Integrative and functional medicine practices sit at a complicated HIPAA compliance intersection. You are likely a covered entity, which means your HIPAA obligations apply across every service you provide, not just the ones that look like conventional medicine. Nutrition counseling, supplement protocols, lifestyle coaching, and functional lab testing can all involve PHI even when they are cash-pay and never billed to insurance, and even when the patient thinks of them as wellness services rather than medical care.
Most compliance guidance is written for conventional practices. The grey areas integrative practices deal with — determining when wellness information is PHI, figuring out which vendors need BAAs, training staff who straddle medical and non-medical roles — are largely unaddressed by generic HIPAA checklists.
The regulatory landscape for integrative medicine
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction, such as a claim or an eligibility check. If your practice submits any claims electronically, even for a portion of your services, you are a covered entity. That status applies to everything you do, not just the services covered by insurance, and it does not switch off for the cash-pay side of the practice.
The services integrative practices offer do not divide neatly into “HIPAA applies” and “HIPAA does not apply” buckets. If your physician orders a functional lab panel for a patient, documents the results in the patient record, and discusses them in a follow-up visit, that is PHI regardless of whether the visit was billed to a payer. If your health coach documents a patient’s nutrition intake and you store it alongside clinical notes, that information is part of the patient’s medical record and subject to the same protections.
The HIPAA Security Rule also applies. It covers any PHI you create, receive, store, or transmit electronically: health history intake forms submitted through your website, wearable data patients share through a patient portal, and functional lab results emailed from a specialty lab all count. Each must be protected under the Security Rule's administrative, physical, and technical safeguards, which include transmission security for anything that arrives or leaves by email.
Where compliance breaks down in integrative settings
Determining what is PHI when services span medical and wellness. The hard cases come up regularly. A patient completes a detailed health history intake that includes current medications, diagnoses, and lifestyle habits, and you use it to build a personalized protocol. Once that lifestyle data is in your system and linked to an identifiable patient, it is PHI; it does not need a diagnosis attached to qualify, and the intake form alone can be PHI. Staff need to understand this, both for their own handling of records and for what they tell patients about how their information is used.
BAA management across a broader vendor set. Integrative practices tend to work with a wider range of vendors than conventional practices: specialty functional labs, telemedicine platforms for remote consults, patient-facing apps for symptom tracking or supplement scheduling, and sometimes health coaches or nutritionists who work as independent contractors. Each of these relationships needs to be assessed for whether a BAA is required. A vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate. An independent contractor whose day-to-day work you directly control can instead be treated as workforce and trained like an employee, while one who works on your behalf outside that control needs a BAA. Missing one is a compliance gap and, if PHI is involved in a breach, a liability.
Patient data from wellness intake forms and wearables. Many integrative practices collect detailed intake data through online forms or patient portals. Patients may submit food logs, symptom diaries, or wearable data through these channels. How that data is stored, who can access it, and how it is transmitted to or from your EHR all fall under HIPAA's Security Rule. If a third-party intake tool stores or transmits that data on your behalf, the vendor is a business associate and you need a BAA with it before patient data flows through the tool.
Staff training across hybrid roles. A front desk employee who also assists with supplement sales has a different data access profile than a clinical assistant. A health coach who reviews clinical notes before patient sessions has different obligations than one who only receives general wellness goals. Training that covers HIPAA basics without addressing the specific situations your staff encounters tends to leave gaps.
Policies for non-covered services. Some integrative practices offer services that may fall outside HIPAA entirely, for example group wellness classes that generate no individual health records. Knowing where the HIPAA line is, and having policies that reflect it, helps your staff make correct decisions in real time rather than guessing.
How PHIGuard addresses these challenges
PHIGuard is task management and compliance tracking built specifically for clinic operations. It handles the ongoing operational work of compliance: training, BAA management, policy acknowledgment, and incident response.
BAA tracking across all vendor relationships. PHIGuard maintains a record of every vendor relationship that involves PHI, the status of the BAA, and renewal dates. When you add a new functional lab or switch patient intake platforms, PHIGuard creates a task to get the BAA executed before patient data moves. Expired or missing agreements surface as open items, not surprises.
Workforce training with role-appropriate scope. PHIGuard lets you assign training tasks by role. Clinical staff, front desk staff, and health coaches can receive training curricula that address the HIPAA questions most relevant to their day-to-day responsibilities. Completion is logged and timestamped. If an auditor asks whether your health coaches received training on handling PHI, you have a record.
Policy management and acknowledgment tracking. Integrative practices often need privacy policies and procedures that are more specific than generic HIPAA templates, particularly around intake data, wearables, and cash-pay services. PHIGuard lets you manage your policy library, distribute updates to staff, and record acknowledgment. When a policy changes, you can require staff to re-acknowledge and track who has done so.
Audit log for every compliance action. Every task completion, document acknowledgment, and incident report in PHIGuard is logged with the user, timestamp, and outcome. If the HHS Office for Civil Rights (OCR) requests documentation of your compliance program, you have a searchable audit trail rather than a filing cabinet.
Incident response when something goes wrong. Misdirected emails, unauthorized access to records, and accidental disclosures happen in every practice. PHIGuard's incident response task templates walk your team through the steps: containment, documentation, the four-factor breach risk assessment, and notification determinations. Working through a defined process under pressure is easier than improvising.
PHIGuard does not provide legal advice about which of your services are covered by HIPAA or how to classify specific data. It ensures your compliance operations — the training, the vendor management, the documentation — run consistently instead of falling behind.
Pricing and next steps
PHIGuard charges per clinic, not per user. Your whole team works in one plan with no per-seat fees.
- Essentials at $99/month covers core compliance task management, BAA tracking, and audit logging for smaller practices.
- Clinic at $249/month adds policy management, incident response workflows, and expanded task library.
- Group at $499/month is built for multi-location integrative practices managing compliance across sites.
Every plan includes a signed BAA with PHIGuard. If a compliance platform refuses to sign a BAA with you, it is not built for medical practices.
Start your free trial or review our HIPAA compliance self-assessment to identify where your practice has gaps today.