If you run or are planning to start a healthcare practice, especially in integrative medicine or direct primary care (DPC), understanding what a covered entity under HIPAA is, and whether your practice is one, is essential. Many providers assume HIPAA applies only to large hospitals or insurance-based practices. In reality, the definition is broader and more nuanced than most expect.
This guide explains what a covered entity is, how HIPAA applies to modern healthcare models, and what compliance really means for your practice. Want to learn more? Sign up for the Practice Protection Program.
What Is a Covered Entity Under HIPAA?
Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is one of three kinds of organization or individual that HHS regulations name as directly bound by the HIPAA rules when they create, receive, maintain, or transmit protected health information (PHI).
There are three main categories of covered entities:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
However, simply being a healthcare provider does not automatically make you a covered entity. The key factor is whether you transmit health information electronically in connection with certain standardized transactions, such as billing insurance.
1. Healthcare Providers
Healthcare providers make up the largest category of covered entities under the Health Insurance Portability and Accountability Act. This group includes a wide range of licensed professionals such as medical doctors (MDs and DOs), nurse practitioners (NPs), physician assistants (PAs), chiropractors, psychologists, therapists, dentists, and providers practicing within functional and integrative medicine.
If you offer clinical care and handle patient health information, you are part of this broad category. However, whether you are considered a covered entity depends on how your practice operates, not just the type of care you provide.
When Is a Provider a Covered Entity?
A healthcare provider becomes a covered entity when it transmits health information electronically in connection with a transaction for which HHS has adopted a standard. These transactions are almost always interactions with health plans: submitting claims, checking eligibility or benefits, requesting referral certification or authorization, checking claim status, or receiving electronic remittance advice. A patient paying by credit card is not one of these transactions; a claim sent to an insurer is. Even if these activities happen infrequently, a single one is enough to bring your practice under HIPAA, and it makes no difference whether you send the transaction yourself or a billing service or clearinghouse sends it on your behalf. In simple terms, if your practice bills insurance electronically at any point, directly or through a vendor, you are a covered entity and must comply with HIPAA.
Integrative and Functional Medicine Practices
For integrative and functional medicine practices, the situation is often less straightforward. Many of these clinics operate on a cash-based model. Their services, including nutritional counseling, supplement protocols, and advanced therapies such as IV treatments, peptides, or regenerative medicine, are paid for directly by patients, and many such practices never bill insurance at all.
If your practice does not bill insurance and does not conduct any standard electronic transactions, you do not meet the definition of a covered entity. That said, the status turns on what your practice actually does, not on its business model in the abstract. Submitting even one electronic claim, including through a billing service acting for you, makes you a covered entity. Ordering tests from a laboratory that bills insurance, or coordinating care with other providers who are covered entities, does not by itself make you one, but the PHI you exchange with them is protected on their side and those partners will generally expect HIPAA-level handling from you. And if you perform a service on behalf of a covered entity, such as handling its records or billing, you may be its business associate and bound by HIPAA in that role.
Even when HIPAA does not strictly apply, many integrative practices choose to follow its standards. Patients expect their personal health information to be protected, and aligning with HIPAA helps build trust while reducing legal and operational risk.
Direct Primary Care (DPC) Practices
Direct primary care practices are often intentionally designed to avoid insurance billing altogether. Instead of submitting claims, these practices typically use a membership model where patients pay a monthly fee for access to care. This structure eliminates the need for many of the electronic transactions that would otherwise trigger covered entity status under HIPAA.
Because of this, many DPC practices are not covered entities. However, the reality is more nuanced. Ordering lab work that the lab bills to insurance, sending electronic referrals, or running your records on software platforms that store or transmit PHI does not by itself make you a covered entity, but each of these puts patient data in the hands of covered entities or business associates, and any electronic claim you submit for a patient, even occasionally, does trigger covered entity status. Vendors and partners in these relationships typically expect a Business Associate Agreement and HIPAA-grade safeguards regardless of how your practice is classified.
As a result, most DPC clinics choose to operate as if HIPAA applies, even when it may not be strictly required. Implementing HIPAA-compliant systems helps protect patient data, supports smoother collaboration with other healthcare entities, and reinforces the trust that is central to the DPC model.
2. Health Plans
Health plans are clearly defined covered entities and include:
- Health insurance companies
- HMOs (Health Maintenance Organizations)
- Employer-sponsored health plans
- Government programs such as Medicare and Medicaid
These organizations manage large amounts of patient data, including:
- Enrollment information
- Claims data
- Payment records
- Medical histories tied to coverage
Because of the scale and sensitivity of this data, they are subject to strict HIPAA regulations.
3. Healthcare Clearinghouses
Healthcare clearinghouses are less commonly discussed, but they keep the billing side of the healthcare system running. A clearinghouse is an entity that converts health information from a nonstandard format into a standard transaction, or receives a standard transaction and converts it into a nonstandard format, so that different systems can exchange claims and payments. In practice they act as intermediaries between healthcare providers and insurance companies.
The HIPAA definition names billing services, repricing companies, and value-added networks and switches as examples, but only when they perform that format conversion. A third-party billing company that simply prepares and submits your claims without converting formats is your business associate rather than a clearinghouse. Either way, if it touches PHI on your behalf it must comply with HIPAA, and you need a Business Associate Agreement with it.
Covered Entities vs. Business Associates
It is important to distinguish between covered entities and business associates.
A business associate is any person or company that:
- Handles PHI on behalf of a covered entity
- Provides services that involve access to patient data
Examples include:
- EHR software providers
- Cloud storage and hosting platforms
- IT support companies
- Marketing agencies handling patient data
- Billing and claims-processing services
Note that reference laboratories and other treating providers are usually covered entities in their own right, and disclosures to them for a patient's treatment do not require a Business Associate Agreement.
Even if your practice is not a covered entity, you may still need to sign Business Associate Agreements (BAAs) depending on your relationships, either because you handle PHI on behalf of a covered entity or because your vendors require one as a condition of service.
For integrative and DPC practices, this distinction is especially important. You may not be a covered entity, but your vendors may still require HIPAA-level protections.
What Is HIPAA Compliance?
HIPAA compliance refers to following the rules established under HIPAA to protect patient information.
At its core, HIPAA is about safeguarding protected health information (PHI), which includes:
- Names and identifying details
- Medical records
- Lab results
- Payment information
- Any data tied to a patient’s health status
The Three Main HIPAA Rules
HIPAA compliance is built around three primary rules that work together to protect patient information and ensure it is handled responsibly. These rules form the foundation of how healthcare organizations manage, store, and share protected health information (PHI).
Privacy Rule
The Privacy Rule establishes how PHI can be used and disclosed. It permits uses and disclosures for treatment, payment, and healthcare operations without the patient's permission, and for a limited set of other purposes (such as public health reporting), but requires the patient's written authorization for most other uses, including marketing. The rule also gives patients rights over their information, including the right to access and obtain copies of their records, to request amendments, to receive an accounting of certain disclosures, and to receive a notice of privacy practices explaining how their information is used.
Security Rule
The Security Rule focuses specifically on protecting electronic protected health information (ePHI). It requires covered entities and business associates to implement safeguards that protect the confidentiality, integrity, and availability of ePHI, and it begins with a documented risk analysis of where ePHI lives and how it could be compromised. The safeguards fall into three categories. Administrative safeguards include the risk analysis itself, written policies and procedures, workforce training, and sanctions for violations. Physical safeguards cover facility access, workstation use, and the handling and disposal of devices and media that hold ePHI. Technical safeguards include access controls with unique user IDs, audit logging of access to ePHI, integrity controls, user authentication, and transmission security such as encryption of data in transit and at rest.
Breach Notification Rule
The Breach Notification Rule outlines what must happen if unsecured PHI is compromised. Affected patients must be notified without unreasonable delay, and no later than 60 days after the breach is discovered, so they understand what information may have been exposed. HHS must be notified of every breach: within 60 days of discovery for breaches affecting 500 or more individuals, and in an annual report for smaller breaches. Breaches affecting more than 500 residents of a state also require notice to prominent media in that state. A business associate that discovers a breach must notify the covered entity it serves so that these clocks can start.
Together, these three rules create a comprehensive framework for protecting sensitive health data, reinforcing both legal compliance and patient trust.
Why HIPAA Compliance Matters
Whether you are clearly a covered entity or operating in a gray area, HIPAA compliance matters.
Legal Protection
Noncompliance can lead to:
- Significant fines
- Legal liability
- Investigations and audits
Penalties can range from thousands to millions of dollars, depending on the severity.
Patient Trust
Patients expect their health information to be handled with care.
Even in a cash-based or wellness-focused practice, poor data protection can:
- Damage your reputation
- Reduce patient retention
- Undermine your brand
Business Growth and Partnerships
As your practice grows, you may:
- Partner with labs or specialists
- Implement new software systems
- Expand into telehealth
Most of these steps require HIPAA compliance. Without it, growth can be limited.
Ethical Responsibility
Beyond regulations, protecting patient information is a core responsibility.
Healthcare depends on trust, and safeguarding personal data is part of delivering quality care.
Common HIPAA Mistakes in Integrative and DPC Practices
Many integrative and direct primary care (DPC) practices are built around personalized care, flexibility, and modern systems. While these models offer clear advantages, they can also lead to gaps in HIPAA compliance when privacy and security are not addressed with the same level of intention. Below are some of the most common mistakes and why they matter.
Using Non-Secure Email or Messaging Platforms
It is common for smaller or cash-based practices to rely on standard email or text messaging to communicate with patients. While convenient, these platforms are often not encrypted end to end or designed to protect protected health information (PHI), and sending lab results, treatment plans, or even appointment details through them can expose sensitive data to unauthorized access. HIPAA requires reasonable safeguards for any channel that carries PHI, which in practice means a secure, encrypted platform for routine clinical communication and for anything sent to other providers or vendors. There is one recognized exception: a patient who has been warned of the risk may still ask to receive information by ordinary email or text, and a provider may honor that request. That choice belongs to the patient, and it does not excuse the practice from securing its own systems.
Storing Patient Data in Unsecured Cloud Systems
Cloud-based tools make it easier than ever to manage patient records, but not all platforms are suitable for PHI. Some practices store intake forms, notes, or lab results in general-purpose file-sharing or consumer cloud accounts that lack adequate encryption, access controls, or audit logging, and whose vendors will not sign a Business Associate Agreement. Without the right protections in place, this data is vulnerable to breaches and unauthorized viewing. The Security Rule requires that any system holding ePHI include technical safeguards such as encryption, role-based access, and audit logs, and the Privacy Rule requires a BAA with the vendor that hosts it. Before adopting any cloud tool, confirm that the vendor offers a BAA for the plan you are using and that you have enabled the security features the BAA assumes.
Failing to Sign Business Associate Agreements
Many integrative and DPC practices work with third-party vendors, including electronic health record (EHR) systems, billing services, scheduling and intake tools, and even marketing platforms. If these vendors create, receive, maintain, or transmit PHI on your behalf, they are business associates, and HIPAA requires a formal Business Associate Agreement (BAA) spelling out how the data will be protected and how breaches will be reported to you. (Laboratories you send specimens to for a patient's treatment are usually covered entities themselves, and that treatment relationship does not require a BAA.) Failing to have these agreements in place is a common oversight that is itself a HIPAA violation, even if the vendor follows security best practices.
Inadequate Staff Training on Data Handling
Even the best systems can fail if staff members are not properly trained. Front desk teams, medical assistants, and practitioners all interact with patient data in different ways. Without clear training on how to handle PHI, mistakes such as discussing patient information in public areas, leaving records unsecured, or sharing information improperly can occur. HIPAA requires ongoing staff education so that everyone in the practice understands their role in protecting patient privacy.
Assuming Cash-Pay Models Are Exempt from HIPAA
One of the most common misconceptions in integrative and DPC care is that avoiding insurance billing automatically removes HIPAA obligations. While some cash-based practices may not meet the strict definition of a covered entity, many still interact with systems, vendors, or partners that bring them under HIPAA rules. Ordering labs, using digital platforms, or coordinating care with other providers can all trigger compliance requirements. Assuming exemption without fully evaluating your operations can leave your practice exposed to unnecessary risk.
These gaps can create significant legal and operational challenges, even for smaller practices. Addressing them early helps protect your patients, your reputation, and the long-term stability of your business.
Building a HIPAA-Compliant Practice
HIPAA compliance is not a one-time task. It is an ongoing process.
A compliant practice typically includes:
- Written privacy and security policies
- Staff training and clear protocols
- Secure EHR and communication systems
- A documented risk analysis, repeated regularly and whenever systems change, plus periodic audits
- Signed agreements with vendors handling PHI
For integrative and DPC clinics, it is important to evaluate how your services and workflows interact with patient data.
When You Are Not Sure, Get Expert Help
HIPAA can be complex, especially when your practice does not fit a traditional model.
If you are unsure whether you are a covered entity or how to stay compliant, professional guidance can help you avoid costly mistakes.
Working with a legal expert who understands:
- Functional and integrative medicine
- Direct primary care models
- Healthcare business structures
can provide clarity and confidence.
Work With Functional Lawyer Today
If you want to build your practice on a strong legal foundation, consider working with Functional Lawyer. Our team helps modern healthcare providers determine whether they are covered entities, navigate HIPAA requirements, structure compliant business models, and protect patient data as they grow and expand services.
HIPAA compliance is not just about avoiding penalties. It is about creating a trustworthy and sustainable practice where you can operate with confidence and focus fully on delivering high-quality patient care.