Law Firms and HIPAA Compliance: When You’re a Business Associate


Kevin Henry

HIPAA

January 02, 2025

7 minutes read

Law firms and HIPAA compliance converge whenever your legal services require access to client Protected Health Information (PHI). This guide explains when you are a business associate, how Business Associate Agreements work, your direct liability under the HIPAA Privacy Rule and HIPAA Security Rule, and how to manage vendors.

Use it to align with Covered Entity clients, reduce Subcontractor Liability, and implement a practical Legal Compliance Framework that stands up to scrutiny.

Law Firms as Business Associates

Your firm becomes a business associate when it creates, receives, maintains, or transmits PHI for or on behalf of a Covered Entity or another business associate. The label follows the data and your role, not just the client’s industry.

Once you qualify, HIPAA obligations attach to your people, processes, and systems that touch PHI, including email, eDiscovery platforms, cloud storage, and mobile devices.

Key triggers

  • Using PHI while delivering legal services to a hospital, physician group, or health plan.
  • Hosting or storing ePHI in firm systems or with vendors, even temporarily.
  • Reviewing medical records for compliance audits, billing disputes, or investigations.
  • Receiving PHI under litigation holds, discovery plans, or regulatory requests.

What “on behalf of” means

You act “on behalf of” a Covered Entity client when PHI is what lets you perform the engagement for that client, rather than something you merely encounter. Incidental or transient exposure (a stray medical record in an otherwise unrelated document production, for example) does not by itself make you a business associate; routine or systematic access to PHI in the course of your work does.

Examples of Law Firms as Business Associates

  • Defending a hospital in malpractice suits while reviewing patient charts and expert files.
  • Advising a health plan on HIPAA Privacy Rule compliance and state privacy laws.
  • Conducting internal investigations that require sampling medical records or claims data.
  • Managing eDiscovery platforms that host PHI for litigation or government inquiries.
  • Negotiating provider contracts or acquisitions where diligence includes PHI sets.
  • Handling revenue cycle, coding, or reimbursement appeals that involve PHI.
  • Serving as outside privacy/security counsel overseeing risk analyses and remediation.

Non-Business Associate Scenarios

Not every engagement makes your firm a business associate. Focus on whether PHI is involved and whose interests you serve.

  • Representing an individual patient; disclosures to you are authorized by the patient, not made on behalf of a Covered Entity.
  • Receiving only data that has been de-identified under HIPAA’s Safe Harbor method (the 18 listed identifiers removed) or its Expert Determination method; once properly de-identified, the data is no longer PHI.
  • Advising a company that is not acting for a Covered Entity and does not share PHI.
  • Matters where no PHI is created, received, maintained, or transmitted (for example, purely corporate governance work without data access).

If PHI becomes necessary later, pause and execute a Business Associate Agreement before proceeding.

Business Associate Agreements

A Business Associate Agreement (BAA) is the contract that defines how your firm may use and protect PHI. Treat it as the operational backbone of your Legal Compliance Framework.

Required elements to include

  • Permitted/required uses and disclosures and adherence to the minimum necessary standard.
  • Administrative, physical, and technical safeguards aligned to the HIPAA Security Rule.
  • Obligation to report breaches of unsecured PHI and security incidents to the Covered Entity without unreasonable delay, and in any case within the 60-calendar-day outer limit the Breach Notification Rule sets for business associates (most Covered Entities negotiate a much shorter contractual deadline).
  • Flow-down requirements so subcontractors sign equivalent BAAs.
  • Support for individual rights (access, amendment, accounting) where applicable.
  • HHS audit/cooperation terms and documentation retention duties.
  • Return or destruction of PHI at termination, or continued protections if return is infeasible.
  • Termination for cause upon material breach of HIPAA obligations.

Law-firm-friendly refinements

  • Clear breach-notification timelines (early notice after discovery, detailed notice after risk assessment).
  • Encryption in transit and at rest, key management, and secure file transfer expectations.
  • Limits on offshore storage and expert-witness handling of PHI.
  • Right to audit vendors used for PHI matters and defined remediation timelines.
  • Allocation of forensics and notification costs after a breach.

Direct Liability Under HIPAA

Law firms face direct HIPAA liability independent of client contracts. You must meet Security Rule requirements and specific Privacy Rule provisions that apply to business associates.

Where liability attaches

  • Failure to implement Security Rule safeguards (risk analysis, access controls, encryption, and more).
  • Impermissible uses/disclosures of PHI or violations of minimum necessary.
  • Untimely breach notification to the Covered Entity.
  • Failure to bind subcontractors to the same HIPAA restrictions and safeguards.
  • Failure to provide information needed for individual access, amendments, or accounting when applicable.
  • Failure to cooperate with HHS/OCR investigations or to maintain required documentation.

Enforcement can include tiered civil penalties, corrective action plans, and ongoing monitoring, alongside contractual and reputational consequences.

Best Practices for Law Firms

Build a right-sized Legal Compliance Framework that mirrors how your teams actually handle PHI. Make controls practical, testable, and accountable.

Governance and risk management

  • Appoint a privacy lead and security officer with clear decision authority.
  • Perform and update an enterprise risk analysis at least annually.
  • Inventory PHI data flows across matters, systems, and locations; classify and label PHI.
  • Require a signed BAA at matter intake before PHI is received.

Safeguards that work in practice

  • Least-privilege access, strong authentication, device encryption, and mobile device management.
  • Secure collaboration: encrypted email, secure portals, DLP, vetted eDiscovery hosting, and logging.
  • Harden laptops and cloud storage; segment PHI workspaces; enable audit trails and alerts.
  • Retention and secure destruction rules tailored to litigation holds and client requirements.
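The least-privilege and “audit trails and alerts” safeguards above can be turned into a concrete, repeatable check. The following is an added example, not code from the article or from any product it describes: it reviews a constructed document-management audit log against a matter roster and flags off-team access to a PHI workspace, PHI access from an unmanaged device, and bulk downloads or exports. The pipe-delimited log format, matter IDs, user names and the 100-document threshold are all assumptions.

```python
"""Audit-trail review for segmented PHI matter workspaces.

Added example (not the article's or any vendor's code). Every access
event in a constructed audit log is checked against the matter roster
and a bulk-export threshold; anything off-roster, unmanaged or oversized
becomes an Alert for the security officer to review.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed roster (assumption): which users are on each matter team and
# whether that matter's workspace holds PHI at all.
MATTERS = {
    "M-2024-117": {"phi": True, "team": {"alice", "bob", "paralegal1"}},
    "M-2024-203": {"phi": True, "team": {"carol", "dan"}},
    "M-2024-310": {"phi": False, "team": {"erin"}},
}

# Constructed audit log lines in an assumed pipe-delimited format:
# timestamp | user | managed_device(yes/no) | action | matter | document count
AUDIT_LOG = """\
2024-11-04T09:12:03Z|alice|yes|view|M-2024-117|1
2024-11-04T09:15:41Z|bob|yes|download|M-2024-117|3
2024-11-04T10:02:17Z|erin|yes|view|M-2024-117|1
2024-11-04T10:30:55Z|dan|no|download|M-2024-203|12
2024-11-04T11:45:09Z|carol|yes|export|M-2024-203|850
2024-11-04T12:01:00Z|erin|yes|download|M-2024-310|40
"""

BULK_THRESHOLD = 100  # assumption: larger exports require an approved ticket


@dataclass(frozen=True)
class Alert:
    when: datetime
    user: str
    matter: str
    reason: str


def parse_line(line):
    """Split one audit line into a dict; raises on a malformed line."""
    ts, user, managed, action, matter, count = line.split("|")
    return {
        "when": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "managed": managed == "yes",
        "action": action,
        "matter": matter,
        "count": int(count),
    }


def review_audit_log(log_text, matters=MATTERS, threshold=BULK_THRESHOLD):
    """Return the list of Alerts raised by the PHI-workspace checks."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        matter = matters.get(ev["matter"])
        if matter is None:
            # Access to a workspace the roster does not know about is itself
            # a finding: the PHI inventory and the system have drifted apart.
            alerts.append(Alert(ev["when"], ev["user"], ev["matter"],
                                "access to matter missing from PHI inventory"))
            continue
        if not matter["phi"]:
            continue  # non-PHI workspace: outside the scope of this check
        if ev["user"] not in matter["team"]:
            alerts.append(Alert(ev["when"], ev["user"], ev["matter"],
                                "off-team access to PHI workspace"))
        if not ev["managed"]:
            alerts.append(Alert(ev["when"], ev["user"], ev["matter"],
                                "PHI accessed from unmanaged device"))
        if ev["action"] in {"download", "export"} and ev["count"] > threshold:
            alerts.append(Alert(ev["when"], ev["user"], ev["matter"],
                                f"bulk {ev['action']} of {ev['count']} documents"))
    return alerts


if __name__ == "__main__":
    for a in review_audit_log(AUDIT_LOG):
        print(f"{a.when.isoformat()} {a.user:8} {a.matter} {a.reason}")
```

Run against the constructed log, this reports three alerts: erin viewing a PHI matter she is not staffed on, dan downloading PHI from an unmanaged device, and carol’s 850-document export. erin’s 40-document download from the non-PHI matter is correctly ignored. In a real firm the roster would be pulled from the matter-management system and the log from the DMS or eDiscovery platform, and the three reasons map onto the access-control, MDM and DLP expectations the BAA already commits you to.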

People and response

  • Role-based training for attorneys, staff, experts, and contract reviewers.
  • Tabletop exercises to test incident response and client notification workflows.
  • Vendor due diligence and monitoring; verify Subcontractor Liability and insurance coverage.

Subcontractor Business Associates

Vendors that handle PHI for your matters—cloud hosts, court reporters, eDiscovery providers, transcription and translation services—are subcontractor business associates. The same HIPAA duties follow the data.

What to require from subcontractors

  • Signed BAAs mirroring your promises to the Covered Entity.
  • Security Rule alignment: encryption, access controls, logging, and incident response.
  • Prompt breach and security-incident notice with actionable details.
  • Right to audit or obtain independent assessments; defined remediation timelines.
  • Clear data location and subcontracting chains; restrictions on unapproved offshore processing.
  • Evidence of insurance and explicit Subcontractor Liability terms.

Ongoing oversight

  • Maintain a PHI vendor inventory and review it quarterly.
  • Collect annual control attestations or reports from high-risk vendors.
  • Document PHI handoffs and ensure secure return or destruction at matter close.

Conclusion

When your firm handles PHI for a Covered Entity, you are operating as a HIPAA business associate. Use the BAA as your playbook, extend equivalent controls to subcontractors, and prove compliance through a disciplined, auditable framework.

FAQs

When Are Law Firms Considered Business Associates Under HIPAA?

You are a business associate when you create, receive, maintain, or transmit PHI for or on behalf of a Covered Entity or another business associate. Common triggers include litigation support, compliance advice, investigations, and hosting eDiscovery that contains PHI.

What Are the Requirements for Business Associate Agreements with Law Firms?

BAAs must define permitted uses/disclosures, require Security Rule safeguards, mandate breach reporting, impose minimum necessary, flow down terms to subcontractors, support individual rights where applicable, allow HHS access, and address return or destruction of PHI at termination.

How Does HIPAA Affect Law Firms Handling Subpoenas?

HIPAA permits disclosures for judicial or administrative proceedings with the right process, such as a court order or satisfactory assurances (notice to the individual or a qualified protective order). Even then, disclose only the minimum necessary and follow your client’s and BAA’s procedures.

What Are the Penalties for Law Firms Not Complying with HIPAA?

Penalties follow HIPAA’s tiered civil monetary structure based on culpability and may include corrective action plans and monitoring. Serious violations can also trigger criminal liability for knowing misuse of PHI, as well as contractual and reputational consequences.
