HIPAA Compliance FAQ

C2Local works with healthcare, wellness, and health adjacent businesses, including solo practitioners and small practices. Many of these businesses collect sensitive, health related information as part of normal operations. This can include intake forms, appointment notes, messages, or records stored inside marketing and CRM systems.

Even when insurance billing is not involved, health related information often enters digital tools simply through everyday client communication. Most general purpose marketing platforms are not designed with this reality in mind.

Because of that, questions about HIPAA come up frequently. Clients want to understand when it applies, what counts as protected health information, and how their data is handled inside the systems they use.

This page exists to explain, in plain language, how HIPAA relates to modern marketing and automation workflows, and how C2Local approaches data privacy and security by default.

The questions below cover basic HIPAA concepts and explain how those rules intersect with C2Local’s infrastructure, tools, and responsibilities. This page is informational and intended to provide clarity, context, and documentation. It is not legal advice and does not replace guidance from a qualified attorney.

1. What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law designed to protect personal health information (PHI). It sets national standards for how health data must be handled, stored, and shared — particularly by healthcare providers, insurers, and any vendors or contractors who support them.

2. Who needs to be HIPAA compliant?

HIPAA compliance is required for two main groups and may be required for a third:

•  Covered Entities: Doctors, nurses, and licensed healthcare professionals who bill insurance or transmit health data electronically.

•  Business Associates: Vendors, consultants, or service providers (like marketers, software companies, or virtual assistants) who create, receive, or store PHI on behalf of a covered entity.

•  Solo practitioners such as naturopaths, massage therapists, estheticians, or mobile nurses may need to be HIPAA compliant if they collect and store client health information electronically (such as on our platform).

This is a compliance gray zone — with legal risk and liability even if they don't bill insurance.


3. What counts as Protected Health Information (PHI)?

PHI includes any health-related information tied to an identifiable person. For solo practitioners and wellness pros, this can include:

•  Intake form responses about pain, allergies, or medications.

•  Notes or messages about conditions or treatments.

•  Photos or documents tied to a client’s name.

•  Even appointment records or reminders, if linked to health discussions.

If it's health-related and attached to a person’s identity, it’s PHI — and it's subject to HIPAA protections.

4. What if I don’t bill insurance or think HIPAA doesn’t apply to me?

Not billing insurance does not automatically exempt you. If you're collecting health-related information and storing it digitally — even through a form, CRM, or chat message — you could still be handling PHI.

This puts you in a compliance gray zone: HIPAA may not formally apply, but your exposure to privacy risk and liability is real. Many small businesses have unknowingly mishandled sensitive data simply by using non-compliant systems.

5. What has C2Local done about this?

We've built HIPAA compliance into the foundation of our service — so you don’t have to think about it. Every account we create runs on:

•  HIPAA-compliant infrastructure with encryption, access controls, and secure storage

•  Signed Business Associate Agreements (BAAs) with our technology providers

•  Systems configured to properly collect, store, and manage PHI

Whether or not you’re technically required to follow HIPAA, we treat your data — and your clients' privacy — as if you are.

6. What do I need to do?

Very little. We’ve done the heavy lifting for you. To maintain compliance on your end:

•  Only store PHI inside the system we've provided — not on your phone, in email, or in apps that aren't HIPAA-compliant

•  Keep your account access secure — don’t share logins or leave devices unlocked

•  Use the tools we’ve set up — they’re already configured to protect health data

If you’re a covered entity under HIPAA, you may need a BAA in place with anyone who handles PHI on your behalf — including us.

To streamline the process, we’ve created a professional, plain-language BAA starter template. Feel free to have your legal team review or modify it, then send it back to us for signature.

Download the BAA Template Here

Contact

(702) 582-6708

5550 Painted Mirage Road, Suite 320

Las Vegas, NV 89149

Copyright © 2026 C2Local LLC | All Rights Reserved