Why HIPAA Compliance Matters for Wellness Practitioners
Many wellness practitioners assume HIPAA only applies to hospitals and physicians' offices. In reality, if you collect, store, or transmit protected health information - and most practitioners do - you have legal obligations under HIPAA. Understanding the basics now saves you from expensive problems later.
Who needs to comply
HIPAA applies to "covered entities" (health care providers who transmit health information electronically) and their "business associates" (vendors who handle that information on their behalf). If you bill insurance, submit electronic claims, or use software that stores client health data, you are likely a covered entity.
Even if you are not technically covered, many states have their own privacy laws that impose similar requirements. And increasingly, clients expect their health information to be handled with care regardless of what the law strictly demands.
What counts as protected health information
Protected health information (PHI) is any individually identifiable health data. This includes obvious items like diagnoses, treatment notes, and medical histories. But it also covers appointment dates, email addresses linked to health services, payment records for treatments, and even the fact that someone is your client at all.
If you can connect a piece of information to a specific person and it relates to their health or your services, treat it as PHI.
Business associate agreements
Every vendor that handles your client data - your practice management platform, email service, cloud storage provider, payment processor - should have a signed Business Associate Agreement (BAA) with you. A BAA is a legal contract that requires the vendor to protect PHI according to HIPAA standards.
If a vendor will not sign a BAA, that is a clear signal not to use them for anything involving client health data. This is one of the most important questions to ask when evaluating any tool for your practice.
Choosing HIPAA-compliant tools
Not every scheduling tool or note-taking app is built with HIPAA in mind. When evaluating platforms, look for explicit HIPAA compliance statements, available BAAs, data encryption (both in transit and at rest), access controls, and audit logging.
Stillpoint is designed with these requirements built in, so practitioners can manage client records, notes, and communications without worrying about compliance gaps.
Common mistakes to avoid
The most frequent HIPAA violations among small practices are avoidable. Sending client health information over unencrypted email, using personal phones for client texting without proper safeguards, storing notes in consumer-grade apps like Google Docs, and failing to have BAAs with vendors all create real risk.
Other common oversights include not having a written privacy policy, not training staff on PHI handling, and not knowing what to do in the event of a data breach. Even solo practitioners need a basic breach notification plan.
Moving forward with confidence
HIPAA compliance is not about perfection - it is about taking reasonable steps to protect your clients' information. Start by auditing the tools you use today, ensure you have BAAs in place, and choose platforms that take security seriously.
If you are looking for a practice management platform that handles compliance so you can focus on your clients, explore Stillpoint with a free account.