Do HIPAA Regulations Apply to Naturopathic Doctors?
HIPAA applies to a naturopathic doctor when the practice furnishes healthcare and transmits health information electronically in connection with a standard transaction, such as an insurance claim or eligibility check, which makes the practice a covered entity under 45 CFR § 160.103. Licensure does not decide the question by itself, and neither does the word "naturopathic." The trigger is electronic billing activity. An ND in Washington whose biller files claims with regional insurers is a covered entity; an unlicensed traditional naturopath selling cash wellness consultations in a non-regulating state usually is not, though state privacy laws still reach them.
TL;DR: Quick answer
- A naturopathic doctor becomes a HIPAA covered entity by transmitting health information electronically for a standard transaction under 45 CFR § 160.103, most commonly insurance billing.
- About 26 US jurisdictions, including the District of Columbia, Puerto Rico, and the US Virgin Islands, license or regulate naturopathic doctors; licensure expands insurance participation and therefore HIPAA exposure.
- A cash-only ND who never bills electronically can sit outside HIPAA, but a single electronic claim, eligibility check, or claim filed by a third-party biller on the ND's behalf changes the answer.
- An ND who handles PHI for a covered entity, for example reviewing labs for an integrative MD practice, is a business associate and must sign a BAA under 45 CFR § 164.504(e).
- State laws such as Washington's My Health My Data Act and California's Confidentiality of Medical Information Act regulate consumer health data even where HIPAA does not apply.
Why licensure changes the HIPAA math for NDs
Naturopathic licensure is a patchwork. Roughly 26 US jurisdictions regulate NDs, including states like Washington, Oregon, Arizona, and Vermont where licensed NDs hold broad scopes of practice, and where some commercial insurers and state programs reimburse naturopathic services. In those states, an ND practice often looks like any other outpatient clinic: it verifies eligibility electronically, files claims through a clearinghouse, and receives electronic remittances. Each of those is a standard transaction, and performing any one of them electronically makes the practice a covered entity subject to the Privacy Rule and the Security Rule safeguards at 45 CFR §§ 164.308, 164.310, and 164.312.
In states that do not license naturopathy, insurance reimbursement is rare, so practices tend to be cash-based and are less likely to trip the covered-entity test. The compliance question shifts from federal HIPAA to state consumer-health-privacy law.
Three ND scenarios and how HIPAA treats each
Scenario 1: Licensed ND billing insurance
A licensed ND in Portland contracts with a billing service that submits claims electronically. The practice is a covered entity. It needs a documented risk analysis under 45 CFR § 164.308(a)(1)(ii)(A), technical safeguards for its EHR and website, BAAs with the billing service, any cloud EHR, and the web host, and notice-of-privacy-practices workflows. If the practice website collects intake details, that data is ePHI; the requirements mirror what we describe for therapist contact forms.
Scenario 2: Cash-only licensed ND
A licensed ND in Phoenix takes only direct payment and never transmits health information electronically for billing. The practice is likely not a covered entity. Watch the edges: filing even one electronic claim, running an electronic eligibility check for a curious patient, or letting software submit superbills electronically to insurers can flip the status. HHS treats covered-entity status as ongoing once triggered, so the conservative posture is to either firmly avoid all electronic standard transactions or build HIPAA-grade safeguards anyway.
Scenario 3: ND as a business associate
An ND consults for an integrative medicine clinic that is itself a covered entity, reviewing patient labs and charting in the clinic's EHR. For that work the ND is a business associate under 45 CFR § 160.103 and must sign a BAA under §§ 164.308(b) and 164.504(e). Business associates carry direct liability for Security Rule failures; HHS OCR has settled enforcement actions with business associates throughout its risk analysis initiative, which remains active in 2026.
What if HIPAA does not apply? State law usually does
Falling outside HIPAA does not mean health data is unregulated. Washington's My Health My Data Act covers consumer health data held by businesses regardless of HIPAA status. California's Confidentiality of Medical Information Act reaches many providers and apps. Naturopathic licensing boards impose recordkeeping and confidentiality duties of their own. The FTC has also pursued health platforms for sharing user health data with advertisers under the FTC Act and the Health Breach Notification Rule. A cash ND who emails consult notes through a free inbox or runs intake through an ad-tracked website is exposed even with zero HIPAA obligations. The broader applicability picture for adjacent fields is covered in our posts on alternative health practitioners and health coaches.
A compliance checklist for naturopathic practices
- Write down every way health information leaves your practice electronically: claims, eligibility checks, e-prescribing, referrals, superbill submissions by software or billers.
- If any of these is a standard transaction, you are a covered entity: complete and document a risk analysis, adopt the safeguards at 45 CFR §§ 164.308, 164.310, and 164.312, and retain documentation six years per 45 CFR § 164.316(b)(2)(i).
- Collect BAAs from every vendor holding patient data: EHR, scheduling, forms, email, web host. The decision framework in who needs HIPAA-compliant hosting helps scope the hosting piece.
- If you consult for covered entities, sign their BAA and apply Security Rule safeguards to the PHI you touch.
- Cash-only and outside HIPAA? Map your state's consumer health privacy law and your board's record rules before deciding any safeguard is optional.
Frequently asked questions
Does accepting credit cards make an ND a covered entity?
No. Payment card processing for direct patient payment is not a HIPAA standard transaction. The trigger is electronic transactions with health plans, such as claims and eligibility checks.
My biller files claims for me. Am I still covered by HIPAA?
Yes. HHS treats electronic standard transactions conducted on your behalf by a billing service the same as if you sent them yourself.
Do unlicensed traditional naturopaths have HIPAA obligations?
Almost never as covered entities, since they cannot bill insurance. They can still be business associates if they handle PHI for a covered entity, and state consumer-health-privacy laws apply regardless.
Does giving a patient a superbill trigger HIPAA?
Handing a paper superbill to the patient does not. If your practice software transmits the claim electronically to the insurer on the patient's behalf, that is an electronic standard transaction and can trigger covered-entity status.
Is there a HIPAA certification an ND practice can get?
No. There is no official HIPAA certification from HHS. Third-party attestations like HITRUST CSF or SOC 2 Type II indicate security maturity but do not certify HIPAA compliance.
Where to go from here
If your ND practice is a covered entity and your website handles patient information, the site needs BAA-covered, compliance-ready infrastructure. Our HIPAA-compliant hosting guide explains the requirements, and our HIPAA-compliant WordPress hosting is one option that includes the BAA; we run that service, so compare it against the guide's criteria.
This article is general information, not legal advice. Covered-entity status is fact-specific; confirm yours with qualified counsel and base safeguards on a documented risk analysis. Reviewed June 2026.
Sources
- 45 CFR § 160.103, definitions of covered entity and business associate: ecfr.gov
- 45 CFR § 164.308, administrative safeguards: ecfr.gov
- HHS OCR, covered entities and business associates: hhs.gov
- HHS, are you a covered entity decision tool: cms.gov
- AANP, regulated states and regulatory authorities: naturopathic.org
- AANMC, naturopathic licensure by state: aanmc.org