A practical guide for life care planners, Medicare Set-Aside drafters, legal nurse consultants, vocational experts, and the attorneys, carriers, and TPAs who hire them.
By Nathan Gunn, MD, CEO and Co-Founder, SecondLook Health
Published April 25, 2026
Not legal advice. This post is general information for educational purposes. It is not legal advice and does not create an attorney-client relationship between you and SecondLook Health. HIPAA, state law, and agency guidance change over time, and the applicability of any rule to a specific engagement depends on the facts of that engagement. Always consult a healthcare attorney licensed in your jurisdiction before relying on this analysis for any specific matter.
HIPAA almost certainly does not apply to your work as an independent clinical consultant. Four reasons:
The rest of this post walks through each of the four, with the regulation cited line by line. If you read nothing else, read the playbook section near the end.
HIPAA follows the entity, not the data. It is a status-based regulation. The rule reaches certain organizations and the contractors those organizations hire. Once medical records leave a covered organization through a permitted disclosure (a subpoena, an authorization, a workers' comp claim) they don't carry HIPAA with them. (To be clear, they may carry other obligations.) That is the single sentence everyone gets wrong, and it is the engine of every argument below.
HIPAA only applies to three categories of organizations, plus the contractors those organizations hire. The categories are health plans, healthcare clearinghouses, and healthcare providers who send specific kinds of electronic transactions like insurance claims. That's it. The full list is in 45 CFR 160.103, which is the regulation that defines the terms HIPAA uses.
This is statutory, not interpretive. Workers' compensation carriers, automobile liability insurers, property and casualty insurers, life insurers, and disability income insurers are all classified as "excepted benefits" under 42 U.S.C. 300gg-91(c)(1), and 45 CFR 160.103 specifically excludes them from the definition of "health plan." The Department of Health and Human Services has written this in plain English: in its Workers' Compensation Disclosures FAQ, HHS notes that "the Privacy Rule is not intended to impede the flow of health information" in workers' comp claims. Translation: HIPAA was deliberately written to leave workers' comp alone.
A law firm is not a health plan, a clearinghouse, or a healthcare provider. Neither is an MSA vendor or a consulting firm. So in their own right, none of them are covered entities. The records they hold are not HIPAA-protected by virtue of being held by them.
But here is the asterisk that matters. If a law firm represents a covered entity (a hospital being sued for malpractice, a health plan defending a denial, a covered provider in a regulatory matter), the firm becomes a business associate of that covered entity under 45 CFR 160.103, which expressly names "legal services... to or for such covered entity" as a business associate function. The firm signs a BAA with its client. When the firm then hires you to review records, you become a subcontractor business associate of the firm, and the firm flows the BAA down to you. That is the chain the HIPAA Omnibus Rule was designed to create.
So, the question is not "is the firm a covered entity" (no). It is "is the firm a business associate of a covered entity in this engagement, and am I being pulled into that chain?" The answer turns on who the firm represents in the matter, not on what kind of firm it is.
Defense firms in medical malpractice cases representing hospitals are commonly BAs of those hospitals. Plaintiff firms suing those same hospitals are typically not, because they receive records through subpoena, authorization, or discovery rather than through a BA relationship with the hospital. Workers' comp defense firms are typically not BAs because their clients (carriers, employers) are not covered entities. Defense firms representing self-insured health plans usually are. The pattern follows the client, not the firm.
Most consultants think "the records came from a hospital, so they're PHI forever." Wrong. PHI is a status that attaches to records when they are held by a covered entity or a business associate. Once a covered entity makes a permitted disclosure, the records leave HIPAA's reach. They may still be confidential AND they may still be protected by state law, contract, or professional ethics, but they are no longer HIPAA-regulated in the recipient's hands. This is the central misunderstanding in the consultant world. Once you see it, the rest of the analysis falls into place.
"What about a hybrid entity?" Some insurance companies sell both health insurance (covered) and workers' comp or auto (not covered). Under 45 CFR 164.504(a)-(c), they can firewall the lines as a "hybrid entity." HIPAA reaches the health plan side and the workers' comp side stays excluded. Liberty Mutual's auto claims department doesn't become HIPAA-regulated because Liberty Mutual sells health insurance somewhere else.
"I'm a nurse, doesn't my license make me HIPAA-regulated?" No. HIPAA is functional, not professional. It looks at what an organization does in a specific role, not what licenses the people in that role hold. A physician moonlighting as a life care planner for a plaintiff firm isn't billing insurance for that work. They're not a covered provider in that capacity. Your license doesn't drag HIPAA along with it.
"When does HIPAA actually reach me?" Three scenarios. First, you sign a Business Associate Agreement (BAA) with a covered entity. Second, your client is a covered entity (a hospital quality department, a health plan). Third, you yourself are a covered provider doing standard electronic billing in a separate role. If none of those three apply, HIPAA isn't in the picture.
Most people think "HIPAA-compliant" means "meets a specific technical security standard." It doesn't. The HIPAA Security Rule, which lives at 45 CFR 164.302-318, is structured as goals plus implementation specifications. Some specifications are "required." Most are "addressable," which means each organization decides what's reasonable based on its size, complexity, and risk. There is no rule that says "use AES-256 encryption at rest, rotate keys every 90 days." There is no rule that says "require multi-factor authentication." Those are best practices the industry has converged on. They are not, today, in the regulation.
Speaking at HIMSS 2026 in Las Vegas, Paula Stannard, the Director of the HHS Office for Civil Rights, the federal agency that enforces HIPAA, made a striking concession. She acknowledged that under the current Security Rule, organizations have treated optional security controls as actually optional, and that the result has been weaker security across the regulated industry. (As TechTarget and Govinfosecurity reported it, her words were that small and mid-sized regulated entities have treated addressable specifications as optional, and that this has produced "much more lax security.")
HIPAA's clearest, most deterministic rule is buried in 45 CFR 164.514(b)(2): the Safe Harbor de-identification standard. Strip these 18 identifiers from a record and the data is no longer PHI:
Strip those, and the record is no longer regulated by HIPAA.
The Safe Harbor is the only place in HIPAA's security framework where you get a deterministic checklist. The technical security controls, such as encryption strength, authentication mechanisms, and key management, are left to your judgment based on a documented risk analysis. That's the gap the proposed 2025 NPRM (Notice of Proposed Rulemaking) is trying to close.
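To show what a deterministic Safe Harbor pass looks like in practice, here is an added Python example (not code from the post or from SecondLook) that redacts a subset of the 18 identifier classes from free text; the small-population ZIP prefix set is a constructed assumption, the sample record is constructed, and names are deliberately left alone because they need entity recognition rather than regexes.

```python
import re

# Added example, not from the post: a Safe Harbor (45 CFR 164.514(b)(2))
# redactor for identifier classes that show up in free text. It handles a
# subset only: dates reduced to the year, ages over 89 aggregated, ZIP codes
# cut to three digits, and MRN, SSN, phone and e-mail values replaced with
# tokens. Names and other free-text identifiers need entity recognition,
# so this is a floor, not a complete Safe Harbor pass.

# Assumption (constructed): 3-digit ZIP prefixes covering 20,000 people or
# fewer. Safe Harbor requires those to become 000; the real set comes from
# Census data and has to be maintained.
SMALL_POP_ZIP3 = {"036", "059", "102", "203"}

DATE_US = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")
DATE_ISO = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
AGE = re.compile(r"\b(\d{1,3})([ -])year\2old\b", re.IGNORECASE)
ZIP = re.compile(r"\b(\d{5})(?:-\d{4})?\b")
# Order matters: MRN and SSN run before the phone pattern so digit runs are
# classified by the more specific shape first.
TOKEN_PATTERNS = [
    (re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE), "[MRN]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}\b"),
     "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]


def _age(m):
    # Ages above 89 collapse into the single "90 or older" category.
    return "90 or older" if int(m.group(1)) > 89 else m.group(0)


def _zip3(m):
    prefix = m.group(1)[:3]
    return "000" if prefix in SMALL_POP_ZIP3 else prefix + "XX"


def safe_harbor_redact(text):
    """Return text with the handled identifier classes removed."""
    text = DATE_US.sub(lambda m: m.group(3), text)   # keep the year only
    text = DATE_ISO.sub(lambda m: m.group(1), text)
    text = AGE.sub(_age, text)
    for pattern, token in TOKEN_PATTERNS:
        text = pattern.sub(token, text)
    return ZIP.sub(_zip3, text)


# Constructed sample record, not a real patient.
SAMPLE = ("Jane Roe, 94-year-old female, DOB 03/14/1931, seen 2025-02-10. "
          "MRN 0048213. SSN 123-45-6789. Phone (617) 555-0199, "
          "email jane.roe@example.com. Lives in 03601 and works in 02115.")

if __name__ == "__main__":
    print(safe_harbor_redact(SAMPLE))
```

Note that the name "Jane Roe" survives the pass, which is exactly why a regex-only redactor cannot by itself satisfy Safe Harbor.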
In January 2025, HHS published a Notice of Proposed Rulemaking that would change all of this. It would eliminate the "addressable" category entirely, mandate encryption at rest and in transit, mandate multi-factor authentication, mandate written asset inventories, and require 72-hour incident response. The cost was estimated at over $9 billion in the first year. As of April 2026, the Trump administration is still working through more than 4,700 public comments and has not finalized it. The current rule still applies; if the proposed rule lands, this section of this post is going to need a rewrite.
A Business Associate Agreement (BAA) is the contract a covered entity signs with a contractor (a "business associate") who handles PHI on the covered entity's behalf. The required content is set out at 45 CFR 164.504(e): permitted uses and disclosures of PHI, the obligation to safeguard it, breach notification timelines, the obligation to flow these terms down to subcontractors, individual access rights, return or destruction of PHI at termination, and access for HHS audits. That's the menu.
It allocates breach consequences and process. If something goes wrong, the BAA tells you who has to notify whom, on what timeline, who pays for which costs, and what evidence has to be turned over to investigators. It's a contract about consequences, not a manual about how to build secure systems. The substantive security obligations come from the Security Rule itself, which since the HITECH Act of 2009 and the HIPAA Omnibus Rule of 2013 applies to business associates directly. Signing a BAA is partly an acknowledgment that those rules now apply to you.
Most BAAs include indemnification clauses. Most clinical consultants assume those clauses are mandatory. They aren't. HIPAA itself doesn't require indemnification in a BAA. It's a commercial term that some organizations push hard for and others don't. Read carefully before signing. An overbroad indemnity clause can shift far more financial risk to you than HIPAA itself ever would.
Some BAA requests you receive are substantively required by the regulation. If a law firm representing a hospital hires you to review records in a malpractice case, the firm is a business associate of the hospital, you are a subcontractor business associate of the firm, and the BAA flow-down is required by HIPAA. Sign it; that is the system working as designed.
The trap is the BAA request that is not substantively required, where a firm or vendor asks you to sign defensively or as a matter of internal policy when no covered entity is in the chain.
Before HITECH (2009), business associates only had contract liability. If they messed up, the covered entity could sue them. After HITECH, business associates are directly liable to the federal government for Security Rule violations. OCR can investigate you, fine you, and impose corrective action plans. Penalties scale up to $2.13 million per violation category per year at the willful-neglect tier. The "safe" choice creates the federal regulatory risk.
Once you sign a BAA, every vendor you use that touches the records becomes your subcontractor. Cloud storage, transcription, document management, even a fax service in some cases. Every one of them needs its own BAA with you, and the obligations have to flow down. Most independent consultants never do this. If you sign a BAA and use Dropbox without a separate BAA with Dropbox, you're out of compliance with the BAA you just signed.
If HIPAA isn't your problem, what is? Five things, in roughly the order you should worry about them.
Most states have their own medical-records confidentiality statutes that apply regardless of HIPAA status. California's Confidentiality of Medical Information Act (Cal. Civ. Code § 56 et seq.) is the most prominent example, and it explicitly reaches non-HIPAA-covered organizations including some workers' comp actors. New York, Texas, Illinois, and Florida all have analogous statutes. These laws are sometimes stricter than HIPAA, not weaker. If you operate in a state with one of these statutes, that's the regulation that's actually governing your work.
All 50 states have breach notification laws. They trigger when personal information is exposed, regardless of whether that information was HIPAA-protected. Timelines vary widely (30 days, 45 days, 60 days, "without unreasonable delay"), and so do the kinds of information they cover. If you handle medical records and someone steals your laptop, you may have a state-law notification obligation even if HIPAA never reached you.
Most state workers' comp statutes impose their own confidentiality requirements on claim records. These are separate from HIPAA, often broader, and rarely well-understood by the consultants who handle the records. The starting move, when you take a workers' comp engagement, is to read the relevant state's workers' comp confidentiality provision before assuming you know the rules.
Whatever the engagement letter or retainer says, that's what you're bound to. Read it. If your client wants you to follow a security standard stricter than HIPAA, you're going to follow that standard whether or not HIPAA applies. If they want you to indemnify them for breaches, the contract controls. The contract is doing more work than HIPAA is in almost every consultant engagement.
ICHCC for life care planners. AALNC for legal nurse consultants. ABVE and IARP for vocational experts. Each has its own confidentiality and competence requirements that survive the end of any contract. These can be the basis for a complaint, a sanction, or a credentialing review long after the case closes. Read the ethics code for your credential. Most consultants haven't read theirs in years, if ever.
Read these out loud the next time someone tells you HIPAA applies to a situation it doesn't.
Almost certainly no. The defense firm isn't a covered entity. The workers' comp carrier paying the bills isn't a covered entity. You're a consultant for a non-covered client. HIPAA isn't reaching this engagement. Worry about state law and your contract.
Probably yes, and you probably will sign regardless. The most common scenario where a defense firm asks a clinical consultant for a BAA is medical malpractice defense, where the firm represents a hospital. In that case the firm is a business associate of the hospital, you become a subcontractor business associate of the firm, and the flow-down BAA is required by HIPAA. The firm is not being defensive; rather, they're doing what the regulation requires.
The two scenarios where the request is more questionable are workers' comp defense (the firm's client is a carrier, which is not a covered entity) and personal injury defense for self-insured employers or auto carriers. In those cases, the BAA may be a matter of firm policy rather than a regulatory requirement.
You can ask a clarifying question without picking a fight: "I want to make sure I understand the scope. Is the firm acting as a business associate of one of its clients on this matter, and is the BAA flowing down from that arrangement?" The answer tells you which scenario you're in.
Either way, before signing, three things to look at carefully:
For you, no. Neither of you is a covered entity, and HIPAA isn't reaching either side of that exchange. State law might, and common sense definitely does: unencrypted email of medical records is a bad practice independent of whether it's a HIPAA violation. Don't accept it.
Now HIPAA reaches you. Hospitals are covered entities. You'll be a business associate. Sign the BAA, read it carefully, and understand that you've now become directly liable for Security Rule compliance. Make sure your vendors (cloud storage, transcription, anything that touches the records) have downstream BAAs with you.
You need a vendor with strong, audited, actual security. "HIPAA-compliant" is a vague label. It doesn't mean the vendor encrypts data at rest. It doesn't mean they have multi-factor authentication. It doesn't mean they've had a third-party security audit. Practically, ask if they are SOC 2 Type II compliant, what security controls they've actually implemented, and what enterprise clients they serve today.
Yes. Plaintiffs and defense attorneys love asking expert witnesses about HIPAA, often because they don't understand it themselves.
The technically correct answer that you won’t remember is: "HIPAA didn't apply to my work in this case because none of the parties involved were covered entities. The applicable rules were [state confidentiality statute / professional ethics code / contract terms]." That's the correct, defensible, technically accurate answer.
The practical answer is a short, calm, accurate sentence you can deliver under pressure: "My handling of records in this case was governed by my contract with [the firm] and by my professional standards. I followed those." That's true. It's short. It doesn't volunteer a legal opinion you're not qualified to give. And it doesn't open a line of questioning about HIPAA's reach, because you didn't claim HIPAA reached you.
If opposing counsel presses with "But isn't this protected health information under HIPAA?", a defensible answer is: "I'm not a lawyer, so I can't speak to how HIPAA applies. What I can speak to is how I handled the records, which was according to my contract and my professional standards." That answer respects the limit of your expertise (you're a clinician, not a healthcare attorney), redirects to what you do know (your own conduct), and ends the legal-framework question without a confrontation.
Do not volunteer a HIPAA analysis on the stand. Even if you're right, you're testifying outside your area of expertise, which is something opposing counsel will use against you.
We work with both kinds of clients: covered entities (hospitals, health plans) and the much larger universe of non-covered entities (workers' comp carriers, MSA vendors, individual consultants). If you hand us a BAA, we sign it and operate as your business associate. If you don't, our security posture is the same anyway. We maintain SOC 2 Type II attestation, which is the closest thing the industry has to a prescriptive, audited security standard, and it doesn't depend on whether you're HIPAA-regulated.
***
HIPAA is narrower than the world believes. The framework that does apply to your work is broader and messier: state law, contract, professional ethics, and the security posture you actually maintain. Worry about that second list. Stop worrying about HIPAA unless someone hands you a BAA.
If you have a case in front of you and you want a second look at the medical records, you can upload a case for free at app.secondlookhealth.ai/register. For a one-page methodology fact sheet describing how SecondLook handles records and security, click here for a dynamic HIPAA Applicability Decision.
All sources hyperlinked to their primary text where available. Federal regulations linked to the official Electronic Code of Federal Regulations (eCFR). Statutes linked to law.cornell.edu. Federal Register notices linked to federalregister.gov. Agency guidance linked to the agency's own URL.