HIPAA Compliance for Law Firms: What Your Practice Needs to Know
- Shay

- 3 hours ago

The Assumption That Puts Law Firms at Risk
A law firm reached out to me because they were dealing with an email spoofing problem. Unauthorized parties were sending messages that looked like they came from the firm's own domain. Clients were receiving fake emails. The firm had no idea how long it had been happening.
When I got into their environment, the email issue was just the beginning.
All company files lived on one staff member's computer. Everyone logged in with the same shared username and password. There was no way to track who accessed what, no cloud backup, and no audit trail. If a document was deleted or changed, there was no way to know when it happened or who did it.
And this firm handles personal injury and workers' compensation cases. That means they receive medical records. Lab results. Treatment notes. Protected Health Information, or PHI.
They had no idea they might be operating as a HIPAA Business Associate.
HIPAA Compliance for Law Firms: Who Actually Needs to Pay Attention
HIPAA is not just for hospitals and doctor's offices. If your firm receives or stores medical information as part of its legal work, you may have compliance obligations that go well beyond basic data hygiene.
This is especially relevant for firms handling personal injury, workers' compensation, medical malpractice, insurance defense, or employment law matters involving disability or medical leave. If your opposing counsel sends you medical records as an email attachment, or a client's treatment facility faxes over discharge notes, your systems are now holding PHI. That matters.
I see this across the DMV area, from small solo practices in Columbia, MD to mid-size firms operating out of Northern Virginia and Washington DC. The assumption is almost always the same: "HIPAA is a healthcare problem, not a legal one." That assumption is one of the most common gaps I find.
What "Business Associate" Actually Means for Your Firm
When a covered entity, like a hospital or insurance company, shares PHI with your firm so that you can perform legal services for it or on its behalf, your firm becomes what HIPAA calls a Business Associate. That is not an accusation. It is a classification. And it comes with real responsibilities.
Business Associates are required to protect PHI using administrative, physical, and technical safeguards. They are also required to sign a Business Associate Agreement, or BAA, with each covered entity they work with. And if they use cloud services like Microsoft 365 to store or transmit that information, they need a BAA with Microsoft as well.
Most law firms have never signed one. Not because they are being reckless, but because no one told them they needed to.
What We Found and What We Fixed
When I started working with the personal injury firm, the first step was understanding what we were actually dealing with. What I found was a setup that created risk at every layer.
Files stored on a single machine meant there was no redundancy and no accountability. Shared credentials meant there was no way to trace user actions. No audit logging meant there was no way to prove compliance if a question ever came up. No backup meant that one hard drive failure could wipe out years of case files.
Here is what we implemented to move them toward a HIPAA-aligned environment:
A secure NAS file server with proper shared drive access
Individual user accounts for every staff member, replacing the shared login
Role-based access controls to restrict sensitive case files to authorized users
File audit logging to track access, changes, and deletions
OneDrive for Business to back up key workstations
A firewall with UTM protection and logging enabled
Managed switches for better visibility across the network
None of these changes were exotic or expensive. They were foundational. The kind of thing that should have been in place from day one.
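As an added example, not the firm's configuration or a script from the author, this is what "file audit logging" looks like in practice when the case-file share is hosted on a Windows Server (the page does not name the NAS vendor, so a Windows host is an assumption). The share path and the one-day window are placeholders. It turns on the object-access audit subcategory, puts a SACL on the share root, and reduces the resulting 4663 events to who read, changed or deleted which file.

```powershell
# Added example, not the firm's setup. Assumes a Windows file server, an
# elevated session, and a share at the placeholder path below.
$SharePath = 'D:\Shares\CaseFiles'   # assumed share root

# 1. Enable the "File System" object-access audit subcategory. A SACL on the
#    folder generates no events until this is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Audit reads, writes, deletes and permission changes by anyone, inherited
#    by every subfolder and file under the share root.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Read back the 4663 events ("an attempt was made to access an object")
#    and map the access mask to a human-readable action.
function Get-CaseFileAccess {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$PathPrefix = $SharePath
    )
    $deleteMask = 0x10000            # DELETE
    $writeMask  = 0x2 -bor 0x4       # WriteData | AppendData
    $readMask   = 0x1                # ReadData

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d.ObjectName -notlike "$PathPrefix*") { return }   # skip events outside the share
            $mask = [int]$d.AccessMask                                # AccessMask is logged as "0x..."
            $action = if ($mask -band $deleteMask) { 'Delete' }
                      elseif ($mask -band $writeMask) { 'Write' }
                      elseif ($mask -band $readMask) { 'Read' }
                      else { '0x{0:X}' -f $mask }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                File   = $d.ObjectName
                Action = $action
            }
        }
}

# Per-user, per-action summary: the accountability a shared login can never give you.
Get-CaseFileAccess | Group-Object User, Action | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

The per-user attribution in step 3 only means something once every staff member has an individual account; with a shared login every row would carry the same SubjectUserName, which is exactly the gap the list above closes first.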
Microsoft 365 and the Email Security Layer
The spoofing issue that brought this firm to me turned out to be a symptom of a larger problem. Their Microsoft 365 environment had no real protections in place.
Fixing the spoofing meant more than just blocking bad emails. It meant building a security foundation that could also support HIPAA requirements around data transmission and identity verification.
Here is what we put in place on the Microsoft 365 side:
A custom mail flow rule to block spoofed internal senders
Disabled legacy (basic) authentication for protocols such as POP, IMAP and SMTP AUTH, which cannot enforce MFA and are common targets for password-spray and credential-stuffing attacks
Enabled Microsoft Defender for Office 365 to catch phishing, suspicious links, and malicious attachments
Configured user impersonation protection for high-risk mailboxes
Enforced multi-factor authentication across all accounts
Set up sensitivity labels and data loss prevention policies to flag and restrict sharing of health-related content
Configured SPF, DKIM, and DMARC to authenticate the firm's sending domain
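As an added example that is not the firm's actual configuration or the author's script, here is how the Exchange Online part of that list is applied with the ExchangeOnlineManagement PowerShell module. The domain, the protected user and the third-party sender range are placeholders. MFA enforcement is done in Entra ID (Conditional Access or Security Defaults) and sensitivity labels and DLP in Purview; neither is shown here.

```powershell
# Added example, not the firm's configuration. Needs the ExchangeOnlineManagement
# module and an Exchange Administrator account. All names below are placeholders.
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
Connect-ExchangeOnline

$Domain        = 'firm.example'                              # assumed accepted domain
$Protected     = 'Jane Partner;jane.partner@firm.example'   # "DisplayName;email"
$SaaSSenderIPs = '203.0.113.0/24'                            # assumed legitimate 3rd-party sender

# 1. Legacy (basic) auth: a new authentication policy has every AllowBasicAuth*
#    switch off by default; make it the tenant default. Microsoft now blocks basic
#    auth in Exchange Online anyway, so this is defence in depth plus a record
#    an auditor can point to.
New-AuthenticationPolicy -Name 'Block Basic Auth' | Out-Null
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'
# POP and IMAP are rarely needed in a law office; turn them off per mailbox too.
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# 2. Mail flow rule: reject external mail that claims to come from our own domain.
#    Any outside service that legitimately sends "as" the firm must be in the
#    exception list or this rule silently breaks it.
New-TransportRule -Name 'Reject spoofed internal senders' `
    -FromScope NotInOrganization `
    -SenderDomainIs $Domain `
    -ExceptIfSenderIpRanges $SaaSSenderIPs `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'External mail claiming to be from our domain is not accepted.' |
    Out-Null

# 3. Impersonation protection on the default Defender for Office 365 anti-phishing policy.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $Protected `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine

# 4. DKIM: Exchange Online holds the keys; you publish two CNAMEs, then enable signing.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $Domain -Enabled $false }
"Publish these CNAME records, then enable signing:"
"selector1._domainkey.$Domain  CNAME  $($dkim.Selector1CNAME)"
"selector2._domainkey.$Domain  CNAME  $($dkim.Selector2CNAME)"
# Set-DkimSigningConfig -Identity $Domain -Enabled $true   # once both CNAMEs resolve

# 5. SPF and DMARC live in DNS, not in Exchange. Publish at the registrar:
#    $Domain         TXT  "v=spf1 include:spf.protection.outlook.com -all"
#    _dmarc.$Domain  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@$Domain; pct=100"
#    p=none is a monitoring mode only; it does not block a single spoofed message.

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 2 last, after the SPF and DKIM records from steps 4 and 5 are in place and you have a DMARC report showing which outside services send on the firm's behalf; the exception list is what keeps a practice-management or e-signature platform from being rejected along with the spoofers.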
I am also working through whether this firm qualifies as a HIPAA Business Associate, which will determine whether a BAA with Microsoft is required. If it is, that paperwork needs to happen before PHI continues to flow through their inboxes.
Microsoft gives you the tools to do this right. But nobody turns them on for you.
The Treatment Facility Audit That Started This Conversation
Before I began working with this law firm, I was conducting a HIPAA compliance audit for a treatment facility. What I found there was almost identical in spirit, just in a different type of organization.
The facility had no audit logging. No BAA with Microsoft. No email protections in place. They believed they were compliant. But if something had gone wrong, they would have had no way to prove they had done anything to protect their patients' data.
Law firms fall into the same trap. Long-standing workflows, shared credentials, and a general sense that "we've always done it this way" create gaps that look small until they become a breach or an audit.
Why Compliance Is About More Than the Regulations
Even if your firm ultimately does not qualify as a HIPAA Business Associate, the steps involved in achieving compliance are simply good practice. Secure file access. Individual user accounts. Audit logging. Encrypted email. These are things every firm should have regardless of regulatory requirements.
The firms I work with across Maryland, Virginia, Pennsylvania, and the broader DMV area are not trying to cut corners. Most of the time, they just do not know what they are missing. And that is exactly where I come in.
My Services Include
HIPAA compliance assessments and gap analysis
Microsoft 365 security configuration and hardening
Email security setup including SPF, DKIM, DMARC, and anti-spoofing rules
Secure file server setup with role-based access and audit logging
Business Associate Agreement review support
Multi-factor authentication and identity protection
Ongoing managed IT support for law firms and professional services organizations
Frequently Asked Questions
Is HIPAA compliance for law firms actually required?
It depends on what types of cases your firm handles. If you receive, store, or transmit Protected Health Information as part of your legal work, your firm may qualify as a HIPAA Business Associate. That classification comes with specific requirements, including safeguards and signed agreements with the covered entities you work with.
What is a Business Associate Agreement and does my firm need one?
A BAA is a contract between a covered entity, like a hospital or insurance company, and any third party that handles PHI on their behalf. If your firm qualifies as a Business Associate, you need a BAA with each covered entity you work with. You may also need one with your technology vendors, including Microsoft if you use Microsoft 365 to store or transmit PHI.
What types of law firms are most at risk for HIPAA violations?
Personal injury, workers' compensation, medical malpractice, insurance defense, and employment law firms that handle disability or ADA-related cases are the most commonly affected. These practice areas routinely involve medical records, treatment notes, and other forms of PHI.
What happens if a law firm violates HIPAA?
Penalties can range from fines to reputational damage depending on the nature and extent of the violation. More importantly, without proper controls in place, your firm may not even know a breach occurred. That is the real risk. No audit trail means no visibility.
How do I know if my Microsoft 365 setup is HIPAA compliant?
The default Microsoft 365 configuration is not HIPAA-ready out of the box. You need to enable specific security features, configure data loss prevention policies, enforce MFA, and confirm that Microsoft's BAA, which Microsoft provides as part of its Product Terms and Data Protection Addendum for in-scope services, covers the services you actually use. Most firms have not done any of this.
What is the difference between SPF, DKIM, and DMARC, and why do they matter?
These are three email authentication standards that work together to let receiving mail servers verify that a message claiming to be from your domain really came from you. SPF is a DNS record listing the servers allowed to send mail for your domain. DKIM adds a cryptographic signature to each outbound message that receivers check against a public key published in your DNS. DMARC ties both checks to the From address the recipient actually sees, tells receivers what to do when neither check passes (monitor, quarantine, or reject), and sends you reports on who is sending mail as your domain. SPF on its own does not stop spoofing, because it checks the envelope sender rather than the visible From address; a DMARC policy of quarantine or reject is the step that actually blocks look-alike mail. Setting all three up is one of the most important steps you can take to protect your clients and your reputation.
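As an added example, not a tool from the page's author, the following PowerShell evaluates a domain's three records for the settings that quietly leave spoofing possible: a missing or soft-fail SPF, no DKIM selector, and a DMARC policy of none. The firm.example domain and the two sample record sets are constructed, so the offline part runs anywhere; the live lookup assumes Resolve-DnsName from the Windows DnsClient module.

```powershell
# Added example, not the author's tool. Record strings are passed in so the
# checks run offline against the constructed samples at the bottom.
function Test-MailAuthRecords {
    param(
        [string]$Spf,               # TXT at the domain apex, may be empty
        [string[]]$DkimSelectors,   # selectors whose _domainkey record resolved
        [string]$Dmarc              # TXT at _dmarc.<domain>, may be empty
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # SPF: must exist and end in a hard fail. "+all" authorises the world,
    # "?all" is neutral, and many receivers treat "~all" as a hint, not a verdict.
    if (-not $Spf)                        { $findings.Add('SPF: no record, any server may send as this domain') }
    elseif ($Spf -notmatch '^v=spf1\b')   { $findings.Add('SPF: record does not start with v=spf1') }
    elseif ($Spf -match '\+all')          { $findings.Add('SPF: +all authorises every sender') }
    elseif ($Spf -match '\?all')          { $findings.Add('SPF: ?all is neutral, equivalent to no policy') }
    elseif ($Spf -match '~all')           { $findings.Add('SPF: ~all soft-fail; move to -all once all senders are known') }
    elseif ($Spf -notmatch '-all')        { $findings.Add('SPF: no "all" mechanism, unlisted senders are not rejected') }
    # Approximate lookup count: more than 10 DNS-resolving terms is a permerror (RFC 7208).
    if ($Spf -and ([regex]::Matches($Spf, '\binclude:|\ba:|\bmx\b|\bptr\b|\bexists:|\bredirect=').Count -gt 10)) {
        $findings.Add('SPF: more than 10 DNS lookups, receivers treat this as permerror')
    }

    # DKIM: at least one selector must publish a key. Exchange Online uses selector1/selector2.
    if (-not $DkimSelectors -or $DkimSelectors.Count -eq 0) {
        $findings.Add('DKIM: no selector record found, outbound mail is unsigned')
    }

    # DMARC: needs a policy that acts, applied to all mail, with a reporting address.
    if (-not $Dmarc)                        { $findings.Add('DMARC: no record, SPF/DKIM results are never enforced against the From header') }
    elseif ($Dmarc -notmatch '^v=DMARC1\b') { $findings.Add('DMARC: record does not start with v=DMARC1') }
    else {
        if ($Dmarc -match 'p=none')                                        { $findings.Add('DMARC: p=none monitors only, spoofed mail is still delivered') }
        if ($Dmarc -match 'pct=(\d+)' -and [int]$Matches[1] -lt 100)       { $findings.Add("DMARC: pct=$($Matches[1]) applies the policy to only part of the mail") }
        if ($Dmarc -notmatch 'rua=mailto:')                                { $findings.Add('DMARC: no rua= address, you will never see who is spoofing you') }
    }
    return ,$findings.ToArray()
}

# Live check of a real domain (needs DNS; Resolve-DnsName follows the DKIM CNAMEs).
function Test-DomainMailAuth {
    param([string]$Domain, [string[]]$Selectors = @('selector1', 'selector2'))
    $txt = { param($n) Resolve-DnsName -Name $n -Type TXT -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' } }
    $spf   = (& $txt $Domain) | Where-Object { $_ -match '^v=spf1' } | Select-Object -First 1
    $dmarc = (& $txt "_dmarc.$Domain") | Select-Object -First 1
    $dkim  = $Selectors | Where-Object { & $txt "$_._domainkey.$Domain" }
    Test-MailAuthRecords -Spf $spf -DkimSelectors $dkim -Dmarc $dmarc
}

# Constructed samples (firm.example is not a real domain): the "before" most
# firms start from, and a sound "after".
$weak = Test-MailAuthRecords -Spf 'v=spf1 include:spf.protection.outlook.com ~all' -DkimSelectors @() -Dmarc ''
$good = Test-MailAuthRecords -Spf 'v=spf1 include:spf.protection.outlook.com -all' `
                             -DkimSelectors @('selector1', 'selector2') `
                             -Dmarc 'v=DMARC1; p=reject; rua=mailto:dmarc@firm.example; pct=100'
"Weak setup: $($weak.Count) findings"; $weak | ForEach-Object { "  - $_" }
"Hardened setup: $($good.Count) findings"
# Your own domain: Test-DomainMailAuth -Domain 'firm.example'
```

The weak sample produces three findings (soft-fail SPF, no DKIM, no DMARC) and the hardened one none; that is the before-and-after most firms in the practice areas above start from. The checker reads records, it does not prove delivery behaviour, so confirm a change by sending a test message and reading the Authentication-Results header at the receiving end.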
Can shared logins and passwords create a HIPAA violation?
Yes. The HIPAA Security Rule's technical safeguards require unique user identification (45 CFR 164.312(a)(2)(i)) and audit controls (164.312(b)), which together mean access to PHI must be traceable to an individual. Shared credentials make that impossible. If your firm uses a single login for multiple people, you cannot demonstrate who accessed what or when, which is a direct gap in those requirements.
Do I need to do a full HIPAA audit to find out where my firm stands?
Not necessarily. A focused assessment can identify your highest-risk areas quickly. I work with law firms in Columbia, MD, Northern Virginia, and throughout the DMV region to conduct practical gap reviews that prioritize action over paperwork.
What should I do first if I think my firm might need to be HIPAA compliant?
Start by taking stock of what PHI you receive, where it is stored, and who has access to it. Then evaluate your current technical controls: authentication, access management, logging, and email security. If you are not sure where to start, that is exactly what I help firms figure out (https://www.snl-techservices.com/contact).
How long does it take to bring a law firm into HIPAA alignment?
It depends on the size of the firm and the current state of their systems. Some firms can make meaningful progress in a few weeks with the right support. Others need a phased approach over several months. Either way, the work is manageable when you take it one layer at a time.
Let's Find Out Where Your Firm Actually Stands
Based in Columbia, MD and serving businesses across Maryland, Pennsylvania, Virginia, West Virginia, Delaware and the broader DMV Area, I help law firms and professional services organizations understand their compliance obligations and build the technical foundation to meet them.
If you are not sure whether HIPAA applies to your firm or whether your current systems would hold up under scrutiny, I am happy to walk through it with you.
Contact me today to schedule a conversation.