Handling PHI in Legal Services: HIPAA Business Associate Obligations Checklist


Kevin Henry

HIPAA

August 09, 2024


Legal practices routinely encounter Protected Health Information (PHI) through discovery, claims management, and counseling. This guide explains how handling PHI in legal services intersects with HIPAA, outlines Business Associate obligations, and provides a practical checklist you can apply immediately.

Definition of Business Associate

A Business Associate (BA) is any person or entity, other than a Covered Entity’s workforce, that creates, receives, maintains, or transmits PHI to perform services or functions for, or on behalf of, a Covered Entity (such as a health plan, provider, or clearinghouse). Under the HIPAA Privacy Rule and HIPAA Security Rule, subcontractors that handle PHI for a BA are also considered BAs and must meet the same safeguards.

In short, if an organization’s work for a Covered Entity requires access to PHI—whether for operations, administration, technology, or professional services—it is a BA and must comply with HIPAA’s standards and Breach Notification Requirements.

Examples of Business Associates

  • Outside counsel and law firms providing litigation, investigations, regulatory advice, or contract support involving PHI.
  • E-discovery, forensics, and legal support vendors processing data that includes PHI.
  • Cloud service providers, document repositories, and email archiving platforms that store or transmit PHI.
  • IT managed service providers, help desks, and security operations centers with PHI system access.
  • Consultants, auditors, actuaries, and claims administrators handling PHI on behalf of Covered Entities.
  • Court reporting, records retrieval, and copying services receiving PHI for legal matters.

Requirement for Business Associate Agreements

Before a Covered Entity shares PHI with a vendor or service provider, the parties must execute a Business Associate Agreement (BAA). The BAA documents the permitted uses and disclosures of PHI and the safeguards the BA will maintain. A BA must also have written Subcontractor Agreements (downstream BAAs) with any subcontractor that creates, receives, maintains, or transmits PHI on its behalf.

Absent a signed BAA, PHI should not be disclosed. Limited “conduit” services (for example, pure couriers) generally do not require BAAs, but entities that persistently store PHI—such as most cloud services—are BAs and do.

Key Provisions in Business Associate Agreements

  • Permitted uses/disclosures: Clear purposes and a commitment to the minimum necessary standard.
  • Safeguards: Agreement to implement administrative, physical, and technical controls consistent with the HIPAA Security Rule.
  • Breach Notification Requirements: Prompt reporting to the Covered Entity without unreasonable delay and within a defined timeframe; processes to assess and document incidents.
  • Subcontractor Agreements: Flow-down obligations requiring subcontractors to protect PHI to the same extent.
  • Support for individual rights: Cooperation with access, amendment, and accounting requests as delegated by the Covered Entity.
  • Return or destruction: Secure return or destruction of PHI at contract end, if feasible.
  • Access for oversight: Agreement to make relevant records available for regulatory oversight when required by law.
  • Mitigation and sanctions: Duties to mitigate harmful effects and discipline workforce members who violate HIPAA-related policies.

Many BAAs also include practical terms such as audit rights, specific incident-reporting timelines, cyber insurance requirements, and indemnification. While not mandated by HIPAA, these provisions help align expectations and reduce risk.


Obligations of Business Associates

Obligations under the HIPAA Privacy Rule

Use and disclose PHI only as permitted by the BAA or as required by law. Apply the minimum necessary standard, maintain policies and procedures, and assist the Covered Entity with individual rights requests when delegated.

Obligations under the HIPAA Security Rule

Conduct a risk analysis; implement risk management and appropriate administrative, physical, and technical safeguards (for example, access controls, encryption, auditing, secure disposal, and contingency plans). Train workforce members with access to PHI and document all safeguards.

Breach Notification Requirements

Establish an incident response process to identify, investigate, and document potential breaches. Perform a risk assessment considering the nature of PHI, the unauthorized recipient, whether the PHI was actually viewed or acquired, and mitigation steps. Notify the Covered Entity without unreasonable delay and within the contractually required timeframe so downstream notifications can occur on time.

Lawyers and law firms are BAs when retained by a Covered Entity (or another BA) and their work involves creating, receiving, maintaining, or transmitting PHI—such as defending malpractice claims, managing subpoenas, running internal investigations, or advising on compliance. E-discovery platforms, expert witnesses, and records vendors engaged by the firm that handle PHI are downstream BAs and require Subcontractor Agreements.

Lawyers are typically not BAs when representing individual patients (since services are not for or on behalf of a Covered Entity) or when services for a Covered Entity do not require PHI access. Always confirm the engagement’s scope and data flows to determine BA status before work begins.

Compliance Checklist for Business Associates

  • Confirm BA status for each engagement and document the basis for handling PHI.
  • Execute a Business Associate Agreement before receiving PHI; ensure Subcontractor Agreements for all downstream vendors.
  • Map PHI data flows and systems; limit collection to the minimum necessary.
  • Perform a HIPAA Security Rule risk analysis and implement a risk management plan.
  • Designate privacy and security leads with defined roles and escalation paths.
  • Adopt written policies and procedures covering Privacy Rule and Security Rule obligations.
  • Implement access controls, strong authentication, and role-based permissions.
  • Encrypt PHI in transit and at rest; secure mobile devices and removable media.
  • Enable audit logging, monitoring, and alerting for PHI systems.
  • Harden endpoints and servers; patch, vulnerability-scan, and test regularly.
  • Train workforce members initially and at least annually; keep attendance records.
  • Use secure collaboration tools for e-discovery, file transfer, and videoconferencing.
  • Screen and manage vendors; document due diligence and contract reviews.
  • Prepare an incident response plan aligned to Breach Notification Requirements, with defined timelines and contact lists.
  • Maintain procedures for responding to access, amendment, and accounting requests.
  • Apply retention schedules and secure disposal for paper and electronic media.
  • Test backups and disaster recovery; verify recoverability of PHI systems.
  • Review BAAs, policies, and technical safeguards at least annually and after major changes.
  • Document everything: risk analyses, decisions, training, incidents, and remedial actions.

This HIPAA Business Associate Obligations Checklist helps legal teams align engagements, contracts, and controls so PHI is handled lawfully and securely throughout the matter lifecycle.

FAQs

When are lawyers considered HIPAA business associates?

Lawyers are business associates when a Covered Entity (or another BA) retains them and their work requires creating, receiving, maintaining, or transmitting PHI—such as litigation, investigations, regulatory counseling, or contract work involving PHI. If representing an individual patient or providing services that do not involve PHI, the lawyer is generally not a BA.

What are the key requirements of a Business Associate Agreement?

A BAA must define permitted uses and disclosures of PHI, require minimum necessary practices, mandate administrative/physical/technical safeguards under the HIPAA Security Rule, set Breach Notification Requirements and timelines, flow down obligations to subcontractors, support individual rights as delegated, and address termination, return or destruction of PHI, and cooperation with oversight.

How must lawyers protect PHI under HIPAA?

Law firms must implement written policies, workforce training, and layered security controls (access management, encryption, logging, secure disposal, and contingency planning); use PHI only as allowed by the BAA and the HIPAA Privacy Rule; assess incidents promptly; and notify the Covered Entity without unreasonable delay if a breach is suspected.
