Do Law Firms Qualify as Covered Entities? Requirements and Compliance Guide
If you work with medical records or advise healthcare clients, you’ve likely asked: “Do law firms qualify as covered entities?” This requirements and compliance guide explains when HIPAA applies to law firms, how “business associate” status works, what must be in a business associate agreement, and how to manage subcontractor compliance and state-law overlap when handling protected health information (PHI).
HIPAA Covered Entities Overview
Covered entity definition
Under HIPAA, “covered entities” are: (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who transmit health information electronically in connection with standard transactions (such as claims, eligibility, referrals, or remittances). This covered entity definition focuses on an organization’s role in healthcare transactions—not merely on whether it holds medical information.
What counts as PHI
Protected health information is individually identifiable health information, in any form or medium, created or received by a covered entity or business associate. PHI includes data like names, addresses, dates, medical record numbers, and clinical details when linked to an individual.
Privacy and Security Rule basics
The HIPAA Privacy Rule governs permitted uses and disclosures of PHI and grants individuals rights of access, amendment, and an accounting of disclosures. The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI), including a documented risk analysis, access controls, and security incident procedures. The Security Rule applies to covered entities and business associates alike; the Privacy Rule applies directly to covered entities and reaches business associates through their business associate agreements and the specific Privacy Rule provisions for which they are directly liable.
Law Firms as Non-Covered Entities
Most law firms are not covered entities because they do not provide healthcare services or conduct HIPAA standard transactions. Simply receiving medical records in litigation or advising a healthcare client does not convert a firm into a covered entity.
Examples where a firm remains a non-covered entity include representing individual plaintiffs in injury cases, defending providers in litigation, or advising on corporate governance unrelated to PHI. Not being a covered entity does not settle whether the firm is a business associate; that turns on whether the firm handles PHI on a covered entity's behalf, as discussed in the next section. Even as non-covered entities, firms must protect client information under professional conduct rules, court orders, and applicable state privacy and data security laws.
Law Firms as Business Associates
A law firm becomes a business associate when it creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another business associate) to perform services such as legal advice, regulatory counseling, investigations, e‑discovery, or breach response. In these scenarios, HIPAA obligations attach because the firm is handling PHI for the covered entity’s operations.
A firm is not a business associate when it represents an individual patient against a provider, or when services do not involve PHI (for example, negotiating a lease for a clinic with no PHI access). The trigger is functional: access to PHI on behalf of a covered entity or business associate.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Business Associate Agreements for Law Firms
Core BAA requirements
- Permitted uses and disclosures: Specify how the firm may use PHI and prohibit uses beyond the business associate agreement and the HIPAA Privacy Rule.
- Safeguards: Require implementation of administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including risk analysis and workforce training.
- Breach and incident reporting: Mandate prompt reporting to the covered entity of security incidents and breaches of unsecured PHI, with timelines and required content.
- Subcontractor compliance: Obligate the firm to ensure subcontractors that handle PHI agree to equivalent restrictions and safeguards.
- Individual rights: Support access, amendment, and accounting of disclosures when the covered entity must fulfill these requests.
- Minimum necessary: Limit PHI use and disclosure to what is reasonably necessary for the engagement.
- Return or destruction: Require return or destruction of PHI at termination, if feasible, or continuing protections if not.
- Audit and cooperation: Permit oversight by the covered entity and cooperation with regulatory investigations.
Negotiation tips for law firms
- Scope precisely: Define the categories of PHI, data flows (including e‑discovery), and systems the firm will access.
- Security baseline: Document encryption, access controls, logging, device management, and vendor risk management.
- Incident playbook: Align incident response steps, notification triggers, and evidence preservation.
- Remote work and BYOD: Clarify requirements for remote access, mobile devices, and home printing or storage.
- Retention strategy: Tie record retention to legal holds and client instructions; avoid over-retention of ePHI.
- Cross-border limits: Address any restrictions on storing or accessing PHI outside the United States.
Direct HIPAA Liability for Business Associates
Business associates, including law firms, have direct liability under HIPAA for compliance failures. This includes implementing Security Rule safeguards, using or disclosing PHI only as permitted, providing breach notifications to covered entities, and ensuring subcontractor compliance. Direct liability also extends to failing to provide access to PHI when required or failing to disclose PHI to regulators as mandated.
Consequences can include civil penalties, corrective action plans, and reputational harm. Practically, firms should perform regular risk analyses, remediate identified gaps, maintain sanctions policies, and test incident response to reduce exposure.
Subcontractors and HIPAA Compliance
When a law firm engages vendors—such as e‑discovery platforms, expert witnesses handling records, forensic firms, or cloud services—those subcontractors may also be business associates. The firm must flow down contractual obligations and verify subcontractor compliance.
Due diligence checklist
- Confirm a written business associate agreement with each subcontractor that will handle PHI.
- Evaluate security controls: encryption at rest and in transit, identity and access management, logging, and vulnerability management.
- Review breach history, certifications or assessments, and incident response capabilities.
- Limit access by role, enforce minimum necessary, and monitor activity via audit logs.
- Set retention, return, and destruction requirements aligned with the primary BAA and litigation holds.
State Laws Affecting Law Firms Handling PHI
HIPAA preemption is nuanced: state laws that are more stringent than HIPAA generally control. For law firms, this means obligations can vary by jurisdiction. Commonly implicated laws include medical privacy statutes (for example, California’s Confidentiality of Medical Information Act), broad consumer privacy regimes (such as California’s CPRA or Colorado’s CPA), data security laws (for example, New York’s SHIELD Act), specialized healthcare privacy laws (like Washington’s consumer health data rules), and state breach notification statutes.
Key implications for firms:
- Stricter state rules on consent, disclosures, or patient access may exceed HIPAA baselines.
- Breach notification triggers, timelines, and required content differ across states and may apply even when HIPAA does not.
- Professional responsibility and evidence rules intersect with privacy obligations, especially in discovery and expert engagements.
- Multi-state matters require mapping where PHI originated, where it is stored, and which state regimes apply.
Conclusion
Most law firms are not covered entities, but they frequently act as business associates when handling PHI for healthcare clients. To stay compliant, execute a robust business associate agreement, implement Security Rule‑grade safeguards, manage subcontractor compliance, and account for state laws that may be more stringent than HIPAA. Clear scoping, strong controls, and disciplined incident response are the foundation of defensible compliance.
FAQs
Are law firms considered covered entities under HIPAA?
Generally no. Law firms do not qualify as covered entities because they are not health plans, healthcare clearinghouses, or providers conducting HIPAA standard transactions. However, they may still handle PHI under other roles.
When do law firms become business associates under HIPAA?
A law firm becomes a business associate when it creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another business associate) to perform services like legal advice, compliance, investigations, or e‑discovery.
What are the compliance requirements for law firms acting as business associates?
They must comply with the HIPAA Security Rule, applicable parts of the HIPAA Privacy Rule, and the terms of the business associate agreement. Core requirements include risk analysis, safeguards for ePHI, minimum necessary practices, breach reporting, and subcontractor compliance.
Do law firms need to sign business associate agreements?
Yes, if the engagement involves PHI on behalf of a covered entity or another business associate. The agreement defines permitted uses of PHI, required safeguards, reporting duties, and end-of-engagement data handling.