical information,” said Joe Kelly, founder and CEO of Legal Workspace.
Vendor Roles in HIPAA Compliance
A majority of the polled law firms indicated that they had fundamental security processes in place with vendors to support HIPAA compliance.
Sixty percent indicated that they had executed business associate agreements with all vendors that have access to their systems. Fifty-eight percent said that their off-site backup providers follow HIPAA guidelines including instituting strong processes and technology around training, documentation and access to PHI.
“The vendor role in HIPAA compliance is an often overlooked area of concern from a security point of view. Does the technician troubleshooting your practice management solution have a signed business associate agreement with your firm? Does he/she have the correct training to ensure that HIPAA-related data is safely and appropriately accessed? These questions must be asked in order to ensure that all vendor access is HIPAA compliant,” commented Joe Kelly.
Reviewing and Controlling Access to PHI
While law firms are aware of the need to control access to PHI, only 48 percent of the 240 respondents said that they maintain and review logs of all personnel who access PHI. Slightly fewer, 46 percent, said that they keep and review records of the remote devices that hold PHI, so that those devices are properly erased or destroyed when no longer needed. Both are Security Rule requirements (audit controls under 45 CFR 164.312(b), and device and media controls under 164.310(d)), so more than half of the law firms polled are skipping a critical step in PHI security and could be in violation of HIPAA.
“Creating, maintaining and reviewing logs are fundamental steps in monitoring ongoing HIPAA compliance. Difficulties arise with the amount of data available and the numerous ways attorneys can access that data, including via remote devices such as laptops, tablets or phones. All vulnerabilities must be addressed – especially on the mobile front – if law firms want to ensure continued compliance,” said Kelly.
Need to Enhance Cybersecurity
Fewer than half of the polled law firms have adopted key technologies that support an enhanced level of cybersecurity. Forty-five percent said that they have set up encryption for all email, including on the email server, while the remaining 55 percent said that they have not set it up or do not know whether it is set up. Likewise, 39 percent said they have implemented two-factor authentication, and 45 percent have an infrastructure that includes intrusion detection systems. In other words, a majority of the law firms polled may be lacking these elements of a heightened level of cybersecurity. Note that encryption is an “addressable” specification under the Security Rule: a firm that does not implement it must document why and what equivalent safeguard it uses instead. Two-factor authentication and intrusion detection are not named in the Rule, but they are the kind of safeguard that the risk analysis the Rule does require would typically identify.
“The technology normally associated with HIPAA compliance can often be viewed as a burden by law firms when it comes to research, budget and execution. The easiest path to HIPAA compliance from a technology perspective is often to work with providers that offer technology that meets HIPAA standards,” shared Kelly.
Legal Workspace will exhibit in booth number 423 during Legaltech New York, February 2-4. Media and attendees are invited to visit the booth for a demonstration of the Legal Workspace HIPAA Compliant Edition. The solution, the latest addition to the company’s product line, which includes its secure standard edition, allows small and medium law firms considered business associates under the HIPAA Omnibus Final Rule to meet the necessary security regulations, and Legal Workspace signs a HIPAA Business Associate Agreement with the firm. A vendor’s agreement covers the vendor’s own handling of PHI; the firm remains responsible for the safeguards on its side, such as workforce training and controls on the workstations and mobile devices that reach the environment.