If your law firm provides legal services to a client and receives patient data from that client in the course of providing those services, your firm is a Business Associate of the client under HIPAA. Before your firm can receive patient data from a client, it needs to execute a business associate agreement (BAA) that guarantees the firm will keep the information safe and use it only for the purposes for which it was engaged. BAAs carry very high expectations and severe penalties for failure to comply.
It is important to take note of the HIPAA rule of 2013 (Sections 13401 and 13404 of the HITECH Act), which requires Health and Human Services (HHS) to treat healthcare Business Associates like healthcare covered entities. That means your law firm is treated like a healthcare entity. When you work with patient health information, you need to keep your firm several steps ahead of cyber criminals and away from accidental data breaches.
From November 2015 to January 2016, a survey of law firms conducted by Legal Workspace found that many law firms are not complying with HIPAA. The majority of attorneys who handle their clients' personal health information have failed to implement the appropriate technical, administrative, and physical safeguards to keep client data secure. Legal Workspace surveyed 240 law firms, asking about the technical controls they had put in place to keep client data secure. Only 13% of the law firms surveyed said they had implemented the technology necessary to ensure compliance with HIPAA.
The penalties for violating HIPAA are serious. Under the act’s tiered penalty structure, the amount of fines increases with the level of culpability, with a maximum of $1.5 million per year for the same violation. The different levels are:
- Violation due to reasonable cause and not due to willful neglect
- Violation due to willful neglect but is corrected within the required time frame
- Uncorrected violation due to willful neglect
Keep in mind that although each law firm is unique, several areas present common challenges. Encrypting personal health information is a must. Encryption and security policies are two of the best ways to keep data secure. When working with hosting providers and vendors who handle data, attorneys must make sure that those companies are HIPAA-compliant.
It is important to work with a trusted, knowledgeable partner such as Fastcomcorp, which offers turnkey products and services that can help law firms become HIPAA compliant.