Legal Disclaimer
This guide provides general information about HIPAA compliance for educational purposes only. It does not constitute legal advice. Consult with a healthcare compliance attorney for guidance specific to your practice.
Personal injury attorneys. Medical malpractice firms. Disability lawyers. Workers' compensation practices. If your firm touches medical records — and most do — HIPAA affects how you collect, store, transmit, and delete client documents. Most firms aren't as compliant as they think they are.
The consequences of non-compliance aren't theoretical. The HHS Office for Civil Rights has collected well over $135 million in HIPAA settlements and civil penalties since enforcement began, and its recent actions have reached business associates and technology vendors, not only hospitals and health plans. This guide walks through what HIPAA requires for document collection and how to meet those requirements without a six-figure compliance project.
Does HIPAA Even Apply to Law Firms?
Short answer: it depends on your relationship with the data. The longer answer requires understanding two key HIPAA categories:
Covered Entities are healthcare providers, health plans, and healthcare clearinghouses. Most law firms are not covered entities.
Business Associates are entities that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a covered entity. Here's where law firms often get caught.
If your firm receives medical records directly from a hospital or health plan, even on behalf of your client, you may qualify as a Business Associate and be subject to HIPAA requirements. If your client hands you their own medical records, you are usually not acting on behalf of a covered entity, but the picture is less clear-cut than that sounds, and state privacy and bar rules still apply.
The safest posture: assume HIPAA-equivalent standards apply to any medical records that pass through your firm. The downside of over-compliance is minimal. The downside of under-compliance can be catastrophic.
The Six HIPAA Requirements That Affect Document Collection
1. Encryption in Transit and at Rest
Every document containing PHI should be encrypted when transmitted and when stored. The Security Rule labels encryption an "addressable" safeguard rather than a strictly required one, but unencrypted PHI that is lost or stolen is a reportable breach, while PHI encrypted to HHS guidance falls under the breach-notification safe harbor, so in practice there is no defensible reason to skip it. Ordinary email is not reliably encrypted end to end. The usual bar is AES-256 for stored data and TLS 1.2 or higher for transmission.
❌ Non-compliant practices
- Clients emailing medical records to you as attachments
- Storing records in unencrypted local drives or standard Dropbox
- Using file-sharing links that don't require authentication
✅ Compliant alternatives
- Encrypted client portals with authenticated access
- AWS S3 with server-side AES-256 encryption (CaseHug's approach)
- HIPAA-compliant cloud storage with BAA
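The "server-side encryption on S3" alternative above is only as good as the rule that stops someone uploading around it. The block below is an added example, not CaseHug's code or configuration: it builds an S3 bucket policy that refuses plaintext (non-TLS) requests and refuses uploads that do not ask for AES-256 server-side encryption, and pairs it with a small offline mirror of the two Deny statements so the rules can be checked without an AWS account. The bucket name is a placeholder; the condition keys (`aws:SecureTransport`, `s3:x-amz-server-side-encryption`) are real IAM keys.

```python
"""Added example (not CaseHug's code): an S3 bucket policy that blocks
unencrypted uploads and non-TLS access, plus an offline check that mirrors
the policy's two Deny statements. The bucket name is a placeholder."""
import json
from typing import List, Optional


def bucket_policy(bucket: str) -> dict:
    """Return a bucket policy enforcing TLS in transit and AES-256 at rest."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 1. Refuse any request that did not arrive over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # 2. Refuse uploads that are not server-side encrypted with AES-256.
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
                },
            },
        ],
    }


def policy_json(bucket: str) -> str:
    """The policy as the JSON document you would attach to the bucket."""
    return json.dumps(bucket_policy(bucket), indent=2)


def deny_reasons(action: str, secure_transport: bool,
                 sse_header: Optional[str]) -> List[str]:
    """Offline mirror of the two Deny statements: returns the Sids that would
    fire for a request with the given action, transport and SSE header.
    An empty list means the policy does not block the request."""
    reasons = []
    if not secure_transport:
        reasons.append("DenyInsecureTransport")
    # IAM's StringNotEquals also matches when the key is absent, so a
    # PutObject with no x-amz-server-side-encryption header is denied too.
    if action == "s3:PutObject" and sse_header != "AES256":
        reasons.append("DenyUnencryptedUploads")
    return reasons


if __name__ == "__main__":
    print(policy_json("example-firm-client-uploads"))
    print(deny_reasons("s3:PutObject", True, None))       # unencrypted upload
    print(deny_reasons("s3:GetObject", False, None))      # plaintext HTTP read
    print(deny_reasons("s3:PutObject", True, "AES256"))   # allowed by this policy
```

Note that a Deny statement only blocks; the uploader still needs an Allow from its own IAM role, and nothing here covers objects that were already in the bucket before the policy was attached.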
2. Business Associate Agreements (BAAs)
Every technology vendor that handles PHI on your behalf must have a signed Business Associate Agreement. This is a contractual requirement — not a checkbox. The BAA defines what the vendor can do with the data, their security obligations, and what happens in case of a breach.
Common BAA gaps we see:
- Using consumer Google Drive or Dropbox (no BAA available on free/standard plans)
- Document management systems that offer a BAA but haven't signed one with you
- Email providers without HIPAA-compliant configurations
3. Minimum Necessary Access
HIPAA requires that access to PHI be limited to the minimum necessary to accomplish the intended purpose. This means:
- Paralegals who don't need to see medical records shouldn't have access
- Client portal links should expire automatically rather than stay valid indefinitely
- A sharing link should not work for whoever it is forwarded to; tie each link to an authenticated recipient
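One way to get both properties above, expiry and resistance to forwarding, in a single portal link. This is an added example, not CaseHug's implementation: the link carries a short set of claims (matter, recipient, expiry) signed with an HMAC, and the server accepts it only if the signature checks, the expiry has not passed, and the logged-in user is the recipient it was issued to. The secret, matter ID and user IDs are placeholders.

```python
"""Added example (not CaseHug's code): an expiring, HMAC-signed portal link
that is also bound to its recipient, so a forwarded link fails even before
it expires. Secret, matter and user identifiers are placeholders."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_link(secret: bytes, matter_id: str, client_id: str,
              ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a token for one client on one matter, valid for ttl_seconds."""
    issued = int(now if now is not None else time.time())
    claims = {"matter": matter_id, "sub": client_id, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_link(secret: bytes, token: str, authenticated_user: str,
                now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the link is intact, unexpired and presented by the
    user it was issued to; otherwise None. The signature is checked first so
    that no claim from a forged token is ever trusted."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if current >= claims["exp"]:
        return None   # expired: the URL may still sit in an inbox, but it is dead
    if claims["sub"] != authenticated_user:
        return None   # forwarded: the portal login does not match the recipient
    return claims


if __name__ == "__main__":
    SECRET = b"replace-with-a-random-32-byte-key"   # placeholder
    link = make_link(SECRET, "matter-2024-0417", "client@example.com", 7 * 24 * 3600)
    print(link)
    print(verify_link(SECRET, link, "client@example.com"))
    print(verify_link(SECRET, link, "someone-else@example.com"))   # None
```

The recipient check is what makes "don't forward this link" enforceable rather than a request: the link on its own never grants access, the portal login does, and the link only scopes that login to one matter for a limited time.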
4. Audit Trails
Every access to PHI must be logged: who accessed it, when, from where. This includes internal access by staff, not just client uploads. Most generic document storage systems don't provide adequate audit trails.
What a proper audit trail looks like: timestamp, user ID, IP address, action performed (view, download, modify, delete) and the document it was performed on. Keep the log for at least six years, the HIPAA documentation retention period, and keep it append-only so that an entry cannot be quietly edited or removed.
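An added example (not CaseHug's code) of what such a log can look like in practice. It records the fields named above for each access and goes one step further than the text: each entry also carries a SHA-256 hash over itself and the previous entry's hash, so that a log line that is later edited or deleted breaks the chain and the tampering is detectable. The sample entries, user names and IP addresses are constructed for illustration.

```python
"""Added example (not CaseHug's code): an append-only, hash-chained audit
log carrying timestamp, user ID, IP address, action and document.
Sample entries below are constructed for illustration."""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64
FIELDS = ("ts", "user", "ip", "action", "doc")


def _digest(prev_hash: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode()).hexdigest()


def append_entry(log: List[dict], ts: str, user: str, ip: str,
                 action: str, doc: str) -> dict:
    """Append one access record, chained to the entry before it."""
    record = {"ts": ts, "user": user, "ip": ip, "action": action, "doc": doc}
    prev = log[-1]["hash"] if log else GENESIS
    entry = dict(record, prev=prev, hash=_digest(prev, record))
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Optional[int]:
    """Return None if every entry links correctly to the one before it,
    otherwise the index of the first entry whose hash or back-pointer is
    wrong (an edited line, or a gap left by a deleted one)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in FIELDS}
        if entry["prev"] != prev or entry["hash"] != _digest(prev, record):
            return i
        prev = entry["hash"]
    return None


def accesses_to(log: List[dict], doc: str) -> List[Tuple[str, str, str, str]]:
    """Who touched a given document, when, from where, and what they did."""
    return [(e["ts"], e["user"], e["ip"], e["action"])
            for e in log if e["doc"] == doc]


def build_sample_log() -> List[dict]:
    """Constructed sample: three accesses across two documents."""
    log: List[dict] = []
    append_entry(log, "2024-03-01T09:12:03Z", "paralegal.ann", "203.0.113.7",
                 "view", "med-records-2024-0417.pdf")
    append_entry(log, "2024-03-01T09:14:40Z", "paralegal.ann", "203.0.113.7",
                 "download", "med-records-2024-0417.pdf")
    append_entry(log, "2024-03-01T11:02:15Z", "attorney.bob", "198.51.100.23",
                 "view", "intake-form-0417.pdf")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) is None)
    print(accesses_to(log, "med-records-2024-0417.pdf"))
    log[1]["action"] = "view"          # someone rewrites history
    print("first bad entry:", verify_chain(log))
```

In a real deployment the log would be written to storage the application can only append to, and the latest hash anchored somewhere the application cannot rewrite (a separate log account, a WORM bucket, a periodic signed checkpoint), so that an attacker who can rewrite the whole file cannot simply recompute the chain.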
5. Data Retention and Disposal
HIPAA sets minimum retention requirements (6 years for BAA and HIPAA policies; state law governs medical record retention for covered entities). Equally important: secure disposal. Documents must be permanently deleted — not just moved to trash — in ways that prevent reconstruction.
For law firms, this means having a documented data retention policy and a system that actually enforces it. "We delete old files when we remember to" is not a retention policy.
6. Breach Notification
If PHI is compromised — a document emailed to the wrong person, a database breach, a stolen laptop — HIPAA requires that affected individuals be notified without unreasonable delay and no later than 60 days after discovery, and that HHS be notified (immediately for breaches affecting 500 or more individuals, otherwise in an annual report). For breaches affecting more than 500 residents of a single state or jurisdiction, prominent media outlets must also be notified.
Most law firms have no breach response plan. This is a significant compliance gap.
The Compliance Checklist for Document Collection
- Encrypted client portal for document uploads (no email attachments)
- Business Associate Agreement with every technology vendor
- Automatic link expiration on client portal access
- Complete audit trail: who accessed what, when, from where
- Role-based access controls limiting who sees PHI
- Written data retention policy (documented, enforced)
- Secure deletion capability for expired documents
- Breach notification procedure (written, rehearsed)
- Staff HIPAA training (annual, documented)
- US-only data storage (required for most state courts)
What CaseHug Handles for You
HIPAA compliance is not the same as security — it's a specific regulatory framework with specific requirements. CaseHug was built with HIPAA as a constraint, not an afterthought:
- AES-256 encryption for all stored documents, TLS 1.3 in transit
- Signed BAA available for all Firm plan subscribers
- Automatic link expiration — client portal access expires per your settings
- Complete audit trail — every access logged with IP, user, timestamp, action
- US-only storage on AWS us-east-1
- Configurable data retention with automatic secure deletion
- Role-based access so staff only see what they need
What CaseHug doesn't handle: your internal staff training, your written policies and procedures, and your breach response plan. Those are your responsibility — but they're not hard to get right.
Getting Compliant Without Hiring a Consultant
For most law firms, getting to defensible HIPAA compliance for document collection doesn't require a $40,000 compliance project. Here's the practical path:
1. Audit your current document collection touchpoints
List every way client documents come into your firm. Email? Text? Physical mail? Each one needs a compliance answer.
2. Sign BAAs with every technology vendor
Google Workspace (Business tier+), your practice management software, document storage, and any intake tools. If they won't sign a BAA, they shouldn't handle your PHI.
3. Move client uploads to an encrypted portal
This eliminates the biggest compliance gap for most firms: unsecured email attachments.
4. Write a two-page data retention policy
When data is deleted. Who approves exceptions. How deletion is logged. Two pages is enough.
5. Do 30-minute annual HIPAA training for staff
Document it and keep the records. HHS expects evidence that training happened and is repeated, not a particular curriculum.
The Bottom Line
HIPAA compliance for law firms isn't optional if you touch medical records — but it's also not as complex as most attorneys fear. The biggest gap is almost always the same: collecting documents via unencrypted email or consumer-grade file sharing tools.
Fix that first. Sign your BAAs. Write your retention policy. Train your staff. You'll be ahead of 80% of law firms and meaningfully protected against the most common compliance failures.
HIPAA-compliant intake, out of the box
CaseHug includes encryption, audit trails, BAA, and automatic expiration. Start compliant on day one.