In February of 2021, University of Pittsburgh Medical Center (UPMC) announced that the protected health information of over 36,000 patients may have been accessed by hackers. UPMC contracted with Charles J. Hilton & Associates, P.C. (CJH), a law firm concentrating in healthcare reimbursement and accounts receivable law, to collect on “slow-paying, underpaid, and wrongfully denied insurance accounts receivables.” UPMC routinely sent PHI to CJH so CJH could provide the legal services. In April of 2020, hackers gained access to CJH employee email accounts, compromising patients’ names, dates of birth, and other protected health information.

Law Firms and HIPAA

The cyberattack on the legal billing firm raises a question that should have an easy answer: are law firms subject to HIPAA?

HIPAA applies to healthcare providers and their HIPAA business associates. A HIPAA business associate is an entity that creates, receives, maintains, or transmits electronic protected health information (ePHI) on behalf of a provider. While law firms and legal billing firms do not provide healthcare, many law firms and legal billing firms act as HIPAA business associates to hospitals, hospices, nursing homes, urgent care centers, and doctor offices.

Since CJH, as a legal billing firm, received ePHI from UPMC on a routine basis, CJH is a business associate of UPMC. As a HIPAA business associate, CJH is required to comply with the HIPAA Security Rule. CJH is also required to comply with the HIPAA Privacy Rule in performing whatever Privacy Rule functions it agreed to perform in its contract (called a business associate agreement) with UPMC.


Cyberattack on Legal Billing Firm: The Consequences

The HIPAA Breach Notification Rule requires that a business associate notify a healthcare provider of a data breach. CJH has provided this HIPAA data breach notification, and has also notified patients who may have been affected by the breach. The HIPAA data breach notification must also be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), which will, after receiving the report, conduct an investigation of the breach. Both UPMC and CJH may face potential fines depending on the outcome of the investigation.

UPMC, as a healthcare provider, must ensure unauthorized individuals do not access PHI. An unauthorized disclosure is a violation of the HIPAA Privacy Rule.

CJH, the legal billing firm, discovered in June of 2020 that its system had been compromised for almost three months in 2020. A forensics investigation revealed that the compromised patient accounts contained a treasure trove of PHI, including names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, trip numbers, Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, and medical benefits and entitlement information, among other PHI.

As a HIPAA business associate, CJH must comply with the administrative, technical, and physical safeguards requirements of the HIPAA Security Rule. If OCR finds that CJH failed to do so, OCR can fine CJH directly. Before 2013, business associates were not directly liable for data breaches. The 2013 HIPAA Omnibus Rule made HIPAA business associates directly liable for Security Rule compliance.

Law firms, like any other entity that fits the definition of a HIPAA business associate, must follow the law, keep ePHI safe, and comply with the HIPAA Breach Notification Rule when a breach occurs. Since the compliance date of the Privacy Rule in April 2003, OCR has received over 252,539 HIPAA complaints. To date, OCR has settled or imposed a civil money penalty in 93 cases, resulting in a total dollar amount of $129,758,482.00. CJH may join this company, making it clear that law firms, just like any other business, must adhere to the language in their own business associate agreements and follow the HIPAA Breach Notification Rule.
