In February of 2021, University of Pittsburgh Medical Center (UPMC) announced that the protected health information of over 36,000 patients may have been accessed by hackers. UPMC contracted with Charles J. Hilton & Associates, P.C. (CJH), a law firm concentrating in healthcare reimbursement and accounts receivable law, to collect on “slow-paying, underpaid, and wrongfully denied insurance accounts receivables.” UPMC routinely sent PHI to CJH so CJH could provide the legal services. In April of 2020, hackers gained access to CJH employee email accounts, compromising patients’ names, dates of birth, and other protected health information.

Law Firms and HIPAA

The cyberattack on the legal billing firm raises a question that should have an easy answer: are law firms subject to HIPAA?

HIPAA applies to healthcare providers and their HIPAA business associates. A HIPAA business associate is an entity that creates, receives, maintains, or transmits electronic protected health information (ePHI) on behalf of a provider. While law firms and legal billing firms do not provide healthcare, many law firms and legal billing firms act as HIPAA business associates to hospitals, hospices, nursing homes, urgent care centers, and doctors' offices.

Since CJH, as a legal billing firm, received ePHI from UPMC on a routine basis, CJH is a business associate of UPMC. As a HIPAA business associate, CJH is required to comply with the HIPAA Security Rule. CJH is also required to comply with the HIPAA Privacy Rule in performing whatever Privacy Rule functions it agreed to perform in its contract (called a business associate agreement) with UPMC.

Cyberattack on Legal Billing Firm: The Consequences

The HIPAA Breach Notification Rule requires that a business associate notify a healthcare provider of a data breach. CJH has provided this HIPAA data breach notification, and has also notified patients who may have been affected by the breach. The HIPAA data breach notification must also be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), which will, after receiving the report, conduct an investigation of the breach. Both UPMC and CJH may face potential fines depending on the outcome of the investigation.

UPMC, as a healthcare provider, must ensure unauthorized individuals do not access PHI. An unauthorized disclosure is a violation of the HIPAA Privacy Rule.

CJH, the legal billing firm, discovered in June of 2020 that its system had been compromised for almost three months in 2020. A forensics investigation revealed that the compromised accounts contained a treasure trove of PHI, including names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, trip numbers, Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, and medical benefits and entitlement information, among other PHI.

As a HIPAA business associate, CJH must comply with the administrative, technical, and physical safeguards requirements of the HIPAA Security Rule. If OCR finds that CJH failed to do so, OCR can fine CJH directly. B