Direct Primary Care Billing and HIPAA Compliance: A Practical Guide for DPC Practices
Overview of Direct Primary Care Billing
Direct Primary Care (DPC) replaces fee-for-service claims with predictable membership billing. You typically charge a monthly or annual fee that covers defined primary care services, with transparent cash prices for add-ons like labs, imaging coordination, or in-office medications.
Operationally, you need a reliable system for enrollment, invoicing, and autopay. Keep membership agreements clear about what is included, what is excluded, and how cancellations and refunds work. Provide itemized receipts and, if you choose, superbills for patients to submit on their own—avoiding electronic claim submission keeps your billing simple.
Even without insurance billing, you handle Protected Health Information (PHI) whenever you schedule, message, or document care. Choose vendors that protect PHI, minimize data you share, and avoid putting diagnosis codes or sensitive notes on receipts unless the patient specifically requests them.
For pass-through services, post prices up front, track inventory and dispensing rules, and keep documentation tight. Use tokenized payment processors rather than storing card numbers yourself, and separate accounting for prepaid revenue so membership periods are recognized accurately.
HIPAA Applicability to DPC Practices
Under HIPAA, a health care provider becomes a “covered entity” if the provider—or a vendor acting on the provider’s behalf—transmits health information electronically in connection with a covered transaction. Covered transactions include standard electronic claims (837), eligibility checks (270/271), claim status (276/277), prior authorization (278), remittance advice (835), and certain pharmacy claim standards.
If you never conduct those transactions electronically, you generally are not a HIPAA covered entity. Handing a patient a paper superbill, accepting cash or cards, using a portal for messaging, or sending referrals to labs does not, by itself, make you covered.
Electronic Prescribing typically does not, on its own, constitute a HIPAA standard transaction. However, if your e-prescribing or EHR platform also runs eligibility checks or submits claims on your behalf, those activities can trigger covered entity status. Remember: outsourcing a covered transaction to a billing service or clearinghouse still makes you the covered entity because they act on your behalf.
Regardless of status, many DPC practices adopt HIPAA-grade controls because the same safeguards reduce breach risk, strengthen patient trust, and align with state privacy obligations.
Implementing HIPAA Compliance Measures
If you are a covered entity, you must implement the HIPAA Privacy, Security, and Breach Notification Rules. Even if you are not covered, applying these controls is a prudent baseline for protecting PHI.
Governance and roles
- Designate a Privacy Officer and a Security Officer (one person can hold both roles in small practices).
- Publish a Notice of Privacy Practices, define a patient Right of Access process, and set retention schedules that meet state requirements.
- Train all workforce members initially and annually; document attendance and comprehension.
Risk management
- Conduct periodic Risk Assessments to identify threats to ePHI across people, processes, and technology.
- Create a remediation plan with owners, timelines, and measurable milestones; re-assess after major system or vendor changes.
Administrative Safeguards
- Access management: role-based access, unique IDs, immediate termination of access on separation.
- Policies and procedures: minimum necessary, device use, media disposal, incident response, and sanctions.
- Contingency planning: data backups, disaster recovery, and emergency operations with periodic testing.
Physical Safeguards
- Secure facilities and workstations; use locked storage for paper records and prescription pads.
- Device and media controls for laptops, tablets, and drives, including secure disposal and chain-of-custody logs.
Technical Safeguards
- Encryption in transit and at rest, multi-factor authentication, automatic logoff, and integrity checks.
- Audit controls: enable audit logs in your EHR, e-prescribing, and telehealth tools; review exceptions routinely.
- Transmission security for portals, texting, and telehealth; avoid unencrypted email or SMS with PHI unless you follow documented patient preferences.
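The audit-control item above is only useful if someone actually reviews the log for exceptions. The following script is an added example, not part of the original article and not the product of any EHR or e-prescribing vendor; it assumes a simple constructed audit-line format (`timestamp,user_id,action,record_id`), a constructed workforce roster, and per-role expected actions, all of which are assumptions for illustration. It flags the exception classes a small practice's Security Officer would want surfaced: access under an ID that is not in the roster, access by a separated workforce member (termination of access not enforced), actions outside a role's minimum-necessary set, after-hours access, and one user touching an unusual number of distinct charts.

```python
"""Audit-log exception review for a small practice (added example).

Assumed, constructed line format:  ISO-timestamp,user_id,action,record_id
The roster, role permissions and thresholds below are illustrative only.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed roster: user_id -> (role, still active?). Not real people.
ROSTER = {
    "dr.lee": ("clinician", True),
    "ma.ortiz": ("medical_assistant", True),
    "front.kim": ("front_desk", True),
    "ma.park": ("medical_assistant", False),  # separated; access should be gone
}

# Minimum-necessary mapping: actions each role is expected to perform.
ALLOWED_ACTIONS = {
    "clinician": {"view_chart", "edit_note", "export_chart"},
    "medical_assistant": {"view_chart", "edit_vitals"},
    "front_desk": {"view_demographics", "schedule"},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed clinic hours
BULK_VIEW_THRESHOLD = 5                      # distinct charts per user per review window

# Constructed sample audit lines (no real patients or staff).
SAMPLE_LOG = """\
2024-03-04T08:15:00,dr.lee,view_chart,P1001
2024-03-04T08:20:00,dr.lee,edit_note,P1001
2024-03-04T09:02:00,ma.ortiz,edit_vitals,P1002
2024-03-04T09:30:00,front.kim,schedule,P1003
2024-03-04T10:05:00,front.kim,view_chart,P1004
2024-03-04T10:10:00,ma.park,view_chart,P1005
2024-03-04T23:40:00,dr.lee,view_chart,P1006
2024-03-04T11:00:00,ma.ortiz,view_chart,P1010
2024-03-04T11:01:00,ma.ortiz,view_chart,P1011
2024-03-04T11:02:00,ma.ortiz,view_chart,P1012
2024-03-04T11:03:00,ma.ortiz,view_chart,P1013
2024-03-04T11:04:00,ma.ortiz,view_chart,P1014
2024-03-04T11:05:00,ma.ortiz,view_chart,P1015
2024-03-04T12:00:00,guest,view_chart,P1020
"""


def parse_line(line):
    """Split one assumed-format audit line into (timestamp, user, action, record)."""
    ts, user, action, record = line.strip().split(",")
    return datetime.fromisoformat(ts), user, action, record


def review(lines):
    """Return a list of (rule, user_id, detail) exceptions for a reviewer to sign off on."""
    findings = []
    charts_viewed = defaultdict(set)  # user -> distinct chart IDs viewed
    start, end = BUSINESS_HOURS
    for line in lines:
        if not line.strip():
            continue
        ts, user, action, record = parse_line(line)
        entry = ROSTER.get(user)
        if entry is None:
            # Unique-ID control: every action must map to a known workforce member.
            findings.append(("unknown_user", user, f"{action} on {record} by an ID not in the roster"))
            continue
        role, active = entry
        if not active:
            # Termination control: separated users must have no access at all.
            findings.append(("inactive_user", user, f"{action} on {record} after separation"))
            continue
        if action not in ALLOWED_ACTIONS[role]:
            findings.append(("role_mismatch", user, f"{action} not expected for role {role}"))
        if not (start <= ts.time() <= end):
            findings.append(("after_hours", user, f"{action} on {record} at {ts:%H:%M}"))
        if action == "view_chart":
            charts_viewed[user].add(record)
    # Volume check runs once per user after the whole window is read.
    for user, records in charts_viewed.items():
        if len(records) > BULK_VIEW_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(records)} distinct charts viewed"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG.splitlines()):
        print(f"{rule:<14} {user:<10} {detail}")
```

Each finding is a prompt for a documented reviewer decision, not an automatic verdict: an after-hours chart view by the on-call clinician is normal, while the same access by a separated user is an access-management failure that belongs in the incident log and the next Risk Assessment. Keeping the roster and the role map as data makes the review repeatable after staff changes, which is the point of "review exceptions routinely."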
Breach and patient rights
- Define what constitutes a security incident versus a reportable breach, apply the four-factor risk assessment to each incident, and document every determination.
- Fulfill access requests promptly, charge only permitted fees, and provide records in the format requested when feasible.
Managing Business Associate Agreements
Business Associate Agreements (BAAs) are required when a covered entity shares PHI with a vendor that creates, receives, maintains, or transmits PHI on its behalf. Common business associates include EHR and telehealth vendors, e-prescribing platforms, billing services, clearinghouses, cloud storage and email providers, appointment reminder tools, and analytics services.
If you are not a covered entity, HIPAA does not require BAAs. Still, you should obtain privacy and security commitments contractually (for example, a “service provider privacy addendum”) that mirror HIPAA protections without mislabeling the relationship.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
What your BAAs should cover
- Permitted uses and disclosures, minimum necessary, and prohibition on secondary use without your authorization.
- Security program expectations: encryption, access controls, logging, secure software development, and subcontractor BAAs.
- Breach notification timelines and cooperation duties, including root-cause analysis and remediation.
- Right to audit or obtain third-party assurance reports; data return and deletion at termination; clear data ownership.
Practical vendor due diligence
- Review security whitepapers, SOC 2 or equivalent reports, penetration test summaries, and uptime/SLA terms.
- Confirm data location, backups, disaster recovery objectives, and incident response playbooks.
- Map all PHI flows, including subcontractors, integrations, and message notifications that might expose PHI.
Electronic Transactions in DPC
Decide deliberately whether your practice will conduct any HIPAA standard transactions. Your choice determines your covered entity status and your compliance workload.
Covered transactions to know
- 837 health care claims and encounters; 835 remittance advice.
- 270/271 eligibility inquiries and responses.
- 276/277 claim status requests/responses; 278 prior authorization.
- NCPDP pharmacy claim standards for retail drug claims.
Practical guidance
- If you want to stay outside HIPAA’s covered entity scope, do not send standard electronic claims, eligibility checks, or prior authorizations through your EHR or vendors.
- Offer patients superbills they submit themselves; avoid submitting claims “as a courtesy” on the patient’s behalf.
- Electronic Prescribing can coexist with DPC; ensure the vendor secures PHI and avoid automatic eligibility checks unless you intend to be a covered entity.
- If you do perform any covered transactions (directly or via a billing service/clearinghouse), implement the full HIPAA program outlined above and execute BAAs with all applicable vendors.
State Regulatory Considerations
Many states recognize DPC agreements as medical services rather than insurance, but details vary. Confirm whether your state requires specific disclosures, filings, or consumer notices stating that the membership is not insurance and that patients should maintain coverage for catastrophic events.
Align membership contracts with state consumer protection rules on auto-renewal, refunds, and transparent fee schedules. Ensure the entity structure complies with corporate practice of medicine rules, and verify whether sales tax applies to any tangible goods you dispense.
When dispensing medications or labs, follow state licensing, labeling, and recordkeeping requirements, and check prescription drug monitoring program obligations. Keep medical records for the period your state requires, including special timelines for minors and imaging.
State privacy and breach laws may apply regardless of HIPAA status. Building HIPAA-aligned Administrative Safeguards and Technical Safeguards helps you meet overlapping state standards and reduces risk.
Distinguishing DPC from Concierge Care
DPC focuses on primary care access for a flat membership fee and typically does not bill insurance. Concierge practices often charge a retainer for enhanced access but still bill insurers for covered services. That difference drives compliance: concierge practices are nearly always HIPAA covered entities; a DPC practice may or may not be, depending on whether it conducts covered transactions.
Marketing also differs. DPC emphasizes price transparency and broad access (same-day visits, longer appointments), while concierge models highlight convenience layered on traditional insurance billing. Your contracts, billing workflows, and vendor stack should reflect whichever model you choose.
Conclusion
Direct Primary Care can keep billing simple and patient-centered while maintaining strong privacy protections. Determine early whether you will conduct any HIPAA standard transactions, appoint a Privacy Officer, perform Risk Assessments, implement core safeguards, and manage Business Associate Agreements or equivalent contract terms. With clear membership agreements and disciplined data practices, you can deliver scalable, compliant DPC care.
FAQs
What makes a DPC practice a covered entity under HIPAA?
You become a covered entity when you—or a vendor acting for you—transmit health information electronically in any HIPAA standard transaction, such as electronic claims (837), eligibility checks (270/271), claim status (276/277), prior authorization (278), remittance (835), or certain pharmacy claim standards. Using paper superbills or accepting cash does not trigger covered status, and Electronic Prescribing alone generally does not either.
How can DPC practices ensure compliance when billing without insurance?
Avoid submitting covered electronic transactions on behalf of patients; provide superbills instead. Even without insurance billing, safeguard PHI: designate a Privacy Officer, train staff, conduct Risk Assessments, encrypt data, enable audit logs, and use secure portals for messaging. Obtain privacy commitments from vendors and keep receipts free of unnecessary clinical details.
What are the key elements of HIPAA compliance for DPC?
Governance (Privacy Officer, policies, training), ongoing Risk Assessments with remediation, and the Security Rule’s Administrative, Physical, and Technical Safeguards. Add breach response procedures, patient Right of Access workflows, vendor management with Business Associate Agreements when applicable, and contingency plans for backup and recovery.
How do Business Associate Agreements impact DPC vendors?
If you are a covered entity, BAAs are mandatory with vendors that handle PHI for you and must set security expectations, permitted uses, breach duties, and data return terms. If you are not covered, use a privacy or security addendum that mirrors HIPAA protections to ensure your vendors still safeguard PHI at a high standard.