Every IBCLC in private practice knows they need to be "HIPAA compliant." Very few know what that actually means in practice. The result is either anxiety-driven paralysis (afraid to text a patient, unsure if they can email a growth chart) or head-in-the-sand avoidance (using iMessage for patient communication and hoping nobody notices).
Neither is necessary. HIPAA compliance for a small lactation practice is manageable. Here's what you actually need to do, and what you can skip.
Do I Even Need to Comply with HIPAA?
Almost certainly yes. Technically, HIPAA's covered entity definition requires that a healthcare provider transmit health information electronically in connection with a standard transaction - meaning electronic claims, eligibility inquiries, referral authorizations, and similar payer-related transactions. If you are strictly cash-pay and never submit electronic claims or conduct other HIPAA-standard transactions with insurers, you may not be a covered entity under the strict legal definition.
However: Most experts strongly recommend HIPAA-level compliance for all healthcare providers regardless, and many state privacy laws impose similar obligations. If you bill any insurance, submit electronic claims, conduct eligibility checks, or plan to in the future - you are unambiguously covered. And even cash-pay IBCLCs handle sensitive health information that deserves the same level of protection.
The good news: HIPAA doesn't require you to build a Fort Knox-level security infrastructure. The regulations scale to the size and complexity of your practice. What's reasonable for a 200-bed hospital is not what's expected of a solo IBCLC.
The Three HIPAA Rules That Matter
HIPAA has a lot of provisions, but three rules cover 95% of what you need to worry about.
1. The Privacy Rule
What it requires: Protect the confidentiality of Protected Health Information (PHI). PHI is any individually identifiable health information - patient names, addresses, dates of birth, diagnoses, treatment records, photos, and anything else that could identify a specific patient.
What this means for you:
- Don't share patient information without authorization. You can share PHI with the patient themselves, with other providers involved in their care (treatment), for payment activities, and for healthcare operations. Everything else requires written patient authorization.
- Minimum necessary standard. When sharing PHI, share only the minimum amount needed for the purpose. If a pediatrician asks how a baby is feeding, you don't need to send your entire chart - a summary of the feeding assessment and plan is sufficient.
- Patient rights. Patients have the right to access their records (you must respond within 30 calendar days of the request under 45 CFR 164.524, with one possible 30-day extension), request corrections, and know who you've shared their information with. You need a process for handling these requests.
- Notice of Privacy Practices (NPP). You must provide patients with a written notice explaining how you use and protect their health information. This can be a simple one-page document that patients sign at their first visit. Templates are widely available online.
2. The Security Rule
What it requires: Protect electronic PHI (ePHI) through administrative, physical, and technical safeguards. This is the rule most IBCLCs worry about - and it's more straightforward than it sounds.
Administrative safeguards (policies and procedures):
- Risk assessment. Identify where your ePHI lives and what threats exist. For a solo IBCLC, this is a simple inventory: "Patient records are in my EHR (encrypted, cloud-based, BAA in place). I access them on my laptop (password-protected, encrypted drive). I communicate with patients through my EHR's messaging (encrypted, HIPAA-compliant)." You don't need a 50-page document - a one-page risk assessment is appropriate for a solo practice.
- Workforce training. If you have employees or contractors (an office manager, a billing assistant, an intern), they need basic HIPAA training. If it's just you, this requirement is satisfied by your own knowledge.
- Incident response plan. Know what to do if patient data is ever compromised. (See the Breach Notification section below.)
Physical safeguards:
- Device security. Lock your laptop when you step away. Don't leave your tablet in your car. Use a privacy screen if you chart in public spaces like coffee shops.
- Workstation security. If you have a home office where you chart, take reasonable precautions - lock the door, don't let family members use your work devices.
Technical safeguards:
- Access controls. Unique username and password for every system that contains ePHI. No shared logins.
- Encryption. ePHI should be encrypted in transit (HTTPS, TLS) and at rest (encrypted hard drives, encrypted databases). Under the current Security Rule, encryption is technically an "addressable" specification - meaning you must either implement it or document why an equivalent alternative is appropriate. In practice, encryption is effectively required for any modern practice, and HHS has proposed making it mandatory. If your EHR is cloud-based and HIPAA-compliant, it handles most of this for you.
- Audit logs. Your EHR should log who accessed what and when. This is a system feature, not something you manage manually.
- Automatic logoff. Set your devices to auto-lock after a period of inactivity.
3. The Breach Notification Rule
What it requires: If unsecured PHI is accessed, used, or disclosed in a way not permitted by the Privacy Rule, you must:
- Notify affected patients without unreasonable delay and in no case later than 60 days after discovering the breach (45 CFR 164.404)
- Notify HHS (Department of Health and Human Services) (45 CFR 164.408) - if the breach affects fewer than 500 individuals, you log it and report it within 60 days of the end of the calendar year in which it was discovered; if 500 or more individuals are affected, you must notify HHS contemporaneously with patient notification (no later than 60 days after discovery)
- Notify prominent media outlets (45 CFR 164.406) - this is a separate trigger that applies only if the breach affects more than 500 residents of a single state or jurisdiction; the deadline is also no later than 60 days after discovery
- Document the breach - what happened, what data was involved, what corrective actions you took
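As an added worked example (not from the original page or NuBloom's own software), the following Python encodes the deadlines and thresholds above so a practitioner can check which notifications a given incident triggers and by when; the incident figures in the docstring are constructed, and the encrypted-data shortcut follows the page's note that encrypted PHI is not a reportable breach.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Deadlines and thresholds as summarised on this page
# (45 CFR 164.404, 164.406, 164.408).
OUTER_LIMIT = timedelta(days=60)   # "no later than 60 days after discovery"
HHS_LARGE_BREACH = 500             # 500 or more individuals: notify HHS now
MEDIA_STATE_THRESHOLD = 500        # more than 500 residents of one state: media


@dataclass
class Obligations:
    patients_by: date | None = None
    hhs_by: date | None = None
    media_by: dict[str, date] = field(default_factory=dict)
    notes: list[str] = field(default_factory=list)


def breach_obligations(discovered_iso: str, affected: int,
                       residents_by_state: dict[str, int],
                       unsecured: bool = True) -> Obligations:
    """Who must be told, and by when, for one breach discovered on
    discovered_iso (e.g. "2024-03-10"), affecting `affected` people, with
    constructed per-state counts such as {"TX": 700}. unsecured=False
    models PHI that was encrypted, which is not a reportable breach."""
    ob = Obligations()
    if not unsecured:
        ob.notes.append("PHI was encrypted: no notification required; "
                        "still document the incident internally")
        return ob
    if sum(residents_by_state.values()) > affected:
        raise ValueError("per-state counts exceed total affected")
    discovered = date.fromisoformat(discovered_iso)
    outer = discovered + OUTER_LIMIT
    ob.patients_by = outer                     # 164.404: every affected patient
    if affected >= HHS_LARGE_BREACH:           # 164.408: HHS contemporaneously
        ob.hhs_by = outer
    else:                                      # otherwise log it and report
        ob.hhs_by = date(discovered.year, 12, 31) + OUTER_LIMIT
        ob.notes.append("fewer than 500 affected: report to HHS in the annual log")
    for state, n in residents_by_state.items():   # 164.406: media per state
        if n > MEDIA_STATE_THRESHOLD:
            ob.media_by[state] = outer
    ob.notes.append("document what happened, the data involved, and corrective actions")
    return ob
```

Note that a state with exactly 500 affected residents does not trigger the media notice, while a breach of exactly 500 individuals does trigger immediate HHS notification.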
Common breach scenarios for solo IBCLCs:
- Your laptop is stolen with unencrypted patient data (this is why encryption matters - if the data is encrypted, it's not a reportable breach)
- You accidentally send a patient's chart to the wrong email address
- You discuss a patient by name in a Facebook group
Prevention is easier than notification. Encrypt your devices, use HIPAA-compliant communication channels, and never discuss identifiable patient information on social media - even in "private" professional groups.
Business Associate Agreements (BAAs)
This is the most commonly overlooked HIPAA requirement for small practices.
A Business Associate is any vendor that creates, receives, stores, or transmits PHI on your behalf. You must have a signed Business Associate Agreement (BAA) with each one. The BAA is a legal contract that requires the vendor to protect PHI and comply with HIPAA.
Vendors that require BAAs:
| Vendor Type | Examples | BAA Needed? |
|---|---|---|
| Practice management / EHR software | NuBloom, Jane, SimplePractice | Yes |
| Email provider (if used for patient communication) | Google Workspace, Microsoft 365 | Yes (if you email PHI) |
| Cloud storage (if used for patient files) | Google Drive, Dropbox | Yes (if you store PHI) |
| Payment processor | Square (HIPAA-enabled features), others that store PHI | Yes (if PHI is transmitted - note that some processors like Stripe do not sign BAAs, so avoid sending PHI through them) |
| Messaging platform | Your EHR's messaging, secure messaging apps | Yes |
| Phone/SMS provider (if used for patient communication) | Twilio, Spruce | Yes |
| Billing service (if you outsource) | Any third-party billing company | Yes |
| Telehealth platform | Zoom for Healthcare, Doxy.me | Yes |
| Appointment scheduling (if separate from EHR) | Calendly, Acuity | Yes (if it captures PHI) |
| IT support (if they access your systems) | Any managed IT provider | Yes |
Vendors that do NOT require BAAs:
- Your internet service provider
- Phone carrier (for voice calls - not texts containing PHI)
- Cleaning service for your office
- Payment processor for non-health-related transactions
How to get a BAA: Most healthcare-focused software vendors provide BAAs as part of their service. Look for "HIPAA" or "BAA" on their pricing or security page. If a vendor won't sign a BAA, they're not appropriate for handling PHI - find an alternative.
NuBloom provides a BAA with every account. So do major healthcare platforms. If a software company you're evaluating doesn't mention HIPAA compliance or BAAs anywhere, that's a red flag.
What You Can and Can't Use for Patient Communication
This is where most solo IBCLCs run into trouble. You're used to texting and emailing - but are those HIPAA-compliant?
Texting
Regular SMS (iMessage, Android Messages): No. Standard text messages are not encrypted end-to-end in a way that satisfies HIPAA. Even iMessage, which is encrypted, doesn't meet HIPAA requirements because Apple won't sign a BAA and you can't audit or control message retention.
HIPAA-compliant messaging through your EHR: Yes. This is the correct approach. Use your practice management system's built-in messaging feature. Patients receive a notification (email or SMS) that they have a new message, then log into the patient portal to read it. The message content stays within the HIPAA-compliant system.
What if a patient texts you? You can't control what patients do. If a patient texts you with a clinical question, respond with a brief acknowledgment and direct them to your secure messaging system: "Got your message! Please send clinical questions through the patient portal so we can keep your health information secure. Here's the link."
Regular email (Gmail, Outlook, Yahoo): Not recommended for PHI. While most major email providers now use TLS encryption in transit, the real compliance gaps are that personal email providers won't sign a BAA, you can't control message retention or audit access, and patients may reply from insecure providers - creating an unprotected chain of PHI.
Google Workspace or Microsoft 365 with BAA: Acceptable if configured with encryption and you're only sending PHI to the patient directly. But it's still risky - patients reply from insecure email providers, creating a chain of unprotected PHI.
Best practice: Use your EHR's messaging for clinical communication. Use email for non-PHI communication - appointment reminders (without clinical details), general practice announcements, billing inquiries (without health information).
Phone Calls
Regular phone calls: Yes, generally fine. HHS guidance on audio-only telehealth confirms that voice calls over a traditional landline are not electronic transmissions of PHI under the Security Rule, and the Privacy Rule's reasonable-safeguards standard still applies to all calls (landline, mobile, or VoIP). You can discuss patient care over the phone. Just be mindful of your surroundings - don't discuss patients by name on speakerphone in a public place. If you use a VoIP system, the underlying Security Rule does apply, so use a HIPAA-compliant phone service and get a BAA from the provider.
Telehealth Video
Regular Zoom, FaceTime, Google Meet: No (outside of the COVID-era enforcement discretion, which has expired). Telehealth-specific platforms with BAAs: Yes - Zoom for Healthcare, Doxy.me, and many EHR-integrated video features.
The Minimum Viable HIPAA Checklist
Here's what a solo IBCLC needs to be compliant, distilled to the essentials:
- Use a HIPAA-compliant practice management system with a signed BAA (handles EHR, messaging, scheduling, billing)
- Encrypt your devices - enable FileVault on Mac, BitLocker on Windows, device encryption on tablets
- Use strong, unique passwords on all systems containing PHI - use a password manager
- Enable two-factor authentication (2FA/MFA) on your EHR, email, and any system with PHI access
- Set up automatic screen lock - 5 minutes or less on all devices
- Complete a risk assessment - one-page document listing where PHI lives and how it's protected
- Create a Notice of Privacy Practices - one-page document for patients to sign
- Have BAAs in place with every vendor that touches PHI
- Don't text, email, or message PHI through non-compliant channels
- Know your breach notification obligations - who to notify, when, and how
- Train any staff or interns on basic HIPAA practices
- Back up your data - your EHR should handle this automatically
That's it. You don't need a compliance officer, a 100-page policy manual, or a $5,000 consultant. You need a secure system, basic security hygiene, and BAAs with your vendors. If you're just getting started, our Starting Your IBCLC Private Practice guide covers the full business setup, and our IBCLC Billing Guide covers CPT codes and superbills.
Common HIPAA Mistakes in Lactation Practice
Texting patients about clinical matters. The most common violation. "Baby's weight looks great! Keep doing what you're doing" seems harmless, but it's PHI in an insecure channel.
Posting patient photos on social media. Even with face blurred, if any identifying details are visible (hospital bracelet, location, unique physical features), it's a potential violation. Always get explicit written consent - and even then, think twice.
Sharing patient stories in professional Facebook groups. "I had a mom today with XYZ" - even without using the name, if enough details are included for someone to identify the patient, it's a violation. This is especially risky in small communities where IBCLC groups overlap with the patient's social circle.
Using personal devices without encryption. Your phone, laptop, and tablet need device-level encryption enabled. If an unencrypted device with patient data is lost or stolen, that's a reportable breach.
Not having BAAs. Using Google Drive to store patient charts without a Google Workspace BAA, or using Calendly to schedule appointments that capture health information without a BAA - these are technical violations even if no breach occurs.
Sending detailed appointment reminders. "Reminder: your lactation consultation re: nipple pain and low supply is tomorrow at 10 AM" - this is PHI in an insecure channel. Keep reminders generic: "Reminder: your appointment with [practice name] is tomorrow at 10 AM."
Your Software Does Most of the Heavy Lifting
The single biggest thing you can do for HIPAA compliance is pick a practice management system that's already compliant. A good one handles most of the technical safeguards for you:
- Encryption at rest and in transit - your data is encrypted in the database and during transmission
- Access controls and audit logs - the system tracks who accessed what
- Automatic backups - your data is backed up and recoverable
- Secure messaging - patient communication stays within the encrypted system
- BAA provided - the vendor contractually agrees to protect your PHI
When evaluating software, ask:
- Do you provide a signed BAA?
- Is data encrypted at rest and in transit?
- Where is data stored? (US-based data centers for US providers)
- Do you maintain audit logs?
- What happens to my data if I cancel?
- Do you have SOC 2 or HITRUST certification? (Nice to have, not required for small practices)
We cover pricing, features, and compliance for 8 tools in our practice management software comparison.
For documentation best practices while staying HIPAA-compliant during home visits, see our Home Visit Documentation guide.
NuBloom provides a BAA with every account, encrypts all data at rest and in transit, and includes secure patient messaging. No PHI in SMS or email.
Sources
- HHS HIPAA for Professionals — main HIPAA compliance hub
- HHS HIPAA Security Rule — ePHI safeguard requirements
- HHS Breach Notification Rule — reporting obligations
- HHS Business Associate Guidance — BAA requirements and definitions
- HHS Right of Access (45 CFR 164.524) — patient records access right and the 30-day deadline
- HHS Audio-Only Telehealth Guidance — voice call and VoIP applicability
NuBloom is HIPAA-compliant practice management for lactation consultants. Encrypted data, signed BAA, secure messaging, audit trails. Try it free.