HIPAA Requirements for Midwives: What You Need to Know to Stay Compliant


Kevin Henry

HIPAA

February 11, 2026

8 minutes read
HIPAA Compliance Determination

Are you a covered entity?

As a midwife, you are a health care provider under HIPAA. You become a covered entity if you transmit health information electronically in connection with standard transactions such as claims, eligibility checks, prior authorizations, referrals, or remittance advice. If you bill electronically, or use a clearinghouse or practice management system to submit claims, you are a covered entity.

Quick self-assessment

  • Do you submit or receive any HIPAA standard transactions electronically (even through a vendor)? If yes, you are a covered entity.
  • Do you only accept cash/check and never transmit standard transactions electronically? You may not be a covered entity, but you still handle Protected Health Information (PHI) and should apply privacy and security safeguards.
  • Do you provide services for a hospital, clinic, or insurer that requires you to access PHI? You may act as a business associate and need appropriate agreements.

If you are not a covered entity

You may still be bound by state privacy rules, professional ethics, and contractual duties. Best practice is to implement baseline safeguards and adopt policies modeled on HIPAA to protect PHI and client trust.

Key HIPAA concepts you will use

  • Minimum necessary: limit PHI to what is needed for the task.
  • Designated record set: the records clients have a right to access and amend.
  • Security Rule: administrative, physical, and technical safeguards for ePHI.
  • Breach notification: assess, mitigate, document, and notify when required.

Informed Disclosure Obligations

Notice of Privacy Practices (NPP)

If you are a covered entity, you must provide a Notice of Privacy Practices at the first in-person or telehealth encounter, post it in your office, and make it available on your website if you have one. The NPP explains how you use and disclose PHI, client rights, your duties, how to file a complaint, and who to contact at your practice.

Permitted uses and disclosures without authorization

You may use and disclose PHI for treatment, payment, and health care operations without a separate authorization. You must still apply the minimum necessary standard for payment and operations, verify the recipient, and document processes. Required disclosures include providing an individual access to their own PHI and furnishing information to regulators when lawfully requested.

Authorizations and special cases

Obtain a written authorization for marketing, most non-routine disclosures, and uses not covered by treatment, payment, or operations. Ensure authorizations are specific, time-limited, and revocable. For public health reporting, abuse reporting, and law enforcement requests, follow law- and policy-defined pathways and release only what is permitted.

Peer review confidentiality and quality improvement

Quality assessment, credentialing, and peer review are health care operations permitted by HIPAA. Maintain Peer Review Confidentiality by restricting access to reviewers, separating peer review records from the medical record, and documenting decisions without unnecessary PHI. If you engage an external reviewer, execute a Business Associate Agreement.

Clinical informed consent covers the risks, benefits, and alternatives of maternity care. A HIPAA authorization is different: it is permission to use or disclose PHI for purposes beyond routine care. Keep these forms and conversations distinct so clients clearly understand each decision.

  • Explain the condition, proposed care plan, expected benefits, material risks, and reasonable alternatives, including declining care.
  • Assess decision-making capacity and voluntariness; invite questions and encourage teach-back to confirm understanding.
  • Discuss information sharing preferences, including family involvement and confidential communications (e.g., alternate phone or mailing address).

Documentation tips

  • Record the discussion date, participants, interpreter use, client questions, and the decision reached.
  • Note any requested restrictions on disclosures and add them to the client’s designated record set.
  • For minors or surrogates, document authority to consent.

Record-Keeping and Documentation

Retention and client rights

Maintain HIPAA-required documentation—policies, procedures, NPP versions, training logs, risk analyses, and Business Associate Agreements—for at least six years from creation or last effective date. Medical record retention periods are governed by State Licensing Requirements; set your retention schedule to meet the longest applicable rule.

Access, amendments, and fees

  • Provide client access to their PHI within required timeframes, in the format requested if readily producible (including electronic copies).
  • Process amendment requests promptly; document approvals or denials with reasons and appeal rights.
  • If charging for copies, use a reasonable, cost-based fee aligned with rules on labor and supplies; avoid per-page fees for electronic records.

Privacy and security artifacts to maintain

  • Risk analysis and risk management plans, device and media controls, and access logs for systems storing ePHI.
  • Incident and breach assessments, mitigation steps, and notifications when applicable.
  • Accounting of disclosures (for those beyond treatment, payment, and operations), requests for restrictions, and confidential communication requests.

Safeguards for paper and electronic records

  • Physical: locked storage, clean-desk protocols, and secure shredding for PHI.
  • Technical: unique user IDs, strong authentication, encryption at rest and in transit, and automatic logoff.
  • Administrative: workforce training, sanction policies, and periodic audits.

Telehealth Services Compliance

Platform selection and Telehealth Encryption

Use telehealth tools that support end-to-end Telehealth Encryption, access controls, and audit logging. Execute a Business Associate Agreement with the platform vendor so the service is contractually bound to protect PHI.

Workflow and environment controls

  • Verify client identity, confirm their physical location at each visit, and obtain telehealth-specific consent addressing privacy limits and emergency plans.
  • Use private spaces, headsets, and screen-positioning to prevent incidental disclosures; disable recording unless necessary and authorized.
  • Protect endpoints with updates, malware protection, device encryption, and multi-factor authentication.

Documentation and follow-up

  • Document modality, participants, location, consent, clinical content, and any technical issues affecting care.
  • If using remote monitoring, treat transmitted data as ePHI and apply Security Rule safeguards.

Licensing and cross-border care

Telehealth does not bypass State Licensing Requirements. Confirm your license allows you to treat clients located in that state during the session; adjust scheduling or referrals if not.

Business Associate Agreements

Identify your business associates

Business associates include entities that create, receive, maintain, or transmit PHI on your behalf: EHR and billing vendors, cloud or backup services, telehealth platforms, revenue cycle firms, transcription, IT support, and external quality reviewers. Janitorial services and couriers typically are not business associates when their access is incidental.

What a strong BAA includes

  • Permitted and required PHI uses and disclosures, with minimum necessary limits.
  • Administrative, physical, and technical safeguards; breach reporting timelines and cooperation duties.
  • Subcontractor flow-down requirements so downstream vendors also sign BAAs.
  • Right to terminate for material breach and obligations to return or destroy PHI at contract end.

Vendor management in practice

  • Keep executed BAAs centrally with version control and renewal reminders.
  • Perform due diligence: security questionnaires, references, and proof of controls.
  • Map all data flows so every system touching PHI is covered by a BAA or is within your own environment.

State-Specific Regulatory Obligations

When state law is more stringent

HIPAA sets a federal floor. If a state law offers greater privacy protection or additional client rights, it controls. Common examples include stronger consent rules for sensitive information, shorter response times, or tighter fee limits for copies.

Licensing, scope, and retention

State Licensing Requirements define your scope of practice, supervision or collaboration conditions, telehealth parameters, and medical record retention. Align your consent forms, prescribing workflows, emergency transfers, and documentation style with these rules.

Public health and peer review

Follow state-mandated reporting for communicable diseases, newborn screening, vital records, and suspected abuse or neglect. If your state provides peer review privilege, structure quality reviews to preserve confidentiality while applying HIPAA’s minimum necessary standard.

Building a practical compliance matrix

  • List each requirement area: privacy, security, breach, consent, access, retention, telehealth, reporting, and peer review.
  • For each state in which you practice, cite the controlling rule, effective date, and responsible owner on your team.
  • Review annually and upon regulatory changes or scope expansions.

FAQs

Are midwives considered covered entities under HIPAA?

Yes, if you transmit any health information electronically in connection with standard transactions (such as claims or eligibility checks); in that case you are a covered entity and must comply fully with HIPAA. If you do not, you may still need HIPAA-like safeguards, and you will need a Business Associate Agreement when you handle PHI on behalf of a covered entity.

Provide a clear discussion of the condition, proposed care, benefits, material risks, and alternatives; assess understanding using teach-back; confirm voluntariness; and document the conversation, decision, any restrictions requested, and interpreter use. Keep treatment consent separate from HIPAA authorizations for non-routine disclosures.

What are the key HIPAA record-keeping requirements for midwives?

Retain HIPAA policies, procedures, risk analyses, training logs, NPP versions, incident assessments, and Business Associate Agreements for at least six years. Maintain an accounting of certain disclosures, track requests for confidential communications or restrictions, and respond to client access and amendment requests within required timeframes. Follow state rules for medical record retention periods.

How can midwives ensure HIPAA compliance during telehealth services?

Use a platform with strong Telehealth Encryption and a signed BAA, verify client identity and location, obtain telehealth-specific consent, secure endpoints and the environment, document the session thoroughly, and confirm your license allows care where the client is located. Apply the Security Rule to any devices or apps that create or store ePHI.
