[{"data":1,"prerenderedAt":1028},["ShallowReactive",2],{"\u002Fnow\u002Fhipaa-for-legal":3,"\u002Fnow\u002Fhipaa-for-legal-surround":1017},{"id":4,"title":5,"api":6,"authors":7,"body":13,"category":1003,"date":1004,"description":1005,"extension":1006,"features":6,"fixes":6,"highlight":6,"image":1007,"improvements":6,"meta":1009,"navigation":1010,"path":1011,"seo":1012,"stem":1015,"__hash__":1016},"posts\u002F3.now\u002Fhipaa-for-legal.md","HIPAA Compliance for Law Firms Handling PHI (2026)",null,[8],{"name":9,"to":10,"avatar":11},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":12},"\u002Fimages\u002Fjustinleapline.png",{"type":14,"value":15,"toc":975},"minimark",[16,20,23,26,31,34,92,95,118,122,125,169,172,176,179,184,187,219,223,226,281,284,296,300,303,307,324,328,345,349,363,367,381,385,399,403,406,437,440,490,494,497,517,521,524,562,565,569,572,614,617,621,624,708,711,715,777,781,784,845,848,852,855,900,913,917,923,929,935,941,947,950,953],[17,18,19],"p",{},"Law firms have been surprisingly late adopters of serious HIPAA programs. Partly because \"we're just lawyers, we don't process PHI\" was a defensible position in the 1990s. It is not a defensible position in 2026. If you represent hospitals, health plans, physician groups, healthtech companies, or individuals in health-related litigation, you handle PHI — and when you do, HIPAA applies.",[17,21,22],{},"The 2009 HITECH Act made this explicit by sweeping legal services and other Business Associates directly under HIPAA enforcement. OCR can come after your firm. State attorneys general can come after your firm. Your own clients will require BAAs and audit your controls. And your firm's existing security posture — designed around attorney-client privilege, which is a different thing — is probably not enough.",[17,24,25],{},"This guide is for managing partners, general counsel, CIOs, and risk leaders at law firms with meaningful healthcare-adjacent practices. It covers what's specific about HIPAA for law firms and how to build a program that protects both clients and the firm itself.",[27,28,30],"h2",{"id":29},"when-hipaa-applies-to-your-firm","When HIPAA Applies to Your Firm",[17,32,33],{},"Your firm is a Business Associate if, in the course of providing legal services to a Covered Entity or another Business Associate, you create, receive, maintain, or transmit PHI on their behalf. Practically, that covers:",[35,36,37,45,51,57,63,69,75,81,86],"ul",{},[38,39,40,44],"li",{},[41,42,43],"strong",{},"Health system litigation defense."," Medical malpractice, patient injury, billing disputes.",[38,46,47,50],{},[41,48,49],{},"Health plan defense and advice."," ERISA claims, denied benefit cases, provider disputes.",[38,52,53,56],{},[41,54,55],{},"Healthtech transactional work."," M&A due diligence reviews that include patient data.",[38,58,59,62],{},[41,60,61],{},"Medical device and pharma work"," involving patient data.",[38,64,65,68],{},[41,66,67],{},"Healthcare fraud and regulatory matters."," Qui tam defense, OIG investigations.",[38,70,71,74],{},[41,72,73],{},"Healthcare bankruptcy"," with patient data in asset dispositions.",[38,76,77,80],{},[41,78,79],{},"Patient-facing personal injury"," involving medical records.",[38,82,83],{},[41,84,85],{},"Health plan and benefits counsel.",[38,87,88,91],{},[41,89,90],{},"HIPAA compliance advice itself"," when handling client PHI for review.",[17,93,94],{},"If any of these describe meaningful parts of your practice, you're a Business Associate for those matters. You need BAAs and a HIPAA program.",[17,96,97,98,103,104,103,108,112,113,117],{},"For the foundational material, start with the ",[99,100,102],"a",{"href":101},"\u002Fframeworks\u002Fhipaa","HIPAA framework hub",", the ",[99,105,107],{"href":106},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule page",[99,109,111],{"href":110},"\u002Fframeworks\u002Fhipaa\u002Fbusiness-associate-agreements","Business Associate Agreements page",", and our ",[99,114,116],{"href":115},"\u002Fnow\u002Fhipaa-compliance-healthtech","HIPAA compliance for healthtech startups guide"," for background context.",[27,119,121],{"id":120},"the-law-firm-hipaa-nuance","The Law Firm HIPAA Nuance",[17,123,124],{},"Law firms have unique structural features that make HIPAA compliance genuinely different from a clinical app or a healthtech startup:",[35,126,127,133,139,145,151,157,163],{},[38,128,129,132],{},[41,130,131],{},"Multiple clients, multiple BAAs."," Every healthcare client wants their own BAA, often with bespoke terms.",[38,134,135,138],{},[41,136,137],{},"Attorney-client privilege and work product protections"," layer with HIPAA protections; the intersection creates complexity.",[38,140,141,144],{},[41,142,143],{},"Matter-centric data organization."," Firms organize around matters, not patients. PHI ends up in document management systems, email folders, review platforms, and discovery databases — all organized by matter.",[38,146,147,150],{},[41,148,149],{},"E-discovery and litigation holds"," create PHI retention and replication obligations that compete with \"minimum necessary.\"",[38,152,153,156],{},[41,154,155],{},"External experts, consultants, and vendors"," routinely receive PHI as part of case work. Each relationship needs compliance discipline.",[38,158,159,162],{},[41,160,161],{},"Lateral partner movements"," move practice groups with their institutional knowledge and, sometimes, matter data.",[38,164,165,168],{},[41,166,167],{},"Protective orders"," in litigation create court-ordered handling requirements layered on HIPAA.",[17,170,171],{},"Your program has to accommodate all of this without breaking the lawyers' workflows.",[27,173,175],{"id":174},"baa-management-at-a-law-firm","BAA Management at a Law Firm",[17,177,178],{},"The operational heart of law firm HIPAA compliance is BAA management. Patterns that work:",[180,181,183],"h3",{"id":182},"client-facing-baas","Client-Facing BAAs",[17,185,186],{},"Every healthcare client (covered entity or BA higher in the chain) will require a BAA. Your firm needs:",[35,188,189,195,201,207,213],{},[38,190,191,194],{},[41,192,193],{},"Standard firm BAA template"," drafted by a partner with both health law and legal ethics expertise",[38,196,197,200],{},[41,198,199],{},"Negotiation playbook"," for common deviations (breach timelines, audit rights, indemnification)",[38,202,203,206],{},[41,204,205],{},"Hard limits"," on terms your firm cannot accept (e.g., unlimited indemnification, waiver of privilege, unreasonable audit rights)",[38,208,209,212],{},[41,210,211],{},"Centralized BAA repository"," tied to client and matter",[38,214,215,218],{},[41,216,217],{},"Annual review process"," to update BAAs when clients or circumstances change",[180,220,222],{"id":221},"subcontractor-baas","Subcontractor BAAs",[17,224,225],{},"When your firm subcontracts work that touches PHI, BAAs flow down:",[35,227,228,234,240,246,252,258,264,269,275],{},[38,229,230,233],{},[41,231,232],{},"E-discovery vendors"," (Relativity hosting providers, discovery consultants)",[38,235,236,239],{},[41,237,238],{},"Translation services"," for medical records",[38,241,242,245],{},[41,243,244],{},"Expert witnesses"," (medical, actuarial, industry)",[38,247,248,251],{},[41,249,250],{},"Court reporters and transcription services"," that handle depositions involving PHI",[38,253,254,257],{},[41,255,256],{},"Printing and document services"," that process medical records",[38,259,260,263],{},[41,261,262],{},"Mailing services"," that handle record-heavy transmissions",[38,265,266],{},[41,267,268],{},"IT vendors and managed service providers",[38,270,271,274],{},[41,272,273],{},"Cloud services"," (Microsoft 365, Google Workspace with BAA, document management SaaS)",[38,276,277,280],{},[41,278,279],{},"Practice management tools"," that store matter data",[17,282,283],{},"Inventory every one. Know which have BAAs signed. Audit annually.",[17,285,286,287,291,292,295],{},"For the BAA legal requirements, see our ",[99,288,290],{"href":289},"\u002Fglossary\u002Fbaa","BAA glossary entry"," and the ",[99,293,294],{"href":110},"BAA framework page",".",[27,297,299],{"id":298},"technical-safeguards-for-law-firms","Technical Safeguards for Law Firms",[17,301,302],{},"Baseline technical safeguards adapted for the law firm environment:",[180,304,306],{"id":305},"access-controls","Access Controls",[35,308,309,312,315,318,321],{},[38,310,311],{},"Role-based access that aligns with matter teams, not just seniority",[38,313,314],{},"\"Chinese wall\" technical controls for conflicts and ethical walls — enforced technically, not just by policy",[38,316,317],{},"Attorney and staff access reviews at regular cadence",[38,319,320],{},"Strong authentication (MFA for all remote access, no exceptions)",[38,322,323],{},"Privileged access for system administrators with additional controls",[180,325,327],{"id":326},"encryption","Encryption",[35,329,330,333,336,339,342],{},[38,331,332],{},"TLS 1.2+ for all email and file transfer",[38,334,335],{},"AES-256 at rest on document management systems, email archives, backups",[38,337,338],{},"Encrypted laptops for all attorneys and staff (not \"encouraged\" — enforced)",[38,340,341],{},"Encrypted mobile devices with MDM",[38,343,344],{},"Encrypted USB and physical media with documented policies for use",[180,346,348],{"id":347},"email-and-messaging","Email and Messaging",[35,350,351,354,357,360],{},[38,352,353],{},"Client email addresses that accept encrypted transmission (Microsoft 365 with S\u002FMIME or Mimecast)",[38,355,356],{},"Secure file transfer for large PHI transmissions (Citrix ShareFile, Kiteworks, or similar)",[38,358,359],{},"No consumer messaging apps (SMS, WhatsApp, iMessage personal) for PHI",[38,361,362],{},"Clear policies on texting with clients who include PHI",[180,364,366],{"id":365},"document-management","Document Management",[35,368,369,372,375,378],{},[38,370,371],{},"Matter-level access controls",[38,373,374],{},"Audit logging at document access granularity",[38,376,377],{},"Retention policies that comply with both HIPAA and bar retention requirements",[38,379,380],{},"Disposal procedures for paper and electronic media",[180,382,384],{"id":383},"remote-work","Remote Work",[35,386,387,390,393,396],{},[38,388,389],{},"VPN for all remote access",[38,391,392],{},"Endpoint management with encryption, patching, and monitoring",[38,394,395],{},"Home office policies addressing physical security",[38,397,398],{},"Printer and paper record policies for remote workers",[27,400,402],{"id":401},"e-discovery-and-litigation-support","E-Discovery and Litigation Support",[17,404,405],{},"E-discovery is where law firms most often stumble on HIPAA. The competing pressures:",[35,407,408,414,420,425,431],{},[38,409,410,413],{},[41,411,412],{},"Litigation hold"," requires preservation of large PHI-containing datasets",[38,415,416,419],{},[41,417,418],{},"Discovery obligations"," require production to opposing counsel",[38,421,422,424],{},[41,423,167],{}," govern downstream handling",[38,426,427,430],{},[41,428,429],{},"Minimum necessary"," under HIPAA pushes toward less handling",[38,432,433,436],{},[41,434,435],{},"Court deadlines"," push toward faster handling",[17,438,439],{},"Patterns that work:",[35,441,442,448,454,460,466,472,478,484],{},[38,443,444,447],{},[41,445,446],{},"Dedicated e-discovery platform with HIPAA controls"," (Relativity via HIPAA-compliant host, Nuix, Casepoint)",[38,449,450,453],{},[41,451,452],{},"Clear hosting decisions"," — HIPAA-compliant hosts only",[38,455,456,459],{},[41,457,458],{},"Segregated matter data"," in dedicated review environments",[38,461,462,465],{},[41,463,464],{},"Reviewer training"," on both attorney-client privilege and HIPAA",[38,467,468,471],{},[41,469,470],{},"Third-party reviewer agreements"," that include BAA terms",[38,473,474,477],{},[41,475,476],{},"Protective order templates"," that include HIPAA-aware language",[38,479,480,483],{},[41,481,482],{},"Audit logging"," of reviewer activity",[38,485,486,489],{},[41,487,488],{},"Production tracking"," with chain of custody",[180,491,493],{"id":492},"medical-records-in-litigation","Medical Records in Litigation",[17,495,496],{},"In personal injury, malpractice, and health-related cases, medical records flow in volume. Controls:",[35,498,499,502,505,508,511,514],{},[38,500,501],{},"Receipt in HIPAA-compliant transmission",[38,503,504],{},"Storage in matter-dedicated secure storage",[38,506,507],{},"Access logged at reviewer granularity",[38,509,510],{},"Copies tracked (who has what, where)",[38,512,513],{},"Destruction at matter close with documentation",[38,515,516],{},"BAAs with any firm outside your direct employment handling the records",[27,518,520],{"id":519},"workforce-training-for-law-firms","Workforce Training for Law Firms",[17,522,523],{},"HIPAA workforce training for a law firm differs from clinical training:",[35,525,526,532,538,544,550,556],{},[38,527,528,531],{},[41,529,530],{},"Attorney-specific content"," — privilege and HIPAA intersection, ethical obligations, matter-specific responsibilities",[38,533,534,537],{},[41,535,536],{},"Paralegal and staff content"," — document handling, e-discovery, e-mail practices, physical records",[38,539,540,543],{},[41,541,542],{},"IT staff content"," — technical safeguards, incident handling, access management",[38,545,546,549],{},[41,547,548],{},"Contractor and vendor content"," — sometimes delivered by the firm, sometimes relied on via contract",[38,551,552,555],{},[41,553,554],{},"New-matter onboarding"," — matter-specific briefings for teams handling unusually sensitive PHI",[38,557,558,561],{},[41,559,560],{},"Incident-driven training"," — after a near-miss or breach, targeted training to affected teams",[17,563,564],{},"Annual general training plus role-based training plus matter-specific briefings plus phishing simulation. Track completion. Retain evidence.",[27,566,568],{"id":567},"incident-response-at-a-law-firm","Incident Response at a Law Firm",[17,570,571],{},"When a law firm experiences a HIPAA incident, it has to handle:",[35,573,574,580,586,592,597,603,609],{},[38,575,576,579],{},[41,577,578],{},"HIPAA breach notification obligations"," flowing through client BAAs and directly",[38,581,582,585],{},[41,583,584],{},"Attorney-client privilege considerations"," during investigation (privilege-protected investigations, who knows what, when)",[38,587,588,591],{},[41,589,590],{},"Client notification obligations"," under BAA terms",[38,593,594],{},[41,595,596],{},"Firm reputation management",[38,598,599,602],{},[41,600,601],{},"Potential bar ethics implications"," (client confidentiality is a separate ethics obligation)",[38,604,605,608],{},[41,606,607],{},"State AG notification"," where applicable",[38,610,611],{},[41,612,613],{},"Cyber insurance coordination",[17,615,616],{},"Your incident response plan should include outside counsel engagement for privilege preservation, forensics firms on retainer, and a clear framework for client communications.",[27,618,620],{"id":619},"cloud-and-saas-tools-in-law-firms","Cloud and SaaS Tools in Law Firms",[17,622,623],{},"Modern law firm practice runs on cloud tools. Compliance treatment:",[625,626,627,640],"table",{},[628,629,630],"thead",{},[631,632,633,637],"tr",{},[634,635,636],"th",{},"Tool Category",[634,638,639],{},"HIPAA Considerations",[641,642,643,652,660,668,676,684,692,700],"tbody",{},[631,644,645,649],{},[646,647,648],"td",{},"Email (M365, Google Workspace)",[646,650,651],{},"BAA required, Business plan minimum, configuration critical",[631,653,654,657],{},[646,655,656],{},"Document management (iManage, NetDocuments, Worldox)",[646,658,659],{},"HIPAA-compliant deployment required",[631,661,662,665],{},[646,663,664],{},"Practice management (Clio, Litify, Time Matters)",[646,666,667],{},"BAA where available, matter data controls",[631,669,670,673],{},[646,671,672],{},"E-discovery (Relativity, Nuix)",[646,674,675],{},"HIPAA-compliant hosting only",[631,677,678,681],{},[646,679,680],{},"Video conferencing (Zoom, Teams)",[646,682,683],{},"HIPAA-compliant tier and configuration",[631,685,686,689],{},[646,687,688],{},"Chat \u002F collaboration (Slack, Teams)",[646,690,691],{},"Risk-based decisions; Slack Enterprise with BAA available",[631,693,694,697],{},[646,695,696],{},"Transcription (Otter, others)",[646,698,699],{},"Often NOT HIPAA-compliant; careful review",[631,701,702,705],{},[646,703,704],{},"AI tools (ChatGPT, Claude, Copilot)",[646,706,707],{},"Consumer tiers NOT compliant; enterprise tiers with BAA available",[17,709,710],{},"Assume nothing. Every tool your attorneys use with PHI needs an affirmative compliance decision.",[27,712,714],{"id":713},"common-pitfalls-for-law-firms","Common Pitfalls for Law Firms",[35,716,717,723,729,735,741,747,753,759,765,771],{},[38,718,719,722],{},[41,720,721],{},"\"We're lawyers, not healthcare providers.\""," This defense ended in 2009. HITECH made you directly liable.",[38,724,725,728],{},[41,726,727],{},"Ethics-only thinking."," Attorney-client privilege is not the same as HIPAA. Both apply; different obligations.",[38,730,731,734],{},[41,732,733],{},"Partner email habits."," Partners who refuse to use secure channels, forward emails to personal accounts, or email from unmanaged devices.",[38,736,737,740],{},[41,738,739],{},"Administrative staff without training."," Assistants and paralegals who don't know what PHI looks like.",[38,742,743,746],{},[41,744,745],{},"Weak e-discovery vendor management."," Hosting providers without HIPAA documentation, reviewer agreements without BAA terms.",[38,748,749,752],{},[41,750,751],{},"Lateral partner data transfer."," Partners moving firms with their matter data and institutional knowledge — often informally.",[38,754,755,758],{},[41,756,757],{},"Paper records."," Still a law firm reality. Locked file rooms, shredding policies, matter-close destruction — all documented.",[38,760,761,764],{},[41,762,763],{},"Printer and copier data."," Multi-function devices store images. Lease returns without data wipe are reportable incidents.",[38,766,767,770],{},[41,768,769],{},"Client site work."," Attorneys working from client offices with client systems need matter-specific policies.",[38,772,773,776],{},[41,774,775],{},"Insurance as compensating control."," Cyber insurance is not a control; it's financial risk transfer. You still need the controls.",[27,778,780],{"id":779},"cost-and-timeline-expectations","Cost and Timeline Expectations",[17,782,783],{},"A mid-sized firm (50–300 attorneys) with meaningful healthcare practice:",[625,785,786,796],{},[628,787,788],{},[631,789,790,793],{},[634,791,792],{},"Line Item",[634,794,795],{},"Typical Annual Cost",[641,797,798,806,814,822,830,838],{},[631,799,800,803],{},[646,801,802],{},"HIPAA program staffing (partner + specialist)",[646,804,805],{},"$300K–$750K",[631,807,808,811],{},[646,809,810],{},"HIPAA-specific tooling (BAA tracking, training, monitoring)",[646,812,813],{},"$50K–$200K",[631,815,816,819],{},[646,817,818],{},"Enhanced security stack (MFA, encryption, DLP, monitoring)",[646,820,821],{},"$100K–$400K",[631,823,824,827],{},[646,825,826],{},"Penetration testing and security assessment",[646,828,829],{},"$30K–$100K",[631,831,832,835],{},[646,833,834],{},"Cyber insurance",[646,836,837],{},"$50K–$250K (plus deductible)",[631,839,840,843],{},[646,841,842],{},"Outside counsel and consultants",[646,844,813],{},[17,846,847],{},"Timeline to materially mature a weak program: 12–18 months. Timeline to build from scratch: 18–24 months.",[27,849,851],{"id":850},"getting-started","Getting Started",[17,853,854],{},"If your firm has healthcare practice but no HIPAA program:",[856,857,858,864,870,876,882,888,894],"ol",{},[38,859,860,863],{},[41,861,862],{},"Inventory healthcare-related matters"," and identify where PHI exists",[38,865,866,869],{},[41,867,868],{},"Pull existing client BAAs"," and assess gaps",[38,871,872,875],{},[41,873,874],{},"Assess technical controls"," against Security Rule requirements",[38,877,878,881],{},[41,879,880],{},"Audit vendor relationships"," for PHI exposure and BAA coverage",[38,883,884,887],{},[41,885,886],{},"Identify a firm HIPAA lead"," with authority (typically a partner with health law background)",[38,889,890,893],{},[41,891,892],{},"Build a 12-month program roadmap"," and get management committee buy-in",[38,895,896,899],{},[41,897,898],{},"Deliver workforce training"," at all levels",[17,901,902,903,907,908,912],{},"Our ",[99,904,906],{"href":905},"\u002Fnow\u002Fhipaa-breach-prevention","HIPAA breach prevention guide"," and ",[99,909,911],{"href":910},"\u002Fnow\u002Fcompliance-playbook-regulated-industries","compliance playbook for regulated industries"," are useful companion reads.",[27,914,916],{"id":915},"faq","FAQ",[17,918,919,922],{},[41,920,921],{},"Q: Is our cyber insurance enough to cover HIPAA liability?","\nA: No. Cyber insurance transfers financial risk for some incidents; it does not satisfy HIPAA's requirement to implement controls. OCR fines, state AG settlements, and reputational damage will not be fully covered regardless of policy.",[17,924,925,928],{},[41,926,927],{},"Q: Do we need a BAA with our opposing counsel in a case involving PHI?","\nA: Typically no — opposing counsel is not acting on your client's behalf. Protective orders govern their handling. But if you're co-counsel or have another business relationship, revisit the analysis.",[17,930,931,934],{},[41,932,933],{},"Q: Can we use ChatGPT or Claude for healthcare-related legal research?","\nA: Only with HIPAA-covered services (Azure OpenAI, AWS Bedrock, Claude for Enterprise with BAA, etc.) and only if PHI is actually going into the tool. For general research that doesn't expose PHI, consumer tools may be appropriate. Develop clear firm policies.",[17,936,937,940],{},[41,938,939],{},"Q: What happens if a partner takes matter data with them when they leave?","\nA: Depending on circumstances, it can be a HIPAA breach, a bar ethics violation, a breach of your client's BAA with your firm, and grounds for litigation. Your offboarding process must address matter data transfer with client consent.",[17,942,943,946],{},[41,944,945],{},"Q: Does HIPAA apply to work we do for plaintiffs in medical cases?","\nA: Yes, once you're handling medical records. The PHI origin (covered entity's records about the plaintiff) and your handling create Business Associate obligations to the extent you're working with records in a way that creates BA status — and even when you're not strictly a BA, the records often come with protective orders that create parallel obligations.",[948,949],"hr",{},[17,951,952],{},"Law firms handling PHI in 2026 can no longer treat HIPAA as a client matter. It's a firm matter. Building a mature HIPAA program protects your clients, satisfies your regulators, preserves your insurance posture, and safeguards the firm's future.",[17,954,955,956,958,959,958,962,112,964,968,969,295],{},"For more, see the ",[99,957,102],{"href":101},", ",[99,960,961],{"href":106},"Security Rule",[99,963,294],{"href":110},[99,965,967],{"href":966},"\u002Findustry\u002Flegal","legal industry resources",". Ready to run HIPAA on a modern platform? ",[99,970,974],{"href":971,"rel":972},"https:\u002F\u002Fepiski.app",[973],"nofollow","Start with episki",{"title":976,"searchDepth":977,"depth":977,"links":978},"",2,[979,980,981,986,993,996,997,998,999,1000,1001,1002],{"id":29,"depth":977,"text":30},{"id":120,"depth":977,"text":121},{"id":174,"depth":977,"text":175,"children":982},[983,985],{"id":182,"depth":984,"text":183},3,{"id":221,"depth":984,"text":222},{"id":298,"depth":977,"text":299,"children":987},[988,989,990,991,992],{"id":305,"depth":984,"text":306},{"id":326,"depth":984,"text":327},{"id":347,"depth":984,"text":348},{"id":365,"depth":984,"text":366},{"id":383,"depth":984,"text":384},{"id":401,"depth":977,"text":402,"children":994},[995],{"id":492,"depth":984,"text":493},{"id":519,"depth":977,"text":520},{"id":567,"depth":977,"text":568},{"id":619,"depth":977,"text":620},{"id":713,"depth":977,"text":714},{"id":779,"depth":977,"text":780},{"id":850,"depth":977,"text":851},{"id":915,"depth":977,"text":916},"practices","2026-04-14","A practical HIPAA guide for law firms handling protected health information in 2026 — Business Associate status, BAAs with clients, litigation support, e-discovery, and matter data protection.","md",{"src":1008},"\u002Fimages\u002Fblog\u002Fhipaa-breach-prevention.jpg",{},true,"\u002Fnow\u002Fhipaa-for-legal",{"title":1013,"description":1014},"HIPAA Compliance for Law Firms Handling PHI (2026 Guide)","HIPAA for law firms with healthcare-adjacent work in 2026 — Business Associate status, client BAAs, litigation support, e-discovery, protective orders, and matter data controls.","3.now\u002Fhipaa-for-legal","kLEFlRmkKdUeepLsDR0uMqJmcwBBWtHI__a3XLK0k7k",[1018,1023],{"title":1019,"path":1020,"stem":1021,"description":1022,"children":-1},"HIPAA Compliance for Healthtech API Providers (2026)","\u002Fnow\u002Fhipaa-for-healthtech-apis","3.now\u002Fhipaa-for-healthtech-apis","A practical HIPAA guide for API-first healthtech companies in 2026 — BAA chains, developer-facing compliance, audit logging at scale, and serving regulated customers as infrastructure.",{"title":1024,"path":1025,"stem":1026,"description":1027,"children":-1},"ISO 27001 Certification in 2026: What's Actually Involved","\u002Fnow\u002Fiso27001-certification-guide","3.now\u002Fiso27001-certification-guide","A practical walkthrough of ISO 27001 certification — from ISMS design through Stage 2 audit, including timelines, costs, and common pitfalls.",1776395331238]