This is an older version of our website! Go to for a more accessible and streamlined experience.
Visit the New Knowledge Center

Clio and HIPAA

At Clio, we are committed to ensuring that the data you store and process is always protected.

Clio has successfully completed an internal HIPAA attestation examination, which means that we now help our customers fulfill their Protected Health Information (PHI) obligations as we store and process data in a manner consistent with HIPAA standards.

If your law firm is required to be HIPAA compliant, we can enter into a Business Associate Agreement (BAA) with your organization and help you better support your clients while protecting any ePHI data you possess.

What is PHI? In accordance with, PHI stands for Protected Health Information. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

Questions? For more information about our HIPAA attestation report or entering into a BAA, reach out to our team at

Will all users on an account need a HIPAA add-on?

Yes. Each user account must be configured with a HIPAA add-on for the BAA to be applicable if the account has been identified to contain PHI.

How is the HIPAA add-on different from Clio's subscription plans?

Law firms entering into a BAA have written assurances that Clio will support their specific reporting requirements when it comes to PHI. These agreed obligations differentiate the HIPAA add-on from Clio's subscription plans.

Can I get the HIPAA add-on outside of the United States?

No. The HIPAA offering is only available for customer accounts hosted in the United States due to the applicability and jurisdiction of the Department of Human and Health Services.

Can I redline or edit the Clio BAA?

No. The Clio BAA complies with all of the mandatory language and is taken directly from the HIPAA regulations. Any additional terms and conditions that might be sought by a customer would be unrelated to HIPAA and over and above what it required to comply with the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”). As such, Clio will not accept any edits to the BAA.

Is Clio HIPAA Certified?

There is no official HIPAA certification. Clio completes an annual self assessment of our processes, configuration and control mechanisms to validate our compliance with the legislation. HIPAA plans and other Clio offerings include the following protection mechanisms:

    • Data encryption in transit and at rest.
    • Restricted physical access to production servers.
    • Strict logical system access controls.
    • Mirrored data center facilities with daily backups to mitigate disaster situations.
    • Configurable administrative controls available to the customer:
      • Grant explicit authorization to customer files to read, download, and edit.
      • Monitor access.
      • Reporting trail of account activities on both users and content.
      • Formally defined and tested breach notification policy.
      • Training of employees on security policies and controls.
      • Highly restricted employee access to customer data files.
    • 99.9% uptime Service Level Agreement.
      Tip: Check out Clio's current status and uptime percentages at this link.
Was this article helpful?
This information is confusing or wrong
This isn't the information that I was looking for
I don't like this functionality