HIPAA and Law Firms: Covered Entity vs. Business Associate Explained



Kevin Henry

HIPAA

January 02, 2025

8 minutes read

Definition of Covered Entities

Who is a covered entity

Under HIPAA, covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. If you do not fit one of these categories, you are not a covered entity—even if you handle health information—unless you act on behalf of one in a role that creates Business Associate obligations.

Protected Health Information (PHI) basics

Protected Health Information is individually identifiable health information in any form—paper, oral, or electronic. De-identified data is not PHI, and HIPAA does not apply to it. When PHI is in electronic form (ePHI), the HIPAA Security Rule imposes specific safeguard requirements in addition to the HIPAA Privacy Rule’s use and disclosure standards.

Role of Business Associates

What is a business associate

A business associate is any person or organization that performs services for or on behalf of a covered entity (or another business associate) that involve the creation, receipt, maintenance, or transmission of PHI. Your permitted uses and disclosures of PHI are defined by HIPAA and limited by the applicable Business Associate Agreements.

Common business associate services

Typical functions include claims processing, data analysis, IT hosting, cloud storage, eDiscovery support, legal consulting, and compliance services. “Mere conduits” that do not persistently store PHI, such as traditional mail carriers, are not business associates; in contrast, most hosted or cloud solutions maintain PHI and therefore fall within business associate scope.

Subcontractor compliance

Any subcontractor that creates, receives, maintains, or transmits PHI on a business associate’s behalf is itself a business associate. You must ensure subcontractor compliance by flowing down HIPAA obligations and executing appropriate agreements before sharing PHI.

Law Firms as Business Associates

When law firms become business associates

Law firms become business associates when access to PHI is necessary to provide legal services to a covered entity or another business associate. Examples include malpractice defense, regulatory investigations, employment disputes involving medical records, compliance audits, eDiscovery, and transactions or litigation where PHI appears in exhibits or discovery.

When law firms are not business associates

Your firm is not a business associate when representing an individual patient directly, or when representing a provider in matters that do not require access to PHI. If PHI is unnecessary, structure the engagement to avoid receiving PHI and memorialize that limitation in the engagement letter.

Practical intake considerations

Screen matters early to determine whether PHI will be exchanged. If PHI is in scope, execute a Business Associate Agreement before receipt, identify the minimum necessary PHI, and design a secure matter workspace to segregate and protect that information.


Business Associate Agreements

Core clauses your BAA should contain

  • Permitted uses and disclosures: Specify how your firm may use PHI and prohibit uses outside the HIPAA Privacy Rule and the engagement’s needs.
  • Safeguards: Require administrative, physical, and technical safeguards consistent with the HIPAA Security Rule for ePHI and reasonable safeguards for all PHI.
  • Breach Notification Requirements: Define prompt notification timeframes, reportable details, cooperation duties, and forensic preservation expectations.
  • Subcontractor compliance: Mandate that all subcontractors agree in writing to the same restrictions and safeguards before receiving PHI.
  • Access, amendment, and accounting: Commit to support the covered entity’s obligations to provide individual access, amendments, and an accounting of disclosures when applicable.
  • Return or destruction: Require secure return or destruction of PHI at termination, with limited retention only where legally required and subject to ongoing protections.
  • Right to audit and HHS access: Allow reasonable verification of compliance and require making relevant records available to the Secretary of Health and Human Services.

BAA drafting tips for law firms

  • Align definitions with the HIPAA Privacy Rule and HIPAA Security Rule to avoid gaps or conflicts with your cybersecurity program.
  • Set realistic yet prompt breach notice timeframes and designate roles for triage, client notification coordination, and documentation.
  • Address encryption, retention periods, data mapping, and secure disposal so workflows remain consistent across matters and vendors.

Direct Liability of Business Associates

What “direct liability” means

Business associates are directly liable under HIPAA for impermissible uses and disclosures of PHI, for meeting Security Rule safeguard requirements for ePHI, for providing timely breach notification to covered entities, and for executing and honoring Business Associate Agreements. Liability also extends to failing to ensure subcontractor compliance or to provide required access and information to covered entities or HHS.

Consequences for noncompliance

Enforcement can include corrective action plans, civil monetary penalties, and reputational harm. Contractual liability under BAAs, professional discipline risks, and litigation exposure commonly follow, especially when investigations reveal inadequate safeguards or delayed breach reporting.

Compliance Responsibilities

Program foundation

  • Risk analysis and risk management: Identify where PHI resides, evaluate threats and vulnerabilities, and implement prioritized mitigations.
  • Policies and procedures: Document Privacy Rule and Security Rule practices, including acceptable use, access control, device security, and incident response.
  • Workforce training: Train attorneys, staff, and contract professionals on minimum necessary, secure sharing, and breach reporting procedures.

Security Rule safeguards in practice

  • Administrative: Role-based access, vendor oversight, contingency planning, and periodic evaluations.
  • Physical: Controlled facility access, media controls, secure off-site storage, and clean-desk protocols.
  • Technical: Strong authentication, encryption in transit and at rest, logging and monitoring, endpoint protection, and secure file transfer.

Privacy Rule practices for law firms

  • Minimum necessary: Collect and store only the PHI you need for the legal task, and redact when feasible.
  • Use and disclosure: Limit internal sharing to those assigned to the matter; document any disclosures outside the covered entity.
  • Client coordination: Align discovery plans with minimum necessary principles and protective orders to reduce PHI exposure.

Breach Notification Requirements

  • Detection and triage: Define how potential incidents are identified, escalated, and contained.
  • Risk assessment: Evaluate the nature and extent of PHI involved, the unauthorized recipient, whether PHI was actually acquired or viewed, and mitigation steps.
  • Timelines and content: Notify the covered entity without unreasonable delay and within the BAA’s timeframe, supplying all required details and cooperating on downstream notices.

Subcontractor compliance and vendor management

  • Due diligence: Assess eDiscovery platforms, court reporters, translators, and cloud providers for HIPAA-aligned controls before onboarding.
  • Contracting: Execute BAAs with all downstream vendors handling PHI and include audit rights and incident cooperation terms.
  • Monitoring: Review logs, DLP alerts, and access recertifications; remediate findings promptly.

State Law Considerations

HIPAA preemption and more stringent state laws

HIPAA sets a federal floor. If a state law is more stringent—such as special protections for mental health, HIV, genetic, or reproductive health information—you must follow the stricter standard. Build a matter-by-matter matrix to flag heightened requirements early.

State breach notification and professional rules

Most states impose specific breach notice timelines and content requirements that operate alongside HIPAA. Coordinate HIPAA and state notifications to avoid inconsistent messaging. Also account for state professional responsibility rules on client confidentiality and technological competence when designing safeguards for PHI.

Conclusion

For law firms, the key is clarity: know when you are a business associate, execute sound Business Associate Agreements, and run a HIPAA program that satisfies the Privacy Rule, Security Rule, and Breach Notification Requirements. With disciplined subcontractor compliance and attention to stricter state laws, you can deliver effective legal services while protecting PHI.

FAQs

Are law firms considered covered entities under HIPAA?

No. Law firms are not covered entities because they are not health plans, health care clearinghouses, or providers conducting standard electronic transactions. A firm becomes subject to HIPAA as a business associate only when its services involve creating, receiving, maintaining, or transmitting PHI for a covered entity or another business associate.

When do law firms become business associates?

Law firms become business associates when access to PHI is necessary to provide legal services for the engagement—such as malpractice defense, regulatory responses, audits, eDiscovery, or transactions where PHI appears in records. The trigger is handling PHI on behalf of a covered entity or business associate, not merely working with a health care client.

What are the HIPAA compliance obligations for law firms?

As business associates, law firms must implement HIPAA Security Rule safeguards for ePHI, comply with applicable HIPAA Privacy Rule provisions, meet Breach Notification Requirements to covered entities, and ensure subcontractor compliance. Firms must also follow the terms of their Business Associate Agreements and maintain policies, training, and documentation that demonstrate compliance.

Do law firms need Business Associate Agreements when handling PHI?

Yes. Before receiving PHI from a covered entity or another business associate, a law firm must execute a Business Associate Agreement that defines permitted uses and disclosures, required safeguards, breach notification terms, subcontractor obligations, and return or destruction of PHI at the end of the engagement.
