HIPAA probably isn't the privacy law you think it is
"Is it HIPAA compliant?" is the first question most clinics ask - and, more often than people realize, the wrong one. What HIPAA actually is, and what really governs a reproductive health practice.
"Is this HIPAA compliant?" is the first question most clinics ask about any new tool. It's a reasonable instinct. It's also, more often than people realize, the wrong question.
Start with what HIPAA actually is. The Health Insurance Portability and Accountability Act passed in 1996 with two jobs: let people keep their coverage when they change jobs, and standardize the electronic paperwork of billing - claims, eligibility checks, remittances - so providers and insurers could stop faxing each other. At its core, HIPAA is a framework for how the people who pay for care exchange information with the people who deliver it. It's plumbing for insurance.
The privacy part everyone means came later. The Privacy Rule and the Security Rule were bolted on to protect the patient information moving through that plumbing. They matter enormously. But they're a wing of an insurance-billing law, not a general-purpose privacy statute - and in this specialty, that distinction has teeth.
"Covered entity" is where people get lost
HIPAA doesn't apply to everyone who touches health information. It applies to covered entities and the vendors working on their behalf.
A covered entity is a health plan, a clearinghouse, or a health care provider who sends health information electronically in connection with a billing transaction. The trigger is the billing transaction. A provider becomes a covered entity, in practice, by submitting claims to insurance electronically.
A business associate is a vendor handling that information for the clinic - the billing company, the records system, the place the backups live. They're bound through a Business Associate Agreement.
Notice what's missing from the list. A period-tracking app. A data broker. Your patient's phone. None of them is a covered entity, which means "is it HIPAA compliant?" is a meaningless question to ask about a consumer app. HIPAA was never pointed at it.
The part that catches reproductive health clinics
Here's where this specialty leaves the textbook. A large share of reproductive and abortion care providers don't bill insurance - cash-pay, sliding scale, grant- and donation-funded. If a clinic never sends an electronic claim to a health plan, it may not be a covered entity at all. Which means the HIPAA Privacy Rule may not technically apply to it.
That surprises people. It should not reassure them.
The obligations don't vanish when HIPAA steps back - they move. A cash-pay clinic outside HIPAA is still squarely inside:
- State medical-privacy laws, many of them broader than HIPAA and triggered no matter how you bill - California's Confidentiality of Medical Information Act, Washington's My Health My Data Act, and a growing list of others.
- Record-keeping and retention rules - how long you keep a chart, what has to be in it - set by state law and your licensing board, not by HIPAA.
- Professional and ethical duties of confidentiality that bind the clinician regardless of any statute.
- Federal consumer-protection rules from the Federal Trade Commission for health data that falls outside HIPAA's reach.
So the clinic that figured "we don't bill insurance, so privacy is simpler" usually has it backwards. More rules, from more directions - and far less of the off-the-shelf "HIPAA-ready" tooling built to fit them.
Why this matters more here than almost anywhere
In this specialty, the risk isn't only a careless breach. It's a record that exists, kept longer than it had to be, requested by someone you didn't expect. Encryption is the easy part. The harder questions are what you collect, what you keep, for how long, and who can compel it - and HIPAA's framework barely speaks to several of those. It may not even be the framework you're governed by.
The practical version
You don't need to memorize which statute applies to your clinic. You need two things. First, someone who can tell you which rules actually bind you - a health care attorney licensed in the states you operate in, because this is genuinely state-by-state. Second, systems built around those rules instead of a vendor's checkbox that says "HIPAA compliant."
That second part is our job. We build for the obligation, not the acronym: collect less, keep only what the rules require, keep identifiers out of the places they don't belong, make every access auditable. Whether or not the law happens to call you a covered entity.
If "is it HIPAA compliant?" is the only privacy question your tools can answer, you're not protected. You're compliant with the part everyone remembered the name of.
This is background, not legal advice. Which rules apply to your clinic depends on your states and how you operate - a health care attorney can tell you exactly where you stand.