Does my Cash Based Practice Need to be Compliant with HIPAA Privacy Laws?

Today’s post comes from Aaron LeBauer PT, DPT, LMBT, who has a successful cash-based practice and recently started a website for those interested in the private pay business model. It has been really nice to have him and a few others now putting great content out there, and hopefully as a team we can educate even more of our colleagues on this business model.

He has been ever-so-kind to tackle the enormous topic of HIPAA as it relates to cash-based physical therapy practices. 

There are quite a few compliance questions that come up when discussing the cash-based physical therapy practice model, including Medicare, HIPAA, documentation, direct access, offering multiple services, and so on.  In general it would seem that these issues should apply to a cash-based practice in the same way as to a traditional insurance-based practice, but the details might surprise you.

My brother, who is in private practice as a social worker counseling individuals and couples, first brought the HIPAA compliance issue to my attention.  He forwarded to me a copy of email correspondence written by a lawyer, who is an advisor to another therapist in my brother’s mental health therapist network.  I have not been in personal contact with this lawyer, but the email I received stated that his opinion is “anyone who does NOT do electronic billing remove the HIPAA forms from their intake packets.  If you include HIPAA forms you are subject to HIPAA rules and regulations and if you violate any of those you can be strictly fined.”

This really got me thinking and asking myself questions. I was told I needed to have my patients sign a HIPAA policy form, but am I jeopardizing my practice unnecessarily?  This deserved some more investigation and I found a few hits on Google, but not all the answers.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996.  Its original aim was to make it easier for workers to keep their health insurance coverage when they changed jobs, and a particular concern was the transfer, or portability, of patient records.  The easiest way to transfer records is electronically, and the most common electronic channel is email, which is not a secure form of communication.  The Act’s Administrative Simplification provisions therefore directed the Department of Health and Human Services to standardize electronic health care transactions and to adopt rules protecting the privacy and security of patient information.  Two of those rules matter here: the Privacy Rule, which governs how a covered entity may use and disclose protected health information in any form (electronic, paper, or oral), and the Security Rule, which requires safeguards for protected health information that is stored or transmitted electronically.

What is a “covered entity?”

The first question to ask yourself is “Is my practice a covered entity?”

The CMS website has an excellent flow sheet to help you answer this question and determine if you are a covered entity:

The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is:

– a health care provider that conducts certain standard transactions in electronic form (called here a “covered health care provider”).
– a health care clearinghouse.
– a health plan.

An entity that is one or more of these types of entities is referred to as a “covered entity” in the Administrative Simplification regulations.

What are the “certain standard transactions?”

Transactions are electronic exchanges involving the transfer of information between two parties for specific purposes.  For example, a health care provider will send a claim to a health plan to request payment for medical services. In the HIPAA regulations, the Secretary of Health and Human Services (HHS) adopted certain standard transactions for Electronic Data Interchange (EDI) of health care data. These transactions are:

  • claims and encounter information
  • payment and remittance advice
  • claims status
  • eligibility
  • enrollment and disenrollment
  • requests to obtain referral certifications and authorizations
  • coordination of benefits
  • premium payment

Under HIPAA, if a covered entity conducts one of the adopted transactions electronically, they must use the adopted standard.

What information is protected?

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper, or oral.  The Privacy Rule calls this information “protected health information” (PHI).  It includes common demographic information such as name, street address, telephone number, date of birth, and Social Security number, as well as past, present or future information about the individual’s physical or mental health condition, the provision of health care, and payment for that care.

What about Faxes and Emails?

Paper sent by fax and voice over the telephone are not electronic transmissions under the HIPAA definitions, because the information did not exist in electronic form immediately before it was transmitted.

Data sent by email or over the internet, however, is an electronic transmission, even when it is a scanned paper document saved as a PDF.

To summarize:

A standard transaction carries protected health information, and a health care provider that sends or receives any of these transactions electronically is a covered entity.

  • If you transmit a patient’s protected health information but are not conducting one of the standard transactions, that alone does not make you a covered entity.  An example would be consulting with or referring a patient to a physician by sending the patient’s name and health problem via email.  (Not being a covered entity does not make that email any more secure, and your state practice act and professional ethics still apply to what you disclose and how.)
  • If you are a physical therapist in private practice and only accept payment by cash, check, debit or credit cards, these forms of billing/collection do not make you a covered entity.
  • If you sometimes submit a handwritten HCFA 1500 form, this does not make you a covered entity.
  • If you are a physical therapist in private practice, you live in a state with limited Direct Access and Fax your patient’s physician the plan of care to sign, then you are not participating in a “certain standard transaction,” and doing so would not make you a covered entity.
  • If you, or someone on your behalf, like a clearinghouse, submit your patient’s protected health information electronically to receive reimbursement you are a covered entity.
  • If you are a Medicare provider and submit claims electronically but accept cash, check or credit cards from everyone else, you are still a covered entity and should have all of your patients sign HIPAA privacy forms.

Even if your answer to the title question is “no” and you are not a “covered entity,” you still have to conform to the standards of practice and privacy ethics as outlined in your state’s practice act.

How do I maintain my patient’s privacy?

My practice, which is a cash-based physical therapy practice, does not fit the definition of a covered entity, so HIPAA consent forms are no longer something I have my patients sign. I have my patients sign a consent form that includes the following statement:

“I understand that LeBauer Physical Therapy, LLC will maintain my privacy to the highest standards and may use or disclose my personal health information for the purposes of carrying out treatment, obtaining payment, evaluating the quality of services provided and any administrative operations related to treatment or payment.”

Likewise, just as my documentation is the same as if I owned a traditional insurance-based practice, I protect my patients’ privacy when in public, in my office and on social media.

Also, whether or not a provider uses an electronic medical record or electronic health record is irrelevant to determining covered entity status.  If you, or someone on your behalf, transmit one or more of the standard transactions in electronic format then you will be a “covered entity.”

I am not a lawyer, and this may be a topic that needs further vetting with your advisory board or lawyer, but if you keep it simple, and do not transmit any health information in connection with a covered standard transaction then you are likely not a “covered entity.”

If you have any questions or any thoughts to add, I would appreciate your comments below.

Aaron LeBauer PT, DPT, LMBT




{ 27 comments… read them below or add one }

Aaron LeBauer PT, DPT, LMBT June 14, 2013 at 2:19 pm

This looks great. Thanks for the opportunity to write a guest post for your blog. I’m looking forward to hearing/reading the questions and thoughts about this topic and working with you again in the future.


Dr Jarod Carter June 14, 2013 at 3:26 pm

Thank You Aaron. This is no small topic and we really appreciate your time and expertise!


Christopher Anthony, DC June 16, 2013 at 11:17 pm

Solid post, Dr. LeBauer. I appreciate the relevant story and clear explanation. This may save many therapists from unneeded hassle. It’s surprising how streamlined a cash practice can be–how many more minutes can be devoted to patient care!


Justin Feldman June 17, 2013 at 2:08 pm

Great post Dr. LeBauer! Really good information. I asked a health care lawyer friend to look into this and they agreed that this is the best course of action. I also enjoyed your new site! Great information thanks for sharing!


Aaron LeBauer June 17, 2013 at 6:33 pm

Dr. Anthony, Dr. Feldman, Thank you!


Victoria Liu June 18, 2013 at 2:57 pm

What if I email my clients a receipt or invoice-would that be considered a certain standard transaction and make me subject to HIPAA?


Aaron LeBauer PT, DPT, LMBT June 18, 2013 at 7:25 pm

Thanks for the great question. From my understanding and interpretation of the law, emailing a client a receipt or invoice is not considered a “certain standard transaction.”


Rebecca Morehead June 20, 2013 at 1:33 am

Hi Jarod and Aaron,

Thanks for the great post and for bringing this awareness to the attention of cash-based practices. This question is often asked and more now than ever due to the new Omnibus Rule that just came out in January requiring all covered entities and business associates to develop their compliance plans for HIPAA as it relates to HIPAA Privacy and Security. There are also updates now to the privacy practices due to this rule. Wishing these solo practices much success as we are helping them wade through these murky waters.

I would also enjoy interviewing you both sometime on my radio show if you are ever interested and have some time to chat. Keep up the great work!



Dr Jarod Carter June 20, 2013 at 5:52 pm

My pleasure … thanks for taking the time to comment!


Tracy Sher June 20, 2013 at 6:54 pm

Thanks Aaron and Jarod for this great content. I have a cash-based PT practice that is growing… I am still slightly confused and appreciate any clarification for the following:

1. How does Rebecca Morehead’s comment affect any of this? What’s a COMPLIANCE PLAN for non-covered?
“This question is often asked and more now than ever due to the new Omnibus Rule that just came out in January requiring all covered entities and business associates to develop their compliance plans for HIPAA as it relates to HIPAA Privacy and Security.”

2. If I hire a virtual assistant and/or on-site assistant (and additional PTs) – if they handle my records, do I need them to sign something? They are considered a business associate of a non-covered, but still handle medical records and info.

3. Do you have templates we can view regarding what you have your patients sign AND what our employees should sign for non-covered?

4. For clarification – we can use EMRs like WebPT, ELECTRONICALLY fax records to physicians, keep medical records and info on a computer…and as long as we don’t do the “standard transactions”, still non-covered?

I appreciate your time and help.


Aaron LeBauer June 26, 2013 at 12:22 am

Thanks for your comment and question. Sorry for the delay in responding, I’ve been out of town. I am not a HIPAA covered entity and am familiar with how that relates to practice. If you are a HIPAA covered entity then you may find that there are other resources better than I who can answer your questions.
1) My understanding is that if you are not a “covered entity” Rebecca’s comment should not apply to you or your practice

2) If you are not a “covered entity”, you are only required to abide by privacy rules/laws of your state practice act or your professional associations codes of conduct. Handling medical records is not a “standard transaction.”

Any employees and contractors should still be informed of your practice’s privacy policy and sign an agreement to keep all patient information confidential.

My opinion is that for a practice that is not a “covered entity” a separate “Privacy Agreement” would be a good document to have inside of, or separate to, the employment/contracting agreement. It should state your privacy policy, and that the contractor/employee agree and sign that they will abide by and maintain your privacy standards. I would also include (either in that document or separate training) some examples of how and when they can talk to others about patients/clients/customers. I would personally include a clause that they are not to mention, write or post about patients/clients on their facebook, twitter or other social media accounts.

3) I don’t have a template, but included my privacy statement above word for word from the consent form I use that is in my new patient history packet.

4) I’m unsure and unable to find a clear answer regarding “electronic” faxes from within an EMR; in general faxes are not electronic transactions.

No “standard transactions” = not “covered entity”
You are only “covered entity” if you transmit or store information electronically AND participate in a “certain standard transaction.”


Tracy Sher July 8, 2013 at 1:48 pm

Thanks so much for clarifying, Aaron. I am intrigued by #3. It seems that the statement you have is so basic, but I suppose that’s all that is needed in non-covered? : “I understand that LeBauer Physical Therapy, LLC will maintain my privacy to the highest standards and may use or disclose my personal health information for the purposes of carrying out treatment, obtaining payment, evaluating the quality of services provided and any administrative operations related to treatment or payment.”

I appreciate your insight. Cheers!


Jitendra February 13, 2016 at 9:09 am

You know what we are really in a twist about is to whom can we send patient-specific data via email (i.e. for claims resolution) and how do we secure those emails? Also, what about our folks who are now pushing work emails to their PDAs? What if patient-specific data lands on a hand-held device and it goes bad? Do we have to get a Business Agreement (HIPAA) with Verizon? Sorry, so many questions without answers, but this is the content of our IT meetings lately. Great post!


Aaron LeBauer July 8, 2013 at 11:56 pm

Thanks! I think the adage of “keep it simple” is what seems to work best for me. I think the culture of health care and insurance reimbursement can be so complicated and full of requirements that when all you need is a contract between a patient and therapist, “less is more”.


Kathleen scribner September 29, 2013 at 2:58 am

Thank you


Beth Swanson October 14, 2013 at 11:54 am

Hi! So it seems that if you do not bill electronically and are a fully cash-based practice you are NOT a covered entity.

But how do you handle storage of treatment notes? Do you go old school and keep them on paper, or can they be stored on a computer?

Thanks, Beth


Aaron LeBauer October 15, 2013 at 12:24 am

Thanks for your question.

In regards to your statement “so it seems that if you do not bill electronically and are a fully cash based practice you are NOT a covered entity.” In general, yes, but I urge you to follow the guide and flow sheet above as there may be an exception in someone’s case.

Since my practice is not a HIPAA “covered entity” I do not need to follow HIPAA rules for storage of my notes, patient information or files. I use paper notes and keep them in manila folders in a file drawer, and store my old notes in a closet. I keep my folders face down on my desk, do not disclose who my patients are to others who are not part of their healthcare team and generally try to keep my patients’ information private.

I use a lock for the front door and do not have anyone in my office except patients and myself (and my wife who is a therapist and a sublessor who is a cash based chiropractor and his assistant). I have patient information on my computer as well in the form of pictures, notes and summaries. My laptop is password protected and locked to the desk with a cable lock.

I believe there is no problem keeping patient notes and information on a computer, and this alone does not make one a “covered entity.” I do not use an EMR for many reasons, that I don’t have room to explain here, however privacy is not one of them.


Beth Swanson October 15, 2013 at 2:31 am

It sounds like this is a common-sense approach to maintaining privacy for your patients. Thanks for the quick reply and input.



Aaron LeBauer PT, DPT, LMBT October 15, 2013 at 10:39 pm

you are very welcome.


Kaye Sharp October 27, 2014 at 3:24 pm

Great information! What do you think about the program suggested in Dr. Jarod Carter’s podcast with Nancy Beckley to add security to PDFs through Acrobat Security System? Is this necessary if you are not a covered entity? I guess this question should go to Jarod, as well. Just wondering about emailing or efaxing a PDF containing patient information. Thanks!


Dr Jarod Carter October 29, 2014 at 4:43 pm

Since it’s quick and easy to lock a PDF, I don’t see why we wouldn’t do so, just in case


Aaron LeBauer October 28, 2014 at 1:47 am

Thank you! I haven’t had the opportunity to listen to Jarod’s recent podcast, so I’ll have to defer the answer to him or even to Nancy. You can always snail mail or send a traditional fax to be within the rules as I understand them.


MU Lee December 1, 2014 at 7:22 pm

My husband and I have a counseling practice. We are HIPAA compliant, unfortunately. Our practice is very small and limited. The insurance companies pushed for electronic submissions, which I realize now benefited them much more than it did us. We have talked about pulling out of the maze, which is expensive for a small, limited practice. To date, we have made very little profit, and are considering going to a cash-based counseling practice. Do you know if it is possible to reverse the process? I would think that we would have to eliminate being listed with insurance companies, and doing anything electronically. That alone might hit the bottom line, but I am beginning to think that we wouldn’t have a whole lot to lose at this point. A great deal of our profit seems to be going to keep the HIPAA thing going. Thoughts?


Dr Jarod Carter December 1, 2014 at 8:08 pm

You’ll definitely have to pull out of the electronic directories and, as you said, stop doing any billing electronically. Also, check with your state laws because I know that by State Law here in Texas, all counselors are considered covered entities even if they’re cash-based.


Stephen Mandler July 25, 2015 at 3:51 am

What do you hand to your patient at the end of the session along with the receipt so that they can file on their own with their insurance company? Billing codes? Diagnostic information?


Dr Jarod Carter July 27, 2015 at 2:04 pm
Marina Castellanos February 26, 2016 at 1:14 pm

If a patient requests that you email treatment notes directly to them, does this make you a covered entity? What about emailing billing invoices directly to the patient?

