Are Law Firms Covered Entities Under HIPAA? Status, Definitions, Examples


Kevin Henry

HIPAA

January 01, 2025

6 minute read

Short answer: no—law firms are not covered entities under HIPAA. Most firms interact with Protected Health Information (PHI) as business associates when they provide services to healthcare clients, which triggers duties under the Privacy Rule, the HIPAA Security Rule, and a Business Associate Agreement (BAA).

Understanding where your firm sits—covered entity versus business associate—determines the safeguards you must implement, how you handle Data Breach Notification, and the scope of your legal compliance program across paper, electronic, and Health Information Technology workflows.

HIPAA Covered Entities Definitions

Covered entities are organizations directly engaged in healthcare delivery or administration that handle PHI in standardized electronic transactions. They include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically for billing, eligibility, referrals, or similar transactions.

Examples of covered entities are hospitals, physician practices, pharmacies, dental clinics, and telehealth providers. Law firms do not fit these categories; they become subject to HIPAA only when they function as business associates for a covered entity or another business associate.

Because many covered entities rely on Health Information Technology (EHRs, patient portals, e-prescribing), PHI often exists as electronic PHI (ePHI), invoking the HIPAA Security Rule’s technical, administrative, and physical safeguards.

Role of Law Firms as Business Associates

A law firm becomes a business associate when it performs services for a covered entity (or another business associate) that require access to PHI. Common scenarios include defending malpractice claims, conducting internal investigations, advising on compliance matters, managing breach response, or handling discovery that contains PHI.

In these engagements, the firm must sign a Business Associate Agreement (BAA) that specifies permitted uses and disclosures of PHI, required safeguards, breach reporting duties, and downstream obligations for subcontractors. If the firm does not need PHI to perform the work, it is not a business associate for that engagement.

Business Associate HIPAA Compliance Requirements

Core obligations that apply to business associates

  • Business Associate Agreement: Execute and honor a BAA that limits PHI use to defined purposes, prohibits unauthorized disclosures, and mandates subcontractor compliance.
  • Privacy Rule alignment: Use and disclose only the minimum necessary PHI and support covered-entity obligations such as access, amendment, and accounting where applicable.
  • HIPAA Security Rule: Implement administrative, physical, and technical safeguards for ePHI—risk analysis, risk management, access controls, encryption, audit logging, device/media controls, and contingency planning.
  • Policies, training, and documentation: Adopt written policies, train your workforce, manage sanctions for violations, and keep evidence of compliance activities.
  • Vendor and subcontractor oversight: Ensure any service provider that can access PHI signs a compliant BAA and is appropriately vetted.
  • Data lifecycle management: Apply retention schedules, secure transmission and storage, and defensible disposal for PHI in email, case repositories, and archives.
  • Data Breach Notification: Report breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery, with details sufficient for the covered entity’s notifications.

Examples of Business Associates in Healthcare

  • Law firms and eDiscovery vendors that process case files containing PHI.
  • Cloud service providers hosting ePHI (storage, backup, or collaboration tools).
  • Billing services, claims processors, and third-party administrators.
  • IT managed service providers, cybersecurity firms, and email encryption platforms.
  • Consultants, auditors, and compliance advisors who review PHI.
  • Medical transcription, scanning, and secure shredding companies.
  • Analytics, registry, or research support vendors that receive PHI under a BAA.

Law Firm Obligations Under HIPAA

  • Access control and minimum necessary: Limit PHI access to assigned matter teams; use role-based permissions in document and case-management systems.
  • Secure communication: Encrypt email and file transfers, apply DLP for outbound messages, and use vetted platforms for client portals and eDiscovery.
  • Workforce readiness: Train attorneys, paralegals, and staff on the Privacy Rule, Security Rule, and incident reporting; reinforce with periodic simulations.
  • Device and remote work security: Enforce MFA, endpoint encryption, screen locks, and secure disposal of paper notes and media.
  • Matter intake and scoping: Determine up front whether PHI is necessary; if so, ensure a BAA is in place before collection or review.
  • Incident response: Maintain an incident playbook, evidence preservation steps, breach risk assessment methods, and rapid notification procedures.
  • Subcontractor controls: Require BAAs with experts, court reporters, and vendors who may handle PHI, and verify their safeguards.

Law firms are not covered entities, and they are not business associates when services do not require PHI. For example, advising on corporate governance, drafting contracts that exclude PHI, or representing an individual client unrelated to a covered entity’s operations generally falls outside HIPAA’s business associate scope.

Receiving information that has been properly de-identified, or PHI disclosed via a valid authorization or court order for purposes not performed on behalf of a covered entity, may also place the firm outside business associate status for that matter. Even then, ethical duties, confidentiality rules, and other privacy laws still apply.

Distinction Between Covered Entities and Business Associates

The dividing line is role-based: covered entities create, receive, maintain, or transmit PHI as part of care delivery or plan operations; business associates support those activities on the entity’s behalf. Law firms support their clients’ operations, so when PHI access is necessary, they are business associates—not covered entities.

Quick classification test

  • If you deliver healthcare or run a health plan, you are likely a covered entity.
  • If you provide services to a covered entity and need PHI to perform them, you are a business associate.
  • If you can perform the engagement without PHI, you are neither for that scope.

Conclusion

Law firms are not covered entities under HIPAA, but they frequently act as business associates when work requires PHI. That status brings Privacy Rule limits, Security Rule safeguards, BAAs, and rigorous breach response. Classify each engagement, restrict PHI to the minimum necessary, and align your legal compliance program with the firm’s Health Information Technology footprint.

FAQs

Are law firms considered covered entities under HIPAA?

No. Covered entities are health plans, healthcare clearinghouses, and providers engaged in standard electronic transactions. Law firms generally do not fit these categories and, when handling PHI for a client, they act as business associates instead.

What responsibilities do law firms have as business associates?

They must sign a Business Associate Agreement, follow the Privacy Rule’s minimum necessary standard, implement HIPAA Security Rule safeguards for ePHI, oversee subcontractors with BAAs, maintain policies and training, and provide timely Data Breach Notification to the covered entity if unsecured PHI is compromised.

When are law firms exempt from HIPAA rules?

When services do not require PHI, when data is properly de-identified, or when disclosures occur under a valid authorization or court order for purposes not performed on behalf of a covered entity. Other confidentiality and privacy obligations may still apply.

How do law firms safeguard PHI according to HIPAA?

By conducting risk analyses, enforcing role-based access and encryption, using secure email and file transfer, logging and auditing activity, training staff, managing vendors via BAAs, and maintaining incident response procedures aligned to HIPAA’s breach notification standards.
