HIPAA Compliance When Handling Pharmacy Lien Data

James Wong — Founder & Pharmacist, LienScripts | March 29, 2026 | 8 min read

Attorneys receive protected health information through pharmacy lien documentation. This guide covers what attorneys can share, who they can share it with, and what safeguards are required when handling pharmacy lien data under HIPAA.

This post is for informational purposes only and does not constitute legal advice.

HIPAA compliance in the pharmacy lien context refers to the obligations attorneys and their staff have when receiving, storing, and sharing protected health information (PHI) contained in pharmacy lien documentation — including dispensing logs, POGOS reports, medication histories, and clinical narratives. While attorneys are not covered entities under HIPAA, they receive PHI from covered entities (pharmacies) and may be bound by business associate agreements or state privacy laws that impose equivalent obligations.

• Pharmacy lien documentation contains PHI that is subject to HIPAA and state privacy protections
• Attorneys receive PHI under the treatment-payment-healthcare operations exception or through client authorization, and must handle it accordingly
• LienScripts generates a POGOS (Pharmacy-Organized General Occurrence Summary) report for every case, providing pharmacist-signed documentation for demand packages
• Improper disclosure of pharmacy lien data can expose the attorney to state bar discipline, malpractice claims, and damage to the client relationship

[!KEY] Attorneys are not HIPAA covered entities, but they handle PHI from covered entities and are bound by client confidentiality rules, state privacy laws, and potentially business associate agreements that create equivalent obligations when handling pharmacy lien data.

What Pharmacy Lien Data Is Protected

PHI in Pharmacy Documentation

Pharmacy lien documentation routinely contains the following categories of protected health information:

• Patient identifiers — Name, date of birth, address, case number
• Medication records — Every prescription filled, including medication name, dosage, frequency, and prescriber
• Diagnosis information — Clinical narratives connecting medications to diagnoses
• Treatment history — Chronological medication timeline revealing the treatment arc
• Financial information — Pricing, lien amounts, payment history

All of this information is PHI under HIPAA and confidential client information under attorney ethics rules.

Sensitive Medication Categories

Some pharmacy lien records contain particularly sensitive information:

• Psychiatric medications — Reveal mental health diagnoses
• HIV/STI medications — Subject to enhanced state protections in most jurisdictions
• Substance use medications — Subject to 42 CFR Part 2 protections in addition to HIPAA
• Reproductive health medications — Subject to enhanced protections in some states

According to James Wong, PharmD, founder of LienScripts, "Attorneys often don't realize that the pharmacy lien dispensing log may reveal diagnoses the client has not disclosed to anyone else. A prescription for buprenorphine tells the reader about a substance use history. A prescription for antiretrovirals tells them about an HIV diagnosis. These records require heightened handling."

What Attorneys Can Share — and With Whom

With the Insurance Carrier (Demand Package)

Attorneys may share pharmacy lien documentation with the opposing insurance carrier as part of the demand package, provided:

• The client has authorized the disclosure (typically through the representation agreement or a specific HIPAA authorization)
• The disclosure is limited to information relevant to the claim
• Non-injury-related medications are excluded or redacted

[!TIP] Before including the full pharmacy dispensing log in a demand package, review it for medications unrelated to the injury. Redact non-injury prescriptions to avoid disclosing sensitive health information that is not relevant to the claim and could prejudice the client.

With Co-Counsel or Referring Attorneys

Sharing pharmacy lien data with co-counsel or referring attorneys requires:

• A legitimate need related to the client's case
• Client authorization (express or implied through the co-counsel arrangement)
• Secure transmission methods

With Expert Witnesses

Pharmacy data shared with expert witnesses (medical experts, life care planners, pharmacist experts) should be:

• Limited to information necessary for the expert's analysis
• Transmitted securely
• Subject to a confidentiality agreement if the expert is not already bound by professional obligations

With Staff and Paralegals

Internal sharing with staff and paralegals is permitted for case management purposes, but:

• Staff should be trained on PHI handling requirements
• Access should be limited to staff working on the specific case
• Physical and electronic security measures should be in place

What Attorneys Must Not Share

With Other Clients

Never share one client's pharmacy lien data with another client, even in a similar case, for comparison purposes.

Publicly or in Marketing

Never use specific client pharmacy data in marketing materials, case studies, or social media without explicit written consent and de-identification.

With Third Parties Without Authorization

As Amar Lunagaria, PharmD, LienScripts' Chief Pharmacist explains, "The most common HIPAA-adjacent violation we see is attorneys sharing pharmacy lien data with third-party funding companies, medical marketing firms, or case referral networks without client authorization. Even if the attorney is not a covered entity, state bar confidentiality rules prohibit this disclosure."

[!KEY] When in doubt about whether a disclosure is permitted, default to the most restrictive standard — client confidentiality under your state bar rules, which typically requires express authorization for any disclosure not directly related to case prosecution.

Safeguards for Pharmacy Lien Data

Electronic Security

• Store pharmacy lien documents in encrypted case management systems
• Use secure email or client portals for transmitting pharmacy records
• Do not send unencrypted pharmacy dispensing logs via standard email
• Implement access controls limiting who can view pharmacy records

Physical Security

• Store printed pharmacy records in locked files
• Shred pharmacy documents when no longer needed
• Do not leave pharmacy dispensing logs visible in common areas

Retention and Destruction

• Retain pharmacy lien documents for the period required by your state bar rules
• Destroy pharmacy records securely after the retention period
• Document the destruction for compliance records

Business Associate Agreements

If your firm has a business associate agreement (BAA) with a pharmacy lien provider, review it for:

• Permitted uses and disclosures
• Security requirements
• Breach notification obligations
• Return or destruction of PHI at case conclusion

State-Specific Considerations

California

California's Confidentiality of Medical Information Act (CMIA) provides protections beyond HIPAA. Attorneys handling pharmacy lien data in California must comply with both HIPAA-derived obligations and CMIA requirements.

Other States

Many states have their own health information privacy laws that may impose additional requirements. Review your jurisdiction's specific rules for handling pharmacy and medication records.

How LienScripts Protects PHI

The LienScripts platform uses encrypted data transmission, role-based access controls, and HIPAA-compliant storage for all pharmacy lien data. Attorney portal access is limited to case-specific information, and all data sharing occurs through secure channels.

For more on compliance considerations, visit for attorneys.

Related Resources

• Audit-Proof Pharmacy Lien Documentation
• Pharmacy Lien Client Disclosure and Informed Consent