Is My Cash Practice a HIPAA Covered Entity?


I receive quite a few questions regarding compliance issues when discussing the cash-based physical therapy practice model. These include Medicare, HIPAA, patient privacy, documentation, direct access, multiple services, etc. In general, it would seem like these issues should apply to a cash-based practice in the same manner as a traditional insurance-based practice, but the details might surprise you. There is a lot of misinformation and misunderstanding floating around, especially regarding HIPAA and putting its rules and regulations into practice, including the assumption that we are all “covered.”

My curiosity started when my brother, who is in private practice as a social worker counseling individuals and couples, first brought a HIPAA compliance issue to my attention. He forwarded to me a copy of an email correspondence written by a lawyer, who is an advisor to another therapist in my brother’s mental health therapist network. I have not been in personal contact with this lawyer, but the email I received stated that his opinion is “anyone who does NOT do electronic billing remove the HIPAA forms from their intake packets. If you include HIPAA forms you are subject to HIPAA rules and regulations and if you violate any of those you can be strictly fined.”

This really got me thinking and asking myself questions. When I set up my practice 6 years ago, I was told I needed to have my patients sign a HIPAA privacy release form. Upon hearing this new information, I was concerned that doing so might unnecessarily jeopardize or put my practice at risk. This deserved some more investigation, and in researching it I’ve learned quite a bit, though not all the answers. I want to share what I’ve learned.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996 and it was primarily aimed at providing workers with easier ways to continue their healthcare insurance coverage whenever they changed jobs.

An area of special consideration was the transfer or portability of patient records. The easiest way to transfer data is electronically, and the most common way is via email. Unfortunately, email is not a secure form of communication. Legislators added appropriate language to ensure the confidentiality of patient information when it is stored or sent electronically, which became the first legislation to address email confidentiality. HIPAA is about patient confidentiality in electronic format.

Click Here for the HIPAA Basics for Providers handout

What is a “covered entity?”

The first question to ask yourself is “Is my practice a covered entity?”

The CMS website has an excellent flow sheet (the CMS covered entity flowsheet) to help you answer this question and determine whether you are a covered entity.

The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is:
– a health care provider that conducts certain standard transactions in electronic form (called here a “covered health care provider”).
– a health care clearinghouse.
– a health plan.

An entity that is one or more of these types of entities is referred to as a “covered entity” in the Administrative Simplification regulations.

What are the “certain standard transactions?”

Transactions are electronic exchanges involving the transfer of information between two parties for specific purposes. For example, a health care provider will send a claim to a health plan to request payment for medical services. In the HIPAA regulations, the Secretary of Health and Human Services (HHS) adopted certain standard transactions for Electronic Data Interchange (EDI) of health care data. These transactions are:

  • claims and encounter information
  • payment and remittance advice
  • claims status
  • eligibility
  • enrollment and disenrollment
  • requests to obtain referral certifications and authorizations
  • coordination of benefits
  • premium payment

Under HIPAA, if a covered entity conducts one of the adopted transactions electronically, they must use the adopted standard.

What information is protected?

The Privacy Rule protects all “individually identifiable health information” stored or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI). This includes common demographic information such as name, street address, telephone number, date of birth, social security number, etc. PHI also includes past, present or future information about the individual’s physical or mental health condition, payment status and provision of health care.

What about Faxes and Emails?

Transmissions of paper via facsimile and of voice via telephone are specifically exempted from the HIPAA Security Rule. They are not treated as electronic transactions because the information did not exist in digital form prior to the transmission.

However, data sent by email or through the Internet, even if scanned into a PDF file, is an electronic transmission. Another interpretation of this is that if the data or information originates on a computer (including a cell phone or tablet), it is an electronic transmission.

To summarize:

There are two aspects to determining whether you are a “covered entity” or not: the purpose of the transaction and how it is delivered. Certain Standard Transactions include Protected Health Information, and if you send or transmit any of these transactions electronically, you are a Covered Entity.

  • If you are transmitting a patient’s protected health information but are not participating in a “certain standard transaction,” you are not a covered entity. An example of this would be consulting with or referring a patient to a physician by sending a patient’s name and health problem via email.
  • The HIPAA privacy rule also allows health care providers to communicate with their patients electronically (via email) provided you establish reasonable safeguards when doing so.
  • If you are a physical therapist in private practice and only accept payment by cash, check, debit or credit cards, these forms of billing/collection do not make you a covered entity.
  • If you sometimes submit a handwritten HCFA 1500 form, this does not make you a covered entity.
  • If you are a physical therapist in private practice, you live in a state with limited Direct Access, and you fax your patient’s physician the plan of care to sign, then you are not participating in a “certain standard transaction,” and doing so would not make you a covered entity.
  • If you, or someone on your behalf, like a clearinghouse, submit your patient’s protected health information electronically to receive reimbursement, you are a covered entity.
  • If you are a Medicare provider and submit claims electronically but accept cash, check or credit cards from everyone else, you are still a covered entity and should have all of your patients sign HIPAA privacy forms.
  • If you use an “electronic fax” service and participate in “certain standard transactions,” you are a “covered entity.” You need to be sure to choose a HIPAA-compliant fax service and sign a BAA.

Even if your answer to the title question is “no” and you are not a “covered entity,” you still have to conform to the standards of practice and privacy ethics as outlined in your state’s practice act and/or your professional association.

How do I maintain my patient’s privacy?

My practice, which is a cash-based physical therapy practice, does not fit the definition of a covered entity. HIPAA consent forms are no longer something I have my patients sign. I have my patients sign an informed consent form that includes the following statement:

“I understand that LeBauer Physical Therapy, LLC will maintain my privacy to the highest standards and may use or disclose my personal health information for the purposes of carrying out treatment, obtaining payment, evaluating the quality of services provided and any administrative operations related to treatment or payment.”

Likewise, just as my documentation is the same as if I owned a traditional insurance-based practice, I protect my patients’ privacy in public, in my office and on social media. I also keep a standard landline and use a traditional fax machine the 2-3 times a year I am requested to send patient information. Another alternative to an electronic fax, especially if you don’t have a landline and use an EMR, is to print the patient record and put it in the mail. Conversely, you can request to have a patient’s information and records mailed to you.

Also, whether or not a provider uses an electronic medical record or electronic health record is irrelevant to determining covered entity status. If you, or someone on your behalf, transmit one or more of the standard transactions in electronic format, then you will be a “covered entity.”

Final Thoughts on HIPAA:

I am not a lawyer, and this may be a topic that needs further vetting with your advisory board, healthcare compliance authority or healthcare attorney, but if you keep it simple and do not transmit any health information in connection with a covered standard transaction, then you are likely not a “covered entity.” This means that you would not need to follow the guidelines and regulations set out in the HIPAA rules, including: having your patients sign a HIPAA privacy release, creating a HIPAA policies & procedures manual, obtaining an NPI (National Provider Identifier), or signing a BAA (Business Associate Agreement). Finally, there is the benefit that you would not potentially put yourself and your practice at risk of violating a HIPAA rule or paying a fine when it doesn’t apply in the first place.

If you have a 100% cash-based practice, you are likely not participating in any of the “certain standard transactions” anyway. If you want to maintain a simple and low-key existence and you want to avoid being a HIPAA covered entity, or even the gray areas and uncertainty in the middle, be sure you communicate via phone, snail mail or standard fax. Remember, if you hire someone else to do this for you or on your behalf, be sure they do the same, and insist that health plans and insurance companies communicate with you only via phone, snail mail or standard fax.

Is your practice a “covered entity” or not? What steps and measures are you taking to keep it that way, and why is this beneficial to you?

Update 1-7-17

Just to be clear, this is really best left for you and your healthcare attorney to decide based on your unique practice. A few years ago when I looked at HIPAA and wrote this article, I discovered that I was not a covered entity and did not sign a BAA with anyone. Recently I’ve talked with my healthcare attorney, who falls on the less conservative side of a few important issues. After going back and forth quite a few times, she pointed out that there are two HIPAA rules, the Security Rule and the Privacy Rule. She said the ‘non-covered entity’ status I mention in this article applies to the Security Rule, and that everyone is bound by the Privacy Rule. Her advice to me was to be sure to sign a BAA with Google since I use G Suite for my EMR, with IntakeQ, and with anyone else I’m using to store my patient information. However, I’m also still using an analog fax and not sending patient notes to the insurance companies when they request them. I send them directly to the patient. Also, she recommended that I have patients sign a HIPAA notice of privacy practices. That way I’m complying with the Privacy Rule and still not bound by the Security Rule. This just shows how complex these issues are and why it’s best to have a great lawyer (or two) on your team.

This article has been updated from the original version that appeared on


About The Author

Aaron LeBauer

Aaron LeBauer PT, DPT, LMBT started a 100% cash based physical therapy practice right after graduation. He's on a mission to save 100 million people from unnecessary surgery & enjoys helping passionate therapists build successful businesses without relying on insurance.


  • Lisa Hamilton

    November 22, 2015

    Hey Aaron,

    As always, a wealth of information! I also follow Jarod, so I had acquired most of this info quite some time ago, thanks to both of you. 🙂 However, just to clarify, should I be concerned about any/all of the following:
    Texting appointment reminders to patients?
    Emailing patients regarding their exercises or progress?
    Emailing physicians with patients’ treatment/progress-related information?
    I am not a covered entity, as I am 100% cash-based, but I want to be sure I’m not placing myself at risk…

    • Aaron LeBauer

      November 22, 2015

      Hey Lisa,
      Thank you very much for your comment and compliments. You have a great question. No, according to my understanding, I don’t believe you should be worried about these communications since your purpose and intention for them is not one of the “certain standard transactions.”

  • Sue Walker

    November 24, 2015

    Good article with straightforward, easy-to-understand, meaningful information. I am forwarding this to all the instructors at the school so they will have answers for students when these types of questions come up.
    Sue Walker

    • Aaron LeBauer

      November 24, 2015

      Thanks Sue, I’m glad this information has been helpful.

  • Jessica

    November 30, 2015

    I’m also 100% cash based. As of now, I use good old-fashioned paper charts. If I were to use an online program, such as PracticeFusion, but I don’t send these notes to anyone, then that is okay (i.e. still not a covered entity)? I could print and then standard fax or snail mail if I needed... correct?

    Interaction via email with patients to schedule appointments... am I still in the clear?

    I do use the HCFA 1500 form as an invoice for a patient if they want to send it to their insurance company for reimbursement... if they scan it and send it in to insurance, does that turn me into a covered entity?

    And how do you keep your schedule? Can I use my phone if I don’t put in full names, and still remain a non-covered entity?

    Sorry if you’ve already answered these questions, I’m just trying to clarify.

    • Aaron LeBauer

      November 30, 2015

      Great questions.
      Yes, just using an online documentation program does not make you a “covered entity.” Yes, you can print and snail mail or use a standard fax and still not be a “covered entity.”
      Emailing patients does not make you a “covered entity” and is not a “certain standard transaction.”

      When a patient scans and sends a HCFA to their insurance as a self-claim, that does not make you a “covered entity.”

      I use Google Calendar for my schedule. Yes, you should be able to use your phone and can use the patient’s full name. Just be sure to use a lock code to get into your phone. With that, along with your email/calendar password, you are taking reasonable precautions to safeguard your patients’ private information.

      I hope this helps clear things up.

  • Mary Ruth Velicki

    December 3, 2015

    Hi Aaron,
    I think you addressed this with Jessica, but I’m going to ask anyway! How about this scenario: you are a cash-based provider, but the client requests that treatment notes be sent to their insurance provider for reimbursement. You send them with a stand-alone fax connected to the phone line. However, they are not hand-written; they have been previously written in a Word document and stored electronically. Is this still in line with being a non-covered entity?

    Thanks for your time,
    Mary Ruth

    • Aaron LeBauer

      December 3, 2015

      Mary Ruth,
      Yes, that shouldn’t be a problem, because you printed them out; they exist in analog format prior to putting them into the fax machine. The reason is that anything you put into a fax machine (whether it is handwritten, typed on a typewriter, or created in a word processor and then printed) is not considered an electronic transmission of data.

  • Mary Ruth Velicki

    December 3, 2015

    A sideline question. Do you use a super-bill or the HCFA 1500 as an invoice for your patient treatment? Is there a benefit to the HCFA 1500 if you are not a Medicare provider?

    • Aaron LeBauer

      December 3, 2015

      I provide a super bill like this one. Some insurance providers will want their patients to use an HCFA; when that happens, they usually bring it in to the clinic. I fill out the information that does not change and sign it, then instruct them to make photocopies and to put in the individual dates and codes that are in the receipts I gave them.

  • Jessica

    December 7, 2015

    Another question... in addition to having my own space that I rent and see patients in on a cash basis only (which we’ve determined above is a non-covered entity), I also do some contract work on the side for a bigger company. Since I’m a contractor there, I’ve considered it a service I’ve been providing as part of my own business. The question is, if THEY ARE a covered entity, will that in turn make my whole business a covered entity? Or can these two different “jobs” be looked at separately?

    • Aaron LeBauer

      February 22, 2016

      Hi Jessica,
      Thanks for your question. Sorry I haven’t replied sooner; I must have missed the comment notification.

      Look at the flow sheet above from the perspective of your corporation. Is your corporation in any capacity participating in “certain standard transactions” or communicating electronically? If you are a contractor and you personally or your corporation are not doing these, then according to the flow chart you are not a “covered entity.” If when working for this other company you are, or you feel you need another layer of protection, it wouldn’t hurt to be employed there as yourself individually rather than as your physical therapy company/corporation. Even establishing another business entity for your sub-contracting jobs would be something to consider.

  • Aaron LeBauer

    February 22, 2016

    Hi Aaron,
    I’m getting really close to opening my cash practice and have been looking closely at “covered entity” status. Does sending a POC through email to a physician put you into covered entity status? I’ve seen you talk extensively about snail mail and standard faxing, but not email. Thanks in advance for any advice.

    Hey, thanks for contacting me.
    As posted above, the following are “certain standard transactions”:
    claims and encounter information
    payment and remittance advice
    claims status
    eligibility
    enrollment and disenrollment
    requests to obtain referral certifications and authorizations
    coordination of benefits
    premium payment

    From my understanding, communicating with a patient’s physician via email does not create “covered entity” status. However, if you are requesting a “referral certification or authorization” it may, and I don’t know exactly how those terms are defined. If you need a signed plan of care, that’s not a referral certification in my interpretation. I’ve never been in-network, and we have direct access, so I don’t have experience with what is entailed in obtaining a “referral certification.”
    If you are just sending the POC to the physician, I don’t think it’s a problem. Standard faxing and snail mail just take out half of the equation, so it doesn’t matter what the “intent” of your communication is.
    I hope that helps.

  • Carrie Jose

    March 14, 2016

    Hi Aaron,

    I just hired a virtual assistant and we are in the process of handing over all of my client-care needs to her. We are going to transition to using Google Docs and Google Drive so that she can have access to my schedule and patient notes in case I need her to fax anything for me.

    As a completely cash-based practice (no billing, no Medicare), do I need to sign a BAA with Google and use their HIPAA-level option? I’m a little nervous about having all of that info in the cloud. Let’s say I do go with their HIPAA option just to be “safe”; does that automatically make me a covered entity because I signed something with them?
    My second question is: if I want to use an efax instead of a land-line fax (I don’t have a landline), and I am only sending notes to doctors and/or receiving them, does that make me a covered entity? The notes originate from my computer.

    I get confused about what a covered transaction is. Is it the info being sent or is it the mode of transmission that makes it a covered transaction? For example, I’m only sending notes to a doctor, not sending information to a third-party payer for reimbursement.

    Thank you!

  • Aaron LeBauer

    March 15, 2016

    Hey Carrie,
    Thanks for your question and post.

    I am not a HIPAA covered entity and don’t have any BAAs signed. You need to sign a BAA if you are a HIPAA “covered entity.” If you are, it only costs $10/month for the Google option where they will sign a BAA with you.

    If your practice is like mine, then you are likely not a HIPAA covered entity. If you email or send patient info electronically to your patient’s insurance companies, then that could make you a HIPAA covered entity.

    Emailing information to patients or to providers about their patients does not make you a covered entity.

    HIPAA “covered entity” status is determined by 2 things: 1) the type of communication, electronic or analog, and 2) the intent or reason for the communication, the “certain standard transactions.”

    I use analog fax still to be certain that my intent or reason for communicating is a null point; however, if you are not participating in any of the “certain standard transactions,” it shouldn’t matter how you communicate, whether electronically or not. I personally don’t believe that only sending an internet fax meets the requirement for HIPAA “covered entity” status, because the flow chart states you must also be participating in a “certain standard transaction.” There is not a lot of detail about what these transactions include; however, I’m pretty confident that it’s not a problem. Communication with the patient’s provider via email is not a “certain standard transaction” and when done alone does not put you in “covered entity” status.

    Remember though, I am not a legal advisor 😉 and have to leave it up to you to make the best decision for your practice.

    Google email, calendar, cloud storage (Drive) and Docs are secure; otherwise they wouldn’t offer the BAA option. Be sure to use a long and unique password. If you do sign a BAA when you are not a HIPAA covered entity, what that might mean is that you “intend” to be a HIPAA covered entity. Signing a BAA doesn’t make any of the stored information more secure or safe.

    The problem is most education on HIPAA is geared towards entities that are assumed to be HIPAA covered entities, so be thoughtful and ask questions when you read or listen to their advice on how to proceed.
    I hope that helps!

    • Carrie Jose

      March 19, 2016

      Thank you so much Aaron for this comprehensive reply!! Truly appreciate it.

  • Laura

    October 26, 2017

    Thank you for this helpful article! I am an RDN and am starting my own private practice, so I’m trying to navigate whether or not to utilize HIPAA forms with clients and how to safeguard information.

    I’m stuck on the “certain standard transactions”; you wrote:

    “If you are a physical therapist in private practice and only accept payment by cash, check, debit or credit cards, these forms of billing/collection do not make you a covered entity.”

    What about if you accept payment online via an invoice/credit card like Square? I’m just confused whether accepting payment online in any form is what makes you a covered entity, or whether it’s working with insurance/accepting payment through insurance that makes you a covered entity.

    Thank you!

    • Aaron LeBauer

      November 14, 2017

      Thanks for your comment and question. As far as I know (I’m not a lawyer), accepting payment via Square is not a problem and does not make you a “covered entity.” It’s more about accepting payment from insurance companies, because to do so you are sharing PHI with them.

  • Dina

    November 13, 2018

    Once you are a covered entity, are you always a covered entity? For example, I used to take Medicare and billed online. It was so few patients that I decided to drop Medicare. Now I am a 100% cash-based practice. Am I still a covered entity? I used to meet the requirements but no longer do. Thank you!

    • Aaron LeBauer

      November 27, 2018

      Hi Dina,
      Thanks for your question. This is certainly a complicated topic. Go back through the post and look for the difference between the Security Rule and the Privacy Rule.
      You will likely always be a “covered entity” as per the Privacy Rule; however, depending on the chart, your status may change as per the Security Rule depending on your billing and information-sharing practices.
      If you are still confused, it’s best to hire a lawyer to go through your documents with you, and for that I highly recommend working with Gwen Simons.
      Just let her know you found out about her here 😉
