What is a data breach?
A data breach is a security incident in which data is accessed or disclosed without authorization. Since 2014, over 100 law firms have reported data security breaches in the U.S. Differences in reporting requirements across states make it difficult to assemble a comprehensive view of all breaches and their trends, but phishing attacks and vendor leaks account for a large share of those that have been reported.
What should I know about HIPAA and data security?
When we think of the Health Insurance Portability and Accountability Act (HIPAA), clinic waiting rooms and hospital front desks spring to mind. However, HIPAA does not apply only to hospitals and doctors. The rule is comprehensive and addresses security and privacy around electronic transactions, breach notifications, and data access.
These requirements apply to covered entities, which include health plans, healthcare providers, and healthcare clearinghouses. You’re probably thinking, “My law firm doesn’t fall into any of those categories.” And you’re right. But that doesn’t mean legal organizations are exempt from the requirements and regulations surrounding HIPAA.
So, are law firms and attorneys subject to HIPAA?
The HIPAA rule applies to covered entities (e.g., hospitals) and to their business associates. In its definition of business associates, HIPAA expressly addresses legal organizations. Law firms and attorneys are considered business associates “when the legal services provided involve disclosure of PHI from a covered entity” or from another business associate to the firm. Yet a survey conducted by Legal Workspace suggested that the majority of attorneys handling health data were not complying with HIPAA’s rules. Failing to comply can be ruinously expensive, as the breach fallout that sent Retrieval-Masters into bankruptcy earlier this year shows.
If you’re gathering information that is subject to HIPAA, you need to follow HIPAA’s rules. Protected health information (PHI) is “individually identifiable health information,” i.e., health information (including demographic information) that:
- is created or received by a health plan, healthcare provider, healthcare clearinghouse, employer, or certain other entities;
- relates to an individual’s past, present, or future physical or mental health condition, the provision of health care to the individual, or the past, present, or future payment for that care; and
- identifies the individual, or provides a reasonable basis to believe it could be used to identify the individual.
In recent years, the Department of Health and Human Services has been cracking down on HIPAA violations. The most common (and most expensive) violations include:
- Failing to perform an enterprise-wide risk analysis
- Lack of a risk management process
- Failure to enter into a HIPAA compliant business associate agreement
- Insufficient ePHI access controls
- Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
- Exceeding the 60-day deadline for issuing breach notifications
- Impermissible disclosures of PHI
- Improper disposal of PHI
The bottom line is, if your legal organization deals with health data, you need to make sure you’re meeting the requirements outlined by HIPAA.
What can I do to maintain HIPAA compliance?
A few best practices go a long way toward keeping your organization compliant. Vendor breaches are one of the biggest problems in health data security, so make sure every piece of software that touches patient health data meets HIPAA’s requirements and is covered by a business associate agreement. This includes your CRM, contract management software, document management system, and any other data collection tool. After vendor breaches, phishing is the next most common cause of data security breaches. Make sure your staff understands that phishing attacks will happen, show them concrete examples of what to look out for, and give them a simple way to report suspicious messages.