Does HIPAA Apply if We’re Cash-Only or Don’t Bill Insurance?

Executive summary

A cash-only practice is not automatically outside HIPAA. HIPAA applies to a health care provider only if the provider fits the definition of a “covered entity,” which for providers turns on a single test: whether the provider transmits any health information in electronic form in connection with a HIPAA “transaction” for which HHS has adopted standards.

If a practice truly never conducts any of the standard electronic administrative transactions (claims, eligibility inquiries, claim status, referral authorization, and similar transactions listed in the regulations), and it does not use a billing service or clearinghouse to conduct them on its behalf, the practice generally is not a HIPAA covered entity and HIPAA does not legally apply to it as a covered entity. HHS states plainly that if an entity does not meet the definition of a covered entity or business associate, it does not have to comply with HIPAA.

The practical trap is that many “cash-only” clinics still conduct at least one standard transaction electronically without thinking of it as “billing,” most commonly an electronic eligibility check, a prior authorization/referral authorization request, or an electronic claim submission done as a courtesy for out-of-network reimbursement, often via a third-party billing service or clearinghouse. HHS explicitly states that using electronic technology like email does not make a provider a covered entity, but transmitting health information electronically in connection with standard transactions does, and a provider is covered whether it transmits directly or uses a billing service or other third party to do so on its behalf.

Informational note: This report is for informational purposes only and does not constitute legal advice.

The precise legal test that determines HIPAA applicability for cash-only clinics

HIPAA’s definition of “covered entity” is in 45 CFR § 160.103. A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Two definitional sub-points matter for small, cash-only practices. First, “health care provider” is defined broadly as any person or organization who furnishes, bills, or is paid for health care in the normal course of business. Cash-only practices are still health care providers; the question is whether they also become covered entities by conducting the relevant electronic transactions.

Second, “transaction” is defined as transmissions of information between two parties to carry out financial or administrative activities related to health care, and the regulation lists the types of transmissions that count, including health care claims, eligibility, claim status, referral certification and authorization, payment and remittance advice, and others.

HHS OCR’s Privacy Rule summary translates the test into operational English: every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity; the listed examples include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has adopted standards under the Transactions Rule. HHS also states a critical limiter: using electronic technology such as email does not make a provider a covered entity; the transmission must be in connection with a standard transaction.

The implication is blunt. “Cash-only” is not the legal test. “Do we electronically conduct any standard transaction, directly or through a vendor” is the legal test.

What counts as “electronic transmission” and what does not

HIPAA’s covered-entity test for providers uses the phrase “transmits any health information in electronic form.” That concept is often confused with “we use computers,” “we use an EHR,” or “we email patients.” HHS explicitly rejects that confusion: email is electronic technology, but it does not, by itself, make a provider a covered entity because the transmission must be tied to a standard transaction.

A related source of confusion is faxing and phone calls. HIPAA defines “electronic media” and explains that certain transmissions, including paper via facsimile and voice via telephone, are not considered transmissions via electronic media if the information did not exist in electronic form immediately before the transmission. This definition is most important for determining when PHI is “electronic PHI” for Security Rule purposes, but it also illustrates why many paper-to-paper workflows (paper chart copied and faxed) do not automatically become “electronic” just because they moved over a wire. The bigger compliance point for cash-only status is not “did a phone line carry it,” but “did the clinic conduct a HIPAA standard transaction electronically.”

There is a particularly important modern clarification for clinics that use payer portals. The Transactions Rule recognizes “direct data entry” (DDE), defined as direct entry of data (for example, via web browsers) that is immediately transmitted into a health plan’s computer. Under the Transactions Rule, when a provider chooses to use direct data entry offered by a health plan to conduct a covered transaction, the provider must use the standard’s data content and data condition requirements, even though the provider is not required to use the format requirements of the standard. This is the decisive detail for cash-only clinics: “we don’t do EDI, we just use the plan’s website” can still mean the clinic is conducting standard transactions electronically.

Edge cases that frequently make “cash-only” clinics HIPAA covered

The easiest way to analyze edge cases is to keep the transaction list and the “on your behalf” concept in your head at the same time. Under 45 CFR § 160.103, transactions include eligibility, referral certification and authorization, and claims, among others. Under HHS guidance and CMS’s covered entity decision tool, it does not matter whether the provider transmits directly or uses another entity to conduct those transactions.

Eligibility checks, even if you never submit a claim

The eligibility transaction is defined in 45 CFR § 162.1201 as an inquiry from a health care provider to a health plan, and the response, to obtain information about eligibility, coverage, or benefits. If your front desk logs into payer portals and checks benefits electronically, you are often engaging in the “eligibility for a health plan” transaction even if you never submit a claim.

Prior authorization and referral authorization workflows

Referral certification and authorization is itself a standardized transaction in Part 162, defined as a request to obtain authorization for health care or for referring an individual to another provider, and the response. A cash-only clinic can trigger covered entity status if it performs electronic authorization transactions as part of seeking plan approval for a service, even when the patient intends to pay out-of-pocket and seek reimbursement later.

E-claims via third-party billing services, including “courtesy” submissions

HHS OCR explicitly states that a provider is a covered entity whether it electronically transmits standard transactions directly or uses a billing service or other third party to do so on its behalf. CMS’s covered entity decision tool is even more explicit: if a provider uses another entity (such as a clearinghouse) to conduct covered transactions in electronic form on its behalf, the provider is considered to be conducting the transaction in electronic form.

This matters because many “cash-only” clinics still submit out-of-network claims as a courtesy, use a billing company to generate and transmit claims, or outsource revenue-cycle workflows for the subset of patients who insist on insurance submission. Those choices usually convert the practice into a HIPAA covered entity, and HIPAA applies to the practice’s PHI, not only to “insured patients.”

Clearinghouses and when they are covered entities versus business associates

A “health care clearinghouse” is itself a covered entity under 45 CFR § 160.103. The definition of “health care clearinghouse” includes entities such as billing services and “value-added networks” that process or facilitate the processing of nonstandard health information into standard data elements or a standard transaction, or vice versa.

But clearinghouses can also function as business associates when they perform transaction-related services for a covered entity. Part 162 explicitly contemplates that a covered entity may use a business associate, including a health care clearinghouse, to conduct a covered transaction and must require the business associate (and its agents/subcontractors) to comply with applicable Part 162 requirements. Part 162 also describes how clearinghouses translate transactions on behalf of covered entities.

In plain terms: the clearinghouse is always in HIPAA-land as a covered entity, and when it processes transactions for a provider that is a covered entity, it is also wearing a business associate hat for that provider.

Patient portals and EHRs do not automatically trigger covered entity status, but payer portals can

HHS draws a clean line: using electronic technology such as email does not make you a covered entity; you must transmit health information electronically in connection with a standard transaction. A patient portal used for communicating with patients, delivering records, or scheduling is not, by itself, a HIPAA standard transaction under Part 162.

In contrast, a payer portal used for direct data entry to conduct eligibility inquiries, claim-status checks, or referral authorization transactions is within the Part 162 transaction ecosystem, even though the portal entry may not use the standard transaction format.

Hybrid arrangements inside one business

Most small practices use “hybrid” to mean “some services are cash-only and some are insurance-billed.” HIPAA’s provider test is not service-specific. A provider becomes a covered entity if it transmits any health information electronically in connection with a covered transaction. Once that is true, the practice must comply with HIPAA’s privacy and security requirements for all of its PHI, not only the PHI of insured patients.

If a larger organization truly has covered and non-covered functions under one legal entity, HIPAA’s “hybrid entity” concept may apply, requiring designation of health care components and compliance controls around those components. Many small clinics should treat this as an “only if you have counsel and structure” path, because mis-designation can create more confusion than clarity.

Safe harbor scenarios and the “cash-only but still careful” posture

The clearest safe harbor is the negative case: a provider that never conducts any Part 162 standard transactions electronically, does not use any billing service or clearinghouse to conduct them electronically on its behalf, and is not otherwise a business associate. Under HHS guidance, such an entity does not have to comply with HIPAA.

That said, “HIPAA does not apply” is not the same as “no privacy obligations exist.” State medical confidentiality laws, consumer protection rules, professional licensing obligations, and contractual obligations can still impose privacy and security duties. HIPAA is only one layer. HHS’s covered entities page is explicit that HIPAA applies to covered entities and business associates, and if you are not either, HIPAA does not apply. It does not say you have no other obligations.

A defensible operational position for truly non-covered cash-only clinics is to minimize risk anyway: limit ePHI sprawl, restrict vendor access, and document your status determination so you can revisit it if your operations change (for example, you adopt payer eligibility tools). This is pragmatic risk engineering, even if HIPAA does not legally attach.

Determining status in a small clinic: workflow, evidence, and templates

The CMS covered entity decision tool is a useful anchor because it operationalizes the “on your behalf” concept and points directly to Part 162 transaction definitions. A defensible determination workflow should run at least annually and whenever billing or insurance workflows change.

A workable clinic decision checklist can be built around evidence rather than opinions. The evidence you need is straightforward: whether the practice (or a vendor acting for the practice) conducts any of the transactions listed in 45 CFR § 160.103 and Part 162 using electronic means, including direct data entry into health plan systems.

Table A: Scenario comparison for HIPAA applicability and controls

The scenarios below are derived from the covered entity definition in 45 CFR § 160.103, the transaction list in § 160.103, and CMS/HHS explanations about transactions conducted through clearinghouses or direct data entry.

Columns: Scenario; Does HIPAA apply as a covered entity?; Why; Recommended control posture.

Scenario 1: Pure cash, no eligibility checks, no claims, no prior auth, no claim status, no clearinghouse or billing service for those transactions
  • Does HIPAA apply as a covered entity? Often no
  • Why: Provider is not transmitting health info electronically in connection with a covered transaction
  • Recommended control posture: Document status determination; monitor operational drift; use privacy/security baseline anyway

Scenario 2: Cash-only but uses a clearinghouse or billing service to submit any claims or eligibility inquiries “on our behalf”
  • Does HIPAA apply as a covered entity? Yes
  • Why: Provider is considered to be conducting the transaction electronically when using another entity to conduct covered transactions on its behalf
  • Recommended control posture: Treat as full HIPAA program; BAAs with vendors; risk analysis; access controls; audit logs

Scenario 3: Cash-only but staff check insurance eligibility electronically “just to help the patient” via payer portal
  • Does HIPAA apply as a covered entity? Often yes
  • Why: Eligibility inquiry/response is a Part 162 transaction; direct data entry can still be conducting the transaction
  • Recommended control posture: Standardize process; restrict who can run eligibility; include in HIPAA compliance scope

Scenario 4: Cash-only with a patient portal only (messaging, scheduling, e-delivery of records), no insurance transactions
  • Does HIPAA apply as a covered entity? Not by itself
  • Why: HHS clarifies that email/technology use alone is not enough; the transmission must be tied to a standard transaction
  • Recommended control posture: Still treat PHI carefully; avoid assuming a HIPAA safe harbor for other laws

Scenario 5: Cash plus mixed model (some services billed to insurers, others cash) within the same legal entity
  • Does HIPAA apply as a covered entity? Yes
  • Why: Any covered transaction conducted electronically makes the provider a covered entity
  • Recommended control posture: Treat all PHI under HIPAA; avoid “cash-patient exemption” myths

Checklist fields and retention rules

If you conclude you are a covered entity, HIPAA requires you to retain required HIPAA documentation for six years from creation or the date last in effect, whichever is later. A status determination memo is not explicitly enumerated in HIPAA, but it is a high-value record because covered entity status drives whether OCR has jurisdiction.

The table below is a practical documentation structure, anchored to HIPAA’s six-year documentation retention rule for required documentation once HIPAA applies.

Columns: Artifact; Exact fields to include; Who signs; Retention (if HIPAA applies).

Artifact 1: Covered entity decision memo
  • Exact fields to include: Entity legal name; service lines; transaction inventory (claims, eligibility, claim status, referral auth, EFT/remittance); electronic methods used; vendors involved; conclusion and rationale; effective date; review date
  • Who signs: Privacy officer or owner; counsel if available
  • Retention (if HIPAA applies): 6 years is a defensible minimum aligned to HIPAA retention expectations

Artifact 2: Vendor classification log
  • Exact fields to include: Vendor; service; touches PHI (Y/N); performs Part 162 transaction (Y/N); in-scope systems; BAA required (Y/N); BAA executed date; subcontractors; termination/offboarding plan
  • Who signs: Compliance lead
  • Retention (if HIPAA applies): Same as above

Artifact 3: Transaction evidence file
  • Exact fields to include: Screenshots or export logs showing eligibility lookups, submitted claims, payer portal usage, clearinghouse contracts, billing service workflows; SOP references
  • Who signs: Ops lead
  • Retention (if HIPAA applies): Same as above

Sample templates

These are practical templates designed to create the evidence a clinic needs. They are not legal advice, and they should be adapted to your state and your vendor ecosystem.

Vendor questionnaire (transaction and PHI exposure)

  • Vendor legal name and services provided

  • Do you create, receive, maintain, or transmit PHI for us? Describe where and how

  • Do you conduct any HIPAA standard transactions (claims, eligibility, claim status, referral authorization, EFT/remittance) on our behalf? If yes, which

  • Do you use direct data entry into payer systems on our behalf? If yes, describe

  • Do you have subcontractors that will access or maintain PHI? List and describe controls

  • Will you sign a HIPAA Business Associate Agreement that covers these services?

  • Security controls: access control, MFA, audit logs, encryption at rest/in transit, incident response, breach notice process

  • Data retention and deletion: timelines, backups, secure disposal

  • Evidence: attach SOC report, security summary, or equivalent assurance documents

Vendor classification log (one row per vendor)

  • Vendor name; category (EHR, portal, billing, clearinghouse, eligibility tool)

  • PHI touchpoints and systems

  • Part 162 transaction involvement (none, eligibility only, claims, authorization, multiple)

  • Business associate status determination (and rationale)

  • BAA status and renewal date

  • Incident contact and response SLA

  • Offboarding plan and data return/destruction confirmation

Status determination memo (one page)

  • “We are (or are not) a covered entity because…”

  • Transaction inventory: explicit yes/no for each transaction category

  • Evidence attached: payer portal screenshots, billing service contracts, clearinghouse account records

  • “Operational change triggers a re-review if…” (new eligibility tool, new payer portal workflow, any claim submission, any outsourced billing)

  • Signature block and annual review date

Enforcement risk and what OCR and CMS are signaling

The central enforcement risk for cash-only clinics is not “OCR will hunt you down for being cash-only.” It is that a clinic will incorrectly assume HIPAA does not apply, operate without a HIPAA program and without business associate agreements, and then discover after an incident or complaint that it was a covered entity because it conducted a standard transaction electronically or through a vendor.

HHS OCR emphasizes that covered entities that engage business associates must have a written business associate contract and that business associates are directly liable for certain HIPAA provisions. OCR has imposed significant settlements for failures to execute BAAs, including a $750,000 settlement with Raleigh Orthopaedic Clinic for failing to execute a business associate agreement prior to disclosing PHI to a vendor, and a $1,550,000 settlement with North Memorial Health Care involving failure to implement a business associate agreement and failure to conduct an organization-wide risk analysis.

CMS’s National Standards Group has also published guidance clarifying that complaints frequently arise against entities conducting standard transactions that do not meet the regulatory definition of a covered entity, and that such entities typically function as business associates providing services or conducting transactions on behalf of covered entities. CMS further states that a covered entity is responsible for noncompliance of its business associate in the administrative simplification transaction context and that business associate actions may be imputed to the covered entity.

A specific OCR enforcement example where “cash-only” status itself was litigated as the decisive issue was not identified in primary OCR enforcement materials during this research. Most enforcement narratives assume covered-entity status and focus on concrete compliance failures (risk analysis, BAAs, access rights, breaches). That gap is itself a useful insight: the risk is not a named “cash-only crackdown,” it is misclassification leading to basic compliance omissions.

Practical controls for cash-only clinics

If you are truly not a covered entity, you still reduce real-world risk by shrinking your PHI footprint and tightening vendor governance, because breaches and patient trust failures are expensive even without OCR jurisdiction.

If you are a covered entity, the control set looks familiar but should be tuned to the edge cases that created covered status in the first place. Eligibility tools and payer portals need role-based access and logging. Vendors that conduct transactions on your behalf need BAAs and oversight. Documentation of your status and vendor inventory should be maintained like any other compliance artifact, with retention aligned to HIPAA’s six-year documentation rule for required HIPAA documentation.

Short decision flow clinicians and managers can follow

If you want a fast decision flow that is usually correct, it is this:

If your practice, or any vendor acting for your practice, submits claims, checks eligibility, requests referral authorization, checks claim status, or exchanges remittance/EFT information with health plans electronically (including through payer portals), treat the practice as a HIPAA covered entity and build your compliance program accordingly.

If you do none of those, and you have evidence that you do none of those, HIPAA likely does not apply to you as a covered entity. Document that determination and re-check it whenever your workflows change.

Sources

HHS OCR: Covered Entities and Business Associates

https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

HHS OCR: Summary of the HIPAA Privacy Rule (who is covered; standard transaction test; email does not trigger; billing service on your behalf counts)

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

45 CFR § 160.103 (definitions: covered entity, health care provider, transaction, electronic media, clearinghouse)

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103

45 CFR Part 162 (Administrative Simplification transactions and code sets)

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162

45 CFR § 162.923 (direct data entry exception; use of business associates for transactions)

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162/subpart-I

45 CFR § 162.1101 (health care claims transaction definition)

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162/subpart-K/section-162.1101

45 CFR § 162.1201 (eligibility transaction definition)

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162/subpart-L/section-162.1201

45 CFR § 162.1301 (referral certification and authorization transaction definition)

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162/subpart-M/section-162.1301

45 CFR § 162.930 (clearinghouse additional rules)

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-162/section-162.930

CMS: Administrative Simplification Covered Entity Decision Tool (provider using clearinghouse “on its behalf” counts as electronic transaction)

https://www.cms.gov/regulations-and-guidance/administrative-simplification/hipaa-aca/downloads/coveredentitieschart20160617.pdf

CMS: HIPAA Administrative Simplification Regulations Overview (Part 162 overview; lists standard transactions; business associate use; DDE exception)

https://www.cms.gov/files/document/hipaa-admin-simp-regulations-fact-sheet.pdf

CMS: Guidance on Direct Data Entry (DDE) and use of automated tools (June 24, 2021)

https://www.cms.gov/files/document/guidance-direct-data-entry-dde-and-use-automated-tools-entering-data.pdf

CMS: Guidance on HIPAA Covered Entities’ responsibility to require Business Associates’ compliance with Administrative Simplification requirements (GL-2022-03)

https://www.cms.gov/files/document/guidance-letter-business-associate.pdf

OCR enforcement examples for BAA failures (risk illustration)

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic-bulletin/index.html

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html

45 CFR § 164.530(j)(2) (documentation retention period, six years)

https://www.law.cornell.edu/cfr/text/45/164.530

45 CFR § 164.105 (hybrid entity organizational requirements, where applicable)

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.105
