Compliance

    HIPAA for Legal Teams Handling PHI

    JE
    Judicio Editorial TeamLegal Technology Experts
    Jun 16, 2026Updated Jun 22, 20269 min read
    A legal team handling protected health information under HIPAA - BAAs, minimum necessary, and safeguards

    TL;DR: Legal teams handle protected health information (PHI) far more than they realise - in personal-injury, medical-malpractice, mass-tort, and employment matters. If you handle PHI for a covered entity you may be a business associate, which means business associate agreements, the minimum-necessary rule, and HIPAA's safeguards apply. Before sending PHI to any AI vendor, confirm the contractual terms - including BAA availability - and consider de-identification.

    HIPAA is usually thought of as a healthcare rule, but it reaches lawyers more often than many realise. Any matter that touches medical records can bring protected health information across your desk, and in some engagements the law firm itself becomes a business associate with direct HIPAA obligations. Add AI tools to the mix and a new question appears: can you put PHI into a vendor's system at all, and under what terms? This guide explains when HIPAA applies to legal teams, what it requires, and how to handle PHI responsibly when AI is part of the workflow. It is general information, not legal advice.

    What is HIPAA, and what counts as PHI?

    HIPAA - the Health Insurance Portability and Accountability Act - sets federal standards in the United States for protecting health information. Its Privacy Rule and Security Rule are enforced by the Department of Health and Human Services, whose HHS Office for Civil Rights publishes the official guidance. Protected health information, or PHI, is individually identifiable health information held or transmitted by a covered entity or its business associate - broadly, health data tied to an identifiable person. Covered entities are health plans, healthcare clearinghouses, and most healthcare providers; business associates are the vendors and service providers - including, sometimes, law firms - that handle PHI on their behalf.

    PHI shows up across a surprising range of practice areas. Anywhere medical condition, treatment, or billing data is in play, HIPAA may be implicated - either because you are a business associate of a covered-entity client or because the records are simply sensitive personal data you must protect.

    Practice areaTypical PHI encountered
    Personal injuryTreatment records, imaging, bills, and provider notes
    Medical malpracticeCharts, operative reports, and expert medical records
    Mass tort and product liabilityPlaintiff medical histories at scale
    Employment and disabilityFMLA, ADA, and workers-compensation medical records
    Estate and elder lawDiagnoses, care records, and capacity assessments

    When is a law firm a business associate?

    A law firm becomes a business associate when it creates, receives, maintains, or transmits PHI in the course of providing services to a covered entity - for example, defending a hospital, advising a health plan, or handling claims for a provider. Business-associate status brings direct HIPAA obligations, not just contractual ones: you must safeguard PHI under the Security Rule and limit its use and disclosure under the Privacy Rule. Importantly, not every matter involving medical records makes you a business associate - representing an injured plaintiff and obtaining records through discovery, rather than on behalf of a covered entity, is a different posture - but the underlying confidentiality and security expectations still apply.

    The distinction is worth pinning down at intake, because it changes your obligations. If a client is a covered entity and you handle PHI to serve them, plan for business-associate status from the outset - including the BAAs you will need with your own downstream vendors, the safeguards you must document, and the breach-reporting duties that attach. If instead you obtain medical records as a plaintiff's representative through discovery, HIPAA may not make you a business associate at all, but protective orders, court rules, and your own professional confidentiality duties still govern how you store, share, and dispose of the records. Either way, the volume of medical data in modern litigation means the question is not whether you will hold sensitive health information but how carefully you will handle it.

    What is a business associate agreement?

    A business associate agreement (BAA) is the contract HIPAA requires between a covered entity and a business associate, and between a business associate and its subcontractors. It defines how PHI may be used and disclosed and commits the parties to safeguard it. The chain matters: if you are a business associate and you pass PHI to a downstream vendor that handles it on your behalf, that vendor generally needs to be under a BAA too. This is the crux for AI tools - a vendor that will process PHI on your behalf typically must be willing and able to do so under a BAA, and you should confirm that before any PHI is uploaded rather than assuming it.

    What does the minimum-necessary standard require?

    The minimum-necessary standard requires limiting the use, disclosure, and request of PHI to the least amount needed to accomplish the purpose. For a legal team, that is both a rule and good hygiene: request the relevant records rather than an entire medical history, scope access so only the people who need PHI can see it, and avoid copying PHI into more systems than necessary. Applied to AI, minimum-necessary argues for de-identifying where you can and for uploading only the records a task actually requires.

    Designed well, minimum-necessary and an AI workflow reinforce each other rather than pull apart. Rather than loading a complete medical file to answer a narrow question, upload only the records the task requires, and use role-based access so the PHI is visible only to the people working the matter. The same instinct applies to outputs: a chronology or a review summary should surface the facts you need without copying every identifier into a new document that then has to be secured in its own right. Building the workflow around the least data needed is both a compliance posture and a practical way to shrink the blast radius if anything is ever exposed - there is simply less PHI sitting in fewer places.

    What safeguards does HIPAA require?

    The Security Rule organises protections into three categories - administrative, physical, and technical safeguards. A legal team handling PHI should be able to point to controls in each, and should expect the same of any vendor in the chain.

    Safeguard typeExamples
    AdministrativeRisk analysis, workforce training, access management, and BAAs
    PhysicalFacility access controls and device and media controls
    TechnicalAccess controls, encryption, audit controls, and integrity checks

    Can you use AI vendors with PHI?

    Can you use AI tools with PHI? Yes, but only on the right terms. The governing questions are whether a BAA is in place with the vendor, how the vendor secures and segregates the data, whether it uses your data to train models, and where the data is hosted. Before sending PHI to any AI vendor, confirm what terms the vendor can offer for PHI - including whether a BAA is available - and do not assume it from a general security page. If the necessary agreement is not in place, do not upload PHI. Where possible, reduce the risk at the source by de-identifying records first. Our overview of AI for regulatory compliance covers the GDPR and HIPAA backdrop together; this post is specifically about handling PHI.

    How does de-identification reduce risk?

    De-identification removes the identifiers that make health information PHI, and properly de-identified data falls outside HIPAA's restrictions. HIPAA recognises two routes: the expert-determination method, where a qualified expert certifies the re-identification risk is very small, and the safe-harbor method, which removes a defined list of identifiers such as names, dates more specific than a year, and granular geographic detail. For legal work, de-identification is a powerful risk-reducer - for instance, when you want AI to analyse patterns across records without exposing individual identities. Be careful, though: free-text medical records can hide identifiers in narrative, so de-identification must be done thoroughly, not superficially.

    De-identification is also not all-or-nothing in practice. Even where you ultimately need identified records, removing or masking identifiers for an initial AI-assisted pass - spotting patterns, building a chronology, screening a large set for relevance - can keep exposure low during the bulk of the work, with fully identified data reserved for the narrower steps that genuinely require it. The aim is to keep PHI out of systems, and out of view, wherever the task does not strictly need it. Where re-identification risk is a live concern, the expert-determination route exists precisely so a qualified statistician can stand behind the judgement rather than leaving it to a checklist.

    What should you verify with Judicio before sending PHI?

    Judicio's general posture is buyer-friendly: it does not train its models on your uploads, hosts on Google Cloud Platform, and provides role-based access with a full audit trail. But PHI deserves a specific, explicit check rather than reliance on a general posture. Treat Judicio as you would any vendor that might handle PHI: confirm what contractual terms it can offer for PHI - including BAA availability - and request its data processing agreement and security documentation, then verify those terms meet your obligations before you upload anything. If your matter requires arrangements a vendor cannot provide, do not send PHI to it, and consider de-identifying the records first. The honest rule of thumb is simple: verify the agreement before the data leaves your control.

    How do you get started?

    Start by spotting PHI in your own caseload: which matters involve medical records, and in which of them are you acting for a covered entity. For those, make sure BAAs are in place up and down the chain, apply minimum-necessary, and document your safeguards. Before adding any AI tool to a PHI workflow, run the vendor question first - what terms can you offer for PHI - and de-identify wherever the task allows.

    You can evaluate Judicio on non-PHI work, or on properly de-identified data, with a 7-day free trial - 500 credits, no credit card required - and raise PHI-specific requirements with us before uploading any protected data. Professional access is $200 per month for 5,000 credits; contact us with your diligence questions. For adjacent guidance, see AI for healthcare law and data security for law firms using AI. This article is general information, not legal advice.

    Frequently Asked Questions

    HIPAA reaches a law firm when it creates, receives, maintains, or transmits protected health information while providing services to a covered entity - for example, defending a hospital or health plan - which can make the firm a business associate. Even when you are not a business associate, handling clients' medical records still demands careful confidentiality and security.

    A BAA is a contract required by HIPAA between a covered entity and a business associate - and between a business associate and its subcontractors - that sets out how PHI may be used and protected. If you handle PHI as a business associate, you generally need a BAA in place with anyone downstream who touches that PHI on your behalf, including vendors.

    Only if the arrangement satisfies HIPAA. Before sending PHI to any AI vendor, confirm what terms the vendor can offer for PHI - including whether a BAA is available - and do not assume it. If the necessary agreement is not in place, do not upload PHI, and consider de-identifying the records first to reduce what counts as PHI.

    It requires you to limit the use and disclosure of PHI to the least information needed for the purpose. In practice, that means not collecting or sharing an entire medical file when a relevant excerpt will do, and scoping access so only the people who need PHI can see it. It is both a HIPAA rule and good risk hygiene.

    Treat Judicio like any vendor that might handle PHI: confirm what terms it can offer for PHI, including BAA availability, and request its data processing agreement and security documentation. Judicio does not train on your uploads, hosts on Google Cloud Platform, and provides role-based access with a full audit trail - but for PHI specifically, verify the contractual terms before you upload.

    TopicsComplianceHIPAAHealthcare LawData SecurityLegal AI

    Ready to Transform Your Legal Workflow?

    Try Judicio free for 7 days — no credit card required.

    Start Free Trial

    Related Articles

    Get started

    Bring cited AI to your practice

    Run your first review free in minutes — or book a demo and see Judicio on your own matters.

    Free trial · No credit card required