Many cash practices have the misconception that HIPAA does not apply to them. Well, that may be true in some respects, BUT… state privacy laws may actually be more stringent. In the coming years, more states will implement privacy laws to protect consumers from privacy and security failures driven by the rise in cybercrime.
So, when practices compare HIPAA vs. state privacy laws, HIPAA sets a federal floor for covered entities. Cash practices escape HIPAA’s reach but land directly in a patchwork of state laws that can be equally or more demanding. The absence of HIPAA liability is not the absence of privacy liability.
What is HIPAA and Who Must Comply?
HIPAA (Health Insurance Portability and Accountability Act) applies to covered entities. This includes health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with certain standard transactions (like billing insurance).
If you never bill insurance and never transmit health information electronically for covered transactions, you are likely not a HIPAA covered entity.
Cash-Only or Direct-Pay Practices and HIPAA
Although a cash-only or direct-pay practice may not fall under the HIPAA rules, there are other laws it must follow, and it still has significant legal obligations to protect patient information.
Specialized Federal Privacy Laws
Depending on the services provided, additional federal laws may apply, such as:
- 42 CFR Part 2 for certain substance use disorder treatment records.
- Federal protections for certain research records.
- Privacy requirements related to employment or occupational health records.
Federal Trade Commission (FTC) Health Breach Notification Rule
The FTC Health Breach Notification Rule may apply to certain health apps, telehealth providers, and other businesses that are not covered by HIPAA if they experience a breach of individually identifiable health information.
Federal Trade Commission (FTC) Act
The Federal Trade Commission can investigate businesses that:
- Misrepresent their privacy practices.
- Fail to safeguard consumer information after promising to do so (this includes posting a “HIPAA Compliant” seal on a website).
- Engage in unfair or deceptive acts involving personal information.
State Privacy Laws Fill the Gap
State privacy laws typically:
- Govern how long records must be retained (varies: 5–10+ years by state)
- Define patient rights to access and amend their records
- Specify which disclosures are authorized
- Apply to all providers regardless of insurance billing status
- Impose civil penalties for unauthorized disclosures
- Require protection of electronic health records
These laws often apply regardless of whether the provider accepts insurance.
State Medical or Dental Practice Licensing Boards
State licensing boards generally require licensed healthcare providers to:
- Maintain confidential patient records.
- Secure electronic records.
- Maintain complete and accurate documentation.
- Retain records for the required period.
- Protect patient information from unauthorized access.
Failure to do so can result in disciplinary action, including license suspension or revocation.
State Consumer Health Privacy Laws
Several states have enacted broader health privacy laws that apply beyond HIPAA. Examples include:
- California – The California Confidentiality of Medical Information Act (CMIA) applies broadly, including to providers not covered by HIPAA, alongside the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
- Colorado – Outlines five key rights for Colorado consumers: the right to access, the right to correction, the right to delete, the right to data portability, and the right to opt out.
- Connecticut – The Connecticut Data Privacy Act (CTDPA) includes stronger data protections for children.
- Florida, Texas, New York – each have specific statutes governing patient records, breach notification, and consent requirements.
- Washington – The My Health My Data Act (2023) extends beyond HIPAA to cover consumer health data broadly.
Most states have implemented similar privacy laws; some are more stringent, while others apply only to larger entities. Keep in mind that these laws may apply even when HIPAA does not.
State Data Breach Notification Laws
All 50 states have breach notification laws. If an EHR containing patient information is accessed without authorization, stolen, or otherwise compromised, the provider may have to notify:
- Affected patients.
- The state attorney general (in some states).
- Consumer reporting agencies (for large breaches).
The notification requirements vary by state.
Contracts with the EHR Vendor
Nearly every EHR agreement requires the practice to:
- Maintain account security.
- Control user access.
- Protect passwords.
- Report security incidents.
- Use the software appropriately.
Violating these contractual obligations can create liability.
Does using an EHR create security obligations?
Even if HIPAA does not apply, using an EHR means the practice should implement reasonable safeguards such as:
- Unique user accounts
- Strong passwords or passkeys
- Multi-factor authentication, when available
- Encryption of devices and backups
- Automatic screen locking
- Audit logs
- Routine software updates
- Staff confidentiality training
- Procedures for responding to security incidents
These measures are often considered evidence of reasonable care if a privacy dispute or data breach occurs.
Class Action Lawsuits
Medical data breaches carry significant class action lawsuit risk, as a single incident can expose the personal health information of many patients at once. Plaintiffs’ attorneys have increasingly targeted healthcare providers, insurers, and their vendors following breaches, alleging failures to implement reasonable and appropriate security measures, violations of state privacy statutes, and in some cases HIPAA-adjacent state law claims. Even cash-pay practices that fall outside HIPAA’s reach are not immune: state consumer protection laws, medical records statutes, and common law negligence theories can all support class action claims when patient data is compromised. Courts have become more receptive to standing arguments in data breach cases, and the cost of defending, let alone settling, a class action can be devastating for a practice of any size. Inadequate data security is not just a regulatory risk; it’s a litigation risk that no practice can afford to ignore.
A Smart Practice Even If Not Required
Many cash-pay providers voluntarily adopt HIPAA-like privacy practices because:
- It builds patient trust.
- It provides a defensible compliance standard.
- State laws often parallel HIPAA requirements anyway.
- It simplifies operations if the practice ever accepts insurance later.
Protect Your Organization Before It’s Too Late
HIPAA compliance isn’t a one-time project; it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper™ system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Protect your practice — and your patients.
Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.