HIPPA Compliance for Law Firms

hp_autonomyOn September 23, 2013,  the U.S. Department of Health and Human Services for “business associates,” such as law firms, to comply with new standards regarding patient information as established in the Health Insurance Portability and Accountability Act’s Privacy, Security, Enforcement and Breach Notification Rules (the “HIPAA Omnibus Rule“).

Law firms that are ignoring this regulation are more than likely not in compliance and therefore in danger of being audited and fined by U.S. Department of Health and Human Services.   Of even more immediate importance is the fact that if your law firm is ignoring this requirement, your personal health related information may be at risk of being made public.


Law Firm Poll Regarding HIPPA Compliance


In an interesting article by William Caraher, CIO of von Briesen & Roper titled, “HIPAA Compliance With HP Autonomy iManage v9.0,” published on December 3, 2013 on the Law Technology News Site, Mr. Caraher contends that HP Autonomy provides a way to encrypt law firm data in order to be in compliance with the HIPPA requirements.

Other software vendors are taking a more investigative approach with machine learning and predictive analytics that provide law firms with the ability to monitor unstructured data in search of potential HIPPA compliance issues.

Over the next couple of weeks I will be  investigating these tools and publishing the results of my findings.

The full text of Mr. Caraher’s article are as follows:

September 23 has come and gone. That was the deadline set by the U.S. Department of Health and Human Services for “business associates,” such as law firms, to comply with new standards regarding patient information as established in the Health Insurance Portability and Accountability Act’s Privacy, Security, Enforcement and Breach Notification Rules (the “HIPAA Omnibus Rule”).

There is a misconception that compliance with the new HIPAA rules is a complicated and costly endeavor. Nothing could be further from the truth, especially for firms and corporate law departments with existing document management systems. Many of these systems have enhanced security and encryption features already built in. Using the included mechanisms and controls from your DMS vendor may not only satisfy but also go above and beyond the requirements to secure protected health information.
Von Briesen & Roper’s answer to HIPAA compliance was free. We enabled HP Autonomy iManage v9.0 HIPAA encryption, which fully complies with the new rules and regulations. Because version 9 is an included upgrade with the maintenance agreement for HP Autonomy’s WorkSite DMS, this did not cost the firm an extra dime. This analysis will describe the encryption features in the latest release of WorkSite.

A law firm can comply with HIPAA requirements using WorkSite version 9, which now supports 128-bit AES (Advanced Encryption Standard) encryption for files stored (“at rest”) on the server and copied to client desktops (“in transit”). With a few coordinated in-place upgrades to the back-end servers and user systems, a firm can be compliant in a matter of days. Most firms that have invested in enterprise-class DMS subscribe to the annual maintenance agreements that include free software upgrades. To their credit, HP Autonomy has always included major and minor software updates for maintenance subscribers. A few legal software vendors out there like to charge for “forklift upgrades,” which really grinds our gears and budgets.

When you enable the encryption feature in WorkSite, users can use a new metadata flag to indicate that files need encryption. When that encryption flag is set, the DMS takes immediate action to secure the file. Encrypted files are moved to a special Windows EFS (Encrypted File System) partition on the document store server. Once moved, encrypted files can only be accessed by native FileSite, DeskSite or other HP Autonomy authorized application programming interfaces. The conversation between the client and server is encrypted either by enabling HTTPS communication or utilizing the default Transmission

Control Protocol (TCP) over an encrypted Remote Procedure Call (RPC).
The great thing about all of this is that once enabled, encryption is seamless and does not involve the end user. Users need not save any additional passwords or store special decryption keys on their local hard drive. The new WorkSite automatically enforces security policies, utilizing trusted logins and Active Directory to ensure that the user access lists govern permissions when opening encrypted files.

Third-party tools that try to directly access flat file stores or create separate indexes will not have access to WorkSite-encrypted documents. Also, anyone browsing the document store server EFS partition will find encrypted files in an unreadable state. If you have many third-party tools that are integrated with your DMS, be sure they are utilizing the HP Autonomy API and not work-around tactics to access your data.

Critics of embedded DMS encryption will say the end user’s temporary folders are the weak link and thus DMS encryption cannot be relied upon for HIPAA compliance. While it is true that the temporary directories might save copies of decrypted health information, the best practice regarding laptop security is to encrypt the complete hard drive of the end user. So, the health information “at rest” on the laptop is still HIPAA-compliant.
HP Autonomy has confirmed that client-side encryption of local working directories (NRPortabl and NRTEcho folders) are not part of their version 9 encryption feature set. If you secure the disk with BitLocker or another full-disk encryption product, then you are compliant. Users often export files to their desktop or check out files to another local directory, so full-disk encryption is a best practice even when other DMS vendors say their temporary files are encrypted.

HP Autonomy provides a solid and virtually free software product to solve the HIPAA compliance dilemma of firms that have protected health information on their servers. Firms that have only written policy around their best practices may find themselves out of compliance. The WorkSite v9.0 encryption is solid and transparent to the end user.


About Charles Skamser
Charles Skamser is an internationally recognized technology sales, marketing and product management leader with over 25 years of experience in Information Governance, eDiscovery, Machine Learning, Computer Assisted Analytics, Cloud Computing, Big Data Analytics, IT Automation and ITOA. Charles is the founder and Senior Analyst for eDiscovery Solutions Group, a global provider of information management consulting, market intelligence and advisory services specializing in information governance, eDiscovery, Big Data analytics and cloud computing solutions. Previously, Charles served in various executive roles with disruptive technology start ups and well known industry technology providers. Charles is a prolific author and a regular speaker on the technology that the Global 2000 require to manage the accelerating increase in Electronically Stored Information (ESI). Charles holds a BA in Political Science and Economics from Macalester College.