HIPAA Compliance FAQ

1. What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. federal law whose Privacy and Security Rules protect protected health information (PHI). It sets national standards for how health data must be handled, stored, and shared, particularly by healthcare providers, health plans, and any vendors or contractors who handle that data on their behalf.

2. Who needs to be HIPAA compliant?

HIPAA compliance is required for two groups and may apply to a third:

  • Covered Entities: Health plans, health care clearinghouses, and health care providers (doctors, nurses, clinics, and other licensed professionals) that transmit health information electronically in connection with HIPAA standard transactions, such as insurance claims.
  • Business Associates: Vendors, consultants, or service providers (like marketers, software companies, or virtual assistants) that create, receive, maintain, or transmit PHI on behalf of a covered entity.
  • Solo practitioners such as naturopaths, massage therapists, estheticians, or mobile nurses are not automatically covered entities. Storing client health information electronically (for example on our platform) does not by itself trigger HIPAA; electronically transmitting standard transactions such as insurance claims does.
    Practitioners who do neither still sit in a compliance gray zone: HIPAA may not formally apply, but mishandling that information carries real privacy risk and legal liability even if they never bill insurance.

3. What counts as Protected Health Information (PHI)?

PHI includes any health-related information tied to an identifiable person. For solo practitioners and wellness pros, this can include:

  • Intake form responses about pain, allergies, or medications
  • Notes or messages about conditions or treatments
  • Photos or documents tied to a client’s name
  • Even appointment records or reminders, if linked to health discussions

If it's health-related and attached to a person's identity, treat it as PHI. Strictly, HIPAA's definition of PHI covers such information only when it is held or transmitted by a covered entity or business associate; for anyone else the same data is still sensitive health information, and the safest course is to protect it to the same standard.

4. What if I don’t bill insurance or think HIPAA doesn’t apply to me?

Not billing insurance does not automatically exempt you. If you're collecting health-related information and storing it digitally — even through a form, CRM, or chat message — you could still be handling PHI.

This puts you in a compliance gray zone: HIPAA may not formally apply, but your exposure to privacy risk and liability is real. Many small businesses have unknowingly mishandled sensitive data simply by using non-compliant systems.

5. What has C2Local done about this?

We've built HIPAA compliance into the foundation of our service — so you don’t have to think about it. Every account we create runs on:

  • HIPAA-compliant infrastructure with encryption, access controls, and secure storage
  • Signed Business Associate Agreements (BAAs) with our technology providers
  • Systems configured to properly collect, store, and manage PHI

Whether or not you’re technically required to follow HIPAA, we treat your data — and your clients' privacy — as if you are.

6. What do I need to do?

Very little. We’ve done the heavy lifting for you. To maintain compliance on your end:

  • Only store PHI inside the system we've provided — not on your phone, in email, or in apps that aren't HIPAA-compliant
  • Keep your account access secure — don’t share logins or leave devices unlocked
  • Use the tools we’ve set up — they’re already configured to protect health data

If you’re a covered entity under HIPAA, you must have a BAA in place with any business associate that creates, receives, maintains, or transmits PHI on your behalf, including us.

To streamline the process, we’ve created a professional, plain-language BAA starter template. Have your legal team review it and modify it if needed, then send it back to us for signature.

Download the BAA Template Here

Copyright © 2025 C2Local All Rights Reserved