Does HIPAA apply to small practices?
Many small healthcare practices assume they are too small for HIPAA. The law has no size exemption. Here is the two-part test that determines whether you are a covered entity — and what applies if you are.
By CoreFolio
5-minute read
A common assumption among small and solo healthcare practices is that HIPAA is a large-system concern — something that applies to hospitals and health plans, not to a three-person clinic or a solo therapist. That assumption is wrong, and it is one that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) regularly encounters when investigating small covered entities.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains no size exemption. There is no employee threshold, no revenue floor, no patient-volume minimum. The question is a legal one with a specific two-part answer.
The covered entity test
HIPAA defines three categories of covered entities: health plans, health care clearinghouses, and health care providers. Most small practices fall into the third category.
Under 45 CFR § 160.103, a health care provider is a covered entity if two conditions are both true:
1. The entity furnishes, bills, or is paid for health care in the normal course of business.
Health care includes preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care — and any service, supply, or product furnished in connection with it. This definition is broad. It covers physicians, dentists, chiropractors, physical therapists, mental health counselors, psychologists, home health agencies, nursing homes, and pharmacies. It also covers occupational therapists, speech-language pathologists, and optometrists.
2. The entity transmits any health information in electronic form in connection with a covered transaction.
Covered transactions are administrative and financial exchanges for which HHS has adopted a standard. The most common for small practices are:
- Health care claims (ANSI X12 837P for professional services, 837I for institutional services)
- Eligibility inquiries and responses (X12 270/271)
- Claims status requests (X12 276/277)
If your practice submits claims to Medicare, Medicaid, or a private insurer electronically, or uses a clearinghouse or billing service that does so on your behalf, you are conducting covered transactions and meet the second condition.
The indirect transmission rule
A small practice that transmits claims through a billing company or clearinghouse is still conducting covered transactions. The routing of the transaction through a third party does not change the practice's status as a covered entity. CMS confirmed this interpretation in its guidance on covered entity determination.
This matters because practices sometimes believe that outsourcing billing removes their HIPAA obligations. It does not. It also creates a business associate relationship with the billing company — which itself carries obligations (see below).
No size exemption: what OCR says explicitly
The HHS FAQ on covered entities states directly: “The size of a covered entity is not a factor in determining whether it must comply with the HIPAA Rules.”
OCR’s enforcement record reflects this. Under the Risk Analysis Initiative launched in October 2024, OCR has brought enforcement actions against solo providers, small neurology practices, and single-location behavioral health centers. Settlement amounts in small-practice cases have ranged from $5,000 to $375,000 — plus multi-year corrective action plans.
What happens when a practice does not submit electronic transactions
A genuine cash-only practice that never submits electronic claims, never checks eligibility electronically, and never performs other covered transactions may not meet the definition of a covered entity. CMS provides a Covered Entity Decision Tool at cms.gov to help determine status.
Important caveats:
- Most practices do conduct covered transactions. Even a practice that does not bill insurance directly often uses an EHR, a practice-management or scheduling platform, or a payment processor that runs eligibility checks or receives electronic remittance advice on its behalf. Each of those activities may constitute a covered transaction.
- The business associate framework still applies. A practice that is not a covered entity may still be a business associate of a covered entity it works with. Business associates have been directly liable under HIPAA since the HITECH Act of 2009, as implemented by the 2013 Omnibus Final Rule.
- State law may impose additional obligations. California, Texas, New York, and other states have health privacy statutes that apply regardless of HIPAA covered-entity status.
Business associates: the second coverage path
Even if a practice concludes it is not a covered entity, there is a second way into HIPAA: being a business associate. Under 45 CFR § 160.103, a business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. A business associate must comply directly with the HIPAA Security Rule and with the Privacy Rule provisions that apply to it, and the covered entity must have a business associate agreement with it (45 CFR § 164.308(b)).
More practically: if your practice receives PHI from covered entities you serve (for example, a billing company that processes claims for multiple covered-entity clients), you are a business associate and are directly subject to HIPAA whether or not you are a covered entity yourself.
Which rules apply once you are a covered entity
A covered health care provider must comply with three rules:
The Privacy Rule (45 CFR Part 164, Subparts A and E) governs when and how PHI may be used and disclosed. It requires a Notice of Privacy Practices, patient access rights, minimum necessary standards, and designated privacy official responsibilities.
The Security Rule (45 CFR Part 164, Subparts A and C) applies specifically to electronic PHI (ePHI). It requires a risk analysis, risk management plan, administrative safeguards, physical safeguards, technical safeguards, and workforce training. All of these apply to small practices.
The Breach Notification Rule (45 CFR Part 164, Subpart D) requires notification to affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. Breaches affecting 500 or more individuals also require notification to HHS at the same time and to prominent media outlets serving the affected area; smaller breaches must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
Practical first steps if you are uncertain
- Use the CMS decision tool. The Covered Entity Decision Tool at cms.gov walks through the determination question by question and produces a documented answer.
- Inventory your electronic transactions. List every system that sends or receives health information electronically, including vendors that do so for you. If any of those systems submit claims, check eligibility, or receive electronic remittance advice, you are conducting covered transactions.
- Audit your vendor relationships. Any vendor with access to PHI — EHR, billing, scheduling, cloud backup, IT support — is a potential business associate. Business associate agreements (BAAs) are required.
- Start with the risk analysis. If you have confirmed covered-entity status and have not conducted a risk analysis under 45 CFR § 164.308(a)(1)(ii)(A), that is the highest-priority gap. A missing or inadequate risk analysis is the most frequently cited finding in OCR enforcement actions against small practices.
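The covered-transaction list above and the inventory step are easy to state and tedious to do by hand, because the evidence lives inside outbound and inbound EDI files. The script below is an added example, not code from CoreFolio or CMS: it reads the fixed-width ISA envelope of an X12 interchange to discover the delimiters, walks every ST segment, and reports which transaction sets are HIPAA-adopted standard transactions (837, 270/271, 276/277, 835) and which are not. It also flags functional groups whose GS08 version is not 005010, the version adopted for the HIPAA transactions. The two interchanges are constructed samples; the ST01-to-transaction mapping is the standard one. It goes slightly beyond the article by covering the 835 remittance advice and the version check, which the text only alludes to.

```python
"""Inventory the X12 transaction sets inside EDI interchanges.

Added example (not from the article or from CMS). Answers the "inventory your
electronic transactions" step mechanically: parse the ISA envelope, walk the
ST segments, and separate HIPAA standard transactions from everything else.
The sample interchanges at the bottom are constructed.
"""
from collections import Counter

# ST01 identifiers of the adopted standard transactions a small provider is
# most likely to exchange (45 CFR Part 162). 278, 834 and 820 are adopted too
# but rarely originate from a small practice, so they are left out here.
COVERED_TRANSACTIONS = {
    "837": "health care claim (837P professional / 837I institutional)",
    "270": "eligibility inquiry",
    "271": "eligibility response",
    "276": "claim status request",
    "277": "claim status response",
    "835": "payment and remittance advice",
}

ISA_LENGTH = 106  # the ISA segment is fixed-width; delimiters sit at fixed offsets


def delimiters(interchange: str) -> tuple[str, str]:
    """Return (element separator, segment terminator) read from the ISA header."""
    if not interchange.startswith("ISA") or len(interchange) < ISA_LENGTH:
        raise ValueError("not an X12 interchange: missing or truncated ISA segment")
    return interchange[3], interchange[ISA_LENGTH - 1]


def segments(interchange: str):
    """Yield each segment as a list of elements; newlines between segments are tolerated."""
    element_sep, segment_term = delimiters(interchange)
    for raw in interchange.split(segment_term):
        raw = raw.strip()
        if raw:
            yield raw.split(element_sep)


def inventory(interchange: str) -> dict:
    """Count ST01 transaction set IDs and split them into covered vs. other.

    Also lists functional groups whose GS08 version does not start with 005010:
    an 837 in a 4010 group is still a claim, just one in a non-adopted format.
    """
    counts = Counter()
    non_5010_groups = []
    for seg in segments(interchange):
        if seg[0] == "ST":
            counts[seg[1]] += 1
        elif seg[0] == "GS" and len(seg) > 8 and not seg[8].startswith("005010"):
            non_5010_groups.append((seg[1], seg[8]))
    covered = {tsid: n for tsid, n in counts.items() if tsid in COVERED_TRANSACTIONS}
    other = {tsid: n for tsid, n in counts.items() if tsid not in COVERED_TRANSACTIONS}
    return {"covered": covered, "other": other, "non_5010_groups": non_5010_groups}


def conducts_covered_transactions(interchanges: list[str]) -> bool:
    """True if any interchange carries at least one adopted standard transaction."""
    return any(inventory(i)["covered"] for i in interchanges)


def isa_header(sender: str, receiver: str) -> str:
    """Build a syntactically valid 106-byte ISA header for the constructed samples."""
    fields = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sender.ljust(15),
              "ZZ", receiver.ljust(15), "240115", "1200", "^", "00501",
              "000000001", "0", "P", ":"]
    header = "*".join(fields) + "~"
    assert len(header) == ISA_LENGTH
    return header


# Constructed sample: two 837P claims and one 270 eligibility inquiry, both 5010.
SAMPLE_CLAIMS_AND_ELIGIBILITY = (
    isa_header("SUBMITTERID", "PAYERID")
    + "GS*HC*SUBMITTERID*PAYERID*20240115*1200*1*X*005010X222A1~\n"
    + "ST*837*0001*005010X222A1~\nBHT*0019*00*REF1*20240115*1200*CH~\nSE*3*0001~\n"
    + "ST*837*0002*005010X222A1~\nBHT*0019*00*REF2*20240115*1200*CH~\nSE*3*0002~\n"
    + "GE*2*1~\n"
    + "GS*HS*SUBMITTERID*PAYERID*20240115*1201*2*X*005010X279A1~\n"
    + "ST*270*0003*005010X279A1~\nBHT*0022*13*REF3*20240115*1201~\nSE*3*0003~\n"
    + "GE*1*2~\nIEA*2*000000001~\n"
)

# Constructed sample: only a legacy 997 acknowledgment in a 4010 functional
# group. Acknowledgments are not adopted standard transactions.
SAMPLE_ACK_ONLY = (
    isa_header("PAYERID", "SUBMITTERID")
    + "GS*FA*PAYERID*SUBMITTERID*20240115*1300*3*X*004010~\n"
    + "ST*997*0004~\nAK1*HC*1~\nAK9*A*2*2*2~\nSE*4*0004~\n"
    + "GE*1*3~\nIEA*1*000000002~\n"
)

if __name__ == "__main__":
    for name, sample in [("claims+eligibility", SAMPLE_CLAIMS_AND_ELIGIBILITY),
                         ("ack only", SAMPLE_ACK_ONLY)]:
        print(name, inventory(sample))
    print("covered transactions present:",
          conducts_covered_transactions([SAMPLE_CLAIMS_AND_ELIGIBILITY, SAMPLE_ACK_ONLY]))
```

Point `inventory` at the files your clearinghouse SFTP drop or practice-management export produces, and the "covered" dictionary is your documented evidence for the second prong of the test. A non-empty "other" bucket is worth a look too, since it tells you which systems are talking EDI without going through the standard transactions.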
Sources: 45 CFR § 160.103 (definitions, covered entity); 45 CFR §§ 164.302–164.318 (Security Rule); 45 CFR §§ 164.400–164.414 (Breach Notification Rule); CMS Covered Entity Decision Tool, cms.gov; HHS FAQ on Covered Entities, hhs.gov/hipaa/for-professionals/covered-entities; HHS FAQ “Is a healthcare provider that only accepts cash payments a covered entity?”; HITECH Act of 2009 (direct liability for business associates). Last verified May 20, 2026.