Are Law Firms Covered by HIPAA? Obligations, BAAs, and Risk Mitigation
Applicability of HIPAA to Law Firms
HIPAA regulates covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction) and their business associates. Most law firms are not covered entities. However, when you create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a covered entity or another business associate, HIPAA applies to your firm directly.
Your status depends on the role you play and how you obtain PHI. If you access PHI while providing legal services to a covered entity (or to one of its business associates), you are a business associate. If you instead obtain PHI from the other side of a dispute under a court order, subpoena, or qualified protective order, you are not acting on a covered entity's behalf and are generally not a business associate, but you must still comply with the order's limits on use and redisclosure and its requirements to return or destroy the records when the matter ends.
When a law firm is—and isn’t—a business associate
- Is a business associate: outside counsel defending a hospital in malpractice litigation where PHI is reviewed; compliance counsel performing internal investigations that require PHI access; deal counsel conducting diligence on PHI flows.
- Is generally not a business associate: counsel for the opposing party receiving PHI via a court order, subpoena, or qualified protective order; counsel representing a patient and obtaining the patient's own records under a HIPAA authorization; receiving data de-identified under the HIPAA de-identification standard, which is no longer PHI.
Definition of Business Associate
A business associate is any person or entity, other than a member of the covered entity's own workforce, that performs functions or provides services for or to a covered entity involving the use or disclosure of PHI. The regulatory definition expressly lists legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services, so a law firm whose engagement requires PHI access fits squarely within it.
Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate, such as eDiscovery vendors, retained expert witnesses, document hosting platforms, and court reporters, are themselves business associates. Their obligations flow down through written subcontractor BAAs, and the firm remains responsible for obtaining those agreements before PHI is shared.
Typical law firm scenarios
- Regulatory response and investigations involving PHI (e.g., responding to an inquiry from the HHS Office for Civil Rights (OCR) about a breach).
- Employment and medical staff matters that require access to medical records.
- Litigation support, eDiscovery, and subpoena management where PHI is reviewed and produced.
- Contracting, privacy governance, incident response, and Risk Analysis for clients handling PHI.
Business Associate Agreement Requirements
Before a covered entity shares PHI with your firm for legal services, it must obtain satisfactory assurances in a written Business Associate Agreement (BAA). A BAA authorizes defined uses and disclosures and obligates your firm to comply with the HIPAA Privacy Rule provisions applicable to business associates and the HIPAA Security Rule for electronic PHI (ePHI). Note that the Security Rule and the business associate provisions of the Privacy Rule apply to your firm by operation of law once you qualify as a business associate; a missing BAA is itself a violation, not a shield.
Core elements a BAA must address
- Permitted and required uses/disclosures of PHI and the “minimum necessary” standard.
- Implementation of appropriate safeguards, including Administrative Safeguards and technical/physical controls for ePHI under the HIPAA Security Rule.
- Reporting to the covered entity of any use or disclosure not permitted by the BAA, of security incidents, and of breaches of unsecured PHI. The Breach Notification Rule requires a business associate to notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery; most BAAs shorten this to a few days, so read the clause you sign.
- Downstream obligations: ensuring subcontractors agree in writing to the same restrictions and safeguards.
- Support for individual rights: access, amendments, and accounting of disclosures, as directed by the client.
- HHS access to relevant records for compliance review.
- Return or destruction of PHI at termination, if feasible, and restrictions on retention.
- Termination rights if the business associate materially breaches the BAA.
Negotiation tips for law firms
- Clarify breach definitions, notification timelines, and incident severity tiers.
- Define encryption, audit logging, and access control expectations proportionate to matter sensitivity.
- Address eDiscovery workflows, redaction, and protective orders for PHI in litigation.
- Require client approval for offshore access and detail data residency constraints.
- Align cyber insurance, indemnities, and right-to-audit provisions with your risk profile.
Obligations Under HIPAA for Law Firms
When acting as a business associate, your firm must comply with applicable Privacy Rule requirements and the full Security Rule for ePHI. Practically, that means documented policies, controls, monitoring, and evidence you can show a client or regulator.
Operational duties
- Perform and document an enterprise-wide Risk Analysis; update it when technology, vendors, or services change.
- Implement Administrative Safeguards: assign a security official, train your workforce, apply sanctions for violations, manage role-based access, and maintain BAAs with subcontractors.
- Implement Technical Safeguards. The Security Rule names five standards: access control (unique user identification, emergency access, automatic logoff, encryption and decryption), audit controls, integrity, person or entity authentication, and transmission security. Multi-factor authentication, least-privilege access, endpoint protection, and data loss prevention are the controls firms typically use to satisfy those standards rather than items the rule lists by name. Encryption of ePHI at rest and in transit is an "addressable" specification, but treat it as mandatory: PHI encrypted in line with HHS guidance is not "unsecured PHI," so a lost encrypted laptop is not a reportable breach, while a lost unencrypted one almost certainly is.
- Implement Physical Safeguards: secure facilities, clean-desk/device practices, media controls, and secure disposal of paper and devices.
- Support client obligations under the HIPAA Privacy Rule, including responding to access, amendment, and accounting requests as directed.
Incident response and documentation
- Maintain an incident response plan with defined roles, triage, evidence preservation, and notification procedures.
- Document policies, decisions, risk acceptances, training, and audits; retain records for required periods.
- Test backups and recovery to ensure business continuity for PHI-dependent matters.
Risk Mitigation Strategies for Law Firms
Strong HIPAA hygiene is built on people, process, and technology. The goal is to minimize PHI exposure while enabling efficient legal work.
People and process
- Train all staff on PHI handling, minimum necessary, secure sharing, and matter-based segregation.
- Use checklists for intake to determine whether a BAA is required and to map PHI flows early.
- Adopt standardized protective orders and redaction protocols for discovery involving PHI.
- Limit PHI in email; prefer secure portals or matter management systems with access controls.
Technology and controls
- Mandate managed devices, mobile device management, and remote wipe; prohibit unmanaged BYOD for PHI.
- Segment workspaces by client/matter; enable need-to-know permissions and automated retention.
- Encrypt storage and transmissions; disable risky macros and restrict external storage and USB media.
- Vet vendors (hosting, transcription, eDiscovery, experts) and execute BAAs before sharing PHI.
- Establish safe use of collaboration and AI tools; do not input PHI unless the tool is covered by a BAA and configured appropriately.
Compliance Challenges Among Law Firms
Firms struggle with data sprawl across email, local drives, and eDiscovery platforms; remote work and lateral hires add complexity. Matter teams often include co-counsel, experts, and vendors, making downstream oversight and Business Associate Agreements essential but resource-intensive.
Other pain points include aligning clients’ differing BAA templates, balancing discovery obligations with the minimum necessary standard, managing international access, and sustaining consistent training and audits amid demanding billable work.
Penalties for Non-Compliance
Failure to execute required BAAs, implement Security Rule controls, or properly handle PHI can trigger OCR investigations, corrective action plans, multi-year monitoring, and monetary settlements. HIPAA's civil penalties are tiered by culpability, from violations the firm did not know about and could not reasonably have known about, through reasonable cause, to willful neglect that is or is not corrected in time; each tier carries higher per-violation and annual amounts, and OCR weighs mitigation efforts and cooperation when setting them.
Criminal liability can arise for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, with higher penalties for offenses committed under false pretenses or with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm. Beyond civil and criminal penalties, you face contract claims from the client under the BAA, malpractice exposure, reputational damage, and the cost of investigating and remediating the incident.
Conclusion
Most law firms are not covered entities, but many become business associates when their work requires PHI access. By executing sound Business Associate Agreements, performing rigorous Risk Analysis, and implementing Administrative Safeguards and technical controls under the HIPAA Security Rule, you can meet obligations, reduce breach risk, and handle PHI confidently.
FAQs
Are all law firms considered covered entities under HIPAA?
No. Law firms are rarely covered entities. HIPAA applies directly when a firm acts as a business associate—performing services for a covered entity or another business associate that involve PHI. In other contexts, firms may receive PHI via authorizations or court orders and must still safeguard it under those mechanisms.
What obligations do law firms have when acting as business associates?
They must follow applicable provisions of the HIPAA Privacy Rule and the full HIPAA Security Rule for ePHI, including documented policies, workforce training, Risk Analysis, administrative/technical/physical safeguards, breach reporting to the covered entity, and oversight of subcontractors handling PHI.
How do Business Associate Agreements affect law firms?
BAAs define permitted uses/disclosures, require safeguards and incident reporting, flow obligations down to vendors, and set termination and return/destruction terms. They are the legal basis for receiving PHI from covered entities and shape how your firm operationalizes HIPAA compliance on each engagement.
What are the risks of non-compliance with HIPAA for law firms?
Risks include regulatory investigations, civil monetary penalties, potential criminal exposure for intentional misconduct, corrective action plans and monitoring, contractual liability, malpractice claims, reputational harm, and significant costs to investigate and remediate incidents.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.