

Law Offices HIPAA

Due to changes in the HIPAA regulations, lawyers can be categorized as a Business Associate if they handle protected health information (PHI). This means that more stringent protocols are enforced for these law firms. These changes were put into place in January 2013. Recently, Legal Workspace conducted a survey to determine what percentage of healthcare law firms were complying with the HIPAA regulations as they were designed. Here are some of the findings.


  • Approximately 87 percent of the 240 law firms surveyed stated that they had not implemented the technology requirements outlined in the HIPAA regulations.
  • Over half of the law firms surveyed did not have protocols in place to detect intrusions onto their networks.
  • Among the 55 percent of respondents whose email was not confirmed as encrypted, it is unclear how many did not know whether their email server was encrypted and how many had no email encryption at all.
  • 42 percent stated that they have noncompliant off-site data backups.

Record Keeping

  • 52 percent of the law firms do not keep access logs for PHI.
  • 60 percent of the firms had the required Business Associate agreement currently in place.
  • A little under half kept PHI on a remote device and made sure it was completely erased once it was no longer needed.

These survey results show that law firms need to reevaluate the protocols and procedures they have in place for safeguarding protected health information. Firms that do not are leaving themselves vulnerable to cyberattacks that could compromise PHI. Firms need to protect their networks as well as every device connected to them. It is also important to ensure that no unnecessary data is left on mobile devices, as this could compromise patients’ privacy.