HIPAA for Legal Counsel: Do You Need a Business Associate Agreement?
If you represent a health care provider, health plan, or their vendors in the United States, your first HIPAA question is simple: will you create, receive, maintain, or transmit Protected Health Information (PHI) for them? If yes, you are functioning as a business associate and you need a Business Associate Agreement (BAA) before PHI is shared.
This guide explains how HIPAA classifies legal counsel, which engagements trigger a BAA, what must be in that contract, how to manage subcontractors, where exemptions apply, how direct liability works, and what sample provisions look like. Use it as a practical roadmap for legal counsel compliance.
Definition of Business Associate
A business associate is any person or entity that performs functions or activities involving PHI for, or provides services involving PHI to, a Covered Entity (such as a provider, health plan, or clearinghouse) or to another business associate. The definition includes legal services when those services require access to PHI.
Outside counsel typically qualifies as a business associate when the engagement requires PHI to advise, investigate, litigate, or manage regulatory matters. By contrast, in-house counsel is part of the Covered Entity’s workforce and does not need a BAA.
Remember that “access” is broad. You are a business associate if you create, receive, maintain, or transmit PHI—even if you never open the file. Hosting discovery databases, storing medical records, or managing subpoena responses involving PHI are all within scope.
Legal Services Involving PHI
Common legal engagements that involve PHI and therefore require a Business Associate Agreement include the following:
- Defending malpractice or negligence suits, including review of medical records and expert collaboration.
- Responding to federal or state privacy and security investigations, breach analysis, and corrective action planning.
- Employment, medical staff, and peer review matters that rely on patient charts or incident reports.
- eDiscovery and litigation support hosting that stores or processes PHI, even if access is limited to your vendor.
- Contract disputes and reimbursement appeals where record extracts are necessary to prove medical necessity or coverage.
Apply the minimum necessary standard. If your task can be performed with de-identified information, request that instead. If PHI is necessary, get a signed BAA before any transfer and insist on secure intake, encryption, and access controls to prevent unauthorized disclosure.
Business Associate Agreement Requirements
A compliant BAA documents permitted uses and disclosures of PHI and binds you to HIPAA’s Privacy, Security, and Breach Notification Rules. Key requirements you should confirm are present:
- Permitted uses and disclosures limited to the engagement, with explicit prohibitions on selling PHI or using it for marketing without authorization.
- Administrative, physical, and technical safeguards aligned with the Security Rule, including risk analysis, encryption, access management, and audit logging.
- Breach and security incident reporting to the Covered Entity without unreasonable delay and no later than 60 days after discovery, with cooperation on investigation and notices.
- Support for individual rights: access, amendment, and accounting of disclosures when the Covered Entity requests assistance.
- Subcontractor compliance: a written flow-down obligating any vendor that handles PHI to the same restrictions and safeguards.
- Records and access for oversight: retention and availability to regulators for compliance review.
- Termination, return, or destruction of PHI at the end of the engagement, with documentation of disposition and continuing protections if destruction is infeasible.
- Mitigation of harmful effects and procedures to address any unauthorized disclosure.
Strong BAAs also specify minimum necessary practices, encryption at rest and in transit, incident response timelines, and cooperation on audits—practical controls that reduce risk and clarify expectations.
Subcontractor Compliance Obligations
When you engage eDiscovery platforms, expert witnesses, transcriptionists, cloud storage, or court reporters that will handle PHI on your behalf, they become your subcontractors under HIPAA. You must execute written agreements that impose the same Business Associate Agreement obligations on them.
Build a vendor management routine: vet security controls, document due diligence, limit data to the minimum necessary, provision role-based access, and require prompt incident reporting. Maintain an inventory of all subcontractors with PHI access and review their compliance annually.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exemptions from BAA Requirement
You do not need a BAA in these specific situations:
- In-house counsel: as workforce members, they operate under the Covered Entity’s HIPAA policies rather than a BAA.
- No PHI involved: general corporate advice, routine contracting, or policy drafting performed with de-identified data or without PHI.
- Conduit exception: pure transmission services (for example, postal mail or common carriers) that do not store PHI other than temporarily.
- Required by law or judicial/administrative proceedings: a Covered Entity may disclose PHI pursuant to a court order or subpoena with required safeguards; opposing counsel does not sign a BAA with the disclosing entity.
- Limited Data Set under a data use agreement for specific purposes; a BAA is not required if only a Limited Data Set is shared and the purpose fits HIPAA’s narrow allowances.
Attorney-client privilege does not substitute for a BAA. If your services involve PHI on behalf of a Covered Entity, a Business Associate Agreement remains the correct instrument.
Direct Liability of Business Associates
Since HIPAA’s Omnibus Rule, business associates—and their subcontractors—are directly liable for compliance with the Security Rule and for certain Privacy Rule provisions. You must conduct a security risk analysis, implement policies and training, and maintain documentation that shows ongoing compliance.
Consequences for noncompliance include tiered HIPAA penalties, corrective action plans, oversight by regulators, and contract remedies such as indemnification. Unauthorized disclosure or lax safeguards can also trigger breach notification, reputational damage, and professional responsibility issues.
Sample BAA Provisions
- Permitted Use: “Business Associate may use PHI solely to provide legal services described in the Engagement Letter and for no other purpose, applying the minimum necessary standard.”
- Safeguards: “Business Associate shall implement administrative, physical, and technical safeguards, including encryption of PHI in transit and at rest, multi-factor authentication, and audit logging.”
- Incident Reporting: “Business Associate shall report any security incident or suspected unauthorized disclosure to Covered Entity without unreasonable delay and no later than X business days after discovery.”
- Breach Cooperation: “Parties will coordinate investigation, risk assessment, documentation, and notifications required by law.”
- Subcontractors: “Business Associate shall ensure subcontractor compliance through written agreements imposing obligations no less stringent than this BAA.”
- Access/Amendment/Accounting: “Business Associate shall assist Covered Entity in meeting individual rights within applicable timelines.”
- Audit Rights: “Covered Entity may reasonably audit Business Associate’s relevant policies, procedures, and records relating to PHI.”
- Termination/Disposition: “Upon termination, Business Associate shall return or destroy PHI and certify destruction; if infeasible, protections survive.”
- Insurance/Indemnity: “Business Associate shall maintain cyber/privacy liability insurance and indemnify Covered Entity for damages arising from breach of this BAA.”
Bottom line: if your legal engagement requires PHI, you need a BAA, robust safeguards, and disciplined subcontractor compliance. Align your scoping, intake, and vendor processes with HIPAA from day one to minimize risk and demonstrate legal counsel compliance.
FAQs
When Are Lawyers Considered Business Associates Under HIPAA?
You are a business associate when, on behalf of a Covered Entity or another business associate, you create, receive, maintain, or transmit PHI to deliver your legal services. That includes reviewing records for litigation, handling breach response, or hosting PHI in eDiscovery.
What Are the Key Elements of a Business Associate Agreement?
A BAA should define permitted uses/disclosures, require HIPAA-aligned safeguards, mandate prompt incident and breach reporting, ensure subcontractor compliance, support individual rights, allow oversight, and address termination and PHI disposition. Many agreements also add insurance, indemnity, and audit terms.
Are Attorneys Providing General Corporate Advice Required to Sign a BAA?
No, if you do not access PHI. Work limited to governance, contracts, or strategy that does not involve PHI—and uses only de-identified information—does not trigger a BAA. The moment PHI is necessary for the engagement, a BAA is required.
What Penalties Apply to Business Associates for HIPAA Violations?
Business associates face direct enforcement, including tiered civil monetary HIPAA penalties, corrective action plans, and potential contractual damages. Serious or knowing violations can carry additional sanctions, and any unauthorized disclosure can force breach notification and related costs.