Compliance

HIPAA Compliant Medical Record Review: What Every PI Attorney Needs to Know

By Healix Support · March 30, 2026 · 8 min read

Every personal injury case rests on medical records. Those records contain some of the most sensitive information a person can share, including diagnoses, treatment histories, prescription details, and mental health notes. When your firm sends those records to an outside vendor for review, you are transmitting protected health information (PHI) on behalf of your client. Ensuring that process follows HIPAA compliant medical record review standards is not optional. It is a core part of your ethical and legal duty to your client.

This guide covers what HIPAA compliance actually means in a medical record review context, what obligations fall on the vendors you hire, and how to evaluate whether a legal process outsourcing (LPO) company is truly equipped to handle PHI securely.

Why HIPAA Matters in Personal Injury Litigation

Personal injury law firms are not classified as covered entities under HIPAA. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with HIPAA standard transactions. However, your firm regularly receives PHI that originated with covered entities, and you have both an ethical duty to your client and contractual exposure to manage that PHI responsibly.

When you retain an outside vendor to perform medical record review, that vendor steps into the role of a business associate under HIPAA. A business associate is any person or company that performs a function or activity on behalf of a covered entity or another business associate that involves the use or disclosure of PHI. Medical record review, medical chronology preparation, and billing summary work all qualify.

If your vendor mishandles PHI, the downstream consequences can include a data breach notification obligation, a potential malpractice claim from your client, or regulatory scrutiny of the covered entity that originally produced the records. Even if your firm escapes direct HIPAA liability, the reputational and professional damage of a PHI breach affecting your client is significant.

Key principle: Before you share a single page of client medical records with any outside vendor, that vendor must have a signed Business Associate Agreement (BAA) in place and must be able to demonstrate the safeguards required to protect PHI.

The Three Pillars of HIPAA Compliant Medical Record Review

HIPAA's Security Rule organizes its requirements into three categories of safeguards: administrative (45 CFR 164.308), physical (45 CFR 164.310), and technical (45 CFR 164.312). A vendor claiming to perform HIPAA compliant medical record review must address all three.

Administrative Safeguards

Administrative safeguards are the policies and procedures that govern how a vendor manages PHI access and handles security incidents. At minimum, a compliant vendor should maintain:

  - Written HIPAA privacy and security policies and procedures
  - A designated, named privacy or security officer
  - Documented HIPAA training for every staff member who handles PHI, with periodic refreshers
  - A risk analysis and risk management process covering the systems that store or process PHI
  - A documented incident response and breach notification procedure
  - Workforce access rules that grant PHI access only on a need-to-know basis

Physical Safeguards

Physical safeguards govern the physical environment in which PHI is accessed and stored. For an LPO providing remote record review services, these safeguards include:

  - Access-controlled facilities and workstations where PHI is viewed
  - Locked or auto-locking workstations and screen privacy controls
  - Workstation use rules, including no PHI on personal devices and no unnecessary printing
  - Controls on the disposal and reuse of media and devices that have held PHI

Technical Safeguards

Technical safeguards cover the technology controls that protect PHI in electronic form. These are the safeguards most attorneys focus on, and rightly so. A HIPAA compliant medical record review vendor must apply:

  - Encryption of PHI in transit and at rest
  - Unique user accounts with role-based access controls (no shared logins)
  - Audit logs that record who accessed which file, when, and what they did
  - Automatic session timeouts and workstation locks
  - Integrity controls that detect unauthorized alteration or destruction of records

Business Associate Agreements: What the BAA Must Cover

A Business Associate Agreement is not a courtesy document. Under the Privacy Rule (45 CFR 164.502(e) and 164.504(e)) and the Security Rule (45 CFR 164.308(b) and 164.314(a)), a BAA is a legal requirement before PHI changes hands. If you engage a medical record review vendor without a signed BAA, you are operating without a critical compliance safeguard and your vendor has no binding contractual obligation to protect your client's records.

A proper BAA should address the following points, which track the required elements of 45 CFR 164.504(e):

  - The permitted uses and disclosures of PHI, limited to the review work you are engaging the vendor for
  - The vendor's obligation to apply administrative, physical, and technical safeguards and to comply with the Security Rule
  - Reporting of any use or disclosure not permitted by the agreement, including breaches of unsecured PHI, with a defined timeline
  - A subcontractor clause requiring any subcontractor that touches PHI to agree to the same restrictions
  - Cooperation with individual rights requests (access, amendment, accounting of disclosures) where applicable
  - Return or destruction of PHI at the end of the engagement, and the retention period that applies before then
  - Termination rights if the vendor materially breaches the agreement

Pay close attention to the subcontractor clause. If a vendor outsources any portion of the review work to another party, that subcontractor must also operate under a BAA. Ask your vendor directly whether they use subcontractors and demand confirmation that BAAs are in place down the chain.

Questions to Ask Before Sharing Records With Any Vendor

Choosing a medical record review vendor on cost alone is a risk your firm cannot afford. Before you transmit any PHI, get clear answers to the following questions:

  1. Will you sign our BAA before we share any records? A vendor who hesitates, deflects, or proposes to skip a BAA entirely is a vendor you should not use.
  2. Who is your designated HIPAA privacy or security officer? A compliant organization has a named person in this role. If no one can answer this question, that tells you something important about the vendor's compliance posture.
  3. How do you transmit completed work back to our firm? Completed chronologies and summaries containing PHI must be delivered through encrypted channels. Unencrypted email attachments are not acceptable.
  4. How do you receive records from our firm? The vendor should provide a secure file transfer method, not a generic email address.
  5. Do you conduct HIPAA training for your staff, and how frequently? HIPAA requires training for every workforce member who handles PHI plus periodic reminders; annual refresher training is the common baseline. Ask for documentation if you have concerns.
  6. Do you maintain audit logs of PHI access? Logs should record who accessed which file, at what time, and what action they took, and they should be protected from alteration so the trail can be trusted after the fact.
  7. What is your breach notification process? The vendor should have a defined procedure and be able to state clearly when and how they notify clients of a potential incident. Under 45 CFR 164.410, a business associate must report a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery; a vendor that cannot commit to a timeline in writing has not thought the process through.
  8. Do you use subcontractors? If so, are they under BAAs? The answer to the first part of this question must be followed by a clear yes to the second.
  9. What is your data retention and destruction policy? PHI should not sit on a vendor's servers indefinitely after an engagement ends.

Red Flags That an LPO Is Not HIPAA Compliant

Not every vendor marketing medical record review services operates at the same compliance level. Watch for these warning signs before you commit to a relationship:

  - Reluctance or refusal to sign a BAA before records are exchanged
  - Sending or accepting files by unencrypted email or consumer file-sharing links
  - Inability to name a designated privacy or security officer
  - No documented HIPAA training for staff who handle PHI
  - Use of shared or personal email accounts, or personal devices, for PHI
  - No audit trail showing who accessed which records and when
  - Vague or missing answers about subcontractors, retention, and destruction of records

How HIPAA Compliance Connects to Record Review Quality

Compliance and quality are not separate concerns. A vendor with rigorous HIPAA safeguards typically brings the same discipline to the actual review work. Access controls, audit trails, and documented procedures are signs of an organized operation. That organizational maturity tends to produce more accurate medical chronologies for personal injury cases and cleaner medical billing summaries as well.

Attorneys who treat HIPAA compliance as a checkbox exercise rather than a genuine vendor selection criterion often end up with vendors who cut corners in other areas too. The firms that get the best results from outsourced record review are the ones that vet vendors thoroughly before sending the first file.

What HIPAA Compliant Medical Record Review Looks Like in Practice

A properly structured HIPAA compliant medical record review engagement follows a clear chain of custody from intake to delivery. The attorney's office transmits records through an encrypted portal or secure file sharing service. The vendor receives the files into an access-controlled environment, assigns the matter to a trained reviewer with a unique login, and completes the review without downloading PHI to personal devices or printing records unnecessarily.

The completed chronology, billing summary, or other work product is delivered back through an encrypted channel. The vendor retains no copies of the source records beyond the agreed period, and any retained copies are stored encrypted and purged according to the data retention policy in the BAA.

Throughout this process, every access event is logged. If the attorney ever needs to verify who handled a matter, the vendor can produce that audit trail. That level of accountability is what distinguishes a genuine HIPAA compliant operation from a vendor that simply uses the term as marketing language.
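To make "every access event is logged" concrete, the following Python sketch is an added illustration, not Healix Support's code or a description of any vendor's system. It shows the audit trail that question 6 above and this paragraph call for: each entry records who touched which file in which matter, when, and what they did, and the entries are hash-chained so that editing or deleting one after the fact is detectable. It also shows a retention check of the kind the BAA's destruction clause implies. All reviewer names, matter IDs, file names, and timestamps are constructed examples.

```python
"""Hash-chained PHI access audit log (added illustration; not vendor code)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                                    # prev_hash of the first entry
FIELDS = ("ts", "user", "matter", "file", "action", "prev_hash")


def _digest(entry):
    """SHA-256 over the logged fields plus the previous entry's digest."""
    payload = json.dumps([entry[f] for f in FIELDS], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, user, matter, file, action, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {"ts": ts, "user": user, "matter": matter, "file": file,
                 "action": action, "prev_hash": prev}
        entry["digest"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or _digest(e) != e["digest"]:
                return False, i
            prev = e["digest"]
        return True, None

    def who_touched(self, matter):
        """The attorney's question: who handled this matter, when, doing what."""
        return [(e["ts"], e["user"], e["file"], e["action"])
                for e in self.entries if e["matter"] == matter]


def matters_due_for_purge(engagement_end, retention_days, now):
    """Matters whose BAA retention window has elapsed; source records must be destroyed."""
    cutoff = now - timedelta(days=retention_days)
    return sorted(m for m, ended in engagement_end.items() if ended <= cutoff)


def build_sample_log():
    """Constructed sample events; users, matters and files are hypothetical."""
    log = AuditLog()
    log.record("reviewer.a", "PI-2026-0142", "hospital_records.pdf", "OPEN", "2026-03-02T14:01:00+00:00")
    log.record("reviewer.a", "PI-2026-0142", "billing_ledger.pdf", "OPEN", "2026-03-02T14:20:00+00:00")
    log.record("qa.lead", "PI-2026-0142", "chronology_draft.docx", "EXPORT", "2026-03-03T09:15:00+00:00")
    log.record("reviewer.b", "PI-2026-0157", "clinic_notes.pdf", "OPEN", "2026-03-03T10:02:00+00:00")
    return log


def tamper_demo():
    """A silent edit and a deleted entry are both caught by verify()."""
    edited = build_sample_log()
    edited.entries[1]["user"] = "someone.else"   # rewrite history after the fact
    deleted = build_sample_log()
    del deleted.entries[2]                       # try to hide the EXPORT event
    return edited.verify(), deleted.verify()


def purge_demo():
    """Constructed engagement end dates against a hypothetical 30-day retention period."""
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)
    ends = {"PI-2026-0142": datetime(2026, 3, 10, tzinfo=timezone.utc),
            "PI-2026-0157": datetime(2026, 5, 20, tzinfo=timezone.utc)}
    return matters_due_for_purge(ends, 30, now)


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("PI-2026-0142 handlers:", log.who_touched("PI-2026-0142"))
    print("after tampering:", tamper_demo())
    print("due for purge:", purge_demo())
```

The point of the chain is the second half of question 6: a log that anyone with database access can quietly rewrite is not an audit trail. In a real deployment the digests would be anchored somewhere the application cannot reach (a write-once store or a periodically signed checkpoint), and the log would be kept separate from the systems that hold the PHI itself.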

At Healix Support, HIPAA compliance is built into every engagement. We sign a BAA before receiving any records, transmit all files through encrypted channels, and maintain the administrative, physical, and technical safeguards that the HIPAA Security Rule requires. Our team handles PHI for US personal injury law firms with the same rigor that protects your clients and your practice.

Frequently Asked Questions

Does HIPAA apply to personal injury law firms?

Personal injury law firms are not covered entities under HIPAA, but they regularly receive protected health information (PHI) from covered entities such as hospitals and providers. When a firm shares that PHI with a third-party vendor for review or analysis, the vendor becomes a business associate under HIPAA and must sign a Business Associate Agreement (BAA). Firms that handle PHI carelessly can face ethical and liability exposure even if they are not directly regulated by HIPAA.

What is a Business Associate Agreement and do I need one?

A Business Associate Agreement (BAA) is a written contract required by HIPAA whenever a covered entity or business associate shares PHI with a vendor or subcontractor who performs services on its behalf. If you send client medical records to an LPO or record review company, you need a signed BAA with that vendor before any records are transmitted. Without a BAA, you have no contractual guarantee that the vendor handles PHI according to HIPAA standards.

What are the three HIPAA safeguard categories a vendor must follow?

HIPAA requires three categories of safeguards for PHI. Administrative safeguards include written policies, employee training, and a designated privacy officer. Physical safeguards cover secure facilities, locked workstations, and screen privacy controls. Technical safeguards require encryption in transit and at rest, access controls, audit logs, and automatic session timeouts. A credible medical record review vendor should be able to demonstrate compliance across all three categories.

What are red flags that an LPO vendor is not HIPAA compliant?

Key red flags include: refusing to sign a BAA, sending files via unencrypted email, inability to name a designated privacy contact, no documented employee HIPAA training, use of shared or personal email accounts for PHI, and no audit trail for who accessed records. If a vendor cannot answer basic questions about their data security practices, that alone is a sufficient reason to look elsewhere.

How does Healix Support protect PHI during medical record review?

Healix Support operates under a signed Business Associate Agreement with every law firm client. PHI is transmitted exclusively through encrypted channels, stored in access-controlled environments, and handled only by trained staff. We maintain written HIPAA policies, conduct regular privacy training, and apply strict need-to-know access controls. Completed work products are delivered securely, and source records are not retained beyond the engagement unless the client requests it.

Work With a HIPAA-Compliant Medical Record Review Team

Healix Support handles PHI with strict HIPAA protocols. We deliver attorney-ready medical record reviews for US personal injury law firms.
