Does HIPAA Apply to You? A Simple Guide for Small Practices
Does HIPAA Apply to Me?
If you’re a solo provider, telehealth startup, or run a boutique medical spa, you might be wondering if HIPAA applies to your business. After all, you’re not a hospital or insurance company, and maybe you don’t even bill insurance. However, the truth is: HIPAA compliance isn’t just for large organizations. It applies to many small and independent providers, often without them realizing it.
So how do you know if HIPAA applies to you? The answer lies in whether you’re considered a Covered Entity under HIPAA.
What Is a Covered Entity?
Under HIPAA, a Covered Entity is one of three things:
A Healthcare Provider
A Health Plan
A Healthcare Clearinghouse
Most likely your practice falls into the first category, but it’s not just about what you do; it’s also about how you handle protected health information (PHI). If you transmit health data electronically in connection with certain administrative or financial transactions (e.g., billing, checking eligibility, or prior authorizations), you’re likely a Covered Entity and HIPAA compliance is required.
Provider Types
Common provider types we work with:
Traditional Clinics and Physician Practices
These are the most straightforward. If you run a clinic or medical practice and bill insurance, use an electronic health record (EHR), or communicate PHI electronically, you are a Covered Entity. Full HIPAA compliance is expected.
Home Health Agencies and Mobile Services
Whether you’re providing wound care, therapy, or lab collection in the home, HIPAA applies if you handle patient health information and send it to insurance companies or other providers. Mobile providers are often overlooked; however, they are Covered Entities. Full HIPAA compliance is expected.
Medical Spas
Here’s where it gets tricky. If your med spa offers services like Botox, IV Hydration, hormone therapy, or skin treatments — and you store patient health history, share information with a medical director, or bill insurance — you are likely a Covered Entity. Even if you are cash-pay only, HIPAA can still apply depending on how you handle PHI.
Telehealth Providers
If you provide virtual care, you’re almost always subject to HIPAA. You’re likely storing PHI, using communication platforms, prescribing, and keeping records, which makes you a Covered Entity, even if you’re not seeing patients in person. Full HIPAA compliance is expected.
Gray Areas
Wellness coaches, doulas, birth workers, and other alternative care providers may or may not be considered Covered Entities. It depends on:
Whether they share patient data with medical providers;
Whether they keep detailed health records electronically; or
Whether they bill insurance or submit related claims.
If you’re not sure, it’s better to assume HIPAA applies until otherwise confirmed.
Why Does It Matter?
Being a Covered Entity triggers HIPAA’s full requirements, including but not limited to:
Notice of Privacy Practices
Secure storage and transmission of PHI
Business Associate Agreements (BAAs)
Staff Training
Risk Assessments
Written Policies and Procedures
Failure to comply can result in fines, patient complaints, and reputational damage.
Free Resource: Self-Check Tip Sheet
If you’re still not sure whether HIPAA applies to you, we’ve created a quick, user-friendly flowchart that walks you through it.
Download: Am I a Covered Entity? Tip Sheet
Final Thoughts
HIPAA doesn’t just apply to big institutions; it applies to anyone who handles health data in ways that fall under federal rules. Whether you’re launching a telehealth business, running a small clinic, or expanding your services as a medical spa, understanding your compliance status is the first step to protecting your practice.
At ClientShield, we help small practices build privacy programs that actually work — practical, affordable, and built by design.
Need help figuring out where to start?
Book a consultation or check out our FREE HIPAA Starter Toolkit to get started today.