Imagine a medical practice that does not accept payment from any commercial payers and does not participate in any government health insurance programs. The owners have decided that, for one reason or another, the practice only accepts cash or credit card payments directly from patients. Is that practice subject to HIPAA and its attendant compliance obligations?
The issue is one of definitions. HIPAA applies to covered entities and their business associates. Presuming for the purposes of this post that the practice is not a business associate, the question is whether our cash-only practice is a covered entity. While the definition of covered entity includes health plans and health care clearinghouses, our focus is on the third category, namely health care providers. A health care provider is only a covered entity if it, “transmits any health information in electronic form in connection with a transaction covered by” Subchapter A of Title 45 of the Code of Federal Regulations. 45 C.F.R. §160.103. In other words, being a health care provider alone is not enough to trigger HIPAA compliance obligations; the health care provider must also engage in a standard transaction.
This may seem quite broad, and in a sense it is, but it is important to dig deeper into the two primary components of the above quotation. First, the health care provider must transmit health information in electronic form. The term health information is expansive (see its definition in 45 C.F.R. §160.103), but keep in mind that the transmission must be in electronic form. Second, the transmission must be in connection with a standard transaction covered by that Subchapter. The term “transaction” is defined as “the transmission of information between two parties to carry out financial or administrative activities related to health care.” 45 C.F.R. §160.103. The definition includes the following list:
- Health care claims or equivalent encounter information.
- Health care payment and remittance advice.
- Coordination of benefits.
- Health care claim status.
- Enrollment and disenrollment in a health plan.
- Eligibility for a health plan.
- Health plan premium payments.
- Referral certification and authorization.
- First report of injury.
- Health claims attachments.
- Health care electronic funds transfers (EFT) and remittance advice.
- Other transactions that the Secretary may prescribe by regulation.
In the context of the hypothetical cash-only practice described above, there are no claims, plans, or third parties. Thus, it appears that none of the foregoing would come into play with our hypothetical cash-only practice. It is important to note that every practice must determine for itself whether it engages in any of the foregoing transactions. If not, however, then even a cash-only health care provider that transmits health information in electronic form could fall outside the definition of covered entity and not be subject to HIPAA compliance if it avoids all of the above-listed transactions.
None of the foregoing is to suggest that a cash-only practice is relieved from the obligation to ensure that patient records remain private and secure. Apart from regulatory and ethical obligations to do so, there may be applicable consumer protection laws and other federal and state laws that apply to specific types of records, particularly certain types of sensitive information. As a result, it would nevertheless be advisable for our hypothetical cash-only practice to look to HIPAA for guidance in crafting appropriate privacy and security policies and procedures to abide by.
 As a word of caution, the preamble to the HIPAA final rules published in 2000 notes that if a health care provider does not itself engage in standard transactions, then it becomes a covered entity if it assigns that task to a third party, such as a billing services.