HIPAA & Business Associate Agreements

Last updated: May 26, 2026

Short version. Most CourtFlow customers do not need a Business Associate Agreement (BAA) because court filings are not Protected Health Information (PHI) and CourtFlow is not a HIPAA Business Associate of an ordinary litigation firm. For the narrow case where you are a HIPAA-covered entity or business associate yourself and you intend to route PHI through CourtFlow — most commonly, plaintiff-side medical-malpractice or personal-injury practices that pull medical records into case files — CourtFlow will execute a BAA on the Firm plan and above. Email privacy@courtflow.ai to request one.

1. Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act, regulates the use and disclosure of Protected Health Information (PHI) by "covered entities" (health plans, healthcare providers, and healthcare clearinghouses) and their "business associates" — third parties that create, receive, maintain, or transmit PHI on behalf of a covered entity. A Business Associate Agreement (BAA) is the written contract that HIPAA (45 C.F.R. § 164.504(e)) requires between a covered entity and a business associate.

Law firms generally engage with PHI under HIPAA in two ways: as a business associate of a covered entity (defense-side healthcare clients) or as a third party that receives PHI in the course of litigation (plaintiff-side personal injury or medical malpractice, requesting medical records as litigation evidence). The HHS Office for Civil Rights has long taken the position that an attorney providing legal services to a covered entity that requires the disclosure of PHI is a business associate.

2. CourtFlow's Default Posture

CourtFlow AI is a court-email and case-management platform built around the routine work product of litigation practice: court filings, dockets, deadlines, calendars, briefs, and similar materials. The ordinary content that flows through the platform is not PHI as defined at 45 C.F.R. § 160.103. CourtFlow does not, by default, hold itself out as a HIPAA Business Associate, and our Acceptable Use Policy instructs customers not to upload PHI without first executing a BAA with us.

3. When You May Need a BAA With CourtFlow

You may need a BAA with CourtFlow if any of the following apply to your practice:

  • You are a HIPAA-covered entity (a healthcare provider, health plan, or clearinghouse) and you intend to use CourtFlow to process documents that contain PHI.
  • You are a business associate of a covered entity (for example, a law firm whose engagement letter with a healthcare-provider client requires HIPAA-compliant handling of PHI) and your downstream use of CourtFlow would route the covered entity's PHI through our platform — requiring a subcontractor BAA under 45 C.F.R. § 164.502(e)(1)(ii).
  • You routinely include medical records or other PHI in case files that CourtFlow processes — for example, plaintiff-side medical-malpractice or personal-injury practices where medical records are central to the work product.

You probably do not need a BAA if your matters touch healthcare only incidentally (e.g., a routine slip-and-fall personal-injury case where medical records may or may not be requested in discovery) and the bulk of the files CourtFlow processes are court filings, contracts, motions, and similar non-PHI materials.

4. Availability

CourtFlow will execute a Business Associate Agreement with customers on the Firm plan and above on request, at no additional cost. The BAA is offered on the Firm plan because that tier's seat allowance and feature set generally fit the staffing of a practice that handles PHI at scale; if you are on a smaller plan and have a documented need, contact us and we will discuss.

5. Scope of the BAA

The BAA will cover PHI created, received, maintained, or transmitted by CourtFlow on behalf of the customer through the signed-in Service. It will not cover:

  • Public tools. The free filing analyzer at /try, the court rules reference at /rules, the public probate intake portal, and the sales chat widget are public surfaces and may not be used to submit PHI under any circumstances.
  • Customer-controlled storage. Documents that CourtFlow files to your own Google Drive or OneDrive sit in your own storage account and are governed by your BAA (if any) with Google or Microsoft, not by your BAA with CourtFlow.
  • Third-party AI providers without their own BAA. Where AI processing of PHI is in scope, only model providers that themselves offer a BAA will be used for the affected workloads. As of the date of this page, Google Cloud's Gemini API is BAA-eligible for HIPAA-regulated workloads under the Google Cloud BAA; the Anthropic Claude API used for the sales chat and certain internal automation is not BAA-eligible and will not be used to process PHI under any circumstances.

6. Form of Agreement

CourtFlow has a standard BAA template that meets the regulatory requirements at 45 C.F.R. § 164.504(e) and includes the minimum content specified by 45 C.F.R. § 164.314(a). The template addresses permitted uses and disclosures, required safeguards, subcontractor flow-down, breach notification (consistent with the 72-hour internal commitment in our DPA §8), customer access to PHI, amendment and accounting of disclosures, and return-or-destroy obligations at termination. Customers may also propose their own BAA template; CourtFlow will review reasonable templates in good faith but reserves the right to negotiate material terms.

7. How to Request a BAA

  1. Email privacy@courtflow.ai from an address listed on the account, with the subject line "BAA request — [firm name]."
  2. Briefly describe your covered-entity or business-associate status and the nature of the PHI you expect to process through CourtFlow (volume, source, sensitivity).
  3. If your firm has a preferred BAA template, attach it. Otherwise indicate that you would like to receive CourtFlow's standard template.

We will respond within five (5) business days with either the executable template or a brief negotiation outline. Most BAA executions complete within ten (10) business days end-to-end.

8. Before a BAA Is in Place

Do not upload, paste, transmit, or otherwise process PHI through CourtFlow until an executed BAA is in place between your firm and CourtFlow AI, Corp. Doing so may expose your firm to HIPAA liability and is a violation of our Acceptable Use Policy. If you have inadvertently routed PHI through CourtFlow without a BAA, contact privacy@courtflow.ai as soon as you discover it; we will work with you to assess and, where appropriate, delete the affected records.

BAA requests and HIPAA questions

Email privacy@courtflow.ai with the subject line "BAA request" or "HIPAA question."