HIPAA-Compliant File Sharing Checklist for Law Firms Handling Medical Records

You take client confidentiality seriously. Your engagement letters say so. But one bad workflow is all it takes. A 500 MB MRI sent to the wrong paralegal. A Dropbox link forwarded to a client’s spouse. A free Google Drive account holding ten years of treatment notes. And just like that, your firm is the story.

If you handle medical records, you are already in HIPAA’s orbit. Defend a hospital and you are a business associate. Represent a plaintiff and ABA Rule 1.6 still demands “reasonable efforts.” Either way, one slip-up can mean a federal review, breach notices, or a complaint to the state bar. Most HIPAA failures inside law firms do not start with bad intent. They start with the workflow being faster than the safeguards: a forwarded link here, a personal Dropbox there, a portal nobody fully trusts. The fix is not more disclaimers but a tighter playbook. So before your firm sends another medical record, work through this HIPAA-compliant file sharing checklist for law firms. Seven checks. Ten minutes. Worth more than any clause you will ever add to a retainer.

Does HIPAA apply to law firms?

The simple answer is “Yes.” However, the specific rules that apply depend entirely on how your firm obtained the medical records. This is a common point of confusion for many lawyers.

When your firm is a business associate

Defending hospitals, insurance carriers, or healthcare plans places your firm directly in HIPAA’s crosshairs. When you accept protected health information (PHI) from these clients, you are legally classified as a business associate. This status carries two non-negotiable mandates. First, have a signed Business Associate Agreement (BAA) with each covered entity you represent; second, ensure your internal practices are fully compliant with the HIPAA Security Rule. It’s not just about policy; it’s about active encryption, tight access controls, and strong audit trails throughout your entire digital environment.

When you are not technically covered (but still on the hook)

Sometimes the medical records come straight from the client. A plaintiff hands you their own medical files, for example. In that case, your firm is usually not a business associate because the records did not come from a covered entity like a hospital or insurer. So HIPAA may not apply to you directly.

The duty to protect those files, however, has not gone away. ABA Model Rule 1.6 still asks lawyers to make “reasonable efforts” to keep client information confidential. Since 2012, the ABA has clarified that “reasonable” includes technology, meaning encryption, controlled access, and a clear audit trail of who saw what.

The takeaway: Even when HIPAA does not strictly apply, the duty of confidentiality does. You still need a secure way to handle medical records.

The HIPAA-compliant file sharing checklist

So what does HIPAA-compliant file sharing actually look like in practice? Less polished tech diagram, more daily habit. The seven checks below split into two halves: what your vendor handles, and what your team handles. Walk through them before the next medical record leaves your office. Most firms find a gap on the first pass, and that gap is usually faster to fix than to explain to a client later.

☑ A signed BAA with your file sharing vendor. If your vendor will not sign one, walk away. Free consumer tools like personal Dropbox and free Google Drive do not qualify.

☑ AES-256 encryption, both in transit and at rest. This is the baseline regulators expect. Use TLS 1.2 or higher for files moving across the internet, and AES-256 for files stored on servers.

☑ Multi-factor authentication for every user. The proposed 2024 update to the HIPAA Security Rule would make MFA mandatory for any account that touches ePHI.

☑ Granular access controls. You need folder-level and file-level permissions. Different paralegals should not see each other’s matter files unless you say so.

☑ A secure audit trail. Every view, download, and share should be logged. HIPAA also asks you to keep these records for at least six years.

☑ Access revocation on demand. When opposing counsel finishes with a production set, you should be able to pull access back. Forwarded email links cannot do this.

☑ Data residency you can document. If you serve Canadian clients, you also need to consider PIPEDA and Quebec Law 25. Ask your vendor where the data sits.


What happens if you skip the checklist

The penalties are real. HIPAA fines can run from a few hundred dollars per slip-up to tens of thousands, with yearly caps in the millions. You may also need to notify patients, alert your covered-entity client, and brief the state bar.

The harder part comes after. A breach makes the news. Your firm name lives on the first page of Google for years. Your malpractice carrier may raise premiums or decline renewal. Corporate clients who run vendor-security reviews quietly send their next matter elsewhere. And in the matter itself, a leaked treatment note can blow up a settlement before the demand letter is even out.

A single forwarded link can turn into all of that. So treat file sharing as a compliance issue, not just an IT issue. It is the cheapest insurance your firm will ever buy.


How TitanFile meets the HIPAA-compliant file sharing checklist

TitanFile is an award-winning secure file sharing solution built for exactly this use case. We encrypt every file with AES-256 in transit and at rest. TitanFile is ISO 27001, SOC 2 Type II, HIPAA, GDPR, and PIPEDA compliant. Built-in security features include multi-factor authentication (MFA), Single Sign-On (SSO), granular access controls, and detailed audit logs that track every action on every file. You can also choose where your data lives. TitanFile offers data residency in the US, Canada, the EU, Australia, and the Middle East.

Most importantly, your team and your clients can actually use it. The tool is as simple as email, so there is no steep learning curve. That means no excuses for going around the system, and no shadow IT putting your firm at risk.

Want to see how TitanFile fits your firm’s current workflow? Book a demo with our product expert. Or try it yourself first – start a 15-day free trial, no credit card required.

Frequently asked questions

Are personal injury lawyers required to follow HIPAA?

Not directly, in most cases. When a client gives you their own records, you typically are not a business associate. However, ABA Rule 1.6 still requires reasonable safeguards. Most courts now interpret that to include encryption and access controls.

Does my firm need a BAA with every vendor?

Yes, if those vendors touch PHI. That includes your file sharing platform, your document management system, your cloud storage, and any subcontractor that may access medical records.

Is free Google Drive HIPAA-compliant?

No. You need a paid Google Workspace plan with a signed BAA. The free version explicitly excludes HIPAA support.


This article is for general information and does not constitute legal advice. For guidance on your firm’s specific HIPAA obligations, consult qualified counsel.