HIPAA Basics for Small Practices

What You Need to Know to Stay Compliant Without Getting Overwhelmed

If you’re a midwife, doula, or part of a small birth center team, you already wear a lot of hats. Adding “compliance officer” to your list probably wasn’t something you dreamed of when you entered birth work—but protecting your clients’ personal health information is one of the most important things you can do for your practice.

The good news? HIPAA compliance doesn’t have to be intimidating. With the right foundation, small practices can stay compliant and confident without getting buried in legal jargon.

Let’s walk through the basics.

What is HIPAA, Really?

HIPAA stands for the Health Insurance Portability and Accountability Act. At its core, it’s a federal law that sets rules about how protected health information (PHI) is collected, stored, used, and shared.

The goal? To protect your clients' privacy and keep their sensitive medical data safe—especially in an increasingly digital world.

What Counts as PHI?

Protected Health Information (PHI) includes any health-related information that can be linked to a specific individual. That could be:

  • Names

  • Birth dates

  • Addresses

  • Medical records

  • Lab results

  • Appointment notes

  • Billing info tied to a client

  • Even photos, audio, or video related to care

If it can identify someone + it relates to their care or payment = it’s PHI.

Who Must Comply with HIPAA?

If your practice electronically bills insurance or uses a clearinghouse, you are considered a covered entity and must comply with HIPAA.

Even if you're not billing insurance directly (e.g., some doulas), if you handle PHI or work in a business associate role (like billing, coding, or admin support for a provider), you may still be required to comply—or at the very least, follow best practices.

Key Areas of HIPAA for Small Practices

1. Privacy Rule

Protects how PHI is used and shared. You must:

  • Get client permission before sharing information

  • Provide a Notice of Privacy Practices

  • Limit access to PHI to those who truly need it

2. Security Rule

Applies to electronic PHI (ePHI). You must:

  • Use secure, encrypted systems for email, charts, and billing

  • Limit access to files and logins

  • Protect devices (phones, laptops) with passwords or biometrics

3. Breach Notification Rule

If there’s a data breach, you may be legally required to notify:

  • The client(s) affected

  • The U.S. Dept. of Health and Human Services (HHS)

Practical Tips for Staying Compliant

  • Use secure platforms (email, EHRs, cloud storage—make sure they’re HIPAA-compliant)

  • Train your team (yes, even if it’s just you + one assistant!)

  • Limit file access to only those who need it

  • Shred paper documents you no longer need

  • Lock your devices and avoid sharing logins

  • Get signed consent before sharing PHI—even with family members

Do I Need a HIPAA Policy?

Yes! Every practice should have:

  • A written HIPAA Privacy and Security Policy

  • A Notice of Privacy Practices for clients

  • A Business Associate Agreement (BAA) with any admin or billing contractors

If you're working with someone like me (a billing and compliance specialist), we should both have a signed BAA in place.

Bottom Line

You don’t need to be a lawyer to be HIPAA-compliant—but you do need to be intentional. Protecting your clients' privacy isn't just about checking a box—it's about trust, integrity, and professionalism.

Start with the basics, get organized, and ask for help when you need it. You’ve got this—and if you ever need a second set of eyes on your compliance workflow, I’m here to help.

Need help writing a HIPAA policy or figuring out where to start? Let’s connect.
📩 Harley Skaggs, CPC, CPB
harley@elitemasolutions.net
