Ohio Rule 1.6 Confidentiality & Client Data Protection for Law Firms
Insurers, client contracts, and ethics rules expect strong safeguards for medical records. This page outlines the controls and documentation used to support renewals, audits, and confidentiality obligations.
Built for Ohio law firms handling medical records with no internal IT staff.
- Your cyber insurance broker asked for proof of MFA, backups, and training completion records
- A hospital or corporate client asked about your security controls before sending cases
- You have a file retention policy somewhere, but nothing enforcing it in your case management system
- You handle medical records but couldn’t document your Ohio Rule 1.6 safeguards if asked
- You’re relying on “we’re careful” instead of evidence you could hand to an insurer or bar counsel
The Compliance Reality for Ohio Law Firms
Law firms handling medical records face strong security expectations from multiple directions—even without Business Associate obligations.
Ohio Prof. Conduct Rule 1.6
Prohibits disclosure of “any information relating to representation” including medical records in case files. Requires reasonable efforts to prevent inadvertent disclosure.
Cyber Insurance Application Requirements
Underwriters mandate documented MFA, encryption, backups, and workforce training for coverage and renewals.
Client Contract Security Requirements
Large referral sources increasingly require documented controls before sending cases.
Confidentiality Safeguards Used in Healthcare Environments
Using strong safeguards (encryption, access controls, audit logs) is the baseline insurers and ethics bodies expect when medical records are involved.
Ohio File Retention Guidance (OBLIC)
OBLIC provides practice management guidance on file retention. Retention periods vary by matter type; documented policies with enforcement support malpractice defense.
Technology Safeguards and Reasonable Efforts
Ethics guidance expects attorneys to use reasonable safeguards to prevent unauthorized disclosure when using technology, including secure access controls, encryption, and monitoring.
Your Quarterly Evidence Package
✓ Privileged access documentation
✓ Password manager status
✓ SOC monitoring summaries
✓ Patch & vulnerability summary
✓ Vulnerability scan results
✓ Secure remote access config
✓ Backup test results
✓ Business continuity & disaster recovery plan
✓ Encrypted email configuration
✓ Retention/hold settings
✓ Phishing simulation results
✓ Policy acknowledgment records
Updated quarterly. Ready for insurance renewals, client audits, and documentation requests.
What Happens When Client Data Is Breached
Documented safeguards matter when facing bar investigations, insurance claims, or client contract audits.
Bar Discipline Under Ohio Rule 1.6
Confidentiality breaches can trigger investigation. Documented safeguards demonstrate “reasonable efforts” under the rule.
Cyber Insurance Claim Review
Claims may be reviewed against the controls stated on the application. Evidence matters most when an incident occurs.
Malpractice Exposure
When an incident occurs, documentation and timelines matter. Evidence supports reporting and post-incident review.
“Capstone handles all of my law firm’s IT needs and has since we opened in April 2020. The team responds quickly and addresses whatever issues we encounter efficiently and completely. We will continue to use Capstone for years to come. I cannot recommend them highly enough.”
Controls Mapped to Requirements
Each safeguard addresses specific compliance drivers. We implement the controls, document them quarterly, and provide evidence packages for insurance applications and audits.
Why law firms need this: Your case management system stores client medical records. Proper configuration controls who can access which files and creates audit trails for compliance verification.
What we implement: Role-based access controls, encrypted folders for sensitive records, audit logging, retention enforcement aligned with your schedule.
Satisfies: Ohio Rule 1.6(c), Client Contract Requirements, Cyber Insurance Documentation
Why law firms need this: Prompt detection supports notification obligations and limits impact.
What we implement: 24/7 SOC monitoring, SIEM correlation, email filtering, documented incident response procedures.
Satisfies: Ohio Rule 1.6(c) Reasonable Safeguards, Cyber Insurance Monitoring Requirements
Why law firms need this: Recoverability drives business continuity and reduces downtime after ransomware or accidental deletion.
What we implement: Encrypted backups, offline/immutable options, recovery testing with documentation, retention rules and legal holds.
Satisfies: Ohio File Retention Guidance, Cyber Insurance Backup Requirements, Disaster Recovery Expectations
Why law firms need this: Human error remains a common entry point for incidents. Training supports the “reasonable efforts” standard and insurance documentation.
What we implement: Training cadence + phishing simulations, completion records, policy acknowledgment tracking.
Satisfies: Ohio Rule 1.6(c) Reasonable Efforts, Cyber Insurance Training Requirements
Why law firms need this: Sensitive records move through email daily; configuration and retention controls reduce risk.
What we implement: Security hardening, MFA enforcement, secure messaging options, retention holds for litigation, documented configuration evidence.
Satisfies: Cyber Insurance Email Security Requirements, Client Contract Provisions, Ohio Rule 1.6(c)
What Your Cyber Insurance Underwriter Requires
Cyber insurance applications require documented proof of specific safeguards. We implement these controls and provide evidence packages for applications and renewals.
Multi-Factor Authentication
What insurers ask: “MFA enforced on email, case management, and remote access?”
What we document: Configuration evidence and enrollment verification for users.
Endpoint Detection & Response
What insurers ask: “EDR on all devices?”
What we document: Deployment reports and alerting evidence.
Offline / Immutable Backups
What insurers ask: “Are backups offline/immutable and tested?”
What we document: Backup configuration + recovery test results with timestamps.
Security Awareness Training
What insurers ask: “Do all staff complete training?”
What we document: Completion records and phishing results.
What Law Firms Receive
Specific deliverables for attorneys, managing partners, insurance underwriters, and client contract audits.
Ohio Rule 1.6 Compliance Documentation
Documentation showing reasonable safeguards to protect confidential client information: implemented controls, access restrictions, encryption, and training records. Defense package for inquiries.
Evidence Packages for Insurance Applications
Documentation proving MFA, EDR, encrypted backups, email protections, and workforce training are implemented—with exports and reports underwriters expect.
Case Management System Configuration
Security setup for your legal CMS: role-based access controls, encrypted storage for sensitive records, audit logging, and retention rules aligned to your schedule.
File Retention Policy with Enforcement
Documented retention policy aligned with Ohio guidance, retention rules customized to your schedule, legal hold support, and defensible destruction procedures.
Policy Library & Acknowledgment Tracking
Policies customized for law firms (Confidentiality, Medical Record Handling, Acceptable Use, Incident Response) with dated acknowledgment tracking for staff.
Weekly Status Reports
Every Monday: system status, threats blocked, backup verification, and items needing attention—written for non-technical readers.
“Could not ask for better IT / technical support! Capstone has been our go-to for years and we have always been 100% satisfied with the excellent service.”
Common Questions from Ohio Law Firms
The evidence pack is pre-formatted documentation proving your controls are implemented and active:
- MFA verification: Screenshots showing MFA enabled on email, case management, and remote access. Configuration exports. Enrollment verification for every attorney and staff member.
- EDR coverage: Agent deployment reports showing protection on every endpoint. Threat detection logs from the past quarter.
- Backup testing: Recovery test results with timestamps. Restoration verification. Configuration showing immutability/offline safeguards.
- Training documentation: Completion certificates for every staff member. Phishing simulation results showing click rate trends over time. Policy acknowledgment records.
- Email security: Protection configuration and quarterly summaries showing outcomes.
Evidence packages are updated quarterly so documentation is current when your insurance renewal arrives or a client requests a security audit.
You’re correct that law firms receiving medical records under patient authorization typically aren’t Business Associates. But three other forces still require strong safeguards:
- Ohio Rule 1.6: Requires reasonable efforts to protect all client information including medical records.
- Cyber insurance applications: Underwriters require documented MFA, encryption, backups, and training.
- Referral source contracts: Medical providers and corporate clients increasingly require documented controls before sending cases.
The distinction matters for certain legal notification obligations, but insurers and clients still evaluate the same core safeguards.
Ohio OBLIC provides guidance on file retention, with periods varying by matter type and risk. We implement policy-based retention enforcement in your case management system:
- Documented policy: Written retention policy aligned with Ohio guidance and your firm’s risk tolerance
- Policy-based enforcement: Retention rules in your CMS, automated flagging when matters approach retention limits
- Legal hold support: Process to suspend destruction for active matters or anticipated litigation
- Client notification: Procedures for notifying clients before file destruction per Ohio ethics recommendations
- Secure destruction: Documented destruction process with certificates of destruction
This creates a defensible position if questioned about destroyed files during malpractice claims or ethics investigations.
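The retention workflow above (policy period by matter type, automated flagging as a matter approaches its limit, legal holds that suspend destruction, client notification before destruction, and a destruction record) can be expressed as a small state machine. The Python below is an added illustration written for this page; it is not Capstone's tooling and not any case management platform's API. The retention periods, the 90-day warning window, the matter types, and the `Matter` fields are all constructed assumptions standing in for a firm's documented schedule.

```python
"""Policy-based retention enforcement model (illustrative, not vendor code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import hashlib

# Assumed retention schedule in years after matter close. A real schedule
# comes from the firm's written policy and OBLIC guidance, not from this table.
RETENTION_YEARS = {"personal_injury": 7, "medical_malpractice": 10, "estate_planning": 20}
# Assumed window in which a matter is flagged as approaching its retention limit.
APPROACHING_WINDOW_DAYS = 90


@dataclass
class Matter:
    matter_id: str
    matter_type: str
    closed_on: date
    legal_hold: bool = False                 # active matter or anticipated litigation
    client_notified_on: Optional[date] = None  # date the pre-destruction notice was sent


def retention_end(matter: Matter) -> date:
    """Date after which the file may be considered for destruction."""
    years = RETENTION_YEARS[matter.matter_type]
    try:
        return matter.closed_on.replace(year=matter.closed_on.year + years)
    except ValueError:  # closed on Feb 29 and the target year is not a leap year
        return matter.closed_on.replace(year=matter.closed_on.year + years, day=28)


def evaluate(matter: Matter, today: date) -> str:
    """Return the retention status a CMS would surface for this matter.

    hold           legal hold suspends every downstream step
    retain         inside the retention period, nothing to do
    approaching    within APPROACHING_WINDOW_DAYS of the limit, flag for review
    notify_client  period has elapsed but the client has not been notified
    eligible       period elapsed and client notified; destruction may proceed
    """
    if matter.legal_hold:
        return "hold"
    end = retention_end(matter)
    if today < end - timedelta(days=APPROACHING_WINDOW_DAYS):
        return "retain"
    if today < end:
        return "approaching"
    if matter.client_notified_on is None:
        return "notify_client"
    return "eligible"


def review(matters: list, today: date) -> dict:
    """Group matter ids by status, the view a quarterly retention report would show."""
    report: dict = {}
    for m in matters:
        report.setdefault(evaluate(m, today), []).append(m.matter_id)
    return report


def destroy(matter: Matter, today: date) -> dict:
    """Produce a destruction record, refusing unless the matter is eligible."""
    status = evaluate(matter, today)
    if status != "eligible":
        raise PermissionError(f"{matter.matter_id}: destruction blocked, status={status}")
    # Certificate id is a digest over the facts that justify destruction, so the
    # record can be checked later against the policy that was in force.
    basis = f"{matter.matter_id}|{matter.matter_type}|{matter.closed_on}|{today}"
    return {
        "matter_id": matter.matter_id,
        "retention_end": retention_end(matter).isoformat(),
        "client_notified_on": matter.client_notified_on.isoformat(),
        "destroyed_on": today.isoformat(),
        "certificate_id": hashlib.sha256(basis.encode()).hexdigest()[:16],
    }


if __name__ == "__main__":
    # Constructed sample matters; dates chosen to exercise every status.
    today = date(2024, 6, 1)
    sample = [
        Matter("PI-1001", "personal_injury", date(2020, 1, 15)),
        Matter("PI-0877", "personal_injury", date(2017, 7, 1)),
        Matter("PI-0801", "personal_injury", date(2017, 1, 1)),
        Matter("PI-0790", "personal_injury", date(2017, 1, 1), client_notified_on=date(2024, 2, 1)),
        Matter("MM-0412", "medical_malpractice", date(2013, 3, 1), legal_hold=True),
    ]
    for status, ids in sorted(review(sample, today).items()):
        print(f"{status:14s} {', '.join(ids)}")
    print(destroy(sample[3], today))
```

The point of the model is that destruction is gated on state, not on a person remembering the schedule: a legal hold wins over everything, and an elapsed retention period without a recorded client notice still cannot produce a certificate. Running the same review function each quarter is what turns a retention policy "somewhere" into the enforcement evidence described above.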
We configure security controls for the major legal case management platforms including Clio, FileVine, PracticePanther, MyCase, CasePeer, and others. Each platform has different settings and plan requirements for advanced controls.
What we configure: Role-based access controls, encrypted storage for sensitive records, audit logging, and policy-based retention enforcement.
Contract requirements: Where required by a client or vendor agreement, we help validate eligibility and document the controls in place.
Based in Springfield, serving Dayton, Columbus, and Cincinnati since 2004. Response times depend on issue severity:
- Critical issues (firm-wide outage, suspected breach): Immediate response, 24/7 monitoring
- Urgent issues (attorney unable to work): Same-day response
- Standard requests (new user setup, software questions): Next business day
You’ll have direct contact with our team—not a call center. Most issues are resolved remotely; we come on-site when needed.
We’ve been serving Ohio law firms since 2004. Three things differentiate us:
- Documentation focus: Every control we implement gets documented. When your insurance application arrives or a client requests your security controls, evidence is already current.
- Compliance-first approach: We map controls to specific requirements (Ohio Rule 1.6, insurance applications, client contracts) rather than selling generic security bundles.
- Law firm experience: We understand case management systems, e-discovery workflows, file retention, and confidentiality obligations attorneys face.
We focus on mapped safeguards and defensible documentation that stays current for renewals, audits, and client questionnaires.
Your clients trust you with sensitive medical information. Ohio Rule 1.6, cyber insurance requirements, and referral source contracts all expect documented safeguards protecting that data. Schedule a legal IT security assessment to understand where you stand and what documentation you need.
Schedule Your Legal IT Security Assessment
30-minute call to review your current safeguards, documentation gaps, and what you’d need for insurance renewals or client contract audits.
15-minute assessment to identify safeguards and documentation gaps
Talk to our team directly
Send your insurance application or security questionnaire for review