3 Simple Steps to Make Sure Your Law Firm is HIPAA-Compliant


If any of your clients are involved with health care, you know how highly regulated the field is.  You may think you are complying with all the regulations and have lock-tight security measures in place at your law firm.  But you could be wrong.

Thirty-two percent of breaches in recent years were caused by IT incidents or hacking.  Either due to lax security practices or cyberattacks, personally identifiable information such as medical records and payment history was open to unauthorized third parties.

When you work with PHI, you need to keep your firm steps ahead of hackers and away from accidental data breaches – and be aware of your responsibilities.  As a law firm “business associate” handling PHI, you need to understand what the government expects of you, and where you may be vulnerable.

Security for PHI is governed under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Omnibus Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH).  Under these rules, “covered entities” such as health plans, health care clearinghouses and medical providers can share PHI with their business associates, including law firms.

If your firm receives any protected health information (PHI) from a client who is a covered entity, you become a business associate.  When that happens, you need to execute a business associate agreement (BAA) that guarantees your firm will keep the information safe and use it only for the purposes for which you were engaged.  BAAs carry very high expectations and severe penalties for failure to comply.

For example, imagine that you have a support issue with your document management system, which contains electronic patient health information.  Your first instinct may be to call the solution provider’s support line, but allowing any access to that information – even in a support capacity – can mean noncompliance with HIPAA.

What’s more, data can be lurking in all sorts of places, including copy machines.  And if you’re ever tempted to step away from your laptop in a public place – no matter how safe – doing so can violate HIPAA.

Here are three steps that business-associate law firms should take when handling protected health information:

Step 1: Conduct a Risk Assessment

Once you become a business associate, you need to identify risks in your current practices, technology and controls.  Fortunately, you don’t need to reinvent the wheel.  The Department of Health and Human Services Office for Civil Rights offers some basic information about HIPAA, including summaries of the act’s privacy and security requirements and sample contracts for business associates.

Your IT auditor should look at three specific areas to identify the potential risks in each one:

  • Physical safeguards. This involves limiting access to facilities and electronic information at offices.  It also includes protecting servers and backup data.
  • Technical safeguards. Business associates need to protect electronic PHI through intrusion detection and prevention systems (IDPS), encryption and key management, HIPAA-level security auditing, two-factor authentication, passwords and other methods.
  • Administrative safeguards. Your firm will need to designate a security officer responsible for maintaining privacy and security policies, procedures and systems.  You will also need to develop policies limiting access to PHI, and an emergency response plan for accidental or deliberate incidents that can compromise data, such as a natural disaster or a data breach.

Step 2: Create the Necessary Documentation

Once the risk analysis highlights gaps, it’s time to shore up those weaknesses and codify processes and procedures.  You may be able to adapt current policies and procedures, or you may need to create new ones.  Every law firm is unique, so these documents can’t be completely cut and pasted from other sources.

Your documents should lay out the processes involved in maintaining the confidentiality, integrity and availability of electronic PHI.  This includes the physical, technical and administrative safeguards.  It should explicitly describe processes for creating passwords and encrypting data, maintenance, access logs, security audits and other factors.

The policies should include a plan for steps to take when the firm suspects or knows that a data breach has occurred, such as notifying the covered entity.  You will also need procedures for responding to emergencies: systems failures, natural disasters and other incidents.

Step 3: Conduct Compliance Training for the Firm

Training should offer an overview of HIPAA, as well as the act’s Omnibus Rule.  It should also include information on HITECH, which was enacted to promote the adoption and meaningful use of health information technology.  In part, Subtitle D of HITECH addresses privacy and security concerns associated with electronically transmitting health information.

Along with outlining legal requirements, training should clarify what the firm expects from attorneys and staff in terms of ensuring privacy and security.

Training can be done online in less than an hour in some cases.  Training isn’t something you can do once and forget about, though.  As long as you remain a business associate, you should conduct a risk assessment every year and periodically train and refresh users on their obligations and best practices.

When it comes to government standards around security and privacy, HIPAA ranks among the most stringent.  And the penalties for failing to comply can be severe: fines can reach $1.5 million per year.

Planning ahead, understanding your obligations and finding the right IT team can go a long way toward avoiding problems.


Phillip Long – CISSP, CEO of , along with his team of marketing and information technology experts, will walk you through an overview of what your business should be doing to protect your data and plan your digital marketing strategies.


is the technology leader on the Gulf Coast and is comprised of four divisions: Information Technology, Web Design & Digital Marketing, Office Equipment and Business Consulting. Together these divisions help local businesses exceed expectations and allow them to grow to their full potential while minimizing risks. To learn more about , visit


You may reach out to us at:
Phone: 251-405-2527
