HIPAA Business Associate Agreement for Concierge Medicine Practices
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ Concierge medicine and DPC practices are, in nearly all cases, HIPAA covered entities; not billing insurance does not exempt you
- ✓ Membership platforms (Hint Health), EHR (Elation Health), and telehealth tools all require BAAs
- ✓ Remote monitoring and wearable platforms deployed by the practice require BAAs
- ✓ Electronic prescribing and lab interfaces create BAA obligations even without insurance billing
Concierge medicine and Direct Primary Care (DPC) practices are growing rapidly, and many of their founders and operators believe that opting out of insurance billing frees them from HIPAA. It does not. The covered entity definition (45 CFR § 160.103) asks whether a healthcare provider transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard (45 CFR Part 162); claims billing is only one of those transactions. Most concierge and DPC practices cross this threshold through their EHR, e-prescribing, lab ordering and referral workflows even though they never submit a claim, and the practical consequence is the same: every vendor that creates, receives, stores or transmits patient data on the practice's behalf needs a Business Associate Agreement (BAA).
The "We Don't Bill Insurance" Misconception
This is the most common compliance misunderstanding in the concierge medicine space. HIPAA's covered entity definition includes any healthcare provider that transmits health information electronically in connection with any transaction for which HHS has adopted a standard under 45 CFR Part 162. Those standard transactions include:
- Health care claims and encounter information (billing)
- Eligibility inquiries and responses
- Referral certification and authorization
- Claim status inquiries
- Enrollment and disenrollment in a health plan
- Payment and remittance advice
- Health plan premium payments
- Coordination of benefits
A DPC practice that sends electronic prescriptions through Surescripts is transmitting health information electronically. A concierge practice whose EHR sends lab orders and referrals electronically is transmitting health information electronically. "We don't bill insurance" removes only the claims transaction from the analysis; it does not eliminate the other transactions on the list above, and a single electronic eligibility check or referral authorization run from the EHR is enough to bring the practice within the definition. The determination is fact-specific, so the safe operating assumption for any practice running an EHR with e-prescribing, lab and referral interfaces is that it is a covered entity unless counsel has confirmed otherwise.
Furthermore, even if a practice concluded it was not a covered entity, it would still be bound by state medical privacy laws and by its ethical duty of confidentiality to patients. In practice the distinction rarely changes the paperwork: most practice management, EHR and telehealth vendors are built for HIPAA-regulated customers and require their standard BAA to be signed as a condition of service regardless of the customer's own covered entity analysis.
Vendors Concierge Practices Typically Need BAAs With
Membership Management Platforms
Hint Health is the most widely used membership management platform for DPC practices; it offers a BAA as part of its provider contract. Hint's platform handles patient names, contact information, payment details and membership-linked health information, all of which is PHI once it is tied to an identifiable patient of the practice. Spruce Health (used for secure messaging) and similar platforms that combine membership management with patient communication also require BAAs.
Clinical EHR Systems
Elation Health is popular among concierge and DPC physicians for its direct primary care focus; it offers a BAA. Other commonly used EHRs for small independent practices include Athenahealth, DrChrono, and SimplePractice (for practices with behavioral health components). Confirm BAA execution with your EHR vendor before using the platform for any patient records.
Telehealth Platforms
Concierge practices often provide direct-access telehealth as a key membership benefit. Telehealth platforms including Doxy.me, Zoom for Healthcare, and similar solutions require signed BAAs before conducting any patient video visits. Note that the BAA attaches to a specific plan or product tier, not to the vendor's name: a general-purpose video tool on a free or consumer plan for which the vendor will not sign a BAA does not qualify, even if the call is encrypted. See our guide on when a HIPAA BAA is required for the decision framework.
Remote Monitoring and Wearables
Concierge practices often integrate biometric monitoring, wearable data, or continuous glucose monitors as part of their high-touch care model. When the practice deploys a remote monitoring platform that aggregates patient biometric data and links it to patient identities, the platform vendor is a business associate requiring a BAA. Consumer-grade wearable apps that a patient chose and uses on their own for personal tracking are a different matter: the app vendor has no relationship with the practice and is not its business associate. The line is crossed when the practice deploys the platform, provisions devices or accounts, or pulls the data into its own systems; data the practice imports from a patient's wearable into the EHR becomes PHI in the practice's hands, and any vendor holding it on the practice's behalf requires a BAA.
Patient Secure Messaging
Secure messaging platforms that allow patients to communicate with their concierge provider, sharing symptoms, receiving results, or exchanging care plans, handle PHI and require BAAs. Klara, Spruce Health, and similar healthcare-specific messaging platforms provide BAAs. Standard SMS, WhatsApp, and personal email do not qualify for practice-initiated PHI communication: the carriers and providers behind them will not sign a BAA, and the practice has no control over where those messages are stored, who can access them, or how long they are retained. See our checklist on whether your vendor signs BAAs.
IT Support
IT providers with remote access to your practice systems (workstations, the EHR, email, backups) are business associates under the definition in 45 CFR § 160.103, even for a one- or two-physician practice, because they can access PHI while providing services on your behalf. Ensure your IT support provider has signed a BAA containing the terms required by 45 CFR § 164.504(e), including the obligation to report security incidents and breaches to you, and scope the provider's access to the systems it actually maintains rather than granting blanket administrative credentials.
| Vendor Type | Example Vendors | BAA Required? |
|---|---|---|
| Membership management | Hint Health, Spruce (membership component) | Yes |
| Clinical EHR | Elation Health, Athenahealth, DrChrono | Yes |
| Telehealth | Doxy.me, Zoom for Healthcare | Yes |
| Remote monitoring / wearables | Withings Health Solutions, RPM platforms | Yes (when practice-deployed) |
| Secure messaging | Klara, Spruce Health | Yes |
| E-prescribing | Surescripts (via EHR), DrFirst | Yes (typically via EHR BAA) |
| IT support | Local or remote IT provider | Yes |
Generate a BAA for your concierge medicine practice
Create a HIPAA-compliant Business Associate Agreement for your billing company, software vendor, or IT provider — free to start, no subscription required.
Frequently Asked Questions
Is a concierge medicine practice required to follow HIPAA?
Yes. Concierge medicine practices are healthcare providers subject to HIPAA. Most transmit health information electronically through e-prescribing, lab orders, referrals, or eligibility checks, which is enough to trigger covered entity status even without insurance billing. A BAA meeting 45 CFR § 164.504(e) is required with every vendor that creates, receives, maintains, or transmits PHI on the practice's behalf.
Does a DPC practice need BAAs?
Yes. DPC practices that transmit health information electronically in connection with a standard transaction are covered entities under HIPAA regardless of whether they bill insurance. If your EHR sends electronic prescriptions, lab orders, referrals, or eligibility inquiries, you should treat the practice as meeting the covered entity definition, and your vendors require BAAs.
What software do concierge practices use that requires BAAs?
Hint Health (membership management), Elation Health (EHR), Doxy.me or Zoom for Healthcare (telehealth), Klara or Spruce Health (secure messaging), remote monitoring platforms, and IT support providers all require BAAs. Most are designed for HIPAA compliance and offer BAAs as part of their standard provider contracts.
Do wearable and remote monitoring platforms require BAAs for concierge medicine?
Yes, when the practice deploys the platform to collect patient data as part of care. Practice-deployed remote monitoring platforms that store patient-identified biometric data require BAAs. Consumer wearable apps that patients use independently for personal tracking, without the practice deploying or integrating them, are not business associates of the practice and do not require a BAA; data the practice later imports from such an app into its own records is still PHI in the practice's hands.