
HIPAA for direct primary care

HIPAA Compliance for Direct Primary Care Practices

Direct primary care practices operate outside the traditional insurance billing model, which has produced widespread confusion about whether HIPAA applies. The honest answer: yes, almost always — and the specific moment that flips the calculus is the first electronic transmission of patient information. The page below explains exactly when, where the genuine gray zones live, and how to operate cleanly without inheriting the bureaucratic overhead designed for insurance-billed practices.

Active breach prevention · Starting at $39/mo · No contracts

When HIPAA applies to your clinic

The honest answer to the question DPC practices most often misclassify.

Most vendor content gives a marketing-flavored hedge. The page below answers the question directly, with primary-source references where they exist. This is the section that matters most if you’re trying to figure out whether your operation is actually a covered entity.

Covered entity status
A DPC practice is a covered entity (CE) under 45 CFR §160.103 the moment it transmits protected health information electronically in connection with one of the standard transactions defined under 45 CFR Part 162. The most common trigger is electronic prescribing under the NCPDP SCRIPT standard. The threshold is the transmission itself, not volume or billing model. One e-prescription is enough. Cash-pay status, membership-fee structure, and absence of insurance billing are irrelevant to the analysis — what matters is whether PHI moves electronically in a covered-transaction format. The DPC Frontier community has converged on this reading; it is also the consistent position of OCR's published guidance on small-practice covered-entity status.
Business associate status
DPC practices are not typically acting as business associates — they are providers, not vendors processing PHI on someone else's behalf. The BA question shows up in reverse: every technology platform the practice uses is a business associate to the DPC practice, and a written BAA is required under §164.308(b)(1) before any PHI flows. For modern DPC stacks that means BAAs with the EHR (Atlas.md, Hint, Elation, AthenaOne, Nextech are the common choices), the e-prescribing service (Surescripts, DrFirst), every lab interface (Quest, LabCorp, regional labs), the secure messaging tool, the payment processor where PHI touches it, the telehealth platform, and any backup or compliance vendor.
Where the gray zone genuinely lives
There is a narrow theoretical case for a DPC practice to operate outside HIPAA: pure cash-pay, zero electronic transactions, no e-prescribing, no electronic lab orders, no electronic hospital coordination, no electronic insurance verification. This is operationally impossible to maintain in 2026. Forty-plus states require electronic prescribing for controlled substances; many require it for all prescriptions. The DPC Frontier community generally treats HIPAA compliance as table stakes regardless of the technical applicability argument — see dpcfrontier.com for the community's working consensus. The real exposure is operating as if HIPAA does not apply, then routinely e-prescribing on a Tuesday — a §164.530 violation hiding inside a misclassified-status assumption. OCR has not yet published an enforcement action specifically targeting a DPC practice, which means DPC operators have less precedent to anchor on than dental or medical-practice operators do — so the conservative reading of the rule is the right one.
State consumer-health law overlay
Even practices that argue around HIPAA face state consumer-health privacy laws that increasingly impose HIPAA-equivalent or stricter obligations — and unlike HIPAA, many include private rights of action. Washington's My Health My Data Act (RCW 19.373) prohibits collecting or sharing 'consumer health data' without specific consent, with statutory damages and injunctive remedies. Nevada's SB 370 (2023) imposes parallel obligations with explicit applicability to wellness, telehealth, and direct-care models. Connecticut's Personal Data Privacy Act, California's CMIA plus the CPRA health-data overlay, and a growing list of other states are following the same pattern. The strategic implication for DPC: even where HIPAA technically would not apply, state law often will — and the compliance program that satisfies HIPAA largely satisfies state requirements as a byproduct.

What flips the calculus

Specific operational events that move a DPC practice from theoretical non-coverage into clearly covered-entity territory:

  • Sending one electronic prescription via NCPDP SCRIPT (e-prescribing).
  • Submitting an electronic lab order to Quest, LabCorp, or any other clinical laboratory.
  • Receiving electronic lab results via an HL7 or FHIR interface.
  • Coordinating care with a hospital, specialist, or insurance plan via any electronic transmission containing PHI.
  • Adding pharmacy-dispensary or in-house lab capability that prescribes or orders electronically.
  • Adding a partner provider who bills insurance — creates a hybrid covered-entity status under §164.105 for shared infrastructure.
  • Deploying a patient portal, even read-only — the portal is itself a covered-transaction surface.

OCR enforcement record

As of 2026, OCR has not published an enforcement action specifically targeting a direct primary care practice. That is a function of segment newness rather than absence of risk — and it is the reason DPC operators should adopt a conservative reading of HIPAA's covered-entity definition rather than waiting for the first DPC-specific enforcement action to clarify their obligations.

Not legal advice. This page summarizes how HIPAA and related state consumer-health privacy laws apply to direct primary care practices based on Patient Protect’s reading of the relevant CFR provisions and state statutes. Operators with applicability questions specific to their setup should consult a qualified HIPAA attorney. Patient Protect is a HIPAA compliance platform; we are not a law firm and do not provide legal advice.

Where to start

The five-step path to compliant operation.

In order. Each step is the foundation the next one rests on. A DPC practice that completes the five below has cleared the operational core of HIPAA compliance.

  1. Run a documented risk analysis covering every system that touches PHI

     EHR, e-prescribing service, lab interfaces, telehealth platform, secure messaging tool, payment processor, cloud backup. Methodology aligned with NIST SP 800-30 per OCR's 2010 guidance. This is §164.308(a)(1)(ii)(A) — the foundational requirement other compliance work hangs on.

  2. Get current, signed BAAs from every technology vendor

     Surescripts or DrFirst for e-prescribing. Quest, LabCorp, and regional labs. The EHR (Atlas.md, Hint, Elation, etc.). The secure messaging tool. The payment processor if PHI ever touches it. Backup and compliance vendors. Most DPC practices have unsigned templates or expired agreements on file — fixable in a single afternoon.

  3. Replace SMS and personal-device communication with a HIPAA-compliant channel

     Patients expect direct messaging in the DPC model. SMS, iMessage, and personal email cannot carry PHI under HIPAA. The fix is a secure messaging platform that fits the direct-care workflow — physician-direct, after-hours capable, audit-logged. This is the highest-frequency and least-defensible compliance gap in DPC practices.

  4. Document training for every staff member with PHI access — including the physician owner

     Per §164.530(b)(1), training must occur within a reasonable time after hire and after material role or system changes. Completion records must be retained per employee, per session. In a solo or small-staff DPC practice this is one afternoon of work that produces six years of audit-ready evidence.

  5. Designate a Privacy Official and a Security Official in writing

     Per §164.530(a) and §164.308(a)(2). In a solo DPC practice these can be the same person — typically the physician owner. The designation must exist in writing with documented responsibilities. This is a one-page document that closes the most commonly-cited deficiency in OCR small-practice audits.

The real risk

Where direct primary care practices are most exposed.

01

The 'we don't bill insurance' misconception

DPC practices commonly operate on the assumption that the absence of insurance billing means HIPAA does not apply. That assumption is wrong the moment the practice e-prescribes — which nearly every modern DPC practice does. Operating under the wrong assumption produces real exposure: untrained staff, no risk analysis, no BAAs with technology vendors, no breach notification protocol when an incident hits.

02

Lab interface BAAs that DPC practices specifically miss

DPC practices order labs differently than insurance-billed practices — directly through Quest, LabCorp, or regional reference labs, often at negotiated cash rates patients pay through the practice. Each lab is a business associate, and each requires a current signed BAA before any electronic order or result moves. The same applies to specialty labs DPC practices use disproportionately: hormone panels, food sensitivity, microbiome testing, advanced cardiac markers. Specialty labs are the most commonly-missed BAA category in DPC compliance reviews.

03

Membership-model communication blurs HIPAA's lines

DPC's value proposition is direct, accessible communication — text, voice, email, video. Patients expect to message their physician directly. The operational reality is that staff and physicians often communicate from personal phones, personal email, and consumer messaging apps that are not HIPAA-compliant. OCR has consistently treated unsecured patient communication as a willful-neglect category in enforcement actions.

04

Solo and small-practice scale means no IT department

DPC practices skew small — many are solo physician plus one to three staff. No dedicated IT, no security operations, no continuous monitoring of the practice's attack surface. Ransomware groups have systematically targeted small healthcare practices because of this exact gap; attacks on practices under ten employees have grown faster than any other healthcare segment since 2021.

What HIPAA requires

Regulatory requirements specific to direct primary care practices.

Risk Analysis

Annual risk analysis under §164.308(a)(1)(ii)(A) covering every system that touches PHI: EHR, e-prescribing service, lab interface, patient portal, payment processor, secure messaging, backup. Methodology must align with NIST SP 800-30; documentation must be retained for six years.

Business Associate Agreements

Signed, current BAAs with every technology vendor handling PHI under §164.308(b)(1) and §164.314(a). For DPC practices, that typically includes the EHR, e-prescribing service, lab interface vendors, secure messaging tool, payment processor (if PHI flows through it), telehealth platform, and any cloud backup or compliance platform.

Workforce Training

Documented HIPAA training under §164.530(b)(1) for every staff member with PHI access — including the physician owner. Training must occur within a reasonable time after hire and after any material role or system change. Completion records must be retained per employee, per session.

Patient Communication Discipline

A documented secure-messaging protocol that replaces SMS, iMessage, and personal email for any communication containing PHI. The protocol must cover routine messaging, after-hours availability, and the specific consents that allow communication via lower-security channels for non-PHI content.

Your state, your rules

State-specific HIPAA rules for direct primary care practices.

HIPAA is federal — but your state layers additional breach notification deadlines, AG reporting requirements, and privacy laws on top.

How Patient Protect helps

Built for direct primary care practices, not hospital systems.

Risk analysis calibrated for the DPC technology stack

The SRA wizard satisfies §164.308(a)(1) without requiring a consultant, a spreadsheet, or institutional IT support. Specifically modeled around the DPC stack — Atlas.md or Hint or Elation, e-prescribing service, lab interface, telehealth, secure messaging — rather than the hospital-system threat model that most compliance vendors design around. The output is a risk register your DPC operation can actually act on, not a 60-page document modeled for a 200-bed hospital.

BAA tracking that knows the DPC vendor ecosystem

The Vendor Risk Scanner pre-loads templates and known BAA status for the platforms DPC practices actually use — Atlas.md, Hint, Elation, Surescripts, DrFirst, Quest, LabCorp, regional reference labs, common secure-messaging vendors. It surfaces missing or weak agreements with specific clause-level analysis before they become enforcement findings. This is the differentiator over generic compliance vendors that ship one BAA template and expect the practice to fit every relationship into it.

Secure messaging built for direct-care workflows

Replaces SMS and personal-device communication with a HIPAA-compliant channel calibrated for how DPC operates: physician-direct, after-hours capable, audit-logged, no per-message overhead. Removes the highest-frequency and least-defensible compliance gap in DPC practices — and does it without making the practice less responsive than the SMS workflow it is replacing.

Policy generation modeled on DPC operations

Auto-generated policies for the scenarios that don't show up in dental or hospital-system templates: membership-agreement language compatible with HIPAA's §164.520 notice requirements, hybrid billing protocols when one provider in the practice bills insurance, hospital coordination procedures when a member gets admitted, after-hours communication standards. Reviewed against current OCR enforcement trends, not 2013-era templates that are still the default for most vendors.

Training that respects solo and small-practice scale

Eighty-plus training modules with completion tracking, designed to work at DPC scale — short, scenario-based, with content actually relevant to direct-care workflows rather than generic hospital-employee training repackaged. The physician owner can complete required training in an evening; a small staff completes onboarding in a single afternoon.

Continuous compliance scoring instead of an annual snapshot

The Autonomous Compliance Engine recalculates posture in real time as the practice changes — new staff member added, new vendor signed, new workflow rolled out. The result is an audit-ready position year-round, not a binder that is accurate only at the moment of the annual review and stale every other day of the year.

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

10 questions to ask any platform (Patient Protect: $39/mo to start)

  • Risk assessment that satisfies §164.308(a)(1). Why it matters: a readiness quiz is not a risk analysis. Patient Protect: full SRA wizard mapped to NIST CSF with live scoring.
  • Auto-generated policies with workforce acknowledgment. Why it matters: HIPAA requires documented proof your staff reviewed them. Patient Protect: 48 policies from your risk profile, versioned acknowledgment.
  • Staff training with delivery tracking. Why it matters: §164.308(a)(5) — sending a PDF is not sufficient. Patient Protect: 80+ modules, completion tracking, audit-ready records.
  • Full BAA lifecycle management. Why it matters: expired BAAs are a top enforcement target. Patient Protect: e-signature, renewal alerts, Vendor Risk Scanner.

Patient Protect answers yes to all 10.

Ask every vendor on your list. Then compare.

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.


FAQ

Common questions about HIPAA compliance for direct primary care practices.

Does HIPAA apply to a direct primary care practice that doesn't bill insurance?

In nearly every operational reality, yes. HIPAA's covered-entity definition under 45 CFR §160.103 turns on whether the practice transmits protected health information electronically in connection with a covered transaction — not on whether the practice bills insurance. E-prescribing is the most common trigger: a single electronic prescription via NCPDP SCRIPT makes the practice a covered entity. Electronic lab orders, electronic referrals, and electronic hospital coordination each independently trigger CE status as well.

What if a DPC practice never transmits anything electronically?

There's a narrow theoretical case for HIPAA to not apply — pure cash-pay, no e-prescribing, no electronic lab orders, no electronic hospital coordination. This is essentially impossible to maintain in 2026 because most state pharmacy boards require electronic prescribing for controlled substances and many require it for all prescriptions. Even where HIPAA technically wouldn't apply, state consumer-health privacy laws (Washington MHMDA, Nevada CHPA, Connecticut DPA) impose HIPAA-equivalent obligations with private rights of action.

Does the 2026 HSA eligibility for DPC fees change HIPAA status?

The HSA-DPC integration that takes effect in 2026 doesn't directly change covered-entity analysis under HIPAA, but it does change the operational posture. HSA-funded payments introduce additional record-keeping requirements, can trigger reporting obligations, and increase the pressure to integrate with insurance and pharmacy benefit infrastructures — each of which in turn creates new electronic transaction surfaces. Practices planning to accept HSA-funded membership fees should treat HIPAA compliance as foundational rather than optional from the date the integration takes effect.

Do I need a BAA with my e-prescribing vendor?

Yes. E-prescribing vendors — Surescripts, DrFirst, plus the e-prescribing modules built into EHRs — handle PHI on behalf of the prescribing practice and qualify as business associates under §160.103. A signed, current BAA is required before any PHI flows. Most DPC practices either rely on the EHR's BAA to indirectly cover the e-prescribing module (sometimes valid, sometimes not, depending on the EHR's own subcontracting language) or have no specific BAA at all.

What's the simplest path to HIPAA compliance for a solo DPC practice?

Four things, in order: (1) Run a documented risk analysis covering every system that touches PHI. (2) Get current, signed BAAs from every technology vendor — EHR, e-prescribing, lab interfaces, secure messaging, payment processor, backup. (3) Replace SMS and personal-device communication with a HIPAA-compliant channel. (4) Document training for yourself and any staff. Patient Protect handles all four at $39/month for the Core tier with no consultant and no contract.

Can my DPC practice text patients without violating HIPAA?

SMS and iMessage are not HIPAA-compliant for PHI. Practices can text patients for limited non-PHI purposes (appointment confirmations without diagnosis information, generic logistics) under documented patient consent, but any clinical content requires a HIPAA-compliant channel. The practical solution is a secure messaging platform that replaces SMS for clinical communication while remaining as low-friction as possible — that's the only model that survives sustained operational use.

Does HIPAA require my DPC practice to have a Privacy Officer?

Yes. The Privacy Rule under §164.530(a) requires every covered entity to designate a Privacy Official and a contact person for receiving complaints. The Security Rule under §164.308(a)(2) requires a Security Official as well. In a solo DPC practice these can be the same person — typically the physician or a senior staff member — but both designations must exist in writing with documented responsibilities.

Patient Protect is intuitive, proactive, and affordable — exactly what small clinics like ours need to keep patient data safe and stay on the right side of HIPAA.
Dr. Thomas E. Murray, D.D.S., Patient Protect member since 2017

Next step

Compliance built for the way DPC actually operates.

$39/month for Core, $99/month for Pro. No per-patient pricing, no insurance-billing assumptions baked in, no contracts. The same platform that handles thousand-patient panels works for solo DPC practices.