
HIPAA-Compliant Safeguards

March 21, 2022

Record Retrieval

HIPAA-Compliant Safeguards for Your Record Retrieval Partners

When law firms work with third parties to retrieve medical records, HIPAA compliance has to be part of the conversation. A vendor that handles protected health information (PHI) on the firm's behalf is a business associate, and the firm should take steps to confirm that its business associates consistently follow HIPAA's requirements. Keeping a close eye on a vendor's policies and procedures helps a law firm avoid the substantial penalties that a HIPAA violation caused by an external partner can bring.

To stay compliant, law firms should perform risk assessments to confirm that their partners meet the standards HIPAA requires. The HIPAA Security Rule, administered by the US Department of Health and Human Services, requires a documented risk analysis and administrative, physical, and technical safeguards for electronic protected health information (ePHI). Review the following safeguards with your service provider to make sure they comply with the rules and regulations.

Administrative Safeguards

Ask your records retrieval provider if they:
  • Designate a security official who is responsible for developing and implementing the policies and procedures that prevent security violations, including HIPAA privacy and security training for the workforce
  • Limit access to ePHI to authorized staff only, and provide security awareness training, e.g., how to set up multi-factor authentication, create strong passwords, recognize and avoid email phishing attempts, and report a suspected security breach
  • Outline procedures to identify, respond to, mitigate, and document a security incident and its outcome
  • Maintain contingency plans for data backup and disaster recovery
  • Establish procedures for notifying affected parties of a data breach, as the HIPAA Breach Notification Rule requires


Physical Safeguards

Ask your records retrieval provider if they:
  • Keep office spaces, and the rooms or cabinets that hold servers, network equipment, and paper records, locked when unattended
  • Control entry to and exit from the premises, e.g., key fob, smart card, or keyless entry systems, so that only authorized people can get in
  • Train staff not to leave documents, computers, laptops, or mobile devices that contain PHI unattended or in public view

Technical Safeguards

Ask your records retrieval provider if they:
  • Control and monitor access to systems that contain ePHI, with a unique account for each user so that activity can be traced to an individual
  • Encrypt ePHI at rest and in transit, and require authentication for access, so that PHI is securely created, stored, and transmitted
  • Use audit logging that records activity in ePHI systems, and review those logs regularly

Brandy Patrick

Records Division President

Brandy Patrick is the President of the Record Retrieval Division of Lexitas. Ms. Patrick has over 17 years of experience in sales, operations, and mergers & acquisitions. Ms. Patrick is a thought leader in the industry, providing deep knowledge of HIPAA and the complex laws impacting record retrieval. Prior to her current role, Ms. Patrick was President of America First Legal Services, a premium record retrieval company acquired by Lexitas.
