HIPAA Requirements for Acupuncturists: What You Need to Know to Stay Compliant


Kevin Henry

HIPAA

January 23, 2026


HIPAA Applicability to Acupuncturists

HIPAA applies to health care providers who transmit health information electronically in connection with standard transactions. If you submit electronic claims, check eligibility, receive remittance advice, or use a clearinghouse on behalf of your acupuncture practice, you are a HIPAA covered entity.

Protected Health Information (PHI) includes any individually identifiable health information you create, receive, maintain, or transmit. When PHI is stored or sent electronically—such as in an EHR, email, or patient portal—it becomes Electronic Protected Health Information (ePHI), subject to the HIPAA Security Rule.

If you accept only self-pay and never conduct standard electronic transactions, you may not be a covered entity. Still, you must safeguard patient records under state law and, if you handle PHI for another covered entity, you could be a business associate with contractual HIPAA obligations.

Telehealth visits, online scheduling, and electronic billing expand your HIPAA footprint. Treat every digital workflow that touches PHI as in scope, and map where PHI enters, flows through, and leaves your practice.

HIPAA Privacy Rule Compliance

The Privacy Rule governs how you use and disclose PHI. You may use PHI for treatment, payment, and health care operations without authorization, but you must apply the minimum necessary standard for non-treatment activities. Uses beyond these purposes—such as most marketing—require a valid, written authorization.

Provide a clear Notice of Privacy Practices (NPP) at the first visit and upon request. Designate a privacy official, train your workforce, implement policies on access, amendments, and restrictions, and keep documentation for at least six years. Verify identities before releasing records and limit incidental disclosures in reception and treatment areas.

Telemedicine Privacy Practices

For remote care, obtain consent that addresses privacy, confirm the patient’s identity, and ensure both parties are in private locations. Avoid recording sessions by default. Use secure messaging inside your patient portal for follow-ups, and document how telehealth encounters are integrated into the medical record.

HIPAA Security Rule Safeguards

Administrative Safeguards

  • Perform a comprehensive risk analysis covering all systems that create, receive, maintain, or transmit ePHI.
  • Implement risk management plans with timelines, owners, and measurable outcomes.
  • Assign a security official; train staff on phishing, device use, and incident reporting; apply sanctions for violations.
  • Develop contingency plans, including data backups, disaster recovery, and emergency operations.
  • Manage vendors through Business Associate Agreements and periodic due diligence.

Physical Safeguards

  • Control facility access; secure treatment rooms after hours.
  • Define workstation use; position screens away from public view and use privacy filters.
  • Secure and inventory laptops, tablets, and mobile devices; lock file cabinets with paper PHI.
  • Dispose of media properly—shred, pulverize, or securely wipe drives before reuse.

Technical Safeguards

  • Use unique user IDs, strong passwords, and multi-factor authentication for systems with ePHI.
  • Enable audit logs and routinely review access reports and alerts.
  • Protect integrity with anti-malware, application allow‑listing, and patch management.
  • Secure transmission with modern encryption; use device encryption and automatic screen lock.
  • Implement remote wipe for lost devices and promptly terminate access for departing staff.

Telemedicine Security Checklist

  • Select a platform that supports encryption, access controls, and audit logging, and is willing to sign a BAA.
  • Disable cloud recordings unless medically necessary, and store any recordings as ePHI with full safeguards.
  • Use waiting rooms and session passcodes; do not store ePHI on personal devices.

Breach Notification Procedures

The Breach Notification Rule requires action when unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule. Begin by containing the incident and conducting a four-factor risk assessment to determine whether there is a low probability that PHI has been compromised.

  • Investigate: Identify what happened, the types of PHI involved, who received it, if it was actually viewed, and mitigation steps taken.
  • Notify: Provide written notice to affected individuals without unreasonable delay and no later than 60 days after discovery. For breaches affecting 500 or more residents of a state or jurisdiction, also notify prominent media and the federal regulator; smaller breaches are logged and reported annually.
  • Substitute notice: If you lack current contact information for 10 or more individuals, use a website posting or other substitute methods as permitted.
  • Document: Keep investigation records, risk assessments, decisions, and corrective actions.

Notices must describe what happened, the types of information involved, steps individuals should take, what you are doing to mitigate harm, and how to contact your practice. Use incidents as learning opportunities to update training and controls.


State-Specific Recordkeeping Requirements

HIPAA does not set medical record retention periods, but it requires you to keep privacy and security documentation for six years. Medical record retention is governed primarily by state law and your licensing board. Many states require records to be retained for a set number of years and longer for minors.

Maintain Contemporaneous Treatment Records—chart each encounter at the time of service or promptly thereafter. Include presenting complaints, subjective and objective findings, points and modalities used, needle counts when applicable, patient response, informed consent, and the follow‑up plan.

When state law is more protective of privacy or mandates longer retention than HIPAA, follow the stricter requirement. Ensure records are retrievable, readable, and secure throughout their retention lifecycle and disposed of securely at the end of that period.

Business Associate Agreements

Business Associate Agreements (BAAs) are required with vendors that create, receive, maintain, or transmit PHI on your behalf. Common examples for acupuncturists include EHR and billing systems, clearinghouses, cloud storage and backup providers, telemedicine platforms, appointment reminder and texting services, IT support, and transcription.

A strong BAA defines permitted uses and disclosures, requires appropriate safeguards (including breach reporting and subcontractor compliance), ensures access for you to meet patient requests, and mandates return or destruction of PHI at termination when feasible. If a vendor will not sign a BAA, do not use that service for PHI.

Perform due diligence before contracting: assess encryption, access controls, audit logging, data location, incident response timelines, and insurance. Reassess critical vendors periodically.

Patient Rights and Access

Patients have the right to access, inspect, and obtain copies of their PHI. Provide records in the requested format if readily producible, including electronic copies of ePHI. Fulfill requests as quickly as possible and no later than 30 days, with one written 30‑day extension if needed.

Fees for copies must be reasonable and cost‑based. For electronic copies, avoid per‑page fees; charge only for allowable labor, supplies, and postage when applicable. Patients may also direct you to transmit records to a designated third party.

Patients may request amendments to their records, restrictions on certain disclosures, and confidential communications (for example, using an alternate address or phone). Honor requests to restrict disclosures to a health plan when the patient pays in full out of pocket, unless another law requires disclosure.

Provide an accounting of certain disclosures for the prior six years upon request, verify identities before releasing PHI, and clearly document all requests and your responses.

Conclusion

By confirming whether HIPAA applies to your practice, implementing Privacy and Security Rule safeguards, executing BAAs, keeping Contemporaneous Treatment Records under state rules, and honoring patient rights promptly, you can meet HIPAA requirements for acupuncturists and strengthen patient trust.

FAQs

What defines an acupuncturist as a HIPAA covered entity?

You are a covered entity if you transmit health information electronically in connection with standard transactions, such as submitting insurance claims, checking eligibility, or receiving electronic remittance advice. If you never conduct these transactions, you may not be a covered entity, but you still must protect records under state law and any BAAs you sign.

How should acupuncturists protect electronic PHI?

Apply administrative, physical, and technical safeguards: perform a risk analysis, train staff, control facility and device access, use unique logins and multi‑factor authentication, enable encryption and audit logging, patch systems, and maintain secure backups. For telehealth, follow Telemedicine Privacy Practices by using a secure platform with a BAA and disabling recordings by default.

What are the breach notification requirements for acupuncturists?

Under the Breach Notification Rule, investigate incidents, conduct a risk assessment, and notify affected individuals without unreasonable delay and within 60 days if unsecured PHI was compromised. Report to the federal regulator and, for larger incidents, to the media as required. Document your actions and strengthen controls to prevent recurrence.

Are there state-specific HIPAA requirements for acupuncturists?

HIPAA sets a national baseline, but state laws often impose additional privacy and recordkeeping duties, including retention periods and access rules. Follow the more stringent standard. Keep Contemporaneous Treatment Records and ensure secure retention and disposal according to your state’s licensing and health information laws.
