skip to content

HIPAA Compliance at Everlaw

by Lisa Hawke

Security Lock

Reading Time — 1 minute

Security within an organization requires constant attention and continuous improvement. At Everlaw, the privacy and security of our customers’ information is of utmost importance. We recently announced that Everlaw achieved a SOC 2 Type 2 certification in Security, Availability, and Confidentiality. For a company to receive this certification, it must have policies and practices that satisfactorily protect the client’s data, and it must also provide detailed evidence and pass independent testing.

We are pleased to share that Everlaw is also compliant with the Health Insurance Portability & Accountability Act (HIPAA) protecting health information. But don’t just take our word for it—we underwent an independent third-party audit and detailed risk analysis to ensure we are in full compliance with all established standards. We wanted to bring the same level of rigor to evaluating our compliance with HIPAA that we applied to our SOC 2 evaluation.

Cloud Service Providers and HIPAA

The HIPAA rules are aimed at health plans, health care providers, and other “covered entities” that collect certain protected health information (PHI).  Everlaw, as a legal technology company classified as a cloud service provider (CSP) under the HIPAA Rules, does not collect PHI as part of normal business operations. However, according to guidance provided by HHS, when “a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI … on its behalf, the CSP is a business associate under HIPAA.” Therefore, CSPs like Everlaw may enter into HIPAA-compliant business associate agreements (BAAs), agreeing to fully comply with the requirements of the HIPAA Rules.

HIPAA Privacy and Security Rules

HIPAA Rules establish a set of standards to ensure that individually identifiable health information is kept private and secure. The Privacy Rule sets national standards for the protection of PHI, generally, whereas the Security Rule protects PHI that is created, received, maintained or transmitted in electronic form (“ePHI”) by a covered entity or their business associate(s).

HIPAA Compliance Evaluation

Business associates, under the HIPAA Rules, are required to perform a periodic evaluation to determine that their policies and procedures meet the security requirements. According to HHS, this compliance evaluation can be performed internally or by an external organization. HHS does not endorse or otherwise recognize private organizations’ “certifications,” and it is a business decision to conduct the evaluation internally or to engage a third party for auditing purposes.

By undergoing an independent audit for our HIPAA compliance evaluation, Everlaw provides assurance to our existing customers, as well as potential new customers, that we comply with HIPAA business associate standards in protecting PHI and ePHI.

Our successful completion of this external HIPAA compliance evaluation illustrates Everlaw’s ongoing commitment to create and maintain the most stringent controls for the protection and security of our customers’ information.

Lisa Hawke, a former environmental scientist and lawyer specializing in privacy, security and compliance, has written articles for publication in TechCrunch, Bloomberg Law, LegalTech News, Above the Law, SCCE Magazine, Ethikos, and the Suffolk University Law Review.