Law firms can be considered business associates under HIPAA if they perform functions or services on behalf of a covered entity that involve the use or disclosure of protected health information (PHI).
When a law firm is a business associate
According to the American Public University, healthcare law firms “help health care providers, including hospitals, nursing homes, and other health care organizations, adhere to various rules that aim to ensure quality patient care and safeguard patient rights. In addition, they guide people in implementing effective risk management strategies, reducing potential liability.” Such services, if they include the handling or exchange of PHI, may render law firms business associates.
A law firm is a business associate if it provides services like:
- Legal representation in cases involving PHI (e.g., malpractice defense, patient privacy lawsuits).
- Contract review for business associate agreements (BAAs).
- Assisting with HIPAA compliance or regulatory investigations.
- Handling subpoenas or litigation requiring access to PHI.
In these cases, the law firm must sign a business associate agreement (BAA) with the covered entity to ensure HIPAA compliance.
When a law firm is not a business associate
A law firm is not a business associate if:
- It provides legal services that do not require access to PHI (e.g., employment law, intellectual property cases).
- It represents an individual patient rather than a covered entity.
- It receives PHI only as part of a legal process (e.g., a subpoena where PHI is disclosed under a court order).
Best practices
Here are some best practices for managing law firms as business associates under HIPAA:
- Sign a business associate agreement (BAA): Ensure the law firm signs a BAA to outline their responsibilities for protecting PHI and ensuring HIPAA compliance.
- Conduct due diligence: Verify the law firm’s understanding of HIPAA and review their compliance policies and procedures.
- Limit PHI access: Disclose only the minimum necessary PHI and define the law firm’s role in accessing and using it.
- Monitor compliance: Regularly audit the law firm’s adherence to HIPAA rules and ensure appropriate safeguards are in place for PHI.
- Data security: Use encryption and other security measures when transmitting or storing PHI, ensuring the law firm follows similar practices.
- Employee training: Train the law firm’s employees on HIPAA requirements and ensure ongoing education on best practices.
FAQs
How can I ensure a law firm is compliant with HIPAA?
Conduct due diligence before hiring a law firm, such as reviewing their HIPAA policies, conducting risk assessments, and regularly auditing their compliance practices.
What should be done if the relationship with the law firm ends?
The BAA should specify how PHI will be handled at the termination of the relationship, including the return or secure destruction of any PHI in the law firm's possession.