HIPAA and SOC 2 Type 1 and Type 2: What Our Compliance Means for You and Your Clients

Medical Record

January 28, 2026

When you outsource medical record retrieval, the goal is to save time and money by freeing staff to focus on advancing the case. But if your vendor is not HIPAA compliant, or commits a HIPAA violation, your firm can still be held responsible for the protected health information (PHI) it shared. That is why choosing a partner who understands the HIPAA Privacy Rule and actively protects PHI is critical. At Rob Levine Legal Solutions, we are HIPAA compliant and have completed both SOC 2 Type 1 and SOC 2 Type 2 audits, so you can trust that sensitive information is handled with the same care and security as it is within your firm.

What Is HIPAA? 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), often referred to simply as the HIPAA law or, in the context of privacy, the HIPAA Privacy Rule, is a federal law that gives individuals the right to understand and control how their protected health information (PHI) is used and disclosed. Outside of treatment, payment, and health care operations, a covered entity generally needs the individual's written authorization before sharing PHI (for example, releasing records to a law firm), and anyone who receives PHI under HIPAA must take reasonable steps to safeguard it.

HIPAA matters to personal injury firms because they receive clients' health information related to the injuries at issue in the claim, and it applies to Rob Levine Legal Solutions because our medical record retrieval service requests, collects, organizes, and delivers those records on behalf of our clients. Under HIPAA, an organization that handles PHI on behalf of another is a business associate, and both the law firm and our medical record retrieval service are treated as business associates in that chain.

What Is SOC 2 and Why Does It Have Two Types? 

SOC stands for System and Organization Controls. SOC 2 is an independent audit report that a service organization (commonly in health care, finance, SaaS, or cloud services) can obtain after a licensed CPA firm evaluates whether its systems and controls are suitably designed, and in a Type 2 report whether they operate effectively, to protect the information entrusted to it, including PHI. Although it is widely described as a certification, a SOC 2 engagement produces an attestation report rather than a certificate. SOC 2 is organized around five Trust Services Criteria defined by the American Institute of Certified Public Accountants (AICPA), which established the framework for SOC 1, SOC 2, and SOC 3. The SOC 2 criteria are:

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure, and damage that could compromise their availability, integrity, confidentiality, or privacy.
  • Availability: Information and systems are available for operation and use as committed or agreed. In other words, the organization can keep the promises it has made about uptime and access to its services.
  • Confidentiality: Information designated as confidential (for example, contracts, case files, or other business data that is not personal information) is properly collected, used, retained, disclosed, and disposed of.
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized in a way that meets the organization's objectives.
  • Privacy: Personal information is properly collected, used, retained, disclosed, and disposed of.

While these are the five criteria, not all of them are required in every audit. Security (the common criteria) is the only one that is mandatory for all SOC 2 reports. The other four are added to the scope based on the services the organization provides and the commitments it makes to its customers. In our case, all five were in scope because of the nature of medical record retrieval.

Type 1 and Type 2 

Businesses can be audited for SOC 2 Type 1, SOC 2 Type 2, or both. A SOC 2 Type 1 report assesses whether the controls are suitably designed and implemented as of a specific date, while a SOC 2 Type 2 report assesses whether those controls operated effectively over a review period, typically three to twelve months. Think of Type 1 as a photograph and Type 2 as a video: Type 1 shows the controls are in place at a point in time, while Type 2 shows they keep working over time.

We Are Type 1 and 2 Certified 

Rob Levine Legal Solutions underwent the SOC 2 auditing process, beginning with a Type 1 audit. This provides evidence that we have controls in place to ensure that the PHI, and all other information, entrusted to us is kept confidential, secure, available as appropriate, and is properly used, retained, disclosed, and disposed of.

We then underwent the Type 2 audit, which tested that our systems and controls operated effectively throughout the review period. Together, these two reports give our clients the peace of mind of knowing that when they outsource their medical records requests to us, the information will be protected as securely as if they handled the retrieval themselves.

What Is the Difference Between HIPAA and SOC 2? 

HIPAA is a federal law that must be followed by covered entities and their business associates. Being HIPAA compliant is not optional for those organizations, and a HIPAA violation can result in:

  • Significant civil and criminal penalties and fines  
  • Disciplinary actions 
  • Potential imprisonment 
  • Loss of professional licensure 
  • A severely damaged reputation  

SOC 2 is not a law. It is a voluntary audit that an organization can choose to undergo as a show of good faith to its current and potential clients. Completing SOC 2 Type 1 and SOC 2 Type 2 audits gives the organization an opportunity to demonstrate to its clients, through an independent third-party examination, that it has implemented the systems and controls that support its HIPAA compliance. A SOC 2 report does not by itself make an organization HIPAA compliant, but the two overlap heavily: the Security, Confidentiality, and Privacy criteria map closely to the administrative, physical, and technical safeguards HIPAA requires.

Benefits of Being HIPAA Compliant and SOC 2 Type 1 and Type 2 Certified

There are several benefits to being HIPAA compliant and completing both SOC 2 Type 1 and SOC 2 Type 2 audits. The most obvious benefit of HIPAA compliance is avoiding the consequences of a HIPAA violation. Other benefits of HIPAA compliance include:

  • Enhanced data security
  • Increased patient and client trust
  • Improved operational efficiency

A SOC 2 Type 1 report also has several benefits:

  • Instills confidence in potential customers by showing them our commitment to data security
  • Establishes trust with existing customers and stakeholders by demonstrating a proactive approach to high information protection standards
  • Satisfies the initial compliance validation requirements that potential clients often have in vendor due diligence
  • Meets prerequisites for future partnerships we may explore

A SOC 2 Type 2 report has additional benefits, including:

  • Overlaps with the controls expected under data protection regulations such as HIPAA and the General Data Protection Regulation (GDPR), which simplifies and streamlines our compliance efforts and reduces the risk of regulatory penalties
  • Reduces the likelihood and potential impact of security incidents, because the audit verifies that controls actually operated over time rather than merely existed on paper, which helps prevent data breaches and their associated costs and allows us to keep our services affordable

What Our Compliances and Certifications Mean for You and Your Clients 

For your firm and your clients, selecting a record retrieval partner that is HIPAA compliant and has completed SOC 2 Type 1 and Type 2 audits provides more than peace of mind; it provides protection. These standards signal that client health information is handled with care, consistency, and accountability, reducing compliance risk while reinforcing client trust. With safeguards in place behind the scenes, your firm can focus on advancing cases efficiently and confidently, knowing sensitive information is protected at every step. Contact Rob Levine Legal Solutions today to discuss how we can assist your firm.
