Legal AI Compliance

HIPAA-Compliant AI for Law Firms

Austin Archuleta, Founder & AI Solutions Architect — Updated June 27, 2026

What makes AI tools HIPAA compliant, why consumer chatbots are not, and how to use AI safely with protected health information in your law firm.

Quick Answer

Is AI HIPAA Compliant for Law Firms?

AI can be HIPAA compliant for law firms—but only when purpose-built with specific safeguards. A signed Business Associate Agreement (BAA) with every vendor in your data chain is the baseline requirement. Beyond that, compliant AI requires encrypted storage, role-based access controls, audit logging, and data minimization. Consumer AI chatbots—including standard ChatGPT and similar tools—do not offer BAAs and are not compliant for use with protected health information.

What Is HIPAA and When Does It Apply?

HIPAA (the Health Insurance Portability and Accountability Act), through its Privacy and Security Rules, sets federal standards for safeguarding protected health information (PHI): individually identifiable information about a person's health condition, the care they received, or payment for that care, when it is created or held by a covered entity or one of its business associates.

Law firms are not inherently covered entities under HIPAA, but many become business associates when they receive PHI from clients or healthcare providers in the course of legal representation. Personal injury firms, workers' compensation practices, medical malpractice attorneys, disability claim advocates, and any firm handling client medical records fall into this category.

As a business associate, your firm must sign BAAs with any vendor that processes PHI on your behalf (HIPAA treats such vendors as subcontractor business associates), and that includes any AI system that touches client health data. The stakes are real: HIPAA civil penalties are tiered by culpability, with base statutory amounts of $100 to $50,000 per violation and an annual cap per violation category of about $1.9 million, both adjusted upward for inflation each year. Knowingly obtaining or disclosing PHI in violation of the statute can additionally carry criminal liability.

The Compliance Stack

What Makes AI HIPAA Compliant?

01

Business Associate Agreement (BAA)

A BAA is a contract required under HIPAA between your firm and any vendor that processes protected health information on your behalf. Before an AI tool touches a single client record containing health data, your firm needs a signed BAA from that vendor. No BAA = HIPAA violation, regardless of how secure the vendor's infrastructure actually is.

02

Encryption in Transit and at Rest

HIPAA does not name specific algorithms; it requires encryption that renders PHI unusable to unauthorized parties, and HHS guidance defers to NIST standards for what qualifies. In practice that means AES-256 (or another NIST-approved cipher) for stored data and TLS 1.2 or higher, with weak cipher suites disabled, for data in transit, so the data is unreadable if a connection is intercepted or storage media is lost or stolen. The practical check is who controls the keys: ask the vendor whether encryption keys are customer-managed and whether the vendor's own staff can decrypt your data. Consumer AI tools give users no visibility into, or control over, encryption and key management at the storage layer.

03

Role-Based Access Controls

Only authorized personnel should be able to access PHI, and different roles should have different levels of access (this is the Security Rule's access control standard, 45 CFR 164.312(a)(1)). The AI system must enforce these controls programmatically, deny by default, and apply them to the service accounts the AI itself runs under, not rely on written policy alone. An intake coordinator should not be able to see the same medical records as a case attorney, and the intake agent that collects a record should not be the identity that later reads it.

04

Audit Logging

HIPAA's audit controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems containing PHI. In practice that means a complete trail of who accessed PHI, when, which record, and what they did with it: every read, write, export, and deletion, including denied attempts, logged and retained. HIPAA-compliant AI systems write these logs to append-only, tamper-evident storage that application code cannot rewrite, because they are the first thing a breach investigation or an HHS Office for Civil Rights audit will ask for.

05

Data Minimization

Collect and retain only the minimum PHI necessary for the specific purpose (the Privacy Rule's "minimum necessary" standard, 45 CFR 164.502(b)). An AI intake system should not keep raw audio or transcripts of client calls longer than it takes to extract the structured facts it needs, should discard the rest, and should have defined retention periods enforced by automatic deletion rather than by someone remembering to clean up. Consumer AI tools give your firm no such controls over what is kept or for how long.
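The three application-layer controls above (role-based access, audit logging, and retention-driven data minimization) are easiest to see as code. The following Python module is an added example written for this page, not Moon Sherpa Labs' intake software; the role names, the field list, the 24-hour raw-transcript retention window, and the `intake_agent` service identity are assumptions, and the matter it stores is constructed sample data.

```python
"""Illustrative PHI access layer: deny-by-default RBAC, a hash-chained audit log,
and automatic purge of raw intake transcripts.  Added example; roles, fields and
retention window are assumptions, not a real firm's configuration."""
import hashlib
import json
import time
from dataclasses import dataclass, asdict

# Assumed read-visibility matrix: which PHI fields each human role may see.
# Deny by default: an unknown role, or a field missing from its set, is refused.
ROLE_READ_FIELDS = {
    "intake_coordinator": {"client_name", "incident_summary", "insurer"},
    "paralegal": {"client_name", "incident_summary", "insurer", "treatment_dates"},
    "case_attorney": {"client_name", "incident_summary", "insurer",
                      "treatment_dates", "diagnosis_codes", "medical_history"},
}
WRITE_ROLES = {"intake_agent"}        # assumed service identity of the intake AI
RAW_RETENTION_SECONDS = 24 * 3600     # assumed: raw transcript purged after 24h


@dataclass
class AuditEntry:
    ts: float
    actor: str
    role: str
    action: str        # read / write / purge
    matter: str
    fields: list
    outcome: str       # allowed / denied
    prev_hash: str     # hash of the previous entry: chains the log
    hash: str = ""


def _entry_hash(e: AuditEntry) -> str:
    body = dict(asdict(e), hash="")     # hash covers everything but the hash itself
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PHIStore:
    def __init__(self):
        self._records = {}   # matter_id -> {field: value}; structured, retained
        self._raw = {}       # matter_id -> (stored_at, raw transcript); time-limited
        self.audit = []      # append-only, hash-chained; tamper-evident, not immutable

    def _log(self, actor, role, action, matter, fields, outcome, now):
        prev = self.audit[-1].hash if self.audit else "0" * 64
        e = AuditEntry(now, actor, role, action, matter, sorted(fields), outcome, prev)
        e.hash = _entry_hash(e)
        self.audit.append(e)
        return outcome == "allowed"

    def write_intake(self, actor, role, matter, raw_transcript, extracted, now=None):
        """Only the intake service may write; raw transcript is kept on a timer."""
        now = time.time() if now is None else now
        if role not in WRITE_ROLES:
            return self._log(actor, role, "write", matter, extracted, "denied", now)
        self._records.setdefault(matter, {}).update(extracted)
        self._raw[matter] = (now, raw_transcript)
        return self._log(actor, role, "write", matter, extracted, "allowed", now)

    def read(self, actor, role, matter, fields, now=None):
        """Fail closed: one field outside the role's set denies the whole request."""
        now = time.time() if now is None else now
        allowed = ROLE_READ_FIELDS.get(role, set())
        if not set(fields) <= allowed or matter not in self._records:
            self._log(actor, role, "read", matter, fields, "denied", now)
            return None
        self._log(actor, role, "read", matter, fields, "allowed", now)
        rec = self._records[matter]
        return {f: rec.get(f) for f in fields}

    def purge_expired_raw(self, now=None):
        """Retention job: drop raw transcripts past the window, keep structured data."""
        now = time.time() if now is None else now
        expired = [m for m, (t, _) in self._raw.items() if now - t >= RAW_RETENTION_SECONDS]
        for m in expired:
            del self._raw[m]
            self._log("retention-job", "system", "purge", m, ["raw_transcript"], "allowed", now)
        return len(expired)

    def has_raw(self, matter):
        return matter in self._raw

    def verify_audit(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            if e.prev_hash != prev or _entry_hash(e) != e.hash:
                return False
            prev = e.hash
        return True


if __name__ == "__main__":
    # Constructed sample matter, not real client data.
    store = PHIStore()
    t0 = 1_700_000_000.0
    store.write_intake("intake-bot", "intake_agent", "M-001", "caller: rear-ended on I-35 ...",
                       {"client_name": "Jane Doe", "incident_summary": "rear-ended",
                        "diagnosis_codes": ["S13.4"]}, now=t0)
    print(store.read("alice", "intake_coordinator", "M-001", ["client_name"], now=t0))
    print(store.read("alice", "intake_coordinator", "M-001", ["diagnosis_codes"], now=t0))
    print(store.purge_expired_raw(now=t0 + 2 * 86400), store.verify_audit())
```

Two design points matter here. Reads fail closed: a request that mixes permitted and forbidden fields is refused outright and the refusal is logged, so the audit trail shows attempts as well as successes. And the hash chain only makes tampering detectable; a production deployment still ships the entries to storage the application identity cannot rewrite (write-once object storage or a separate logging account) so that "immutable" is enforced by infrastructure, not by the code that could be compromised.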

Are Consumer AI Chatbots HIPAA Compliant?

No. Consumer AI chatbots—including the free and standard paid tiers of ChatGPT, Google Gemini, and similar tools—do not offer Business Associate Agreements. Without a BAA, entering any protected health information into these tools is a potential HIPAA violation, regardless of how the rest of your system is configured.

This is not a technicality. When you type a client's injury details, medical history, or insurance information into a consumer chatbot, that data may be used to improve the AI model, stored on servers without firm-specific access controls, and handled by a vendor with no contractual HIPAA obligations. If that data is ever accessed inappropriately, your firm—not the chatbot provider—bears the liability.

Enterprise API agreements from vendors like OpenAI and Anthropic do include HIPAA BAA options—but BAAs must be explicitly negotiated and signed before any PHI is processed, and the application built on top of the API must also implement all required application-layer safeguards. A BAA from the AI provider alone is necessary but not sufficient.

Consumer Chatbot vs. HIPAA-Compliant AI System

Feature                       | Consumer AI Chatbot              | HIPAA-Compliant AI System
Business Associate Agreement  | Not available                    | Required and signed
Data used for AI training     | May be used without opt-out      | Contractually excluded
Encryption at rest            | Not guaranteed                   | AES-256 minimum
Encrypted transmission        | Varies                           | TLS 1.2+ enforced
Role-based access controls    | None                             | Enforced at application layer
PHI audit trail               | None                             | Immutable access log
Data minimization             | None                             | Retention limits enforced
Safe for client health data   | No                               | Yes, when properly built

HIPAA-Compliant AI Use Cases for Law Firms

Legal Intake Automation

A 24/7 voice AI that conducts structured intake interviews—capturing injury details, medical history, insurance information, and incident facts—without human staff on the line. When built on BAA-covered infrastructure with encrypted storage and access controls, it handles PHI compliantly. Qualified leads route to the right attorney with a structured brief; raw call data is discarded after extraction.

Medical Record Summarization

Personal injury, workers' compensation, and medical malpractice cases involve voluminous medical records that take attorney time to review. A HIPAA-compliant AI can extract key facts—diagnosis codes, treatment dates, provider names, treatment gaps, and damages-relevant findings—and generate a structured summary. The summary replaces the raw record for workflow purposes, minimizing staff exposure to full PHI.

Case Document Processing

AI can organize, classify, and extract data from medical bills, treatment notes, imaging reports, and insurance correspondence automatically. Structured extraction enables faster chronology building, damages calculation, and settlement preparation. The AI processes documents on BAA-covered infrastructure and stores only extracted structured data—not document images—wherever possible.

Secure Client Communication

Encrypted client portals let clients share medical records, sign documents, and communicate securely without relying on ordinary email. Standard email is not encrypted end to end and is not HIPAA compliant without additional safeguards: a client who emails medical records to your regular inbox has put PHI in transit and at rest on systems your firm does not control, and the firm is responsible for protecting it from the moment it arrives. A purpose-built secure portal removes that exposure and creates an audit trail of every document exchange.

Moon Sherpa Labs builds legal intake automation on BAA-covered infrastructure with end-to-end compliance controls. See how we built the intake system for Archuleta Law Firm—23% more cases signed in Q1 alone.

Common Questions

Is AI HIPAA compliant for law firms?

AI can be HIPAA compliant for law firms when purpose-built with the right safeguards: a signed BAA with the AI vendor, encrypted storage and transmission of PHI, role-based access controls, audit logging, and data minimization. Consumer AI chatbots—including free tiers of ChatGPT and similar tools—do not sign BAAs and are not compliant for use with client health data. Consult qualified legal counsel to confirm your firm's specific obligations.

Can law firms use ChatGPT for clients with health information?

No. Standard consumer ChatGPT does not offer Business Associate Agreements. Entering client health details into a consumer chatbot is a potential HIPAA violation regardless of your other practices. Enterprise API agreements from OpenAI and other vendors can include BAA options—but those agreements must be explicitly signed before any PHI is processed, and the application layer must also implement all required safeguards.

What is a BAA and why does my AI vendor need one?

A Business Associate Agreement (BAA) is a contract required under HIPAA between your firm and any vendor that processes PHI on your behalf. It obligates the vendor to protect that data according to HIPAA standards and outlines liability in a breach. Without a signed BAA, sharing PHI with any vendor—including an AI system—is a HIPAA violation regardless of the vendor's actual security practices. You need a BAA from every vendor in your data chain: AI model provider, cloud infrastructure, and any storage or communication services.

What AI platforms are HIPAA compliant for law firms?

Enterprise AI platforms that offer HIPAA BAAs include Azure OpenAI Service, Amazon Bedrock, and Google Cloud Vertex AI. A BAA alone does not make a system compliant: the application layer must also implement encryption, access controls, audit logging, and data minimization, and the BAA must cover every service in the path (model, storage, telephony, logging), not just the model endpoint. Purpose-built legal AI systems deploy on these platforms with all required application-layer controls. See how Moon Sherpa Labs builds HIPAA-compliant legal intake systems.

Ready to Build Compliant?

HIPAA-Compliant AI Built for Your Firm

Moon Sherpa Labs builds legal intake and document processing systems on BAA-covered infrastructure—so your firm gets the efficiency of AI without the compliance risk of consumer tools. Book a free 30-minute strategy call.