Does a Cash-Pay Practice Need a HIPAA NPP?
NPP Generator Research Team · April 25, 2026 · 5 min read
Key Takeaways
- ✓ HIPAA coverage depends on electronic health transactions, not insurance acceptance
- ✓ A truly cash-only practice with no electronic health transactions is not a covered entity — no NPP required
- ✓ Most cash-pay practices use EHRs, portals, or e-prescribing that trigger covered entity status
- ✓ When in doubt, having an NPP costs $49 and eliminates the compliance risk
- ✓ See "Does my practice need an NPP?" for a full covered entity checklist
One of the most common misconceptions in HIPAA compliance: "I don't take insurance, so HIPAA doesn't apply to me." The reality is more nuanced — HIPAA coverage turns on electronic health transactions, not on whether you bill insurance. Many cash-pay practices are covered entities anyway.
What makes a practice a HIPAA covered entity?
Under HIPAA, a health care provider is a covered entity if it transmits health information electronically in connection with any of the "standard transactions" defined in 45 CFR Parts 160 and 162. Key standard transactions include:
- Submitting electronic claims to a health plan (Medicare, Medicaid, commercial insurance)
- Electronic eligibility verification
- Electronic remittance advice
- Referral authorizations transmitted electronically
A practice that does none of these — that accepts only cash, check, or credit card, never submits any electronic claim, and never electronically verifies insurance eligibility — is technically not a covered entity and is not required to maintain an NPP under federal HIPAA.
Why most cash-pay practices are still covered entities
In practice, very few health care providers can honestly say they never transmit health information electronically. Consider these common activities:
| Activity | Covered entity trigger? |
|---|---|
| Using an EHR that stores and shares patient data | Often yes — many EHRs transmit referral and care coordination data electronically |
| Using e-prescribing software | Yes — e-prescribing transmits PHI electronically |
| Using a patient portal | Often yes — portals transmit PHI electronically between provider and patient |
| Ordering labs electronically | Yes — electronic lab orders are standard transactions |
| Accepting insurance for even one patient | Yes — one electronic claim is sufficient to trigger covered entity status |
A true non-covered entity is one that: uses only paper records, sends all referrals by fax or paper, uses only a cash register (no EHR), writes all prescriptions by hand, and never accepts any form of insurance. This describes essentially no modern practice.
Direct primary care (DPC) — the clearest case
DPC practices are often cited as the canonical example of potential non-covered entities because they explicitly reject insurance billing. But even within the DPC model, the analysis requires looking at technology use:
- Truly tech-minimal DPC: Paper charts, handwritten prescriptions, no EHR, no patient portal, zero insurance of any kind → may be a non-covered entity
- Technology-enabled DPC: Uses an EHR or DPC-specific platform (Hint, Elation, CharmHealth), uses e-prescribing, uses a patient portal, or uses any lab ordering software → likely a covered entity
Most DPC practices are somewhere in the second category. If your DPC uses any software that transmits patient health information electronically, consult your HIPAA attorney about covered entity status. See "Does my practice need an NPP?" for a broader analysis.
The practical case for having an NPP anyway
Even if your practice is a genuine non-covered entity, there are reasons to consider having an NPP:
- State law. Several states have health privacy laws that apply to providers regardless of covered entity status. California, Massachusetts, and others impose privacy obligations that mirror HIPAA even for non-covered entities.
- Patient expectations. Patients increasingly expect practices to have privacy policies. An NPP builds trust and sets expectations about how their health information is handled.
- Business associate relationships. If you share PHI with any vendor — a billing service, an EHR vendor, a lab — and your practice is a covered entity, you need BAAs. Having an NPP is baseline documentation that you take privacy seriously.
- Future insurance billing. If you ever decide to start accepting insurance, you'll need an NPP from day one. Having one in place avoids a compliance gap.
Quick answer
A cash-pay practice that never submits electronic claims and never transmits PHI electronically may not be a HIPAA covered entity. But most cash-pay practices use EHRs, e-prescribing, or patient portals that trigger covered entity status. When in doubt, having a compliant NPP is low-cost insurance against the compliance risk.
Frequently Asked Questions
Does a cash-only practice need a HIPAA NPP?
Only if it's a HIPAA covered entity — which requires transmitting PHI electronically in standard transactions. True cash-only practices with zero electronic health transactions may not be covered entities. Most modern practices are covered entities regardless of payment model.
Does using an EHR make my cash-pay practice a covered entity?
Often yes. Many EHRs transmit electronic referrals, lab orders, or care coordination data — which are standard electronic health transactions. Review what your EHR transmits externally to assess covered entity status.
Is a DPC (direct primary care) practice exempt from HIPAA?
A DPC practice that never submits electronic claims and never electronically transmits PHI may be exempt. Most DPC practices use EHR platforms or patient portals that transmit PHI electronically — which triggers covered entity status. Consult your HIPAA attorney if unsure.
What state laws apply to cash-pay practices that aren't HIPAA covered entities?
California, Massachusetts, New York, and several other states have health information privacy laws that apply to health care providers regardless of federal covered entity status. Even non-covered entities in these states may be subject to NPP-equivalent requirements under state privacy law.