
However, HIPAA’s applicability extends to legal services when those services involve access to, use, or disclosure of protected health information (PHI). According to the Innovations in Clinical Neuroscience study ‘HIPAA Compliance: A Common Sense Approach’, “Coverage under HIPAA is triggered by specific transactions with health plans done electronically. Only ‘covered entities’ are required to comply with HIPAA and thus are subject to the government’s enforcement of HIPAA…Even the entities that are not covered can have liability exposure for breach of confidentiality under the criminal provisions of HIPAA as well as under state law.”
Legal professionals who represent covered entities or work with PHI when providing legal advice or services may fall under HIPAA regulations as business associates. This means that when a law firm or attorney receives PHI from a healthcare provider to assist in matters such as compliance, litigation, or regulatory advice, it is required to protect that information according to HIPAA standards.
Legal professionals as business associates
Legal professionals become business associates under HIPAA when they perform functions or activities on behalf of covered entities that involve the use or disclosure of PHI. According to HIPAA regulations, a business associate is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Legal professionals qualify as business associates when they provide legal services that require access to PHI.
For example, a law firm hired by a hospital to conduct internal audits or respond to HIPAA breach investigations would be considered a business associate because the firm handles PHI in the course of providing these services. In such cases, HIPAA mandates that the covered entity and the legal professional enter into a business associate agreement (BAA) that outlines the responsibilities and safeguards the legal professional must uphold to protect PHI. An excerpt from Patient Confidentiality notes, “These third-party entities must provide the hospital with a business associate agreement that the requirements of HIPAA are understood and are being followed.”
However, if legal professionals provide services that do not require access to PHI, they are not considered business associates under HIPAA.
Legal services that do not trigger HIPAA applicability
According to a study published in Frontiers in Reproductive Health ‘Medical-legal partnerships: An integrated approach to advance health equity and improve health outcomes for people living with HIV,’ “One communication challenge specifically mentioned was the sharing of information among MLP partners without compromising attorney-client privilege or violating HIPAA regulations.”
The determining factor for HIPAA applicability is whether the legal service requires the lawyer or law firm to create, receive, maintain, or transmit PHI on behalf of a covered entity. If the legal service is purely administrative or unrelated to patient health information, HIPAA’s privacy and security rules do not apply.
Legal services that do not involve access to, use, or disclosure of PHI generally do not trigger HIPAA applicability. For example, legal counsel providing general corporate advice, contract negotiation unrelated to healthcare data, intellectual property matters, or employment law services that do not require handling PHI would fall outside HIPAA’s scope. Legal professionals advising on matters such as real estate transactions, estate planning, or criminal defense that do not involve PHI are not subject to HIPAA regulations.
What happens if no BAA is signed
If no business associate agreement (BAA) is signed between a covered entity and a legal professional, or any other business associate that handles protected health information (PHI), compliance and legal risks may arise. HIPAA requires covered entities to have a BAA in place with any business associate before disclosing PHI.
The absence of a BAA means there is no formal contractual obligation for the business associate to comply with HIPAA’s privacy and security requirements. This gap can lead to unauthorized disclosures or mishandling of PHI without clear accountability or remediation procedures.
The journal article ‘Top Five HIPAA Lessons Learned: A Review of HHS Resolution Agreements’, published in the peer-reviewed Innovations in Clinical Neuroscience, provides notable instances of the consequences of not having a BAA in place:
- “Advanced Care Hospitalists PL agreed to pay $500,000 to OCR and adopt a corrective action plan to settle potential HIPAA violations. Advanced Care provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. In 2011, Advanced Care contracted with an individual for medical billing services. Although he appeared to be representing Doctor’s First Choice Billings, the individual provided billing services without the owner’s permission. Eventually, Advanced Care was notified that the PHI of over 9,000 individuals had been publicly viewable on First Choice’s website. Upon investigation, OCR found patient information had been improperly disclosed to First Choice as the two parties had never entered into a BAA.
- The Center for Children’s Digestive Health (CCDH) paid HHS $31,000 to settle potential HIPAA violations and agreed to a corrective action plan. CCDH is a small, pediatric healthcare provider that operates in Illinois. HHS began an investigation of business associate, FileFax, Inc., which stored records containing protected health information for CCDH. Although CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed BAA prior to Oct. 12, 2015.
- Pagosa Springs Medical Center, a critical access hospital, agreed to pay $111,400 to OCR and adopt a corrective action plan to settle potential HIPAA violations. In addition to other violations, OCR found that Pagosa had impermissibly disclosed the ePHI of at least 557 to a web-based scheduling calendar vendor without first having a BAA in place.”
Litigation and discovery: navigating HIPAA
HIPAA’s Privacy Rule governs the disclosure of protected health information (PHI) in litigation and legal discovery primarily through its “required by law” and “judicial and administrative proceedings” provisions.
According to a journal article written by Dr Bryan A. Liang ‘Patient Information Privacy: HIPAA Provisions and Patient Safety Issues,’ “Exceptions to authorization requirements include use for health oversight activities, public health activities, and research. Additionally, law enforcement, legal proceedings, marketing, public safety and welfare circumstances, and listing in facility patient directories require no or limited patient approval.
It is important to note, however, that the use and disclosure of patient information must be performed under the restrictions and requirements of the HIPAA rules.” Covered entities may release PHI in response to a valid court order or, if no court order exists, when the requesting party provides either:
- Satisfactory assurances that the individual whose PHI is sought received timely notice of the request, or
- A qualified protective order that limits the use and mandates the return or destruction of the PHI at the end of the proceeding.
These mechanisms aim to balance the judiciary’s need for evidence with individuals’ privacy rights under HIPAA.
Covered entities include health plans, health care providers, and health care clearinghouses, as well as their business associates. PHI subject to these disclosure rules encompasses any information that identifies an individual and relates to their health condition, health care provision, or payment for health care.
De-identified data, which have had all identifiers removed according to the Privacy Rule’s standards, fall outside HIPAA’s scope and remain discoverable under ordinary legal processes. Entities seeking protection for non-PHI information, such as proprietary provider data or registry metadata, cannot invoke HIPAA to block discovery.
Satisfactory assurances under the Privacy Rule require covered entities to obtain from the requesting party a written statement and documentation showing a good-faith attempt to notify the individual or to secure a protective order. Notice must include enough detail about the legal proceeding to allow the individual to object, and the individual must have a reasonable opportunity to do so before disclosure occurs.
A qualified protective order must prohibit PHI use beyond the litigation, require return or destruction of PHI after the case, and may be either a court-issued order or a stipulation filed with the court. HIPAA’s protections coexist with other legal doctrines and statutes. State physician–patient privilege laws, for example, can independently bar the introduction of medical records or testimony in court and generally exempt privileged information from discovery.
Certificates of Confidentiality issued by HHS protect identifiable research data from compelled disclosure in legal or administrative proceedings, but only for studies that have specifically applied for and received such Certificates. The Patient Safety and Quality Improvement Act creates a separate privilege for patient safety work product reported to certified Patient Safety Organizations, but it does not extend to underlying medical records or reports kept outside those systems.
FAQs
Can protected health information (PHI) be disclosed during a lawsuit or legal proceeding?
Yes, HIPAA allows PHI to be disclosed during legal proceedings under specific conditions.
What is a "qualified protective order" under HIPAA?
A qualified protective order is a court or administrative order that:
- Prohibits parties from using or disclosing PHI for any purpose other than the litigation or proceeding.
- Requires the return or destruction of PHI at the end of the litigation.
Does HIPAA preempt state laws regarding medical privacy in litigation?
Not necessarily. HIPAA sets a federal baseline for privacy protections, but state laws that are more stringent still apply. Courts must reconcile HIPAA with state evidentiary rules, privilege doctrines, and health privacy statutes.