Office Consumer is reader-supported. We may earn an affiliate commission from qualified links on our site.

Does HIPAA Apply to Lawyers? (w/Examples) + FAQs

Yes, HIPAA can apply to lawyers, but only when a lawyer’s work brings them inside the federal privacy rules as a “business associate” of a covered entity, or when the firm itself operates something that is a covered entity, typically its own self-insured employee health plan. The Health Insurance Portability and Accountability Act of 1996 does not name “lawyers” as a regulated class, yet the definitions at 45 CFR 160.103 and the Privacy Rule at 45 CFR Part 164 pull attorneys in the moment they create, receive, maintain, or transmit protected health information (PHI) on behalf of a hospital, health plan, or healthcare clearinghouse.

The problem sits at the intersection of attorney-client privilege, state bar confidentiality duties, and federal privacy law. When a lawyer represents a doctor, hospital, insurer, or self-insured employer health plan, the lawyer often handles medical charts, billing records, and claims files. Under the HITECH Act of 2009, Congress extended direct civil and criminal liability to business associates, which means a law firm can face federal penalties for the same conduct that once only exposed its client.

The stakes are high and growing. The HHS Office for Civil Rights received reports of more than 725 breaches affecting 500 or more individuals in 2023 alone, covering over 133 million people, and law firms sit squarely in the crosshairs as soft targets for ransomware and phishing.

  • ⚖️ When HIPAA legally applies to your law practice and when it does not
  • 📝 How to draft, sign, and audit a HIPAA-compliant Business Associate Agreement
  • 💰 The full civil and criminal penalty tiers, updated for 2024 inflation adjustments
  • 🏥 Real fact patterns in personal injury, med mal, estate, employment, and healthcare regulatory work
  • 🛡️ State privacy overlays in California, New York, Texas, and beyond that stack on top of HIPAA

The Federal HIPAA Framework Explained in Plain English

HIPAA is not one rule. It is a stack of federal regulations built on the statute at 42 USC 1320d and implemented through the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. Each rule has its own hooks that can catch a law firm.

The Privacy Rule controls who can use and disclose PHI. The Security Rule controls how electronic PHI must be protected technically, physically, and administratively. The Breach Notification Rule forces fast reporting when PHI is exposed. The Enforcement Rule tells OCR how to investigate and fine.

Who Counts as a Covered Entity

A covered entity is defined at 45 CFR 160.103 as a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a standard transaction. Hospitals, physician practices, dentists, psychologists, pharmacies, Medicare, Medicaid, and most employer-sponsored group health plans all qualify.

A lawyer is not a covered entity simply by practicing law. A solo attorney writing a will does not become a covered entity because a client happens to mention a heart condition. The line is crossed when the lawyer performs a function or activity involving PHI on behalf of a covered entity, which is the business associate path. A misconception lawyers often hold is that representing a doctor on a malpractice matter automatically makes the firm a covered entity. That is wrong. The firm is a business associate, not the covered entity, and the distinction changes which rules apply and how.

Who Counts as a Business Associate

Under 45 CFR 160.103, a business associate is any person or entity that creates, receives, maintains, or transmits PHI to perform a function or activity on behalf of a covered entity, or that provides legal, actuarial, accounting, consulting, or similar services to a covered entity where the service involves disclosure of PHI. The regulatory definition itself lists legal services, and OCR guidance repeats the point: a lawyer whose work for a covered entity requires access to PHI is a business associate.

The consequence of that status is direct federal liability, not just contractual exposure. A real example: a small New York law firm representing a hospital in a billing dispute receives patient ledgers by email. The moment those ledgers hit the firm’s server, HIPAA attaches. A common misconception is that attorney-client privilege shields the firm from HIPAA. Privilege protects communications in litigation, but it does not override 45 CFR 164.502(e)’s business associate requirements.

What Counts as Protected Health Information

PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in any form, whether electronic, paper, or oral. The 18 identifiers listed in the safe-harbor de-identification standard at 45 CFR 164.514(b)(2) (names, geographic units smaller than a state, all elements of dates except year, telephone numbers, Social Security numbers, medical record numbers, biometric identifiers, full-face photographs, and so on) mark what must be removed before information stops being PHI. If a lawyer’s file has a plaintiff’s name next to a diagnosis code, it is PHI.

The consequence of ignoring PHI status is steep. A lawyer who emails unencrypted PHI to opposing counsel may trigger a reportable breach. An example: an employment lawyer receives FMLA medical certifications from a corporate client’s group health plan and forwards them by regular Gmail. That single email can launch an OCR investigation. A misconception is that stripping the patient’s name makes the file safe. It does not: safe-harbor de-identification requires removing all 18 identifier classes (dates of service, ZIP codes, record numbers and the rest), and the entity must have no actual knowledge that the remaining data could still identify the individual.
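As an added illustration (not code from the original article), the following Python scanner shows why name-only stripping fails the safe-harbor test. It looks for the identifier classes a regular expression can plausibly catch (SSN, phone, email, month/day-level dates, MRN, street address, ZIP, ages over 89) in a constructed chart excerpt, then redacts them and re-scans. The sample text, the pattern set and the function names are this example’s own assumptions. A clean scan is necessary but not sufficient for safe harbor, because names, photographs, device serials and “any other unique identifying number” cannot be found by pattern alone.

```python
import re

# Constructed sample (not real patient data): a chart excerpt in a litigation
# file from which only the patient's name was removed.
SAMPLE_EXCERPT = """Patient: [NAME REMOVED]
DOB: 03/14/1961    MRN: 00483921
Dx: E11.9 Type 2 diabetes mellitus, age 91 at admission
Address: 4412 Maple St, Cedar Rapids, IA 52402
Phone: (319) 555-0142    Email: jdoe61@example.com
SSN: 123-45-6789
Admitted 2024-02-03, discharged 2024-02-07
"""

# Identifier classes from the 45 CFR 164.514(b)(2) safe-harbor list that a
# regex can plausibly catch in free text (an assumption of this example, not an
# official pattern set). Names, photographs, device serials, biometrics and
# "any other unique identifying number" cannot be found this way, so an empty
# scan result is necessary, not sufficient, for safe harbor.
# Order matters for redaction: the more specific tokens run first.
IDENTIFIER_PATTERNS = [
    ("ssn",            re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone",          re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.]\d{4}\b")),
    ("email",          re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    # Safe harbor allows a bare year; month/day-level dates must go.
    ("full_date",      re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
    ("mrn",            re.compile(r"\bMRN:?\s*\d{6,}\b", re.IGNORECASE)),
    ("street_address", re.compile(
        r"\b\d{1,6}\s+(?:[A-Z][a-z]+\s+)+(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive)\b")),
    ("zip",            re.compile(r"\b\d{5}(?:-\d{4})?\b")),
    # Ages over 89 must be collapsed into a single "90 or older" bucket.
    ("age_over_89",    re.compile(r"\b(?:age|aged)\s+(?:9\d|1[0-9]\d)\b", re.IGNORECASE)),
]


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return every identifier class found in `text`, mapped to the matched tokens."""
    hits: dict[str, list[str]] = {}
    for label, pattern in IDENTIFIER_PATTERNS:
        found = pattern.findall(text)
        if found:
            hits[label] = found
    return hits


def is_safe_harbor_clean(text: str) -> bool:
    """True when none of the scannable identifier classes remain in `text`."""
    return not find_identifiers(text)


def redact(text: str) -> str:
    """Replace each detected identifier with a bracketed class placeholder."""
    for label, pattern in IDENTIFIER_PATTERNS:
        text = pattern.sub(f"[{label.upper()}]", text)
    return text


if __name__ == "__main__":
    # Name-only stripping leaves seven identifier classes behind.
    for label, tokens in find_identifiers(SAMPLE_EXCERPT).items():
        print(f"{label:15s} {tokens}")
    print("clean before redaction:", is_safe_harbor_clean(SAMPLE_EXCERPT))
    cleaned = redact(SAMPLE_EXCERPT)
    print(cleaned)
    print("clean after redaction: ", is_safe_harbor_clean(cleaned))
```

Run it before a file leaves the firm; a non-empty result from find_identifiers means the document is still PHI and must travel under the BAA, a qualified protective order, or the patient’s authorization rather than as “de-identified” data.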


When HIPAA Applies to Lawyers: The Trigger Points

A lawyer falls under HIPAA when one of three triggers fires. First, the lawyer is retained by a covered entity and will access PHI to do the job. Second, the firm sponsors a self-insured employee health plan; the plan is a covered entity in its own right, and the firm as plan sponsor takes on the plan-sponsor obligations at 45 CFR 164.504(f). Third, the lawyer is a subcontractor to another business associate and touches PHI downstream.

Representing Healthcare Providers

When a firm defends a hospital in a medical malpractice suit, reviews staff privilege disputes, or negotiates a physician employment agreement that includes patient-panel data, HIPAA attaches. The OCR business associate guidance makes this explicit.

The consequence of skipping a BAA in this setting is a HIPAA violation for both the hospital and the firm. An example: Attorney Sarah Chen at a regional firm represents a 200-bed hospital in a wrongful-death defense. She pulls the decedent’s full chart. Without a signed BAA, the hospital has disclosed PHI without the satisfactory assurances 45 CFR 164.502(e)(1) requires, and Sarah’s firm is a business associate regardless, because the status follows from the function performed, not from the contract; it now holds PHI with none of the safeguards a BAA would have documented. A misconception is that the litigation hold and protective order in court substitute for a BAA. They do not; a qualified protective order under 45 CFR 164.512(e) governs what the parties may do with records produced in the case and is not the contract 45 CFR 164.504(e) requires.

Representing Health Plans and Insurers

Group health plans, HMOs, and long-term care insurers are covered entities. Lawyers who handle ERISA appeals, subrogation, or benefit denials for these plans routinely see PHI. The DOL ERISA rules sit alongside HIPAA, not instead of it.

The consequence of mishandling plan PHI is dual liability under ERISA fiduciary rules and HIPAA. An example: Attorney Marcus Rivera represents a self-insured employer’s group health plan in a denied-claim appeal. The claim file contains mental health records. Mishandling those records can trigger HIPAA penalties and fiduciary breach claims. A misconception is that the plan sponsor (the employer) and the plan are the same entity. HIPAA treats them separately, and the firewall between them is strict.

Personal Injury and Medical Malpractice Plaintiffs’ Work

Plaintiffs’ lawyers usually receive PHI through a signed HIPAA authorization from their own client, or through a subpoena under 45 CFR 164.512(e). That pathway generally does not convert the plaintiffs’ firm into a business associate, because the firm is representing the patient, not the provider.

The consequence of confusing these roles is often unnecessary paperwork or, worse, overlooking real HIPAA duties on the defense side. An example: Attorney Priya Desai represents a car-crash plaintiff and requests medical records using her client’s signed authorization. Her firm is not a business associate of the hospital. However, the same records sent to defense counsel’s firm may trigger business associate status on the defense side if the defense firm represents the hospital. A misconception is that all lawyers in a med-mal case are subject to HIPAA equally; they are not.

Estate Planning, Elder Law, and Guardianship

Estate planners and elder law attorneys regularly handle powers of attorney for healthcare, HIPAA authorizations, and advance directives under state analogs to the Uniform Health-Care Decisions Act. These documents authorize disclosure but do not typically make the lawyer a business associate of the client’s doctor.

The consequence of sloppy HIPAA authorization drafting is that hospitals will reject the form, delaying care decisions. An example: Attorney Jordan Park drafts a POA for an 82-year-old client. If the HIPAA authorization does not meet the six core elements of 45 CFR 164.508(c), hospitals can refuse to release records. A misconception is that a standard durable POA automatically includes HIPAA authority. It does not unless drafted to include the specific HIPAA elements.

Employment Law and Workers’ Compensation

Employment lawyers touch PHI through ADA accommodation files, FMLA certifications, and workers’ comp medical reports. EEOC guidance requires employers to keep medical files separate, but that does not, by itself, trigger HIPAA. HIPAA applies to the group health plan side of an employer, not the employer as employer.

The consequence of conflating the two roles is severe. An example: Attorney Lauren Mitchell advises an HR director who emails a sick-leave medical note to four managers. That disclosure may violate the ADA and state privacy law, though it may or may not be a HIPAA violation depending on whether the information came from the group health plan. A misconception is that all workplace medical information is PHI. It is not; PHI is a defined HIPAA term tied to covered entities.


The Business Associate Agreement in Depth

The Business Associate Agreement is the contract that binds a law firm to HIPAA on behalf of a covered entity. OCR publishes a sample BAA that lawyers can adapt. A BAA is not optional; it is required by 45 CFR 164.504(e).

Required Elements of a BAA

A valid BAA (45 CFR 164.504(e)(2)) must describe the permitted and required uses and disclosures of PHI, forbid uses beyond those allowed, require appropriate safeguards (including Security Rule compliance for electronic PHI), require reporting of security incidents and breaches, require subcontractor BAAs carrying the same restrictions, support the individual’s access, amendment, and accounting rights, require the return or destruction of PHI at termination where feasible, and make the business associate’s books and records available to HHS.

The consequence of missing any required element is that the BAA fails and both sides sit unprotected. An example: a firm’s BAA omits subcontractor flow-down. The firm then outsources e-discovery to a vendor. That vendor touches PHI with no BAA, and both the firm and the hospital are exposed. A misconception is that signing any BAA template is enough. OCR settlements have repeatedly cited missing or inadequate BAAs as a violation in their own right.

Scenarios That Force a BAA

Legal service engagement and the HIPAA outcome:

  • Law firm defends a hospital in a med-mal suit and receives patient charts: BAA required before PHI is transmitted.
  • Law firm drafts physician employment contracts with no PHI access: no BAA required and no business associate status.
  • Law firm represents a plaintiff suing the hospital using the patient’s own authorization: no BAA with the hospital; the firm represents the patient directly.

Fees and Drafting Economics

BAA drafting and negotiation adds real cost. Large healthcare systems often require firms to accept the system’s form BAA without changes, which shifts liability toward the firm. Smaller firms sometimes try to negotiate caps on breach-related indemnity. The American Health Law Association publishes negotiation checklists.

The consequence of accepting a one-sided BAA is uncapped indemnity exposure that can exceed malpractice policy limits. An example: Attorney Rafael Gomez signs a hospital’s BAA with unlimited indemnity. His firm later suffers a phishing breach, and the hospital’s notification costs alone exceed $800,000. A misconception is that malpractice insurance covers all HIPAA breaches. Many policies exclude regulatory fines entirely.


Penalties and Enforcement: What Lawyers Risk

OCR enforces HIPAA civilly. The DOJ handles criminal HIPAA cases under 42 USC 1320d-6. State attorneys general also have HITECH authority to sue under 42 USC 1320d-5(d).

Civil Monetary Penalty Tiers

The civil penalty schedule has four tiers keyed to culpability, and OCR adjusts the dollar figures for inflation every year, most recently in August 2024. The lowest tier covers violations the entity did not know about and could not have known about with reasonable diligence. The top tier covers willful neglect that is not corrected within 30 days.

Under the 2024 adjustment, Tier 1 penalties start at $141 per violation and run up to $71,162 per violation; Tier 4 penalties start at $71,162 per violation; and every tier carries an annual cap of $2,134,831 for identical violations. OCR has also announced, in a 2019 notice of enforcement discretion, that it will apply lower annual caps to the first three tiers ($25,000, $100,000 and $250,000) pending rulemaking, while the willful-neglect tier keeps the full cap. The consequence of a willful-neglect finding is therefore catastrophic: a firm that ignores a known vulnerability can face the top tier at its full annual ceiling. A misconception is that first-time offenders get a free pass. OCR has imposed seven-figure settlements on first-reported breaches when the underlying facts showed willful neglect.

Criminal Penalties

Criminal HIPAA violations at 42 USC 1320d-6 reach a person who knowingly obtains or discloses individually identifiable health information in violation of the statute: up to $50,000 and 1 year in prison for a knowing violation, up to $100,000 and 5 years if committed under false pretenses, and up to $250,000 and 10 years if committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.

The consequence of crossing into criminal territory is personal liability for the individual lawyer, not just the firm. An example: a paralegal sells celebrity medical records to a tabloid; the supervising attorney who knew and did nothing can face criminal exposure. A misconception is that corporate-entity status shields individual lawyers. It does not in criminal cases.

Recent Enforcement Snapshots

OCR’s enforcement highlights include settlements with business associates, not only covered entities; OCR’s first ransomware settlement, announced in October 2023 with Doctors’ Management Services, was with a business associate. Law firms have been named in breach reports filed by covered-entity clients.

The consequence of appearing on OCR’s “Wall of Shame” for breaches affecting 500 or more people is reputational harm that outlives the fine. A firm listed publicly loses healthcare clients quickly. A misconception is that settling with OCR ends the exposure. Class actions by patients often follow.


State Privacy Laws That Stack on HIPAA

HIPAA sets a federal floor. States can go higher under the preemption rule at 45 CFR 160.203. Lawyers must run a preemption analysis, not assume HIPAA alone controls.

California Confidentiality of Medical Information Act

The CMIA at Cal. Civ. Code 56 et seq. applies to providers, health plans, contractors as CMIA defines them, and any person or entity that receives medical information under an authorization, which reaches law firms holding California medical records. Its scope is broader than HIPAA’s, and section 56.36 provides a private right of action.

The consequence of a CMIA violation is a civil penalty of up to $2,500 per negligent violation, up to $25,000 per knowing and willful violation, and up to $250,000 where the disclosure was for financial gain, plus $1,000 nominal damages per person in a private suit without proof of actual harm. An example: a California firm representing a clinic mismanages a file drive and exposes 2,000 records; CMIA exposure alone can reach millions. A misconception is that HIPAA preempts CMIA. It does not; where CMIA is more stringent than HIPAA it survives preemption and controls.

New York SHIELD Act

The New York SHIELD Act expands breach notification and requires reasonable security for “private information,” a defined set of identifiers (Social Security, driver’s license, account and card numbers, biometric data, and online credentials) that medical files routinely contain. Any business holding New York residents’ private information falls under it, wherever the firm sits.

The consequence is additional notification duties and New York attorney general enforcement. An example: a Manhattan firm suffers a ransomware attack touching client medical files; the SHIELD Act triggers a separate notification track. A misconception is that HIPAA’s breach notification is enough. An entity that notifies under HIPAA is deemed to satisfy the SHIELD notice to affected individuals, but it still has to notify the New York attorney general.

Texas HB 300

Texas HB 300 (Tex. Health & Safety Code ch. 181) defines “covered entity” to include anyone who assembles, collects, stores, or transmits PHI, and requires training within 90 days of hire and at least every two years. Law firms that routinely handle Texas patient data fall inside.

The consequence of noncompliance is a civil penalty of up to $5,000 per negligent violation, $25,000 per knowing or intentional violation, and $250,000 where PHI is used for financial gain, with an annual ceiling of $1.5 million for a pattern of violations. An example: a Houston firm onboards a healthcare client without training associates; an audit surfaces noncompliance. A misconception is that online HIPAA CLEs automatically satisfy HB 300. They often do not, because HB 300 requires training tailored to the entity’s own handling of PHI.

Illinois, Florida, Washington, and Beyond

Illinois’ BIPA reaches biometric data often tied to health files. Florida’s FIPA sets breach notification. Washington’s My Health My Data Act went further in 2024, regulating consumer health data outside HIPAA entirely.

The consequence of missing a state overlay is multi-jurisdictional liability. An example: a national firm with clients in five states must comply with all five plus HIPAA. A misconception is that the strictest state sets the rule everywhere; each state’s law applies to its residents’ data.


Real Scenarios Lawyers Face

Fact pattern and the HIPAA result:

  • Firm represents a hospital; an associate emails unencrypted PHI to an expert witness: presumptive reportable breach if the message reaches anyone but the intended recipient, and a flow-down failure if the expert has no subcontractor BAA.
  • Firm represents a PI plaintiff and obtains records under the client’s own signed authorization: no business associate status; HIPAA is not directly triggered.
  • Firm’s cloud e-discovery vendor suffers ransomware exposing hospital PHI: firm and vendor are both liable, as business associate and subcontractor respectively.

Scenario One: The Subpoena Trap

A defense firm issues a subpoena for a plaintiff’s pre-accident medical records. 45 CFR 164.512(e) allows the provider to respond only with satisfactory assurances, which means notice to the patient or a qualified protective order.

The consequence of skipping the assurances is that the hospital must refuse. An example: Attorney David Kim issues a subpoena without a protective order; the hospital rejects it, delaying discovery by months. A misconception is that a subpoena alone compels production. It does not under HIPAA.

Scenario Two: The Ransomware Event

A mid-sized firm representing three hospitals suffers a ransomware attack. Under OCR ransomware guidance, a ransomware event affecting PHI is presumed a breach unless a low-probability-of-compromise analysis proves otherwise.

The consequence is the business associate’s notification duty under 45 CFR 164.410: without unreasonable delay and no later than 60 calendar days after discovery, and often much sooner under the BAA’s own reporting clause. An example: Attorney Nina Patel’s firm must notify each hospital within the BAA deadline and in no case later than 60 days; the hospitals then notify patients, OCR and, for breaches of 500 or more residents of a state, the media. A misconception is that paying the ransom eliminates the reporting duty. It does not.

Scenario Three: The Departing Associate

An associate leaves a firm and takes client files containing PHI to her new firm. The transfer without proper safeguards is a disclosure outside the BAA.

The consequence is a HIPAA breach at the origin firm and a Model Rule 1.9 conflict analysis at the new firm. An example: Attorney Elena Ruiz leaves her firm with a thumb drive of hospital files; both firms face investigation. A misconception is that the associate’s personal ethics duty substitutes for HIPAA safeguards. It does not.


Mistakes to Avoid

  1. Skipping the BAA because the client is a long-standing relationship. The consequence is direct federal liability for both sides.
  2. Using personal email or unencrypted attachments for PHI. The consequence is a presumptive breach under the Breach Notification Rule.
  3. Assuming attorney-client privilege shields all PHI disclosures. The consequence is a misplaced defense when OCR investigates.
  4. Forgetting subcontractor BAAs with e-discovery, cloud, translation, or courier vendors. The consequence is derivative liability for every downstream touch.
  5. Relying on a generic cyberliability policy without regulatory coverage. The consequence is uncovered OCR fines and response costs.
  6. Ignoring state privacy overlays like CMIA or HB 300. The consequence is parallel state enforcement on top of HIPAA.
  7. Failing to train all staff, not just lawyers. The consequence is easy phishing compromise and willful-neglect findings.
  8. Storing closed files with PHI indefinitely. The consequence is expanded breach scope and longer retention risk.
  9. Using personal devices without mobile device management. The consequence is lost-phone breaches with no remote wipe.
  10. Confusing a protective order with a BAA. The consequence is a structural HIPAA gap OCR will find.

Do’s and Don’ts for Law Firms

Do’s

  • Do run a written risk analysis under 45 CFR 164.308(a)(1), because it is the first document OCR requests in an investigation.
  • Do encrypt PHI at rest and in transit with FIPS 140-validated cryptographic modules, consistent with the NIST guidance HHS cites (SP 800-111 for stored data, SP 800-52 for TLS), because PHI encrypted that way is not “unsecured PHI” and its loss is not a reportable breach.
  • Do train every employee annually, because human error drives most breaches.
  • Do maintain an incident response plan with a 60-day notification clock, because the Breach Notification Rule is unforgiving.
  • Do execute BAAs before any PHI moves, because retroactive BAAs do not cure past violations.

Don’ts

  • Don’t email PHI to personal accounts, because it creates a presumptive breach.
  • Don’t let partners opt out of HIPAA training, because OCR expects universal compliance.
  • Don’t keep PHI longer than client engagement requires, because retention expands breach scope.
  • Don’t accept hospital BAAs without reading indemnity clauses, because unlimited indemnity can dwarf the engagement fee.
  • Don’t assume your IT vendor is HIPAA-compliant, because you must verify and sign a subcontractor BAA.

Pros and Cons of Representing Covered Entities

Pros

  • Stable, recurring revenue from hospitals and health plans, because healthcare is a large and regulated sector.
  • Premium rates for specialized healthcare regulatory counsel, because the rules are technical.
  • Long client relationships, because switching healthcare counsel is costly for covered entities.
  • Cross-sell opportunities into labor, tax, and transactional work, because healthcare clients have broad legal needs.
  • Skill moat that new competitors cannot easily cross, because HIPAA expertise takes years to build.

Cons

  • Direct HIPAA liability under HITECH, because firms are now business associates with their own exposure.
  • Expensive cybersecurity infrastructure, because the Security Rule demands administrative, physical, and technical controls.
  • Restrictive BAAs with unlimited indemnity, because large systems push risk downstream.
  • Breach notification stress, because a single ransomware event can trigger months of work.
  • State privacy overlays, because CMIA, HB 300, and SHIELD add complexity on top of federal rules.

Key Rulings and Guidance Lawyers Should Know

Byrne v. Avery Center for Obstetrics & Gynecology, 314 Conn. 433 (2014), held that HIPAA can inform the standard of care in state negligence claims, even though HIPAA has no private right of action. The Connecticut Supreme Court opinion shows how HIPAA can still reach lawyers indirectly through tort duties.

ABA Formal Opinion 483 requires lawyers to take reasonable steps to prevent data breaches and to notify clients of actual breaches, independent of HIPAA. The consequence is that even non-HIPAA lawyers owe breach duties. A misconception is that ABA 483 and HIPAA are the same standard; ABA 483 is broader in some ways and narrower in others.

The 2013 Omnibus Rule made business associates directly liable and expanded subcontractor flow-down. Every lawyer handling PHI today operates under the post-Omnibus framework.


Process: Building a HIPAA Compliance Program at a Law Firm

Step 1: Scope Your Exposure

Identify every engagement that touches PHI. List covered-entity clients, business-associate clients, and plaintiff matters involving medical records. The consequence of incomplete scoping is blind spots OCR will exploit.

Step 2: Appoint Privacy and Security Officers

45 CFR 164.308(a)(2) requires a designated security official, and it applies to business associates directly. The privacy official requirement at 45 CFR 164.530(a) is written for covered entities, but naming one is the practical way for a firm to meet its BAA obligations. The consequence of naming no one is an easy finding in an OCR audit.

Step 3: Conduct a Written Risk Analysis

Document threats, vulnerabilities, likelihood, and impact. Update annually. The consequence of no written risk analysis is the single most-cited deficiency in OCR enforcement.

Step 4: Implement Safeguards

Encrypt, segment networks, enforce multi-factor authentication, and log access. The consequence of weak controls is both a breach and a willful-neglect finding.

Step 5: Train and Retrain

Train new hires within a reasonable time and retrain annually. Document every session. The consequence of undocumented training is a presumed failure to train.

Step 6: Prepare Incident Response

Build a playbook that maps to the 60-day clock. Pre-engage breach counsel and a forensics vendor. The consequence of improvising during a breach is missed deadlines and higher penalties.


FAQs

Are all lawyers subject to HIPAA?

No. Only lawyers who create, receive, maintain, or transmit PHI on behalf of a covered entity or another business associate fall inside HIPAA. Most general-practice lawyers do not.

Does HIPAA apply to personal injury lawyers?

No, not directly in most cases. Plaintiffs’ PI lawyers usually obtain medical records using the client’s own HIPAA authorization, which does not make the firm a business associate of the provider.

Do criminal defense lawyers need HIPAA training?

No, not as a rule. Criminal defense work rarely triggers business associate status, but lawyers still owe ethical confidentiality duties under state bar rules and should handle medical evidence carefully.

Is a Business Associate Agreement always required?

Yes, whenever a lawyer will access PHI to provide legal services to a covered entity. 45 CFR 164.504(e) makes the BAA mandatory before PHI is shared.

Can a law firm face HIPAA fines directly?

Yes. Since the HITECH Act and the 2013 Omnibus Rule, business associates, including law firms, can be fined directly by OCR under the four-tier civil penalty structure.

Does attorney-client privilege override HIPAA?

No. Privilege protects communications in litigation but does not exempt a law firm from business associate duties, BAA requirements, or breach notification rules.

Must a lawyer encrypt email containing PHI?

Yes, as a practical matter. Encryption is an addressable specification under the Security Rule, so a firm may document an equivalent alternative, but unencrypted ePHI is “unsecured PHI”: if the message reaches the wrong mailbox or is intercepted, the breach safe harbor is unavailable and the incident is presumed reportable.

Does HIPAA preempt state privacy law?

No. HIPAA sets a federal floor, and stricter state laws like CMIA, HB 300, and the SHIELD Act stack on top under 45 CFR 160.203.

Can a subpoena force a hospital to release PHI to a lawyer?

No, not by itself. Under 45 CFR 164.512(e), the hospital needs satisfactory assurances of notice to the patient or a qualified protective order.

Do lawyers need to notify clients of a data breach?

Yes. Business associate firms must notify the covered-entity client without unreasonable delay and no later than 60 days after discovery under 45 CFR 164.410 (and sooner if the BAA says so), and ABA Formal Opinion 483 adds independent ethical duties toward the firm’s own clients.

Are paralegals and legal assistants covered by HIPAA?

Yes, through the firm. When a firm is a business associate, every employee touching PHI is bound by the firm’s HIPAA obligations and must be trained and supervised.

Does malpractice insurance cover HIPAA penalties?

No, usually not. Most legal malpractice policies exclude regulatory fines; separate cyberliability coverage with regulatory endorsements is typically required.