Concierge Medicine Practice HIPAA Compliance: A Complete Checklist

Kevin Henry

HIPAA

January 19, 2026

8-minute read

HIPAA Applicability to Concierge Medicine

When you are a covered entity

As a concierge practice, you are a HIPAA covered entity if you are a health care provider that transmits any health information electronically in connection with standard billing or insurance transactions (for example, submitting claims, checking eligibility, prior authorization, or receiving remittance advice). If you operate as fully self-pay and never conduct these standard electronic transactions, you may not be a covered entity—but many such practices still follow HIPAA as a best practice.

Business associates and downstream vendors

Even small concierge teams rely on vendors that handle Protected Health Information (PHI). Electronic health records, billing services, cloud storage, answering services, telehealth platforms, IT support, and secure messaging providers are typically business associates. You must have written Business Associate Agreements that define permitted uses, safeguards, breach duties, and subcontractor flow-downs.

What counts as PHI?

PHI includes any individually identifiable health information related to a patient’s health, care, or payment. In concierge medicine, PHI can include membership status, appointment schedules, care plans, direct-pay invoices, and communications about diagnoses or medications—whether stored or shared verbally, on paper, or electronically.

Core HIPAA Rules Overview

Privacy Rule

The Privacy Rule governs how you use and disclose PHI. You may use PHI for treatment, payment, and health care operations, applying the minimum necessary standard. Patients have rights to access, receive copies, request amendments, request restrictions, and obtain an accounting of disclosures. You must issue a clear Notice of Privacy Practices and obtain acknowledgments, and you need authorizations for most marketing and non-routine disclosures.

Security Rule

The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Core tasks include a documented Risk Analysis, ongoing risk management, workforce security and training, access controls, authentication, transmission security, audit logging, device and media controls, and contingency planning. Encryption, multi-factor authentication, and robust logging are strongly recommended to reduce risk.

Breach Notification Rule

When there is an impermissible use or disclosure of unsecured PHI, you must assess the probability of compromise. If a breach occurred, notify affected individuals without unreasonable delay and within required timeframes, and follow reporting duties to regulators (and, for large events, the media). A tested Incident Response Plan ensures you investigate, decide, document, and notify correctly.

Enforcement and penalties

HIPAA violations can trigger civil monetary penalties that scale with culpability and corrective action. Documented, good-faith efforts—policies, training, audits, and timely remediation—significantly reduce exposure and demonstrate compliance maturity.

Documentation and Record Retention

What to document

  • Policies and procedures for the Privacy Rule, Security Rule, and Breach Notification Rule, plus version history and approvals.
  • Risk Analysis, risk management plan, and evidence of completed remediation.
  • Designation letters for privacy and security officers and governance meeting notes.
  • Training materials, attendance logs, competency checks, and sanctions records.
  • Business Associate Agreements and vendor due diligence files.
  • Notice of Privacy Practices, acknowledgments, authorizations, and refusal logs.
  • Access management records, workstation/device inventories, encryption attestations, and media disposal logs.
  • Audit logs, security incident records, and breach investigation files.
  • Contingency plans, backup/restore tests, and downtime procedures.

How long to retain

  • HIPAA compliance documentation: at least six years from the date created or when last in effect, whichever is later.
  • Medical records: follow state law and payer requirements; many states require 7–10 years for adults, and for minors, retention extends beyond the age of majority. Document your policy and apply it consistently.
  • Breach and incident files: retain alongside core HIPAA documentation to support investigations and enforcement inquiries.

Best Practices for Compliance

Build strong governance

  • Appoint privacy and security officers who meet regularly, track risks, and report to leadership.
  • Align policies with your concierge workflows—after-hours access, house calls, remote work, and VIP handling.

Harden your technology

  • Implement role-based access, unique user IDs, and multi-factor authentication across EHR, email, and portals.
  • Encrypt data at rest and in transit; manage laptops and phones with mobile device management and remote wipe.
  • Enable audit logs and real-time alerts for suspicious access, especially to VIP charts.

Secure patient communications

  • Use secure messaging and patient portals; avoid unencrypted texting or emailing PHI unless risks are explained and minimized.
  • Standardize call-back and voicemail protocols to prevent over-disclosure.

Manage vendors rigorously

  • Perform due diligence, execute BAAs, review security attestations, and require prompt breach notifications.
  • Limit vendor access to the minimum necessary and disable access promptly when contracts end.

Prepare and test response

  • Maintain a clear Incident Response Plan with roles, decision trees, counsel contacts, and notification templates.
  • Run tabletop exercises at least annually and after major system changes; document lessons learned and improvements.

Step-by-Step Compliance Checklist

  1. Decide if you are a HIPAA covered entity based on your electronic transactions with health plans.
  2. Map PHI: identify where it’s collected, stored, transmitted, and who can access it (people, systems, vendors).
  3. Appoint privacy and security officers and define governance cadence.
  4. Draft, approve, and publish Privacy, Security, and Breach Notification policies.
  5. Perform a comprehensive Risk Analysis covering administrative, physical, and technical safeguards.
  6. Create a risk management plan with owners, timelines, and measurable outcomes.
  7. Issue a clear Notice of Privacy Practices and collect acknowledgments from patients.
  8. Execute Business Associate Agreements and set vendor monitoring expectations.
  9. Implement role-based access, unique IDs, strong passwords, and multi-factor authentication.
  10. Encrypt devices and backups; deploy MDM with remote lock/wipe for laptops and phones.
  11. Enable audit logging across EHR, email, and file systems; schedule periodic access reviews.
  12. Document a patient rights workflow (access, amendment, restriction, and accounting of disclosures).
  13. Stand up a tested Incident Response Plan with breach assessment and notification procedures.
  14. Train all workforce members at hire and at least annually; track completion and sanctions.
  15. Establish contingency plans: data backup, disaster recovery, and downtime care protocols.
  16. Define secure communication standards for calls, messaging, telehealth, and house calls.
  17. Control physical security: clean-desk rules, locked storage, visitor logs, and media disposal.
  18. Set retention and destruction schedules for records and system logs, then document destruction.
  19. Audit for VIP access anomalies and run spot checks for minimum necessary use.
  20. Reassess risks at least annually and after major changes (new EHR, vendor, or service line).

Enhanced Privacy Protocols for Prominent Patients

Stronger access controls and oversight

  • Segment EHR records for VIPs; restrict access to a need-to-know care team.
  • Enable “break-glass” access that requires justification and triggers immediate alerts and reviews.
  • Run accelerated audit reports for VIP charts and investigate any curiosity access.
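The alerting called for under "Harden your technology" (audit logs and real-time alerts for suspicious access to VIP charts) and the break-glass and accelerated-audit controls listed above can be exercised against an EHR access-log export. The script below is an added example written for this article, not code from Accountable or any EHR vendor: the log columns, the VIP registry, the care-team roster and the role-to-action map are constructed assumptions, and a real deployment would read the equivalent data from the practice's own EHR audit export and access-control configuration.

```python
"""Audit-log review for VIP charts: flags non-care-team access, break-glass
events, and role/action mismatches (minimum necessary).

Added illustration; the log columns, VIP registry, care-team roster and
role-to-action map are constructed assumptions, not any EHR vendor's schema.
"""
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO

# Constructed sample export: one row per chart access. The break_glass column
# records whether the user invoked the emergency override; justification is
# the free-text reason the override prompt captured (empty if it was skipped).
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,break_glass,justification
2026-01-12T08:02:11Z,dr.alvarez,physician,P-1001,view_chart,no,
2026-01-12T08:15:40Z,nurse.kim,nurse,P-1001,view_meds,no,
2026-01-12T09:03:05Z,frontdesk.lee,front_desk,P-1001,view_notes,no,
2026-01-12T11:47:29Z,dr.osei,physician,P-1001,view_chart,yes,Covering for Dr. Alvarez during emergency call
2026-01-12T12:10:00Z,nurse.patel,nurse,P-1001,view_chart,yes,
2026-01-12T13:22:48Z,nurse.ross,nurse,P-1001,view_chart,no,
2026-01-12T13:40:02Z,nurse.patel,nurse,P-2002,view_chart,no,
"""

# Constructed registry: VIP-flagged charts and their need-to-know care teams.
VIP_PATIENTS = {"P-1001"}
CARE_TEAM = {"P-1001": {"dr.alvarez", "nurse.kim", "frontdesk.lee"}}

# Constructed minimum-necessary map: the actions each role needs to do its job.
CLINICAL_ACTIONS = {"view_chart", "view_notes", "view_meds"}
ROLE_ALLOWED_ACTIONS = {
    "physician": CLINICAL_ACTIONS,
    "nurse": CLINICAL_ACTIONS,
    "front_desk": {"view_demographics", "schedule_visit"},
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_id: str
    reason: str
    # urgent findings page the privacy officer at once; the rest go into the
    # accelerated VIP audit report for review
    urgent: bool


def review_vip_access(log_text, vip_patients=VIP_PATIENTS, care_team=CARE_TEAM):
    """Return one Finding per VIP-chart access that needs attention, in log order."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        pid = row["patient_id"]
        if pid not in vip_patients:
            continue  # ordinary charts stay on the routine audit cycle
        user, role, action = row["user"], row["role"], row["action"]
        on_team = user in care_team.get(pid, set())
        used_break_glass = row["break_glass"].strip().lower() == "yes"
        justification = row["justification"].strip()

        if used_break_glass:
            # every override is reviewed; one with no reason is alerted immediately
            if justification:
                reason, urgent = "break_glass_review", False
            else:
                reason, urgent = "break_glass_without_justification", True
        elif not on_team:
            # chart opened outside the care team with no override: curiosity access
            reason, urgent = "non_care_team_access", True
        elif action not in ROLE_ALLOWED_ACTIONS.get(role, set()):
            # on the team, but the action exceeds what the role needs
            reason, urgent = "action_outside_role_scope", False
        else:
            continue  # expected access by the care team within role scope
        findings.append(Finding(row["timestamp"], user, pid, reason, urgent))
    return findings


def summarize(findings):
    """Counts per reason, for the audit report header."""
    return dict(Counter(f.reason for f in findings))


def urgent_alerts(findings):
    """The subset that should page the privacy officer immediately."""
    return [f for f in findings if f.urgent]


if __name__ == "__main__":
    results = review_vip_access(SAMPLE_LOG)
    for f in results:
        print(f"{'ALERT ' if f.urgent else 'review'} {f.timestamp} "
              f"{f.user:<14} {f.patient_id} {f.reason}")
    print(summarize(results))
```

Run as a script, the sample produces two urgent alerts (a break-glass override with no justification and a chart opened by a nurse who is not on the care team) and two review items (a justified override and a front-desk user reading clinical notes). The same structure works as a scheduled job over the daily export: urgent findings feed the real-time alert channel, and the summary becomes the accelerated VIP audit report the privacy officer signs off.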

Discreet identity and communication

  • Use approved aliases or confidentiality flags; avoid revealing visit reasons on calendars and messages.
  • Honor preferred communication channels; avoid voicemail details and unencrypted emails with PHI.
  • Provide private check-in, scheduling, and waiting arrangements when feasible.

People, process, and environment

  • Require confidentiality agreements and targeted training addressing snooping and social engineering.
  • Prohibit photography and unauthorized device use in clinical areas; control visitor access.
  • Coordinate with security or executive assistants using minimum necessary data sharing.

State-Specific Regulations and Considerations

Understand preemption and “more stringent” rules

HIPAA sets a national floor. Where state laws are more protective of privacy or grant greater patient rights—such as shorter breach notice deadlines, special protections for sensitive health data, or longer retention—they prevail. Your policy should identify these areas and adopt the stricter rule.

Common state-law themes to track

  • Medical record retention periods, copy fees, and access timeframes.
  • Extra protections for mental health, substance use disorder, HIV/STI, reproductive, and genetic information.
  • Breach notification timing and content requirements that may be shorter or more prescriptive than HIPAA.
  • Consumer privacy laws that treat health-related data outside HIPAA as sensitive and regulate its use.
  • Telehealth, licensure, e-prescribing, and PDMP rules when caring for patients across state lines.

Conclusion

Concierge medicine can deliver highly personal care while meeting rigorous privacy and security standards. By confirming HIPAA applicability, mastering the Privacy, Security, and Breach Notification Rules, documenting diligently, and following the step-by-step checklist, you build a resilient compliance program. Layering enhanced safeguards for VIPs and aligning with stricter state laws completes a defensible, patient-centric approach.

FAQs

What makes a concierge medicine practice a HIPAA covered entity?

You are a covered entity if you are a provider that transmits health information electronically in connection with standard insurance transactions (such as claims, eligibility checks, or remittance). Fully self-pay practices that never conduct those transactions may not be covered entities, but they still often adopt HIPAA controls and must follow applicable state privacy laws.

How often should risk analyses be conducted in concierge medicine?

Perform a comprehensive Risk Analysis at least annually and whenever you introduce major changes—new EHR, new vendors, new locations, or new services. Reassess after any incident, and keep your remediation plan current with clear owners and timelines.

What are the key documentation requirements under HIPAA?

Maintain written policies and procedures, Risk Analysis and risk management plans, training logs, sanctions records, Business Associate Agreements, your Notice of Privacy Practices and acknowledgments, authorizations, access and disclosure logs, incident and breach files, audit logs, contingency plans, and device/media disposal records. Retain HIPAA documentation for at least six years.

How do state-specific laws impact HIPAA compliance in concierge practices?

State laws that are more protective than HIPAA control. They can mandate longer record retention, faster breach notices, additional consent for sensitive data, different access timelines, and consumer privacy duties for data not covered by HIPAA. Identify the stricter rule for each topic and incorporate it into your policies and workflows.
