Legal Intake Call Recording Compliance: Wiretap Laws, HIPAA & Best Practices

Q: Do law firms need consent to record intake calls?

Yes. At minimum, federal law (the Electronic Communications Privacy Act, 18 U.S.C. § 2511) requires that at least one party to the call consent to recording — this is satisfied when the firm's own staff records the call. However, 13 states (including California, Florida, and Illinois) require the consent of ALL parties. If a prospective client is calling from or is located in a two-party consent state, you must disclose that the call is being recorded before any substantive conversation begins and obtain express consent. A compliant opening disclosure protects you in all 50 states.

Q: Does HIPAA apply to legal intake call recordings?

HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. Law firms are generally not HIPAA covered entities. However, when intake calls discuss medical conditions, treatment history, or medical records — which is standard in PI, mass tort, and workers' comp intake — the recording contains protected health information (PHI) under HIPAA's definition, even if your firm isn't a covered entity. Best practice is to apply HIPAA-equivalent security standards to any recording containing medical information: encrypted storage, access controls, retention policies, and breach notification protocols. Courts have found law firms liable under state medical privacy statutes even without direct HIPAA coverage.

Q: How long should law firms retain intake call recordings?

Retention requirements vary by purpose. For quality assurance, 30–90 days is typical. For potential evidence in signed cases, recordings should be retained for the duration of the matter plus the applicable statute of limitations for malpractice claims (typically 3–7 years post-resolution). For rejected or non-retained intake calls, retention of 1–2 years is standard practice to document non-attorney-client-relationship creation. Your retention policy should be documented, consistently applied, and defensible — inconsistent retention creates discovery risks.

Q: What should intake call recording disclosures say?

A compliant disclosure for all-party consent states should: (1) notify the caller that the call is being recorded, (2) state the purpose (quality assurance or legal documentation), and (3) give the caller an opportunity to object. Example: 'This call may be recorded for quality assurance and training purposes. If you prefer not to be recorded, please let us know now and we can continue without recording.' The disclosure should appear before any intake questions begin. Using an automated disclosure at call answer — before a live agent picks up — is the most defensible approach.

Call recording is one of the highest-value tools in a legal intake operation — and one of the most compliance-sensitive. Recordings allow supervisors to score calls, identify missed qualifications, train staff on objection handling, and document exactly what a prospective client was told. But getting it wrong exposes law firms and intake vendors to wiretap claims, state privacy violations, and HIPAA-adjacent liability.

This guide covers the full compliance framework: federal and state wiretap law, the all-party consent states you can't ignore, how to handle recordings that contain medical information, storage standards, retention policies, and how to write a disclosure that actually protects you.

The Legal Foundation: Federal Wiretap Law

Call recording is governed at the federal level by the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510–2523, which prohibits the intentional interception of wire communications without consent. The key federal requirement is one-party consent: if at least one party to the communication consents to the recording, federal law is satisfied. In a business context, this means a firm's own agent recording the call with knowledge of the recording satisfies the federal standard.

Federal law sets a floor, not a ceiling. States are free to impose stricter requirements — and 13 do.

Two-Party (All-Party) Consent States

These states require that all parties to a conversation consent before it can be lawfully recorded:

State	Statute	Key Risk Factor
California	Penal Code § 632	Civil action + up to $5,000 per violation; class action risk
Florida	§ 934.03	Criminal and civil penalties; felony for willful violations
Illinois	720 ILCS 5/14-2	Class 4 felony; recent class action activity against businesses
Maryland	CL § 10-402	Criminal penalties; civil action
Massachusetts	G.L. c. 272, § 99	No business-use exception; broad enforcement
Pennsylvania	18 Pa.C.S.A. § 5703	Wiretapping and Electronic Surveillance Control Act
Washington	RCW 9.73.030	Civil damages per violation; injunctive relief available
Connecticut, Michigan, Montana, Nevada, New Hampshire, Oregon	Various	All-party consent required

Why this matters for PI intake specifically: If you're running inbound PI campaigns nationally — mass tort, workers' comp, MVA — you will receive calls from California, Florida, Illinois, Pennsylvania, and Washington constantly. A blanket all-party disclosure on every call is the only operationally sustainable approach.

Writing a Compliant Recording Disclosure

A disclosure that satisfies all-party consent requirements in every state must: (1) inform the caller the call is being recorded, (2) be delivered before any substantive conversation, and (3) give the caller an opportunity to object.

IVR / Auto-Attendant Disclosure (Recommended)

The most defensible approach is an automated audio disclosure triggered before a live agent connects:

"Thank you for calling [Firm Name]. To serve you better, this call may be recorded for quality assurance and documentation purposes. If you prefer not to be recorded, please press 1 now and you'll be connected to an agent without recording. Otherwise, please hold for the next available intake specialist."

Live Agent Disclosure (Backup)

When recording begins after the agent connects (e.g., in an outbound callback scenario):

"Hi, this is [Agent Name] calling from [Firm Name]. Just so you know, this call is being recorded for quality and documentation purposes. Is it okay if we proceed?"

For outbound calls, explicit verbal consent ("Yes, that's fine") should be captured on the recording before continuing to substantive intake questions.

HIPAA and Health Information in Recordings

PI intake calls routinely collect medical information: diagnosis, treatment history, treating physicians, hospitalization records, prescription medications, and prognosis. This is protected health information (PHI) under HIPAA's definition — regardless of whether your firm is a covered entity.

Law firms are not HIPAA covered entities, but several courts and state attorneys general have applied state medical privacy statutes to PI intake recordings. More practically: a data breach involving intake call recordings that contain medical information creates significant exposure even without direct HIPAA liability.

HIPAA-Equivalent Standards for Intake Recordings

Encryption at rest and in transit: Recordings stored on any cloud platform (AWS S3, Google Cloud, Azure) should use AES-256 encryption. Transmission should use TLS 1.2 or higher.
Access controls: Role-based access — only supervisors, quality reviewers, and authorized attorneys should be able to retrieve recordings. Log all access.
Business Associate Agreements: Any vendor who processes, stores, or transmits your intake recordings should sign a BAA-equivalent data processing agreement covering breach notification, data security standards, and use limitations.
Breach notification policy: Even without direct HIPAA coverage, document a written policy for how you would respond to unauthorized access to recordings containing medical information.

Retention Policy Framework

Recording Category	Recommended Retention	Rationale
QA / training samples	30–90 days	Limit exposure from recordings no longer needed operationally
Rejected / non-retained calls	1–2 years	Documents that no attorney-client relationship was formed
Retained client intake calls	Duration of matter + 5–7 years	Evidence of representations made at intake; malpractice defense
Calls with disputed consent / complaints	7 years minimum	Preserve evidence for any regulatory or civil action

The single most common retention mistake is inconsistency. If your written policy says recordings are deleted after 90 days but discovery reveals you kept some recordings for 3 years, the inconsistency itself becomes evidence of selective retention — worse than either policy applied uniformly.

When You Use an Outsourced Intake Vendor

If your law firm uses a third-party intake vendor, the compliance obligations don't transfer — they multiply. You're responsible for ensuring your vendor's recording practices satisfy your disclosure obligations, and the vendor is handling data collected on your behalf.

Contracts with outsourced intake vendors should specify:

Whether calls are recorded, and who retains the recordings
Required disclosure language (the vendor should use language that protects your firm, not just theirs)
Data security standards and encryption requirements
Retention and deletion schedules
Incident notification timeframes for any breach or access event
Ownership of recordings and any derived data

HQ Intake compliance posture: All HQ Intake calls include an automated pre-connection disclosure satisfying all 50 states. Recordings are encrypted at rest (AES-256), access-logged, and available to client firms for the contracted retention period. Our BAA-equivalent DPA is available on request.

Frequently Asked Questions

Do law firms need consent to record intake calls?

Yes. At minimum, federal law requires one-party consent — satisfied when your own staff records the call. However, 13 states require all-party consent. If callers may be located in California, Florida, Illinois, Pennsylvania, or any of the other two-party consent states, you must disclose recording and obtain consent before substantive conversation begins.

Which states require two-party consent for phone call recording?

As of 2026, 13 states require all-party consent: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. California and Florida are the most frequently litigated and carry the most significant penalties.

Does HIPAA apply to legal intake call recordings?

Law firms are generally not HIPAA covered entities. However, intake recordings containing medical information are subject to state medical privacy statutes. Applying HIPAA-equivalent security standards (encryption, access controls, breach notification) is best practice and significantly reduces exposure under any applicable state framework.

How long should law firms retain intake call recordings?

QA recordings: 30–90 days. Non-retained intake calls: 1–2 years to document non-formation of attorney-client relationship. Retained client intake calls: duration of the matter plus 5–7 years. Whatever policy you adopt, apply it consistently — inconsistent retention is worse than either extreme.

What should intake call recording disclosures say?

A compliant disclosure must: (1) notify the caller that the call is being recorded, (2) state the purpose, and (3) give the caller an opportunity to object. Delivering the disclosure via automated IVR before a live agent connects is the most defensible approach. For outbound callbacks, the agent must deliver the disclosure verbally and capture verbal consent on the recording.

Intake That's Built Compliant From Day One

HQ Intake handles recording compliance, TCPA disclosures, and data security — so your firm focuses on winning cases, not managing risk.

Talk to Our Team