Most law firms do not think of themselves as healthcare entities. Many of them misjudge what HIPAA means for their practice.

If your firm handles medical records in personal injury cases, workers' compensation claims, disability claims, healthcare litigation, or any matter where client protected health information passes through your practice, HIPAA may impose significant obligations on how you handle that information. The failure to comply is not just a regulatory problem. It can result in civil penalties, criminal referrals, and client harm that triggers separate malpractice exposure.

This guide covers when HIPAA applies to law firms, what the rules require, how to respond to a breach, and how state privacy laws often go further than the federal standard.

Disclaimer: This article is for general information only and does not constitute legal advice. HIPAA compliance requirements are complex and fact-specific. Consult qualified healthcare law counsel for guidance specific to your practice situation.

When HIPAA Applies to Your Law Firm

HIPAA's Privacy Rule and Security Rule apply to "covered entities" (healthcare providers, health plans, and healthcare clearinghouses) and their "business associates." A business associate is any person or entity that performs functions or activities on behalf of a covered entity that involves the use or disclosure of protected health information (PHI).

Law firms become business associates when they:

Law firms are generally NOT business associates when they receive PHI from or on behalf of their own clients (the patients) rather than from a covered entity. A personal injury attorney who obtains a client's medical records from the treating physician on the client's behalf is typically acting on behalf of the patient, not the covered entity, and HIPAA's business associate rules do not apply in that posture.

The practical question: did you receive the PHI from a covered entity in the course of performing services for that covered entity? If yes, you are likely a business associate and HIPAA's requirements apply. If you received PHI from or on behalf of the patient/client, the analysis is different and often more favorable, though state laws may impose separate requirements.

Business Associate Agreements: What You Need to Sign

If your firm qualifies as a business associate of a covered entity, you must have a Business Associate Agreement (BAA) in place before handling any PHI. The BAA is a contract between the covered entity and the business associate that specifies:

A covered entity that provides PHI to a business associate without a BAA in place is in violation of HIPAA. So is a business associate that receives PHI knowing no BAA exists. If you are routinely receiving PHI from a hospital system or health plan in the course of legal work and there is no BAA in your file, that is a compliance gap that needs to be addressed promptly.

The Three Safeguard Requirements

When HIPAA applies, it requires implementation of three categories of safeguards:

Administrative safeguards: Written policies and procedures for handling PHI, training for all staff who access PHI, a designated privacy officer, and a process for responding to complaints. For a small law firm, this typically means a written HIPAA policy, annual staff training, and documentation of how PHI is received, stored, and destroyed.

Physical safeguards: Controls over physical access to PHI. Files containing PHI must be stored in locked file cabinets. Workstations with access to electronic PHI must be in areas where unauthorized individuals cannot view the screen. Paper PHI must be disposed of by shredding, not recycling.

Technical safeguards: Controls over electronic PHI (ePHI). Encryption of ePHI at rest and in transit, access controls limiting who can view ePHI, audit logs showing who accessed what, and automatic logoff for unattended workstations. Email containing PHI must be encrypted or the recipient must be informed that standard email is not encrypted and given the option of a more secure delivery method.

What Counts as a HIPAA Breach and What to Do

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. Not every incident involving PHI is a reportable breach. There are three exceptions: the unauthorized person who acquired the information could not reasonably have retained it, the disclosure was an inadvertent one between employees, or the risk of harm to the individual is low.

When a breach occurs, the response timeline is:

  1. Discovery and containment: Identify what happened, stop ongoing exposure, and preserve evidence
  2. Risk assessment: Determine whether the incident meets the definition of a reportable breach using the four-factor test (nature of PHI, who received it, whether it was actually acquired or viewed, and mitigation actions taken)
  3. Notification to covered entity: If you are a business associate, notify the covered entity without unreasonable delay and no later than 60 days after discovery
  4. Documentation: Document the incident, the risk assessment, the notification, and any corrective actions taken

The covered entity is then responsible for notifying affected individuals and, in some cases, HHS. As a business associate, your obligation is to notify the covered entity promptly.

State Privacy Laws That Go Further Than HIPAA

HIPAA sets a federal floor, not a ceiling. Several states have enacted health information privacy laws that impose stricter requirements:

California: The California Confidentiality of Medical Information Act (CMIA) applies to any business that maintains medical information and imposes separate obligations that apply regardless of whether the entity is a HIPAA covered entity or business associate. Civil penalties can reach $250,000 per incident for intentional disclosure.

New York: New York's SHIELD Act expanded the definition of private information to include biometric information and expanded breach notification requirements. The NY HITECH Act imposes additional obligations on covered entities doing business in New York.

Texas: The Texas Medical Records Privacy Act extends HIPAA-like obligations to a broader set of entities than the federal law and imposes separate civil and criminal penalties for violations.

If you handle PHI involving clients in multiple states, you need to comply with the most restrictive applicable standard, which may be a state law rather than HIPAA.

Building a HIPAA Compliance Program for a Small Firm

A HIPAA compliance program for a small law firm does not require a compliance officer and a 200-page manual. It requires a few concrete things:

  1. Determine whether your practice is a business associate for any covered entity clients
  2. If yes, confirm BAAs are in place with each covered entity client
  3. Write a one- to three-page HIPAA policy covering how PHI is received, stored, accessed, transmitted, and destroyed
  4. Train all staff who handle PHI on the policy (document the training)
  5. Implement the technical controls: encryption for email and file storage, access controls, and screen privacy where PHI is visible
  6. Create a breach response plan so you know what to do if something goes wrong

Most law firms manage health information the same way they manage other client documents: stored in the practice management system, transmitted by email, and accessed by whoever needs to see it. That approach works until it does not. The firms that have built proper controls around PHI handling have also found that the same infrastructure that supports HIPAA compliance supports data security generally. If you want to see how that connects to your intake and communication systems, book a free audit call. For related data security guidance, see our post on law firm data security: protecting client confidentiality.