Let's get something out of the way: if your law firm handles medical records, you almost certainly have HIPAA obligations. A lot of attorneys think HIPAA only applies to doctors and hospitals. It doesn't. And getting this wrong is expensive.
HIPAA penalties are tiered. The smallest fine for a "didn't know" violation starts at $137 per record (2024 inflation-adjusted minimum, per the HHS Office for Civil Rights), with an annual cap of $34,464 per violation category. Larger settlements published on the HHS Breach Portal regularly run into seven figures — the median resolution agreement in 2023–2024 OCR enforcement actions was over $1 million. For a firm handling thousands of medical record pages, those numbers add up fast. And that's before you factor in the reputational damage of telling your clients their health information was exposed.
This isn't meant to scare you. It's meant to inform you. HIPAA compliance for law firms isn't that complicated once you understand what's actually required. Let's walk through it.
Are you a business associate? (Probably yes.)
Under HIPAA, a "business associate" is any person or organization that performs functions or activities on behalf of a covered entity (doctors, hospitals, insurers) that involve the use or disclosure of protected health information (PHI).
If your firm receives medical records from a healthcare provider as part of litigation, you're handling PHI. If you hired a record retrieval company, a summarization service, or use a cloud tool to process those records, those vendors are your subcontractors and they need Business Associate Agreements too.
The chain looks like this: Hospital sends records to your firm (you're a business associate). Your firm sends records to a cloud OCR service (they're your subcontractor, also a business associate). Everyone in that chain is responsible for protecting the data.
What HIPAA actually requires you to do
HIPAA's requirements for business associates boil down to four big categories:
1. Safeguard PHI at rest and in transit
PHI sitting on your computer needs to be protected. PHI being sent to someone else needs to be encrypted in transit. The specifics:
- Encryption at rest: Files containing PHI should be encrypted when stored. HIPAA doesn't mandate a specific algorithm, but the industry standard is AES-256, which is what NIST (the National Institute of Standards and Technology) recommends. If someone steals your laptop but the files are encrypted with AES-256, it's not a reportable breach under the HIPAA Breach Notification Rule.
- Encryption in transit: If you're sending PHI over the internet (email, cloud upload, file transfer), it needs to be encrypted. TLS 1.2 or higher for web transfers. End-to-end encryption for email. Or better yet: don't send it over the internet at all.
2. Control who can access PHI
Not everyone in your firm should have access to every client's medical records. HIPAA requires "minimum necessary" access, meaning people should only see the PHI they need for their specific job function.
In practice, this means:
- Password-protected computers (yes, that means lock screens when you walk away)
- Role-based access to case files
- Audit trails showing who accessed what and when
- Secure disposal of records when they're no longer needed
3. Have a Business Associate Agreement with every vendor
Every company that touches your clients' medical records needs a signed BAA. This includes:
- Record retrieval services
- Summarization and review vendors
- Cloud storage providers (yes, including Google Drive and Dropbox)
- OCR and document processing services
- IT managed service providers who can access your systems
- Shredding companies
No BAA = no HIPAA compliance. Full stop. If a vendor won't sign a BAA, you shouldn't be sending them medical records.
Need a BAA for your record processing tool?
RecordIQ provides a signed BAA on request. But since all processing happens offline on your machine, you may not even need one. Document data does not leave your computer.
4. Report breaches promptly
If PHI is exposed, you have 60 days to notify affected individuals and HHS (the Department of Health and Human Services). If the breach affects 500 or more people, you also have to notify the media. Yes, the media.
This is why prevention is so much cheaper than response. A single breach notification costs, on average, $220 per record in administrative costs alone. For a firm that exposed 1,000 patient records, that's $220,000 before any fines or lawsuits.
The five most common HIPAA violations at law firms
Based on published HHS enforcement actions and legal-industry compliance guidance, these are the violations that trip up law firms most often:
1. Uploading medical records to cloud services without a BAA
Google Drive, Dropbox, OneDrive, generic cloud OCR tools. If you're uploading medical records to any of these without a BAA in place, you're out of compliance. Some of these services do offer BAAs (Google Workspace, Microsoft 365), but you have to actively request and sign them. The default consumer plans typically don't include one.
2. Emailing unencrypted medical records
Standard email (Gmail, Outlook) is not encrypted end-to-end. Sending medical records as email attachments without encryption is a HIPAA violation. This happens all the time. Attorney asks paralegal to "send over the records," paralegal attaches a PDF to a regular email, and now PHI is sitting unencrypted on multiple mail servers.
3. Shared network drives without access controls
If your firm has a shared drive where everyone can access every case file, that violates the "minimum necessary" standard. The receptionist doesn't need access to medical records. The attorney working on a contract dispute doesn't need access to your PI client's surgical reports.
4. No encryption on laptops and portable devices
Lawyers travel. They take laptops to court, to depositions, to client meetings. If that laptop contains medical records and it's not encrypted, a stolen laptop becomes a reportable breach. Full disk encryption (BitLocker on Windows, FileVault on Mac) is free and solves this entirely.
5. No audit trail for record access
HIPAA requires that you be able to show who accessed PHI and when. If someone asks "Who looked at the Johnson file last Tuesday?", you need to be able to answer that question. Most basic file sharing setups don't provide this. You need either a document management system with audit logging or a processing tool that tracks access events.
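Here is what "minimum necessary" access plus an audit trail looks like in code. This is an added example written for this page in Go; it is not RecordIQ's code or any product's. It uses a small in-memory store with constructed staff names, a constructed matter and file name, and constructed timestamps. Every open is checked against both role and matter assignment, every attempt is logged (denials included), and one query answers the "who looked at the Johnson file last Tuesday?" question from this section and the access-control list above. A real system would write the trail to append-only, access-controlled storage rather than a slice in memory.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role is a job function in the firm. Under "minimum necessary" the role decides
// whether someone handles medical records at all; the matter assignment decides
// which records. Both are constructed for this example.
type Role string

const (
	RoleAttorney  Role = "attorney"
	RoleParalegal Role = "paralegal"
	RoleReception Role = "reception" // front desk never needs PHI
)

// ErrDenied is returned when a request fails the minimum-necessary check.
var ErrDenied = errors.New("access denied: role does not handle PHI or user not assigned to matter")

// AccessEvent is one audit-trail entry: who tried to open what, when, and the outcome.
type AccessEvent struct {
	When    time.Time
	User    string
	Role    Role
	Matter  string
	File    string
	Allowed bool
}

// Store holds matter assignments and an append-only audit trail.
type Store struct {
	assignments map[string]map[string]bool // matter -> users assigned to it
	trail       []AccessEvent
}

// NewStore returns an empty store.
func NewStore() *Store {
	return &Store{assignments: map[string]map[string]bool{}}
}

// Assign records that user works on matter.
func (s *Store) Assign(matter, user string) {
	if s.assignments[matter] == nil {
		s.assignments[matter] = map[string]bool{}
	}
	s.assignments[matter][user] = true
}

// Open enforces minimum necessary and logs every attempt, denied ones included,
// so the trail shows both who saw PHI and who tried to.
func (s *Store) Open(user string, role Role, matter, file string, now time.Time) error {
	allowed := role != RoleReception && s.assignments[matter][user]
	s.trail = append(s.trail, AccessEvent{
		When: now, User: user, Role: role, Matter: matter, File: file, Allowed: allowed,
	})
	if !allowed {
		return ErrDenied
	}
	return nil
}

// WhoAccessed answers "who looked at this file on that day?": the distinct users
// whose successful opens of file fall on the calendar day of day, in day's location.
func (s *Store) WhoAccessed(file string, day time.Time) []string {
	y, m, d := day.Date()
	seen := map[string]bool{}
	var users []string
	for _, ev := range s.trail {
		ey, em, ed := ev.When.In(day.Location()).Date()
		if ev.File == file && ev.Allowed && ey == y && em == m && ed == d && !seen[ev.User] {
			seen[ev.User] = true
			users = append(users, ev.User)
		}
	}
	return users
}

// DeniedAttempts returns the refused requests; a cluster of these is the kind of
// thing a compliance review should look at.
func (s *Store) DeniedAttempts() []AccessEvent {
	var out []AccessEvent
	for _, ev := range s.trail {
		if !ev.Allowed {
			out = append(out, ev)
		}
	}
	return out
}

func main() {
	// Constructed sample: one PI matter, three staff, four access attempts.
	s := NewStore()
	s.Assign("Johnson v. Acme", "dana")   // paralegal on the case
	s.Assign("Johnson v. Acme", "marcus") // attorney on the case

	tue := time.Date(2024, time.March, 12, 9, 30, 0, 0, time.UTC) // a Tuesday
	report := "johnson_surgical_report.pdf"
	s.Open("dana", RoleParalegal, "Johnson v. Acme", report, tue)
	s.Open("marcus", RoleAttorney, "Johnson v. Acme", report, tue.Add(2*time.Hour))
	s.Open("pat", RoleReception, "Johnson v. Acme", report, tue.Add(3*time.Hour)) // denied: role
	s.Open("lee", RoleAttorney, "Johnson v. Acme", report, tue.Add(24*time.Hour)) // denied: not assigned

	fmt.Println("opened the report on Tuesday:", s.WhoAccessed(report, tue))
	for _, ev := range s.DeniedAttempts() {
		fmt.Printf("DENIED %s %s (%s) %s\n", ev.When.Format(time.RFC3339), ev.User, ev.Role, ev.File)
	}
}
```

The point of logging denials as well as successes is that the trail then answers two questions a compliance reviewer asks: who saw the record, and who should not have been trying to.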
How offline processing reduces most of the risk
Here's why we're such strong advocates of desktop-based processing: it removes the most dangerous attack surface entirely.
When records are processed on your local machine:
- No transmission risk. PHI does not travel over the internet. No email, no cloud upload, no API call. Network access is limited to license verification only.
- No vendor chain. There's no third-party processor to evaluate, no BAA to negotiate (for the processing step), and no subcontractor who might get breached.
- Encryption at the point of creation. Good desktop tools encrypt output files immediately. The plaintext only exists in memory during processing. If someone copies the output file, they get an encrypted blob, not readable records.
- Physical access only. The only way to access the records is to be physically sitting at the computer (or have remote access to it). That's a much smaller attack surface than "anyone on the internet who can guess a password."
This doesn't mean desktop processing solves everything. You still need locked screens, disk encryption, access controls, and audit logging. But it reduces the entire category of network-based and vendor-based risk, which is where the vast majority of HIPAA breaches occur.
AES-256 encryption explained (simply)
You'll see "AES-256" mentioned in a lot of compliance conversations. Here's what it actually means, without the computer science jargon.
AES stands for Advanced Encryption Standard. The 256 refers to the key length in bits. Together, they describe a method of scrambling data so that it's unreadable without the correct key.
How unreadable? If you tried every possible key combination to break AES-256 encryption, and you could try a trillion combinations per second, it would take longer than the age of the universe to crack it. It's the same standard the U.S. government uses for classified information.
For law firms, the practical implication is simple: if your output files are encrypted with AES-256, and someone steals your hard drive or your laptop, the data is safe. Under the HIPAA Breach Notification Rule, encrypted data that gets exposed is not a reportable breach, because it's considered "unsecured PHI" only if it's not encrypted to NIST standards.
That's a massive difference. Stolen laptop with unencrypted medical records = breach notification to every affected patient, HHS, and potentially the media. Stolen laptop with AES-256 encrypted records = not a reportable breach.
Your HIPAA compliance checklist for record processing
Here's a practical checklist you can work through this week:
- Inventory your tools. List every software tool and service that touches medical records. Cloud tools, email, shared drives, OCR services, review vendors.
- Check for BAAs. For each tool/vendor, confirm you have a signed BAA. If not, get one or stop using the service.
- Enable disk encryption. Turn on BitLocker (Windows) or FileVault (Mac) on every computer that handles medical records.
- Set up access controls. Restrict case file access to people who need it. Use folder permissions at a minimum.
- Encrypt output files. Make sure any reports, spreadsheets, or extracted data from medical records are encrypted at rest.
- Stop emailing unencrypted records. Use encrypted file transfer or, better yet, process everything locally so there's nothing to send.
- Document everything. HIPAA compliance isn't just about doing the right things. It's about being able to prove you did them. Keep records of your policies, BAAs, training, and risk assessments.
None of this is rocket science. Most of it is free or nearly free. The expensive part is the breach that happens when you don't do it.
Process records the secure way
RecordIQ: 33 processing tools, AES-256-GCM encryption on all output, zero data transmission, offline architecture. Designed with HIPAA, PIPEDA, and SOC 2 principles in mind.
Request a Demo of RecordIQ
Request a demo and be first to process records at $0/page with 33 built-in tools. No cloud. No per-page fees.