HIPAA and AI: What Law Firms Are Getting Wrong

PHI Changes Everything
AI tools need data to work. When that data includes protected health information, every system that touches it becomes subject to HIPAA. Law firms are not covered entities under HIPAA, but they become business associates the moment they create, receive, maintain, or transmit PHI on behalf of a covered entity (or of another business associate), for example when defending a hospital or advising a health plan. PHI that reaches a case file by other routes, such as records produced in discovery by an opposing party, does not by itself create business associate status, but it still deserves the same handling discipline, because the firm will rarely know at intake which records came with HIPAA obligations attached. Business associate status carries real obligations: a signed Business Associate Agreement, breach notification duties, direct liability under the Security Rule, and the minimum necessary standard for data access.
Consumer AI products, including many popular writing assistants and document summarization tools, are not designed with HIPAA in mind. They may retain user inputs for model training, store conversations on shared infrastructure, or lack the audit logging required under the Security Rule. Using these tools with PHI is not a gray area. It is a violation. The one exception is data that has been de-identified to the Privacy Rule's standard (45 CFR 164.514), which is no longer PHI; a redacted record that still carries names, dates, or medical record numbers does not qualify. Law firms need to evaluate whether an AI vendor will sign a Business Associate Agreement. If the vendor will not, that tool cannot legally touch PHI. Our Cybersecurity practice helps law firms evaluate AI vendors against HIPAA requirements before deployment.
Technical Controls Are Enforceable, Not Optional
HIPAA's Security Rule requires covered entities and business associates to implement technical safeguards for access control, audit controls, integrity, person or entity authentication, and transmission security. When AI is part of the workflow, each of these requirements extends to the AI system and to the path between the firm and the vendor. In practice that means encryption at rest and in transit, multi-factor authentication on the accounts that reach the tool, role-based access so only staff assigned to a matter can submit its PHI, and audit logs that record which user sent what to which vendor and when. Two details matter for the logs: they should be protected from editing or deletion, since an unverifiable log is of little use in a breach investigation, and they should not themselves become another uncontrolled copy of PHI, so store a digest or reference to the content rather than the full prompt wherever the use case allows.
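The paragraph above describes controls; the following is an added illustration, not code from the original article or from any product it mentions. It is a minimal policy gateway that sits between staff and an external AI vendor and enforces three of the safeguards named: a vendor allowlist limited to vendors with a signed BAA, a per-matter role check before PHI is forwarded, and an append-only hash-chained audit log whose entries store a digest of the prompt rather than the prompt itself. The vendor names, roles, matter IDs and sample prompt are constructed for the example; the `send` callable stands in for a real vendor client.

```python
"""Added example, not part of the original article.  A policy-enforcing
gateway between law-firm staff and an external AI vendor.  Vendor names,
roles, matter IDs and prompts below are constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed vendor register.  Only vendors with a signed BAA that do not
# train on customer inputs may receive PHI.
VENDOR_REGISTER = {
    "vendor-a": {"baa_signed": True, "trains_on_inputs": False},
    "consumer-chat": {"baa_signed": False, "trains_on_inputs": True},
}

# Constructed per-matter access list: which roles may submit PHI on a matter
# (the "minimum necessary" standard applied at the gateway).
MATTER_ACL = {
    "matter-1001": {"attorney", "paralegal"},
    "matter-1002": {"attorney"},
}

GENESIS = "0" * 64  # hash of the non-existent entry before the first one


class PolicyViolation(Exception):
    """Raised when a request fails a check.  Nothing is sent to the vendor."""


def prompt_digest(prompt: str) -> str:
    """Log a digest of the prompt, not the text, so the audit log does not
    become another copy of PHI while still tying an entry to a request."""
    return hashlib.sha256(prompt.encode()).hexdigest()[:16]


def _entry_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only log.  Each entry embeds the hash of the previous entry, so
    editing or deleting any entry breaks the chain and verify() reports it."""
    entries: list[dict] = field(default_factory=list)

    def record(self, **fields) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"ts": datetime.now(timezone.utc).isoformat(), "prev": prev, **fields}
        entry = {**body, "entry_hash": _entry_hash(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


class AIGateway:
    def __init__(self, audit: AuditLog, send):
        self.audit = audit
        self.send = send  # callable(vendor, prompt) -> response text

    def submit(self, user: str, role: str, matter: str, vendor: str,
               prompt: str, contains_phi: bool = True) -> str:
        """Forward a prompt only if every control passes; every decision,
        allowed or denied, is written to the audit log.  contains_phi defaults
        to True so that an unclassified request fails closed."""
        common = dict(user=user, role=role, matter=matter, vendor=vendor,
                      prompt_digest=prompt_digest(prompt))
        reason = None
        spec = VENDOR_REGISTER.get(vendor)
        if spec is None:
            reason = "unknown vendor"
        elif contains_phi and (not spec["baa_signed"] or spec["trains_on_inputs"]):
            reason = "vendor not approved for PHI (no BAA or trains on inputs)"
        elif contains_phi and role not in MATTER_ACL.get(matter, set()):
            reason = "role not authorized for PHI on this matter"
        if reason is not None:
            self.audit.record(**common, decision="denied", reason=reason)
            raise PolicyViolation(reason)
        response = self.send(vendor, prompt)
        self.audit.record(**common, decision="forwarded")
        return response


def demo() -> AuditLog:
    """Run one allowed and two denied requests and return the audit log."""
    audit = AuditLog()
    gw = AIGateway(audit, send=lambda v, p: f"[{v}] summary of {len(p)} chars")
    gw.submit("jdoe", "paralegal", "matter-1001", "vendor-a",
              "Summarize the attached patient chart for the deposition outline.")
    for args in (("jdoe", "paralegal", "matter-1001", "consumer-chat"),
                 ("jdoe", "paralegal", "matter-1002", "vendor-a")):
        try:
            gw.submit(*args, "Same chart, different destination.")
        except PolicyViolation:
            pass
    return audit


if __name__ == "__main__":
    log = demo()
    for e in log.entries:
        print(e["decision"], e.get("reason", ""), e["vendor"], e["prompt_digest"])
    print("audit chain intact:", log.verify())
```

The gateway treats every request as PHI unless the caller says otherwise, which is the right default for a firm that cannot classify records reliably at intake. The hash chain is a simple integrity control for a single log file; in production the same idea is usually delegated to a write-once log store or a SIEM with tamper-evident storage.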
Before deploying any AI tool in a practice area that touches health information, firms should conduct formal vendor assessments. Review the vendor's security documentation and any third-party attestation (a SOC 2 report or HITRUST certification, for example), confirm data processing and retention policies for both prompts and outputs, verify whether customer data is used to train models and whether that setting can be turned off and proven, identify the vendor's subprocessors and whether they are bound by the same terms, and confirm geographic data residency if applicable. Keep the findings with the signed BAA. A BAA without documented due diligence provides limited protection if a breach occurs and regulators ask what the firm knew about the vendor before trusting it with PHI.

Training, Policy, and the Cost of Getting It Wrong
The most hardened technical environment can be undermined by an employee pasting patient records into an unapproved AI tool. HIPAA training must be updated to address AI use explicitly: which tools are approved, what categories of information cannot enter those tools, and what to do when there is uncertainty. Training should be documented, including who completed it and when. In a breach investigation, whether staff were trained and when becomes part of the record.
Many firms have general data security policies that predate AI adoption entirely. Those policies do not address AI-specific risks such as prompt injection through documents the tool reads (a file in the record that carries instructions aimed at the model), fabricated details in AI output being taken as facts from a patient's record, or AI tools caching or retaining sensitive content beyond the session. AI use policies should specify approved tools by name, define permitted use cases, establish review requirements for AI-generated work product touching health information, and assign clear accountability for compliance.
OCR, the HHS Office for Civil Rights, which enforces HIPAA, has demonstrated a consistent willingness to pursue enforcement against business associates directly. Penalty tiers are set by culpability, from violations the firm could not reasonably have known about, through reasonable cause, to willful neglect that was or was not corrected. A law firm that deployed AI without BAAs, without technical controls, and without staff training faces a very different penalty exposure than one that documented a reasonable compliance program and experienced an unforeseen breach. Compliance is not a bureaucratic exercise. It is what separates firms that can continue operating after an incident from those that cannot.
