Does HIPAA Apply to Alternative Health Practitioners?
HIPAA applies to alternative health practitioners such as acupuncturists, chiropractors, herbalists, and massage therapists only when they meet the definition of a Covered Entity or Business Associate under 45 CFR § 160.103, which in practice usually means transmitting health information electronically for insurance billing. The label on your license does not decide the question. A chiropractor who bills Medicare electronically is regulated the same way a hospital is. A cash-only herbalist who never files a claim is generally outside HIPAA entirely, although state health-privacy laws may still apply.
TL;DR: Quick answer
- Under 45 CFR § 160.103, a healthcare provider becomes a HIPAA Covered Entity only by transmitting health information electronically in connection with a standard transaction, such as a claim or eligibility check under 45 CFR Part 162.
- Most chiropractors are Covered Entities because they bill Medicare or private insurers electronically; most massage therapists and herbalists are not, because they operate cash practices.
- A practitioner who handles protected health information (PHI) for a Covered Entity, for example inside an integrative clinic, can be a Business Associate and must sign a BAA under 45 CFR § 164.504(e).
- HHS OCR penalties reach $73,011 per violation with an annual cap of $2,190,294 per provision under 45 CFR § 102.3 (2026 inflation adjustment).
- Even outside HIPAA, state laws such as Washington's My Health My Data Act and California's Confidentiality of Medical Information Act regulate health data held by wellness businesses.
What makes an alternative health practitioner a Covered Entity?
The Covered Entity definition at 45 CFR § 160.103 has two parts for providers. First, you must furnish healthcare; acupuncture, chiropractic, naturopathy, and massage therapy all qualify when delivered for treatment purposes. Second, you must transmit health information in electronic form in connection with a transaction for which HHS has adopted a standard. Those standard transactions are listed in 45 CFR Part 162 and include claims, eligibility inquiries, claim status checks, and referral authorizations.
Both conditions must be true. Treating patients alone does not trigger HIPAA. Sending one electronic claim does, and HHS OCR treats the status as sticky: once you are a Covered Entity, all of your PHI is covered, including records for cash-paying clients. The same definitional test governs naturopathic doctors and health and life coaches, which we cover in separate guides.
How the test applies by profession
Chiropractors
Most are Covered Entities. Medicare Part B covers spinal manipulation, and the vast majority of chiropractic offices submit claims electronically through a clearinghouse or practice-management system. Using a third-party billing service does not change the answer; the transaction is still attributed to the practice.
Acupuncturists
It depends on payer mix. Acupuncturists who bill private insurers, workers' compensation carriers that use standard electronic transactions, or Medicare (which began limited acupuncture coverage for chronic low back pain in 2020) are Covered Entities. Cash-only acupuncture practices generally are not.
Massage therapists
Usually not Covered Entities, because most operate on direct payment. The common exceptions are medical massage practices that bill auto-injury or workers' compensation claims electronically, and therapists employed by a covered clinic, whose work is then governed by the clinic's HIPAA program.
Herbalists and other unlicensed wellness practitioners
Almost never Covered Entities, since insurers rarely reimburse herbal consultations. Client intake records are still sensitive health data under several state laws, discussed below.
Does a cash-only practice escape HIPAA completely?
Generally yes, with three caveats. First, the superbill nuance: handing a patient a receipt or superbill that the patient submits to their own insurer does not make you a Covered Entity, because you are not the one transmitting the standard transaction. Second, the one-claim trap: filing even a single electronic claim, or having a billing agent file one on your behalf, brings the entire practice under HIPAA. Third, checking eligibility electronically through a payer portal or clearinghouse is itself a standard transaction under 45 CFR Part 162, a detail many practitioners miss.
When is an alternative practitioner a Business Associate?
A Business Associate creates, receives, maintains, or transmits PHI on behalf of a Covered Entity (45 CFR § 160.103). Common scenarios in alternative health:
- A massage therapist contracted by a physical therapy clinic to deliver treatment documented in the clinic's records works inside that Covered Entity's compliance program, typically as a workforce member or under a BAA.
- An herbalist or nutritionist reviewing patient charts referred by an integrative medicine practice that bills insurance is handling PHI for a Covered Entity and should expect a BAA under 45 CFR §§ 164.308(b) and 164.504(e).
- An acupuncturist providing services through a hospital wellness program documents into the hospital's system and is bound by its policies.
The obligation also runs downstream. If your practice is covered, your own vendors that touch electronic PHI (ePHI), including your web host, scheduling platform, and email provider, must sign BAAs. Our guide on who needs HIPAA-compliant hosting walks through the vendor analysis.
State laws that apply even when HIPAA does not
Falling outside HIPAA does not mean health data is unregulated. Two overlays matter most for wellness practices:
- Washington My Health My Data Act. Effective in 2024, it regulates "consumer health data" held by businesses not covered by HIPAA, requires opt-in consent for collection and sharing, and includes a private right of action. A cash-only massage studio in Seattle collecting intake forms is squarely in scope.
- California Confidentiality of Medical Information Act (CMIA). Civil Code § 56 covers licensed providers regardless of billing method, and amendments have extended it to certain digital health services. A cash-only licensed acupuncturist in California has CMIA confidentiality duties even with no HIPAA status.
State licensing boards for acupuncture, chiropractic, and massage therapy also impose recordkeeping and confidentiality rules independent of both statutes.
What covered practitioners must actually implement
If electronic billing makes you a Covered Entity, the core obligations are:
- a documented risk analysis under 45 CFR § 164.308(a)(1)(ii)(A);
- administrative, physical, and technical safeguards under 45 CFR §§ 164.308, 164.310, and 164.312 (including encryption of ePHI per § 164.312(a)(2)(iv) and (e));
- workforce training under § 164.308(a)(5);
- BAAs with vendors;
- breach notification procedures under 45 CFR §§ 164.400-414.
Our HIPAA-compliant hosting guide and safeguards breakdown cover each layer.
Websites are a frequent gap. Online intake forms, appointment booking, and contact forms that collect symptoms or treatment history transmit ePHI and need BAA-covered infrastructure; see our guide to HIPAA and practitioner contact forms. hipaacomplianthosting.com provides managed HIPAA hosting for practices in this position; that is our business, and our HIPAA-compliant WordPress hosting includes a signed BAA.
Frequently asked questions
Is a chiropractor who bills Medicare a HIPAA Covered Entity?
Yes. Electronic Medicare claims are standard transactions under 45 CFR Part 162, so a chiropractic practice submitting them meets the Covered Entity definition at 45 CFR § 160.103, and all of its patient records become PHI.
Does giving patients a superbill trigger HIPAA?
No. If the patient submits the superbill to their insurer themselves and the practice never transmits a standard transaction electronically, the practice does not become a Covered Entity on that basis.
A clinic asked me to sign a BAA. Does that mean HIPAA applies to me?
If you handle PHI on the clinic's behalf, yes. Signing a BAA reflects Business Associate status under 45 CFR § 160.103, which makes you directly subject to the Security Rule and to HHS OCR enforcement.
Do I need HIPAA-compliant hosting if my practice is cash-only?
Not as a HIPAA matter, but state laws such as Washington's My Health My Data Act may still regulate the health data your website collects, and secure handling of intake forms is good practice regardless.
Are herbalists ever covered by HIPAA?
Rarely as Covered Entities, since insurers seldom reimburse herbal care. An herbalist working with patient records for an insurance-billing integrative clinic can be a Business Associate, which carries direct HIPAA obligations.
This article is general information, not legal advice. Consult qualified counsel about your practice's status, and base your safeguards on a documented risk analysis. Reviewed June 2026.