Does HIPAA apply to cash-pay medical practices?

Yes. HIPAA applies to covered entities regardless of payment method. If your practice conducts any electronic transactions covered by HIPAA (such as electronic prescribing or submitting electronic claims for any patients), HIPAA applies to all protected health information you handle, including for cash-pay patients. Even practices that are 100% cash-pay may be covered entities if they transmit health information electronically in connection with HIPAA-covered transactions.

Do I need a BAA with my compounding pharmacy?

Yes. If a compounding pharmacy receives protected health information from your practice (patient names, addresses, prescriptions, medical information), they are acting as a business associate and you need a Business Associate Agreement. This applies to all pharmacy partners, whether 503A or 503B. The BAA establishes the pharmacy's obligations for protecting PHI, reporting breaches, and limiting use of the information.

What are the HIPAA requirements for telehealth visits?

Telehealth platforms used for patient consultations must be HIPAA-compliant. This means the platform must encrypt communications, provide access controls, offer a Business Associate Agreement, and maintain audit logs. Consumer-grade video tools (FaceTime, Zoom free version, Google Hangouts) are not HIPAA-compliant unless specifically configured. The HHS temporary telehealth enforcement discretion from the pandemic has expired; full HIPAA enforcement applies to telehealth.

What happens if my practice has a data breach?

HIPAA breach notification rules require you to notify affected individuals within 60 days of discovering the breach. If the breach affects 500 or more individuals, you must also notify HHS and prominent media outlets. For breaches affecting fewer than 500 individuals, you submit an annual report to HHS. Document the breach, your investigation, and remediation steps. Consider engaging a healthcare privacy attorney and a forensics firm for significant breaches.

What is the minimum necessary standard?

The minimum necessary standard requires that when using or disclosing PHI, you limit the information to the minimum amount needed to accomplish the purpose. For example, when sending a prescription to a pharmacy, send only the information needed to fill the prescription, not the patient's entire medical record. This principle applies to internal access as well: staff should only have access to the PHI they need for their specific job functions.

HIPAA Compliance for Cash-Pay Medication Programs

A common misconception among cash-pay medical practices is that HIPAA does not apply when patients pay out of pocket. This is incorrect. HIPAA obligations exist based on the nature of your practice and the transactions you conduct, not the payment method used by individual patients.

For practices running cash-pay peptide therapy, GLP-1 weight loss, TRT, or HRT programs, HIPAA compliance is not optional. This guide covers what small practices need to know and do to maintain compliance without building an enterprise-scale compliance department.

Does HIPAA Apply to Your Cash-Pay Practice?

The short answer: almost certainly yes.

Who Is a Covered Entity?

Under HIPAA regulations (45 CFR Parts 160 and 164), covered entities include:

Health care providers who transmit any health information in electronic form in connection with a HIPAA-covered transaction
Health plans
Health care clearinghouses

The key phrase is “transmit any health information in electronic form in connection with a covered transaction.” Covered transactions include:

Electronic prescribing (e-prescribing)
Submitting electronic claims to insurers
Eligibility inquiries
Referral authorizations
Payment and remittance advice

If your practice does any of these electronically, even for a single patient, HIPAA applies to all PHI in your practice, including cash-pay patient data.

The “All Cash” Exception (Rare)

A practice that truly never conducts electronic HIPAA-covered transactions might not technically be a covered entity. However, this is extremely rare in modern medicine. If you use electronic prescribing (which most practices do, and many states require), you are conducting covered transactions. If you submit claims for even one patient, you are a covered entity.

Even if you believe you are not a covered entity, state privacy laws likely impose similar obligations. The safest approach is to treat all patient data as if HIPAA applies.

Protected Health Information in Cash-Pay Programs

Understanding what constitutes protected health information (PHI) is essential for compliance.

What Is PHI?

PHI is individually identifiable health information that is held or transmitted by a covered entity. In a cash-pay medication program, PHI includes:

Patient names, addresses, phone numbers, email addresses
Dates of service, dates of birth
Medical histories and intake form responses
Prescription information (medication, dose, prescriber)
Lab results
Clinical notes and assessments
Payment information linked to health services
Communication records (emails, text messages, portal messages)
Photographs (if used clinically)

PHI in Cash-Pay Program Workflows

In a typical cash-pay medication program, PHI flows through several touchpoints:

Patient intake: Online forms collect medical history, demographics, and treatment goals
Clinical review: Provider evaluates patient information and makes prescribing decisions
Prescription transmission: Prescription data is sent to compounding pharmacy
Pharmacy fulfillment: Pharmacy receives patient information for dispensing and shipping
Follow-up communications: Practice contacts patient for check-ins, refills, and results
Billing and payment: Payment processing linked to health services

Each touchpoint requires appropriate HIPAA safeguards.

Electronic Health Records Requirements

HIPAA does not mandate that practices use a specific EHR system. However, any system used to store, process, or transmit PHI must meet HIPAA’s Security Rule requirements.

Security Rule Requirements

The HIPAA Security Rule requires covered entities to implement:

Administrative safeguards:

Security management process (risk analysis and risk management)
Assigned security responsibility (designated security officer)
Workforce security (access authorization, clearance procedures)
Security awareness training for all staff
Security incident procedures
Contingency plan (backup, disaster recovery, emergency mode)
Evaluation (periodic assessment of security policies)

Physical safeguards:

Facility access controls
Workstation use policies
Workstation security
Device and media controls (disposal, reuse, accountability)

Technical safeguards:

Access controls (unique user identification, emergency access, automatic logoff, encryption)
Audit controls (hardware, software, and procedural mechanisms to record and examine access)
Integrity controls (mechanisms to authenticate ePHI)
Transmission security (encryption of PHI in transit)

Practical Implementation for Small Practices

For a small practice running a cash-pay medication program, this translates to:

Use HIPAA-compliant software: Any platform that handles PHI (intake forms, clinical management, communication tools) must meet Security Rule requirements. Verify that vendors provide a Business Associate Agreement and can document their security controls.

Encrypt data at rest and in transit: Patient data stored in databases should be encrypted. Communications containing PHI (emails, messages) should use encryption. HTTPS is required for web-based systems.

Implement access controls: Each staff member should have unique login credentials. Access should be role-based (front desk sees scheduling; clinical staff sees medical records; billing sees payment information).

Maintain audit logs: Systems should log who accessed what information and when. This is essential for breach investigation and routine compliance monitoring.

Regular backups: Patient data must be backed up regularly with tested restoration procedures.

The NIST Cybersecurity Framework provides a complementary structure for organizing your security program, and HHS has published guidance on NIST alignment with HIPAA.

Business Associate Agreements (BAAs)

BAAs are legally required contracts between covered entities and their business associates. In cash-pay medication programs, you likely have multiple business associates.

Who Needs a BAA?

Any entity that creates, receives, maintains, or transmits PHI on behalf of your practice requires a BAA. Common business associates in cash-pay programs include:

Compounding pharmacies: Receive patient names, addresses, prescriptions, and medical information
Practice management software: Stores patient records, clinical notes, and communications
Telehealth platforms: Transmit and may store patient audio/video and clinical information
Payment processors: Handle payment data linked to health services
Email and communication tools: If used to communicate PHI (appointment reminders, lab results)
Cloud storage providers: If PHI is stored in cloud-based systems
IT service providers: If they have access to systems containing PHI
Billing services: If outsourced billing handles patient data

BAA Requirements

Under 45 CFR 164.504(e), a BAA must include:

Description of permitted uses and disclosures of PHI
Requirement that the business associate not use or disclose PHI beyond what the contract permits
Requirement to implement appropriate safeguards
Requirement to report breaches to the covered entity
Requirement to ensure subcontractors agree to the same restrictions
Requirement to make PHI available for individual access requests
Requirement to make PHI available for amendments
Requirement to provide accounting of disclosures
Requirement to make internal practices available to HHS for compliance determination
Requirement to return or destroy PHI at contract termination

Practical Steps

Inventory all vendors that receive, store, or process PHI
Request BAAs from each vendor; most HIPAA-compliant vendors have standard BAAs available
Review BAA terms to ensure they meet the requirements above
Maintain a BAA log documenting all executed agreements, dates, and renewal schedules
Verify compliance annually by confirming vendors maintain their security certifications and practices

If a vendor refuses to sign a BAA, you cannot use that vendor for PHI-related purposes. This is a non-negotiable HIPAA requirement.

Telehealth-Specific HIPAA Considerations

Many cash-pay medication programs include telehealth consultations, whether for initial evaluations, follow-ups, or prescription renewals. Telehealth introduces specific HIPAA considerations.

Platform Requirements

A HIPAA-compliant telehealth platform must provide:

End-to-end encryption: Video and audio streams must be encrypted
Access controls: Provider and patient authentication
BAA availability: The platform vendor must sign a BAA with your practice
Audit logging: Recording of session metadata (who connected, when, duration)
Data storage: If recordings or transcripts are stored, they must be encrypted and access-controlled
Secure messaging: Any chat or messaging features must be encrypted

Post-Pandemic Enforcement

During the COVID-19 public health emergency, HHS exercised enforcement discretion regarding telehealth HIPAA compliance, allowing providers to use non-compliant platforms temporarily. This discretion has ended. As stated in HHS OCR guidance, full HIPAA enforcement now applies to all telehealth services.

Platforms that are NOT HIPAA-compliant (without specific configuration and a BAA):

Standard Zoom (free version)
FaceTime
Google Meet (consumer version)
Facebook Messenger
Standard Skype

Platforms that offer HIPAA-compliant configurations (verify current status):

Zoom for Healthcare (with BAA)
Doxy.me
VSee
Google Workspace (Healthcare edition with BAA)
Microsoft Teams (Healthcare configuration with BAA)

Telehealth Documentation

For each telehealth encounter, document:

Platform used for the consultation
Verification of patient identity
Patient’s physical location at time of encounter (for state licensing compliance)
Clinical content of the encounter
Any technical issues that may have affected the consultation

Breach Notification Procedures

Despite best efforts, breaches can occur. Having a breach response plan is both a HIPAA requirement and a practical necessity.

What Constitutes a Breach?

A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the information. Under 45 CFR 164.402, a breach is presumed unless the covered entity can demonstrate a low probability that PHI was compromised based on a risk assessment considering:

The nature and extent of PHI involved
The unauthorized person who used or received the PHI
Whether PHI was actually acquired or viewed
The extent to which the risk has been mitigated

Notification Requirements

For breaches affecting fewer than 500 individuals:

Notify affected individuals within 60 days of discovery
Submit an annual breach report to HHS (due within 60 days of the end of the calendar year)
Document the breach and your response

For breaches affecting 500 or more individuals:

Notify affected individuals within 60 days of discovery
Notify HHS within 60 days of discovery
Notify prominent media outlets serving the affected area
Document the breach and your response

Individual notification must include:

Description of the breach (what happened, when)
Types of information involved
Steps individuals should take to protect themselves
What the practice is doing to investigate and mitigate
Contact information for questions

Building a Breach Response Plan

Every practice should have a documented breach response plan that includes:

Detection procedures: How will you identify that a breach has occurred?
Initial response: Who is notified internally? What immediate steps are taken to contain the breach?
Investigation: How will you assess the scope and nature of the breach?
Risk assessment: Applying the four-factor test to determine if notification is required
Notification: Templates and procedures for notifying individuals, HHS, and media (if applicable)
Remediation: Steps to prevent recurrence
Documentation: Recording all aspects of the breach and response

The HHS Breach Notification Rule guidance provides detailed requirements.

Minimum Necessary Standard

The minimum necessary standard is a core HIPAA principle that many small practices overlook. It requires limiting PHI access and disclosure to the minimum amount needed for a given purpose.

Application in Cash-Pay Programs

Internal access: Staff should only access the PHI they need for their specific role. A front desk coordinator scheduling follow-ups does not need access to full clinical notes. A billing specialist does not need access to medical histories.

Pharmacy communications: When transmitting prescriptions to compounding pharmacies, send only the information necessary for dispensing: patient name, date of birth, shipping address, prescription details, relevant allergies, and pertinent medical information. Do not send entire patient charts.

Third-party disclosures: When sharing PHI with business associates, limit the information to what is necessary for the specific service they provide.

Patient communications: When sending appointment reminders or follow-up messages, use the minimum information necessary. An appointment reminder does not need to include the specific medication or diagnosis.

Implementation Steps

Role-based access: Configure your systems so each role has access only to relevant information
Disclosure policies: Document what information is shared with each business associate and why
Staff training: Ensure all team members understand the minimum necessary principle
Periodic audits: Review access logs to identify potential over-access patterns

Practical Compliance Roadmap for Small Practices

HIPAA compliance does not require enterprise-scale infrastructure. Here is a practical roadmap for a small cash-pay practice:

Phase 1: Foundation (Week 1-2)

Designate a Privacy Officer and Security Officer (can be the same person in small practices)
Conduct a risk analysis identifying where PHI exists and potential vulnerabilities
Inventory all systems, vendors, and workflows that handle PHI
Verify BAAs are in place with all business associates

Phase 2: Policies and Procedures (Week 2-4)

Develop written privacy and security policies
Create breach notification procedures
Document minimum necessary standards for each role
Establish workforce sanction policy for violations

Phase 3: Technical Controls (Week 2-4)

Implement encryption for data at rest and in transit
Configure role-based access controls
Enable audit logging on all systems containing PHI
Set up automatic session timeouts and screen locks
Implement secure backup procedures

Phase 4: Training and Culture (Week 4-6)

Conduct HIPAA training for all workforce members
Distribute privacy and security policies
Establish incident reporting procedures
Post reminders in clinical areas about PHI handling

Phase 5: Ongoing Maintenance

Annual risk analysis update
Annual workforce training
Periodic access reviews and audit log analysis
BAA renewal tracking
Policy updates when regulations change or operations evolve

Common Mistakes in Cash-Pay Practice HIPAA Compliance

Mistake 1: “We’re all cash, so HIPAA doesn’t apply”

As discussed above, this is almost never true. Electronic prescribing alone makes most practices covered entities.

Mistake 2: Using consumer communication tools for PHI

Texting patients from personal phones, emailing lab results through Gmail, or using consumer video platforms for consultations all create HIPAA violations. Use HIPAA-compliant communication tools with proper BAAs.

Mistake 3: No BAA with software vendors

Every platform that touches PHI needs a BAA. This includes your practice management system, email marketing tools (if used for patient communications), scheduling software, and any cloud storage.

Sending entire patient charts to pharmacies when only the prescription is needed, or giving all staff full access to all records, violates the minimum necessary standard.

Mistake 5: No breach response plan

Many small practices have no documented plan for what to do when a breach occurs. When a breach happens (and statistically, it will), the 60-day notification clock starts ticking immediately. Having a plan ready prevents scrambling and potential deadline violations.

Mistake 6: Ignoring physical security

HIPAA includes physical safeguards. Screens visible to other patients in waiting areas, unattended workstations with open patient records, and paper documents in unsecured areas are all potential violations.

HHS Enforcement: What Small Practices Should Know

The HHS Office for Civil Rights (OCR) enforces HIPAA. Small practices are not exempt from enforcement actions.

Enforcement Trends

According to OCR enforcement data:

OCR investigates complaints from patients and breach reports
Settlement amounts have ranged from $100,000 to over $5 million for covered entities
Common findings include failure to conduct risk analysis, lack of BAAs, insufficient access controls, and failure to encrypt portable devices
Small practices have been included in enforcement actions (Right of Access enforcement was specifically targeted at smaller providers)

How to Minimize Enforcement Risk

Conduct and document your risk analysis: This is the single most common deficiency found in OCR investigations
Have BAAs in place: Missing BAAs are easily identified and commonly cited
Train your workforce: Document that training occurred
Respond to patient requests: Right of access requests must be fulfilled within 30 days
Report breaches timely: Late breach notification increases penalties

How Karpa Health Supports HIPAA Compliance

Karpa Health is built with HIPAA compliance as a foundational requirement. The platform provides:

BAA execution: Karpa signs a Business Associate Agreement with every practice
Encrypted data handling: All patient data is encrypted at rest and in transit
Role-based access controls: Configurable access levels for different practice roles
Audit logging: Comprehensive activity logs for compliance monitoring
Secure patient intake: HIPAA-compliant intake forms that replace consumer form tools
Integrated pharmacy routing: PHI is transmitted securely to pharmacy partners (who also have BAAs)
Compliant communications: Patient messaging through secure, logged channels

The platform handles the technical compliance infrastructure so practices can focus on clinical care rather than building HIPAA programs from scratch.

For more information about Karpa Health, visit our About page or check our FAQ for common questions about the platform. To see how Karpa’s compliance infrastructure works across peptide therapy, GLP-1 weight loss, TRT, and HRT programs, explore our solution pages.

If you are building patient-facing workflows, our guide on patient intake for peptide clinics covers how to collect PHI securely during onboarding. For telehealth-specific compliance, see telehealth peptide prescribing.

This article is for informational purposes only and does not constitute legal advice. HIPAA compliance requirements may vary based on your specific practice structure, state laws, and operational details. Consult qualified healthcare privacy counsel for advice specific to your situation. Last reviewed: April 2026.