
HIPAA for concierge medicine

HIPAA Compliance for Concierge Medicine Practices

Concierge medicine practices face a distinct compliance posture from both traditional primary care and direct primary care. HIPAA applicability is unambiguous — concierge practices typically bill insurance plus charge a retainer, making them clearly covered entities — but the patient base shifts the operational threat model significantly. High-net-worth patients, prominent professionals, and public figures are asymmetric targets for social engineering, paparazzi-driven data theft, and OCR enforcement attention when a breach involves identifiable prominent individuals. The page below covers what makes concierge HIPAA different, how to operate cleanly, and where the heightened-exposure risk concentrates.

Active breach prevention·Starting at $39/mo·No contracts

When HIPAA applies to your clinic

The honest answer to the question concierge practices most often misclassify.

Most vendor content gives a marketing-flavored hedge. The page below answers the question directly, with primary-source references where they exist. This is the section that matters most if you’re trying to figure out whether your operation is actually a covered entity.

Covered entity status
Concierge medicine practices are covered entities under 45 CFR §160.103 — the analysis is straightforward because most concierge practices both bill insurance and conduct standard electronic transactions (claims submission, eligibility verification, e-prescribing, electronic referrals). The retainer-fee component does not change the analysis. The practice is a CE for HIPAA purposes from inception and remains so regardless of whether retainer fees expand or insurance contracts shift.
Business associate status
Concierge practices are providers, not BAs. The BA cascade applies in the standard direction: the EHR, billing service, e-prescribing platform, lab interfaces, secure messaging tool, telehealth platform, payment processor where PHI flows, and any concierge-specific service vendors (24/7 nurse line, travel medicine partners, executive health screening providers) are all BAs and require BAAs under §164.308(b)(1).
Where the gray zone genuinely lives
The genuine gray zone for concierge practices is not whether HIPAA applies — it does — but rather the heightened operational requirements that come with serving prominent patients. HIPAA's minimum-necessary standard under §164.502(b) takes on heightened weight when the patient is a public figure: every additional staff member with access to the record increases the breach surface for a target whose breach has outsized media and reputational consequences. Some concierge practices operate enhanced privacy protocols (compartmentalized records, named-physician-only access, reduced administrative footprint) that exceed HIPAA minimums but reflect the actual threat model. The practice's choice is whether to formalize and document these enhanced protocols — making them legally defensible — or operate them informally where they fail the audit framework.
State consumer-health law overlay
State medical privacy laws (California CMIA, Texas HB 300, New York's SHIELD Act health-data provisions) add layers above HIPAA, particularly for practices in jurisdictions that concentrate concierge operations. Some states impose stricter notification timelines than HIPAA's 60 days; some impose AG-notification thresholds that catch incidents HIPAA wouldn't require reporting at the federal level. Concierge practices operating in multiple states face a notification matrix calibrated to the prominent-individual scenario — the kind of breach where state AGs typically engage.

What flips the calculus

Specific operational events that move a concierge practice from theoretical-non-coverage into clearly-covered-entity territory:

  • Submitting any electronic insurance claim (837 transaction).
  • Conducting electronic eligibility verification (270/271 transaction).
  • Electronic prescribing under NCPDP SCRIPT.
  • Electronic referral or care-coordination transmission with a hospital, specialist, or external provider.
  • Any electronic transmission of patient information to a 24/7 nurse line, travel medicine partner, or executive health screening provider.
  • Storing patient communications (text, email, video) that include identifiable health information.

OCR enforcement record

OCR has not published large-scale enforcement actions targeting concierge practices specifically as a segment, but breaches involving prominent individuals — including the 2017 OCR resolution agreement with Memorial Healthcare System ($5.5 million) and several cases involving celebrity-patient breaches at large hospital systems — signal heightened agency attention when prominent individuals are affected. OCR's risk-tier model under the HITECH Final Rule explicitly considers the harm potential of the breach, which scales with the prominence of affected patients. A concierge breach involving public figures is positioned to attract enforcement at the upper end of OCR's discretion.

Not legal advice. This page summarizes how HIPAA and related state consumer-health privacy laws apply to concierge medicine practices based on Patient Protect’s reading of the relevant CFR provisions and state statutes. Operators with applicability questions specific to their setup should consult a qualified HIPAA attorney. Patient Protect is a HIPAA compliance platform; we are not a law firm and do not provide legal advice.

Where to start

The five-step path to compliant operation.

In order. Each step is the foundation the next one rests on. A concierge practice that completes the five below has cleared the operational core of HIPAA compliance.

  1. Run a risk analysis that explicitly accounts for the prominent-patient threat model

     Standard HIPAA risk analysis under §164.308(a)(1)(ii)(A) modeling the actual threat surface: social engineering of staff by paparazzi or unauthorized parties, targeted phishing of physicians, document or device theft motivated by celebrity-patient access, insider threats from staff with access to identifiable prominent patients. Most concierge risk analyses are written for the wrong threat model.

  2. Implement minimum-necessary access controls calibrated for prominent patients

     Per §164.502(b), workforce access to PHI should be limited to what each role requires. For concierge practices serving prominent patients, this often means compartmentalized record access, named-physician-only sections, reduced administrative footprint, and explicit role-based access rules that exceed the practice's general minimum-necessary policy.

  3. Build a heightened breach response protocol for prominent-patient scenarios

     Standard breach response timelines accelerate when prominent-individual involvement is anticipated. Pre-drafted communications for affected patients, legal coordination with patient representatives, media-handling protocols, and AG-notification preparation should be in place before any incident — not assembled in the 72-hour window after one occurs.

  4. Sign current BAAs with every concierge-specific service partner

     Beyond standard EHR/lab/billing BAAs, concierge practices typically have additional partners: 24/7 nurse lines, travel medicine partners, executive health screening providers, second-opinion services, mental health referral networks. Each is a BA; each requires a current signed agreement. The long-tail BAA gap is the highest-frequency miss in concierge operations.

  5. Train every staff member on social engineering and prominent-patient scenarios specifically

     Generic HIPAA training under §164.530(b)(1) is necessary but not sufficient. Concierge staff face active social engineering pressure that practices in other segments rarely encounter. Training should cover specific scenarios: paparazzi calling pretending to be patient family members, unauthorized media inquiries, requests for patient information that come through what appear to be legitimate channels.

The real risk

Where concierge medicine practices are most exposed.

01

Standard risk analysis missing the actual threat model

Most concierge practices use compliance vendors that produce risk analyses calibrated for general primary care. The actual concierge threat model — paparazzi-driven social engineering, celebrity-patient targeting, asymmetric breach impact — is not what those analyses cover. The result is a documented risk analysis that satisfies the audit but does not protect the practice from the threats it actually faces.

02

Concierge-specific partner BAAs missing across the long tail

Beyond the standard EHR/lab/billing BAAs, concierge practices typically have ten to twenty partner relationships that touch PHI: 24/7 nurse lines, travel medicine partners, executive health screening, second-opinion services, mental health referral networks, dietitians, physical therapists, advocacy services. Most have unsigned templates or no BAA at all on the long-tail partners.

03

Asymmetric breach impact for prominent-patient incidents

A breach affecting one prominent patient can produce more reputational, legal, and regulatory consequence than a breach affecting hundreds of routine patients. Most concierge operators have not run the breach-impact analysis with the patient prominence factored in, and consequently have not built a response protocol calibrated to the actual stakes.

04

Patient communication discipline at the boundary of concierge accessibility

Concierge's value proposition includes direct, accessible communication with the physician — text, email, video, phone. The compliance reality is that patient communications must travel through HIPAA-compliant channels. Many concierge practices operate under informal communication patterns that create §164.530 exposure on every message.

What HIPAA requires

Regulatory requirements specific to concierge medicine practices.

Risk Analysis

Annual risk analysis under §164.308(a)(1)(ii)(A) modeling the concierge-specific threat surface: social engineering, celebrity-patient targeting, paparazzi-driven data theft, insider threats with prominent-patient access, asymmetric breach impact analysis.

Minimum Necessary and Access Controls

Documented minimum-necessary policy under §164.502(b) calibrated for prominent-patient scenarios — compartmentalized record access, role-based access controls beyond the practice's general policy, explicit logging of access to identifiable prominent-patient records.
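As an added illustration of the compartmentalized, role-based access pattern described above (example code written for this page, not Patient Protect's product or any EHR's API; the roles, record sections, user ids, patient ids and the enhanced-protocol roster are all constructed assumptions), the following Python check denies by default, limits each role to the record sections its function needs, restricts named-physician-only sections on flagged records to the physicians of record, and writes one access-log entry for every decision so that access to prominent-patient records is explicitly logged:

```python
"""Minimum-necessary access check with compartmentalized sections and an access log.

Constructed example for illustration: roles, sections and identifiers are assumptions,
not a real practice's configuration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> record sections that role may read. Anything not listed is denied (deny by default).
ROLE_SECTIONS = {
    "physician": frozenset({"clinical_notes", "labs", "medications", "demographics", "billing"}),
    "nurse": frozenset({"clinical_notes", "labs", "medications", "demographics"}),
    "billing": frozenset({"demographics", "billing"}),
    "front_desk": frozenset({"demographics"}),
}

# On records flagged for the enhanced protocol, these sections are readable only by the
# physicians of record, regardless of the requester's role.
NAMED_PHYSICIAN_ONLY = frozenset({"clinical_notes", "labs", "medications"})


@dataclass(frozen=True)
class Patient:
    patient_id: str
    enhanced_protocol: bool        # True when the record is under compartmentalized handling
    named_physicians: frozenset    # user ids of the physicians of record


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    role: str
    patient: Patient
    section: str
    purpose: str                   # free-text purpose of use, kept in the log for review


class AccessLog:
    """Append-only decision log; every evaluate() call produces exactly one entry."""

    def __init__(self):
        self.entries = []

    def record(self, req, allowed, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": req.user_id,
            "role": req.role,
            "patient": req.patient.patient_id,
            "section": req.section,
            "purpose": req.purpose,
            "allowed": allowed,
            "reason": reason,
            "enhanced_protocol": req.patient.enhanced_protocol,
        })

    def enhanced_protocol_entries(self):
        """Review queue: all decisions (allowed or denied) that touched a flagged record."""
        return [e for e in self.entries if e["enhanced_protocol"]]


def evaluate(req, log):
    """Return True if the request is permitted; log the decision and its reason either way."""
    permitted = ROLE_SECTIONS.get(req.role)
    if permitted is None:
        allowed, reason = False, "unknown_role"
    elif req.section not in permitted:
        allowed, reason = False, "section_outside_role"
    elif (req.patient.enhanced_protocol
          and req.section in NAMED_PHYSICIAN_ONLY
          and req.user_id not in req.patient.named_physicians):
        allowed, reason = False, "compartmentalized_named_physician_only"
    else:
        allowed, reason = True, "permitted"
    log.record(req, allowed, reason)
    return allowed


if __name__ == "__main__":
    # Constructed sample roster: one routine patient, one patient under the enhanced protocol.
    log = AccessLog()
    routine = Patient("P-ROUTINE-1", False, frozenset({"dr_lee"}))
    flagged = Patient("P-ENHANCED-1", True, frozenset({"dr_lee"}))
    evaluate(AccessRequest("dr_lee", "physician", flagged, "clinical_notes", "treatment"), log)
    evaluate(AccessRequest("dr_chen", "physician", flagged, "clinical_notes", "treatment"), log)
    evaluate(AccessRequest("nurse_a", "nurse", flagged, "labs", "treatment"), log)
    evaluate(AccessRequest("bill_1", "billing", flagged, "billing", "claims"), log)
    for entry in log.enhanced_protocol_entries():
        print(entry["user"], entry["section"], entry["allowed"], entry["reason"])
```

The point of logging denied decisions alongside allowed ones is that a cluster of denials against one flagged record (for example, several non-named staff probing clinical sections) is itself the signal an auditor or privacy officer wants to see, and `enhanced_protocol_entries()` is the review queue that surfaces it.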

Business Associate Agreements

Signed BAAs with every standard partner (EHR, billing, e-prescribing, lab, secure messaging, payment processor) plus every concierge-specific partner (24/7 nurse line, travel medicine, executive health, second-opinion, mental health referrals, advocacy services).

Breach Response and Workforce Training

Pre-built breach response protocol for prominent-patient scenarios with accelerated timelines, pre-drafted patient communications, and AG-coordination procedures. Workforce training under §164.530(b)(1) including concierge-specific social engineering scenarios.

Your state, your rules

State-specific HIPAA rules for concierge medicine practices.

HIPAA is federal — but your state layers additional breach notification deadlines, AG reporting requirements, and privacy laws on top. What applies to your practice depends on the state (or states) in which it operates.

How Patient Protect helps

Built for concierge medicine practices, not hospital systems.

Risk analysis modeling the concierge-specific threat surface

The SRA wizard models the actual threat surface concierge practices face: social engineering, paparazzi-driven access attempts, prominent-patient targeting, asymmetric breach impact. The output is a risk register grounded in the actual threats, not the generic primary-care threat model competitors design around.

Compartmentalized access controls calibrated for prominent patients

Role-based access management with explicit support for compartmentalized record access — named-physician-only sections, reduced administrative footprint per record, granular logging of access to identifiable prominent-patient records. Documented under §164.502(b) for audit defensibility.

BAA tracking for the concierge partner ecosystem

The Vendor Risk Scanner pre-loads the long-tail concierge partner ecosystem: 24/7 nurse lines, travel medicine partners, executive health screening providers, second-opinion services, mental health referral networks, advocacy services. Surfaces the BAA gaps generic compliance vendors miss because they don't model the concierge operating pattern.

Heightened breach response protocols for prominent-patient scenarios

Pre-built breach response with accelerated timelines, pre-drafted patient communications, AG-coordination procedures, and media-handling protocols specific to prominent-patient incidents. Assembled before any incident occurs rather than during the 72-hour window after one.

Secure communication that fits the concierge accessibility model

HIPAA-compliant text, email, and video that doesn't make the practice less responsive than the SMS-and-personal-email pattern it replaces. Audit-logged, role-aware, and calibrated for after-hours physician-direct communication.

Continuous compliance scoring with prominent-patient overlay

Real-time posture recalculation that accounts for prominent-patient roster changes, new partner relationships, communication pattern drift. The dashboard surfaces the specific risks that scale with the patient base, not just the generic compliance score.

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

10 questions to ask any platform

$39/mo to start

  • Risk assessment that satisfies §164.308(a)(1). A readiness quiz is not a risk analysis. Patient Protect: full SRA wizard mapped to NIST CSF with live scoring.
  • Auto-generated policies with workforce acknowledgment. HIPAA requires documented proof your staff reviewed them. Patient Protect: 48 policies from your risk profile, versioned acknowledgment.
  • Staff training with delivery tracking. §164.308(a)(5) — sending a PDF is not sufficient. Patient Protect: 80+ modules, completion tracking, audit-ready records.
  • Full BAA lifecycle management. Expired BAAs are a top enforcement target. Patient Protect: e-signature, renewal alerts, Vendor Risk Scanner.

Patient Protect answers yes to all 10.

Ask every vendor on your list. Then compare.

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.


FAQ

Common questions about HIPAA compliance for concierge medicine practices.

Does HIPAA apply to a concierge medicine practice that bills insurance plus charges a retainer?

Yes. The retainer-fee structure does not change HIPAA's covered-entity analysis. Concierge practices conducting standard electronic transactions — insurance claims, eligibility verification, e-prescribing, electronic referrals — are covered entities under §160.103 from inception, regardless of the additional retainer relationship.

Are concierge practices subject to heightened HIPAA enforcement attention?

OCR's risk-tier model under the HITECH Final Rule explicitly considers the harm potential of a breach, which scales with the prominence of affected patients. Concierge breaches involving public figures, executives, or other prominent individuals are positioned to attract enforcement at the upper end of OCR's discretion. The agency has not published a formal segment-specific posture, but enforcement patterns in adjacent contexts (celebrity breaches at hospital systems) suggest heightened attention.

How does HIPAA's minimum-necessary standard apply to prominent-patient scenarios?

Section 164.502(b) requires reasonable efforts to limit PHI access to the minimum necessary for each workforce role's function. For concierge practices, this often justifies compartmentalized record access — named-physician-only sections, reduced administrative footprint, explicit role-based controls that exceed the practice's general minimum-necessary policy. Documenting these enhanced controls makes them audit-defensible.

Do we need BAAs with every concierge-specific partner?

Yes. Every entity receiving PHI on the practice's behalf is a business associate under §160.103: 24/7 nurse lines, travel medicine partners, executive health screening providers, second-opinion services, mental health referral networks, advocacy services. Each requires a current signed BAA under §164.308(b)(1) before any PHI flows.

What state laws apply to concierge practices beyond HIPAA?

California's CMIA, New York's SHIELD Act health-data provisions, Texas HB 300, plus any state-specific medical privacy laws applicable in operating jurisdictions. Some impose stricter notification timelines than HIPAA's 60 days; some impose AG-notification thresholds that catch incidents HIPAA wouldn't require reporting federally. Multi-state concierge practices face a state-by-state matrix.

How should we handle direct patient communication that's part of the concierge value proposition?

Patient communications containing PHI must travel through HIPAA-compliant channels — that is non-negotiable. The implementation question is how to maintain concierge-level accessibility while satisfying §164.530. The practical answer is a HIPAA-compliant messaging platform that fits the direct-physician-access pattern: low-friction, after-hours capable, audit-logged, and indistinguishable in user experience from the SMS workflow it replaces.

What's the simplest path to a defensible compliance posture for our concierge practice?

Five steps: (1) risk analysis modeling the concierge-specific threat surface, (2) compartmentalized access controls under §164.502(b), (3) BAAs with every standard and concierge-specific partner, (4) pre-built breach response protocol for prominent-patient scenarios, (5) workforce training including social engineering scenarios. Patient Protect handles all five at $99/month for Pro.

"Patient Protect is intuitive, proactive, and affordable — exactly what small clinics like ours need to keep patient data safe and stay on the right side of HIPAA."
Dr. Thomas E Murray, D.D.S., Patient Protect Member Since 2017

Next step

Compliance built for the patient base concierge practices actually serve.

$99/month for Pro — the tier most concierge practices need given the prominent-patient threat model. Includes secure messaging, breach simulation, AI compliance assistant, and prominent-patient overlay tracking.