HIPAA Compliance for Law Firms Handling Medical Records and Healthcare Cases
TLDR
A law firm becomes subject to HIPAA when it functions as a business associate — when it receives, maintains, or transmits PHI on behalf of a covered entity. This commonly applies to: healthcare organizations' in-house or retained legal counsel who access patient records, personal injury and medical malpractice defense attorneys who receive medical records in discovery, and legal firms retained by hospitals or health systems. Attorney-client privilege does not exempt a firm from HIPAA requirements when PHI is involved — both obligations apply independently.
When law firms become business associates
Law firms are not covered entities under HIPAA. A hospital is a covered entity. A medical practice is a covered entity. A law firm is not — unless it receives protected health information while performing services for one of those organizations.
That qualifier catches a lot of firms off guard.
A personal injury defense firm that receives a plaintiff’s medical records during discovery is handling PHI. A hospital’s outside counsel who reviews patient complaint files is handling PHI. An in-house legal team at a health system that accesses patient records to evaluate a potential claim is handling PHI. In each case, the firm qualifies as a business associate and HIPAA applies directly.
The HIPAA Omnibus Rule (2013) made business associates directly liable for compliance violations. A law firm cannot treat HIPAA exposure as its healthcare client’s problem. If a firm loses a hard drive containing medical records, OCR can investigate and fine the firm independently, regardless of what the covered entity client does.
What HIPAA requires from law firms
The requirements are the same ones that apply to any business associate: a signed BAA with each covered entity client before handling any PHI, technical safeguards for storing and transmitting records, minimum necessary use of patient information, documented staff training, and a breach notification procedure.
The BAA is the starting point. A law firm cannot lawfully receive medical records from a hospital without one. Many firms operating in healthcare litigation have never signed a BAA — they received records because opposing counsel sent them, not because of any formal agreement with a covered entity. That fact pattern is a HIPAA violation for both parties.
Minimum necessary use is the rule that trips up litigation teams most often. Attorneys and paralegals should access only the PHI directly relevant to the matter at hand. A paralegal reviewing records for a billing dispute should not have access to a patient’s full medical history. Document management systems must be configured to enforce this at the access level, not just as a policy on paper.
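One way to enforce minimum necessary use at the access layer rather than only on paper, as an added example that is not code from the page or from PHIGuard: a fail-closed policy check that grants a user a record only if they are assigned to the document's matter and the record category is one that matter type needs, with every decision written to an audit log. The matter types, record categories, user ids and documents are constructed for the example.

```python
# Added example: a minimum-necessary access check for a legal document
# management system. Policy tables, users and documents are constructed.
from dataclasses import dataclass

CATEGORIES = {"billing", "clinical", "imaging", "pharmacy"}  # else denied
# Which record categories each matter type needs (constructed policy):
# a billing dispute needs billing records only, a malpractice defense needs all.
MATTER_NEEDS = {
    "billing_dispute": {"billing"},
    "malpractice_defense": {"billing", "clinical", "imaging", "pharmacy"},
}

@dataclass(frozen=True)
class Matter:
    matter_id: str
    matter_type: str
    staff: frozenset  # user ids assigned to work this matter

@dataclass(frozen=True)
class Document:
    doc_id: str
    matter_id: str
    category: str

AUDIT_LOG = []  # every decision, allowed or denied, kept for later review

def can_access(user, matters, doc):
    """Return (allowed, reason). Fails closed: allow only if the user is on
    the document's matter AND the category is one that matter type needs."""
    matter = matters.get(doc.matter_id)
    if doc.category not in CATEGORIES:
        decision = (False, "unknown record category")
    elif matter is None or user not in matter.staff:
        decision = (False, "user not assigned to matter")
    elif doc.category not in MATTER_NEEDS.get(matter.matter_type, set()):
        decision = (False, "category not needed for matter type")
    else:
        decision = (True, "ok")
    AUDIT_LOG.append((user, doc.doc_id, *decision))
    return decision

# Constructed sample: a billing dispute whose production included the full
# chart, plus a separate malpractice matter staffed by a different attorney.
MATTERS = {
    "M-100": Matter("M-100", "billing_dispute", frozenset({"paralegal.pat"})),
    "M-200": Matter("M-200", "malpractice_defense", frozenset({"atty.lee"})),
}
INVOICE = Document("D-1", "M-100", "billing")
CHART = Document("D-2", "M-100", "clinical")  # over-produced full history
M200_CHART = Document("D-3", "M-200", "clinical")
```

The paralegal on the billing dispute is granted the invoice and denied the chart even though it sits in the same matter, which is the distinction the page is describing.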
The medical records in discovery problem
Discovery in healthcare litigation generates large volumes of PHI moving between parties. Defense counsel receives plaintiff medical records. Expert witnesses receive records for review. Co-counsel at other firms receive records. Each transfer is a potential compliance gap.
Standard email is not an acceptable transmission method for unencrypted medical records. HIPAA’s Security Rule requires encryption in transit for electronic PHI. Firms that routinely exchange medical records via plain email — which is most of them — are operating outside HIPAA’s technical safeguard requirements.
The fix is not complicated: encrypted email (most enterprise email platforms support this), a secure file sharing platform with a signed BAA, or a HIPAA-compliant legal file transfer service. The barrier is usually awareness, not cost.
Expert witnesses who receive PHI for case review are also business associates. If a law firm retains a medical expert and sends them patient records, the firm should have a BAA in place with that expert before transmission.
Document management and file storage
Law firms store medical records in case management systems, document repositories, and on local workstations. Each of these is a potential Security Rule compliance gap.
Standard legal document management platforms vary in their HIPAA support. Some offer BAAs; many do not. Before storing medical records in any system — cloud or on-premise — a firm handling PHI should confirm that the vendor offers a signed BAA and has documented their HIPAA compliance configuration.
Local storage on attorney workstations is the highest-risk scenario. Encrypted hard drives are a Security Rule requirement. A laptop containing unencrypted medical records that gets lost at an airport is a reportable breach.
Staff training for legal teams
Every attorney, paralegal, and administrative staff member who accesses PHI must receive HIPAA training before handling patient records. Training must cover what PHI is, minimum necessary use, how to handle physical records (printed medical records left on a desk are a common gap), secure communication protocols, and how to report a potential incident.
Training must be documented: the date, the attendees, and the content covered. If OCR asks for training records, “we did training” is not a sufficient answer.
How PHIGuard supports law firm HIPAA programs
The administrative overhead of running a HIPAA compliance program at a law firm is real: tracking which staff members have completed training, documenting BAA status with each healthcare client, managing incident response workflows when something goes wrong.
PHIGuard handles the task management and compliance tracking layer. BAA documentation, staff training completion, compliance workflow coordination: these are administrative tasks that require a compliant tool, and most law firms default to whatever project management or email system is already in use.
At $20/month flat (up to 10 staff on the Practice plan), PHIGuard gives healthcare-adjacent law firms a BAA-backed environment for managing the operational side of their HIPAA program, without per-user pricing that scales with headcount.
Source: HHS.gov — Business Associates
| Requirement | Applies to Law Firms? | Notes |
|---|---|---|
| Business Associate Agreement | Yes — when serving covered entity clients | Must be signed before handling any PHI |
| Security Rule (technical safeguards) | Yes | Encrypted email, secure file storage, access controls |
| Privacy Rule | Yes | Minimum necessary use of PHI |
| Breach notification | Yes | Must notify covered entity clients within contractually specified timeframes |
| Staff HIPAA training | Yes | All staff accessing PHI must be trained |
Top Law Firms Segments by Establishment Count
| Segment | Establishments |
|---|---|
| Healthcare defense litigation firms | 15,000 |
| Personal injury firms handling medical records | 80,000 |
| In-house healthcare legal teams | 5,000 |
| Healthcare regulatory counsel | 2,000 |
| Total — LAWFIRM | 450,000+ |
Key Compliance Considerations — Law Firms
Law firms are not inherently covered entities under HIPAA. A law firm becomes a business associate when it performs services for a covered entity and in doing so accesses PHI. Attorney-client privilege does not exempt law firms from HIPAA requirements when they handle PHI. The ABA and state bar associations have addressed HIPAA duties separately from attorney confidentiality obligations — both apply independently.
Common Workflows — Law Firms
Healthcare litigation and medical record review activity tracks with general litigation cycles. Year-end often sees increased settlement activity. Compliance risk for law firms is elevated during discovery phases of healthcare litigation when medical records are transmitted between parties.