HIPAA Requirements for Healthcare Attorneys: A Practical Compliance Guide



Kevin Henry

HIPAA

March 22, 2026


As a healthcare attorney, you routinely touch information that is tightly regulated. This guide explains when HIPAA applies to your practice, what agreements and safeguards you must have in place, and how to meet the HIPAA Privacy Rule and Security Rule in a law firm environment while honoring your professional duty of confidentiality.

HIPAA Applicability to Attorneys

When HIPAA applies

HIPAA applies to you when you handle Protected Health Information (PHI) for or on behalf of a covered entity or another business associate. That includes reviewing medical records, advising on patient care disputes, negotiating payer contracts with embedded PHI, e-discovery involving PHI, incident response, or compliance counseling that requires access to identifiable health data.

Common scenarios

  • Outside counsel to a hospital, physician group, health plan, or health IT vendor that provides services involving PHI—here, you act as a business associate.
  • In-house counsel employed by a provider or plan—here, you are part of the covered entity’s workforce and must follow internal HIPAA policies.
  • Coordinating with expert witnesses, e-discovery vendors, or cloud platforms that receive PHI from your firm—these are subcontractor business associates and must also be bound by HIPAA requirements.

When HIPAA does not directly apply

  • Representing an individual patient where PHI comes from the client (not a provider or plan) generally does not make you a business associate; however, state privacy laws and ethics rules still apply.
  • Matters using only de-identified data or a limited data set under a proper data use agreement typically fall outside business associate status.

Definition of Covered Entities

Covered entities are organizations directly regulated by HIPAA. They are:

  • Health plans, including group health plans and insurers.
  • Healthcare clearinghouses that process nonstandard health information into standard formats.
  • Healthcare providers that conduct standard electronic transactions (for example, electronic claims, eligibility, or remittance advice).

You will often advise these entities or their vendors. Understanding their obligations informs your own, especially the Minimum Necessary Standard and the boundaries of permissible use and disclosure under the HIPAA Privacy Rule.

Attorneys as Business Associates

A business associate is a person or entity that performs services for a covered entity (or another business associate) that involve creating, receiving, maintaining, or transmitting PHI. Legal services that require PHI—litigation defense, audits, internal investigations, billing disputes, incident response, or regulatory submissions—place you squarely in business associate territory.

Key implications for your practice include:

  • You must sign a Business Associate Agreement before receiving PHI.
  • You must implement PHI Security Controls proportionate to the risks in your environment.
  • Your downstream vendors that touch PHI are subcontractor business associates and must sign parallel agreements and adopt comparable safeguards.

Business Associate Agreements

A Business Associate Agreement (BAA) is the contract that authorizes your access to PHI and allocates responsibilities. Ensure your BAA includes, at minimum:

  • Permitted and required uses and disclosures of PHI, aligned with the Minimum Necessary Standard.
  • Administrative Safeguards, physical safeguards, and technical safeguards (for example, access controls, encryption, audit logging, and device/media controls).
  • Obligations to report security incidents and suspected or confirmed breaches, with timelines and required breach content elements.
  • Flow-down requirements so all subcontractors with PHI agree to equivalent restrictions and safeguards.
  • Support for individual rights: access, amendments, and accounting of disclosures when you hold designated record set information.
  • Restrictions on marketing, sale of PHI, and any research-related uses, if applicable.
  • Return or destruction of PHI at termination, or documentation of why destruction is infeasible and how protections will continue.
  • Right of the covered entity to terminate for material breach and the duty to make internal practices, books, and records available to authorities when required.

Negotiate clarity around e-discovery workflows, secure file transfer, remote work, and cross-border storage to avoid ambiguity about where PHI can reside and who may access it.

HIPAA Compliance Requirements for Attorneys

Build a risk-based program

  • Conduct and document a HIPAA risk analysis tailored to a law firm’s systems and matter types. Map PHI data flows—intake, review platforms, email, shared drives, mobile devices, archives, and matter closeout.
  • Implement risk management measures and track them to closure. Reassess when you adopt new tools or vendors.

Implement Administrative Safeguards

  • Adopt written policies and procedures covering acceptable use, remote work, email and messaging, matter intake, e-discovery, and incident response.
  • Train all workforce members initially and at least annually; include phishing simulations and role-based guidance for partners, litigation staff, and IT.
  • Manage vendor risk: perform diligence, require BAAs, set security expectations, and review attestations or audit reports.
  • Apply the Minimum Necessary Standard to every workflow—limit who can see PHI and how much they see.

Apply PHI Security Controls

  • Access controls: unique IDs, multi-factor authentication, least-privilege permissions, prompt account revocation, and matter-based segregation of files.
  • Encryption: full-disk encryption on laptops and mobile devices, encryption in transit and at rest for email, file shares, and cloud repositories.
  • Audit controls and monitoring: log access to PHI repositories, review anomalies, and retain logs per policy.
  • Integrity and availability: secure backups, tested restoration, versioning in document systems, and anti-malware/EDR protections.
  • Device and media controls: secure disposal, wiping of loaners, and policies for removable media and home printers.

Operational practices for law firms

  • Secure communications: use encrypted portals or secure email for PHI; avoid consumer messaging apps lacking BAAs.
  • E-discovery: segregate PHI collections, apply protective orders, use privacy screens/redactions, and restrict reviewer access.
  • Matter management: label PHI matters, restrict distribution lists, and document client approvals for any non-routine disclosures.
  • Incident response: maintain a playbook, practice tabletop exercises, and pre-arrange breach counsel/forensics under privilege.
  • Data minimization and retention: collect only necessary PHI, set defensible retention schedules, and purge data at matter close consistent with the BAA.

Attorney's Duty of Confidentiality

Your professional responsibility to maintain client confidences complements HIPAA. Align both by:

  • Using the Minimum Necessary Standard to narrow PHI in pleadings, exhibits, and expert packets; redact where feasible.
  • Relying on HIPAA-compliant authorizations or qualified protective orders for disclosures in litigation; avoid overbroad subpoenas.
  • Preserving privilege and work product while implementing the HIPAA Privacy Rule; document legal bases for each disclosure.
  • Obtaining informed client direction when HIPAA permits but does not require a disclosure.

Ethics rules may allow limited disclosures to prevent harm or respond to claims against the lawyer; ensure any such disclosure also complies with HIPAA’s allowable uses and disclosures.

Breach Notification Requirements

If PHI is impermissibly used or disclosed, you must perform a breach risk assessment. Unless you can demonstrate a low probability of compromise, treat the event as a breach. As a business associate, you must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Timely, accurate notification is central to Data Breach Notification obligations.

Risk assessment factors

  • Nature and extent of PHI (identifiers involved and likelihood of re-identification).
  • Unauthorized person who used or received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which risks were mitigated (for example, verified destruction or retrieval).

Contents of business associate notice to the covered entity

  • Brief description of what happened, including dates of occurrence and discovery.
  • Types of PHI involved.
  • Steps individuals should take to protect themselves, if known.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Identification of each affected individual, to the extent possible.

Leverage encryption to qualify for the security “safe harbor” so that a loss of properly encrypted PHI is not a reportable breach. Maintain breach logs, incident tickets, forensic reports, and client communications to demonstrate compliance.

In parallel, evaluate whether separate state data breach laws apply independently to your firm for personal information beyond PHI; coordinate your timelines and content with the covered entity to avoid conflicting notices.

Done well, your breach readiness—policies, training, technical controls, and rehearsed communications—reduces risk and speeds response.

In summary, treat HIPAA as a practical framework: limit PHI to the minimum necessary, lock down systems with right-sized controls, bind vendors with strong BAAs, and prepare for incidents before they happen. This approach allows you to deliver timely, effective legal services while protecting clients and patients.

FAQs

When do HIPAA requirements apply to healthcare attorneys?

HIPAA applies when you create, receive, maintain, or transmit PHI for or on behalf of a covered entity or another business associate. Common triggers include defense of providers or plans, compliance reviews that require record access, e-discovery with medical records, and incident response. If you represent an individual patient and receive PHI directly from that client, HIPAA typically does not regulate you as a business associate, though other laws and ethics rules still govern confidentiality.

What is a Business Associate Agreement?

A Business Associate Agreement is the contract that authorizes your access to PHI and sets the rules for using, disclosing, safeguarding, and returning or destroying that information. It requires Administrative Safeguards and other PHI Security Controls, mandates reporting of security incidents and breaches, flows obligations to subcontractors, and ensures you can support individual rights such as access and amendments when applicable.

How must attorneys protect PHI under HIPAA?

You must implement a risk-based security program: policies, training, least-privilege access, multi-factor authentication, encryption in transit and at rest, logging and monitoring, secure backups, device/media controls, and vetted vendors under BAAs. Apply the HIPAA Privacy Rule and the Minimum Necessary Standard to limit PHI in your matters, and integrate secure workflows for email, file transfer, and e-discovery.

What are the breach notification obligations for attorneys?

As a business associate, you must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach, supplying details about what happened, PHI types involved, affected individuals, and mitigation steps. You must also assess risk using HIPAA’s factors, document your analysis, and coordinate any additional state Data Breach Notification duties that may independently apply to your firm.
