
HIPAA for HRT and TRT clinics

HIPAA Compliance for Hormone Replacement Therapy and TRT Clinics

HRT and TRT clinics share the GLP-1 telehealth profile — multi-state licensing, e-prescribing, lab-heavy operations, compounding pharmacy partnerships — with one critical addition: hormone medications often involve controlled substances (testosterone is Schedule III), which adds DEA telehealth-prescribing rules on top of HIPAA. Most operators in this segment came up under wellness-clinic mental models and have under-built compliance programs. The page below covers when HIPAA applies, the state-law overlay, and the operational checklist for clean operation.

Active breach prevention · Starting at $39/mo · No contracts

When HIPAA applies to your clinic

The honest answer to the question HRT/TRT clinics most often misclassify.

Most vendor content gives a marketing-flavored hedge. The page below answers the question directly, with primary-source references where they exist. This is the section that matters most if you’re trying to figure out whether your operation is actually a covered entity.

Covered entity status
HRT and TRT clinics are covered entities under 45 CFR §160.103 the moment they transmit PHI electronically in connection with a covered transaction — primarily, electronic prescribing under NCPDP SCRIPT. For TRT specifically, testosterone is a Schedule III controlled substance, and electronic prescribing is regulated under both the standard HIPAA framework and the DEA's electronic prescribing of controlled substances (EPCS) requirements. The CE classification holds regardless of insurance billing, membership-fee structure, or wellness-clinic marketing.
Business associate status
HRT/TRT clinics are providers, not BAs. The BA question runs the other direction: the telehealth platform, e-prescribing service, every compounding pharmacy partner, every clinical lab (Quest, LabCorp, specialty hormone labs), the intake platform, and the secure messaging tool are all BAs to the clinic and require written BAAs under §164.308(b)(1).
Where the gray zone genuinely lives
Lower applicability ambiguity than GLP-1 because the prescribing pattern is even more consistent — virtually every HRT/TRT clinic prescribes electronically. The genuine gray zones: (1) Cash-pay TRT clinics that argue they operate outside HIPAA — argument fails on first e-prescription. (2) Bundled aesthetic services blurring whether before/after photos are treatment records — they are when stored in connection with hormone-treatment progress tracking. (3) Multi-state e-prescribing logs and the BAA cascade required to maintain them. (4) DEA EPCS records and how they intersect with HIPAA audit-trail requirements. The conservative reading is consistent across every gray zone: comply with HIPAA's full framework plus the state-law overlay plus DEA EPCS requirements.
State consumer-health law overlay
Same state consumer-health privacy laws apply as for GLP-1: Washington MHMDA, Nevada CHPA, Connecticut DPA, California CMIA/CPRA. Add to this state-specific testosterone prescribing rules — some states require in-person evaluation before TRT prescribing, some require specific consent forms, some require periodic in-person follow-up. State medical board rules layer on top of HIPAA and DEA. Multi-state operations face a four-dimensional compliance matrix: HIPAA + state consumer-health law + state medical board + DEA EPCS.

What flips the calculus

Specific operational events that move an HRT/TRT clinic from theoretical non-coverage into clearly covered-entity territory:

  • Sending one electronic prescription for testosterone, estradiol, progesterone, or any HRT/TRT medication.
  • Submitting an electronic lab order for hormone panels (testosterone, estradiol, FSH, LH, free testosterone, etc.).
  • Receiving electronic lab results via HL7 or FHIR.
  • Sharing patient hormone-treatment data with a compounding pharmacy electronically.
  • Storing before/after photos when bundled with aesthetic services.
  • Operating in multiple states, which automatically triggers multi-state e-prescribing log retention requirements.
  • Using a third-party prescriber network that touches PHI in the workflow.

OCR enforcement record

OCR has not yet published a HIPAA enforcement action targeting an HRT or TRT clinic specifically. The DEA, by contrast, has been active in TRT enforcement around prescribing pattern and EPCS compliance. The conservative reading: HIPAA enforcement attention will follow DEA attention; operators with no HIPAA compliance program are at risk on both fronts simultaneously when the first action lands.

Not legal advice. This page summarizes how HIPAA and related state consumer-health privacy laws apply to hormone replacement therapy and TRT clinics based on Patient Protect’s reading of the relevant CFR provisions and state statutes. Operators with applicability questions specific to their setup should consult a qualified HIPAA attorney. Patient Protect is a HIPAA compliance platform; we are not a law firm and do not provide legal advice.

Where to start

The five-step path to compliant operation.

In order. Each step is the foundation the next one rests on. An HRT/TRT clinic that completes the five below has cleared the operational core of HIPAA compliance.

  1. Run a documented risk analysis covering the full HRT/TRT operating stack

     Telehealth platform, e-prescribing service (with EPCS for testosterone), every compounding pharmacy, every lab including specialty hormone labs, intake platform, secure messaging, payment processor, plus any aesthetic-service systems if bundled. Methodology aligned with NIST SP 800-30. Required under §164.308(a)(1)(ii)(A).

  2. Establish DEA EPCS compliance alongside HIPAA for testosterone prescribing

     Testosterone is Schedule III. EPCS requires multi-factor authentication, audit trails, and specific identity-proofing for prescribers. EPCS records overlap with but don't replace HIPAA audit logs. Both frameworks must be satisfied separately for any clinic prescribing testosterone electronically.

  3. Sign current BAAs with every pharmacy partner, lab, and platform

     Compounding pharmacies (most HRT/TRT clinics use multiple), Quest and LabCorp plus specialty hormone labs, telehealth platform, e-prescribing service, intake platform, secure messaging. Each is a separate BA. The BAA cascade is the highest-frequency compliance gap in this segment.

  4. Build the state-law compliance layer (consumer-health + medical board)

     WA MHMDA, NV CHPA, CT DPA, CA CMIA/CPRA for consumer-health data. State medical board rules for TRT prescribing — some states require in-person evaluation, specific consent forms, or periodic follow-up. Multi-state operations require a state-by-state matrix maintained alongside HIPAA compliance.

  5. Designate Privacy and Security Officials, train all staff, document the program

     Per §164.530(a) and §164.308(a)(2). Training under §164.530(b)(1) covering both HIPAA and the state-law overlay. Six-year retention. The most commonly missed administrative requirement in OCR small-practice audits.

The real risk

Where hormone replacement therapy and TRT clinics are most exposed.

01. The wellness-clinic mental model that ignores the prescribing reality

HRT and TRT clinics commonly market themselves as wellness or longevity operations and operate as if HIPAA does not apply. The medical director's first electronic testosterone prescription flips the analysis — and the flip is permanent. The exposure compounds with every prescription, lab order, and patient record stored under the wrong assumption.

02. Specialty hormone lab BAAs that generic compliance content misses

TRT and HRT clinics use specialty labs that aren't on the standard Quest/LabCorp BAA template list — comprehensive hormone panels, free testosterone calculations, IGF-1, sex hormone binding globulin, cortisol, thyroid panels at higher detail than primary care. Each specialty lab is a BA; each requires a current signed agreement; most operators have unsigned templates or no BAAs at all on the specialty side.

03. DEA EPCS and HIPAA audit-trail requirements maintained separately

Testosterone's Schedule III status invokes DEA electronic prescribing of controlled substances rules — multi-factor authentication, identity proofing, audit trails — that overlap with but don't replace HIPAA audit logs. Many TRT operators meet one framework but not both, leaving gaps that surface in audits or after a breach.

04. Multi-state operations creating a four-dimensional compliance matrix

Operating in 15+ states means HIPAA + state consumer-health privacy law + state medical board prescribing rules + DEA EPCS — each with its own record-keeping, notification, and consent requirements. Most operators have one of the four well-managed and gaps in the other three.

What HIPAA requires

Regulatory requirements specific to hormone replacement therapy and TRT clinics.

Risk Analysis

Annual risk analysis under §164.308(a)(1)(ii)(A) covering telehealth platform, e-prescribing service, EPCS infrastructure for testosterone prescribing, every compounding pharmacy, every lab including specialty hormone panels, intake platform, secure messaging, payment processor.

Business Associate Agreements

Signed BAAs with the telehealth platform, e-prescribing service, every compounding pharmacy partner, every clinical and specialty lab, the intake platform, and the secure messaging tool. EPCS provider relationship may require additional contractual provisions beyond the standard BAA.

DEA EPCS Compliance

For clinics prescribing testosterone or other Schedule III medications electronically, full DEA EPCS compliance: multi-factor authentication on prescribing accounts, identity proofing, audit trail retention, two-of-three biometric/credential factor authentication for each transmission. Maintained alongside but not replacing HIPAA audit logs.

State Law and Workforce Training

State consumer-health law compliance per operating jurisdiction (WA MHMDA, NV CHPA, etc.), state medical board rules for hormone prescribing, documented training under §164.530(b)(1) including state-overlay content, Privacy Official under §164.530(a), Security Official under §164.308(a)(2).

Your state, your rules

State-specific HIPAA rules for hormone replacement therapy and TRT clinics.

HIPAA is federal — but your state layers additional breach notification deadlines, AG reporting requirements, and privacy laws on top. What applies depends on each state in which the practice operates.

How Patient Protect helps

Built for hormone replacement therapy and TRT clinics, not hospital systems.

Risk analysis with EPCS overlay for TRT operations

The SRA wizard handles the HRT/TRT-specific threat model: telehealth-prescribing for both controlled and non-controlled hormones, compounding pharmacy data flows, specialty hormone lab integrations. EPCS-specific risk analysis runs in parallel for clinics with controlled-substance prescribing.

Pharmacy + specialty lab BAA tracking

Vendor Risk Scanner pre-loads the HRT/TRT vendor ecosystem — compounding pharmacies, Quest and LabCorp, specialty hormone labs (Genova, Boston Heart, ZRT, Rupa Health, others). Surfaces BAA gaps in the long-tail specialty labs that generic compliance vendors miss entirely.

DEA EPCS audit log integration with HIPAA audit requirements

EPCS audit trails and HIPAA audit logs are maintained in parallel rather than overwritten or duplicated. The platform tracks which compliance framework each log entry satisfies, surfacing gaps where one framework's record-keeping does not satisfy the other.

State medical board rule overlay for TRT prescribing

Policy generation reflects state-specific TRT prescribing requirements: which states require in-person evaluation, which require specific consent forms, which require periodic in-person follow-up. The matrix updates as states modify their rules.

Multi-state breach notification with TRT-specific timelines

Pre-loaded notification timelines, AG thresholds, and remediation requirements per state — calibrated for the kinds of incidents that actually happen in TRT operations (compounding pharmacy compromise, lab credential theft, telehealth platform breaches).

Continuous compliance scoring with state-overlay tracking

Posture recalculation in real time as the operation expands states, adds pharmacy partners, modifies prescribing patterns. The single dashboard shows HIPAA + state consumer-health + state medical board + DEA EPCS posture without bouncing between four separate systems.

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

10 questions to ask any platform

$39/mo to start

  • Risk assessment that satisfies §164.308(a)(1). A readiness quiz is not a risk analysis. Patient Protect: full SRA wizard mapped to NIST CSF with live scoring.
  • Auto-generated policies with workforce acknowledgment. HIPAA requires documented proof your staff reviewed them. Patient Protect: 48 policies from your risk profile, versioned acknowledgment.
  • Staff training with delivery tracking. §164.308(a)(5) — sending a PDF is not sufficient. Patient Protect: 80+ modules, completion tracking, audit-ready records.
  • Full BAA lifecycle management. Expired BAAs are a top enforcement target. Patient Protect: e-signature, renewal alerts, Vendor Risk Scanner.

Patient Protect answers yes to all 10.

Ask every vendor on your list. Then compare.

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.


FAQ

Common questions about HIPAA compliance for hormone replacement therapy and TRT clinics.

Does HIPAA apply to a cash-pay TRT clinic that doesn't bill insurance?

Yes. Under §160.103, the covered-entity question turns on whether PHI moves electronically in a covered transaction — not on insurance billing. E-prescribing testosterone is a covered transaction under NCPDP SCRIPT. The first electronic prescription makes the clinic a CE permanently, regardless of payment model.

How does DEA EPCS interact with HIPAA for TRT prescribing?

EPCS and HIPAA are separate frameworks with overlapping but distinct requirements. EPCS mandates specific identity-proofing, multi-factor authentication, and audit trails for controlled-substance prescribing; HIPAA mandates ePHI-handling controls more broadly. A TRT clinic prescribing testosterone electronically must satisfy both. Audit logs from EPCS partially satisfy HIPAA's audit-control requirement under §164.312(b) but do not fully replace it.
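The point made here and in the "DEA EPCS audit log integration" section above is easy to state but easy to get wrong in practice: one log stream is asked to satisfy two frameworks with different triggers. The following is an added illustration, not Patient Protect's code and not the regulatory field list. It models each framework as a small rule set (an assumption for the example: EPCS applies only to controlled-substance prescribing events and wants two authentication factors from different categories, prescriber identity proofing and a transmission record; the HIPAA audit-control model wants actor, action, patient and timestamp on every ePHI touch) and runs a few constructed audit events through both, reporting which framework each entry satisfies and where it falls short.

```python
"""Classify constructed audit events against two overlapping record-keeping
models: DEA EPCS (controlled-substance prescribing) and HIPAA audit controls
(every access to ePHI). Field requirements below are an illustrative
assumption for this example, not the text of either regulation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CONTROLLED_SCHEDULES = {"II", "III", "IV", "V"}

# Map each authentication factor to its category; EPCS-style MFA needs two
# factors from *different* categories (knowledge/possession/biometric).
FACTOR_CATEGORIES = {
    "password": "knowledge", "pin": "knowledge",
    "hardware_token": "possession", "push_app": "possession",
    "fingerprint": "biometric", "face": "biometric",
}


@dataclass
class AuditEvent:
    actor: str
    action: str                       # e.g. "prescribe", "view_chart"
    timestamp: str
    patient_id: Optional[str] = None
    drug: Optional[str] = None
    schedule: Optional[str] = None    # DEA schedule, None if not controlled
    mfa_factors: List[str] = field(default_factory=list)
    identity_proofed: bool = False
    transmitted_to: Optional[str] = None


@dataclass
class Assessment:
    epcs: str                         # "satisfied", "gap" or "n/a"
    hipaa: str                        # "satisfied" or "gap"
    gaps: List[str] = field(default_factory=list)


def epcs_applies(e: AuditEvent) -> bool:
    """EPCS rules are triggered only by controlled-substance prescribing."""
    return e.action == "prescribe" and e.schedule in CONTROLLED_SCHEDULES


def assess(e: AuditEvent) -> Assessment:
    gaps: List[str] = []
    # HIPAA audit-control model (assumed): every ePHI touch records who did
    # what, to whose record, and when.  This applies to every event.
    hipaa_missing = [f for f in ("actor", "action", "patient_id", "timestamp")
                     if not getattr(e, f)]
    if hipaa_missing:
        gaps.append("hipaa: missing " + ", ".join(hipaa_missing))
    hipaa = "gap" if hipaa_missing else "satisfied"

    if not epcs_applies(e):
        return Assessment("n/a", hipaa, gaps)

    # EPCS model (assumed): two distinct factor categories, proofed
    # prescriber identity, and a record of where the script was sent.
    categories = {FACTOR_CATEGORIES.get(f) for f in e.mfa_factors} - {None}
    if len(categories) < 2:
        gaps.append("epcs: fewer than two distinct authentication factor categories")
    if not e.identity_proofed:
        gaps.append("epcs: prescriber identity not proofed")
    if not e.transmitted_to:
        gaps.append("epcs: no transmission record (receiving pharmacy)")
    epcs = "gap" if any(g.startswith("epcs") for g in gaps) else "satisfied"
    return Assessment(epcs, hipaa, gaps)


def summarize(events: List[AuditEvent]) -> Dict[str, int]:
    """Count entries that fail each framework and entries fully covered."""
    counts = {"epcs_gaps": 0, "hipaa_gaps": 0, "fully_covered": 0}
    for e in events:
        a = assess(e)
        if a.epcs == "gap":
            counts["epcs_gaps"] += 1
        if a.hipaa == "gap":
            counts["hipaa_gaps"] += 1
        if a.hipaa == "satisfied" and a.epcs in ("satisfied", "n/a"):
            counts["fully_covered"] += 1
    return counts


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    AuditEvent("dr.lee", "prescribe", "2024-05-01T14:02:00Z", patient_id="P-1001",
               drug="testosterone cypionate", schedule="III",
               mfa_factors=["password", "hardware_token"], identity_proofed=True,
               transmitted_to="compounding-pharmacy-A"),
    AuditEvent("dr.lee", "prescribe", "2024-05-01T14:10:00Z", patient_id="P-1002",
               drug="estradiol", schedule=None, transmitted_to="pharmacy-B"),
    AuditEvent("dr.lee", "prescribe", "2024-05-01T14:25:00Z", patient_id="P-1003",
               drug="testosterone cypionate", schedule="III",
               mfa_factors=["password", "pin"], identity_proofed=True,
               transmitted_to="pharmacy-B"),
    AuditEvent("ma.jones", "view_chart", "2024-05-01T15:00:00Z"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.actor, ev.action, assess(ev))
    print(summarize(SAMPLE_EVENTS))
```

The third event is the instructive one: two knowledge factors (password plus PIN) produce a perfectly good HIPAA access record and still fail the EPCS model, while the fourth event (a chart view with no patient identifier) is invisible to EPCS yet a HIPAA audit-control gap. Tracking both verdicts per entry is what lets a clinic see that the two frameworks are satisfied separately rather than assuming one log covers the other.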

Do I need separate BAAs with each compounding pharmacy I use?

Yes. Every compounding pharmacy receiving PHI is a separate business associate under §160.103 and requires a written BAA under §164.308(b)(1). Most TRT operators rely on three to seven pharmacy partners; each requires a current signed agreement. Relying on one master pharmacy BAA to cover unrelated pharmacies is the highest-frequency BAA gap in this segment.

What state laws apply to TRT operations beyond HIPAA?

Washington MHMDA, Nevada CHPA, Connecticut DPA, California CMIA/CPRA cover the consumer-health-data layer. State medical boards add hormone-prescribing rules — some states require in-person evaluation before TRT initiation, specific informed consent forms, or periodic in-person follow-up. Multi-state operations face a state-by-state matrix that updates regularly.

Are before/after photos in a TRT or HRT context PHI?

When stored as part of a treatment record, yes. Photos documenting body composition or other treatment-response indicators are PHI under HIPAA when associated with the patient's hormone treatment. They require the same protections as any other ePHI: BAA-covered storage, encryption, access controls, audit trails.

Our TRT clinic uses a third-party prescriber network — who is the covered entity?

Both, typically. The prescriber is a CE through the e-prescribing transaction. The clinic that maintains patient records, intake data, and ongoing relationship is functionally a CE through its own records — even if the technical prescribing transaction sits with the third-party network. At minimum the clinic is a BA to the prescriber and requires a BAA with them. Most operators in this configuration meet both the BA and CE definitions simultaneously.

What's the simplest path to HIPAA compliance for a small HRT or TRT practice?

Five steps: (1) documented risk analysis covering the full operating stack including EPCS where applicable, (2) signed BAAs with every pharmacy, lab, and platform, (3) DEA EPCS compliance for any controlled-substance prescribing, (4) state-law overlay for operating jurisdictions, (5) Privacy and Security Official designations plus documented training. Patient Protect handles all five at $39/month for the Core tier.

Patient Protect is intuitive, proactive, and affordable — exactly what small clinics like ours need to keep patient data safe and stay on the right side of HIPAA.
Dr. Thomas E Murray, D.D.S., Patient Protect Member Since 2017

Next step

TRT and HRT compliance — HIPAA, state law, and DEA EPCS in one platform.

$39/month for Core, $99/month for Pro. Pharmacy BAA tracking, EPCS audit integration, state-law overlay, multi-state breach notification. Free 14-day trial.