Is Practice Fusion HIPAA Compliant? What Small Clinics Must Know
What small clinics must know about Practice Fusion's BAA, ONC certification, covered entity responsibilities, and the 2020 DOJ settlement — which was a separate business practice issue, not a HIPAA violation, but relevant context for due diligence.
Short answer
Yes, with important context. Practice Fusion executes BAAs with covered entities and is ONC-certified for its EHR modules, giving it the compliance foundation required for healthcare use. It operates as a cloud-based EHR with a freemium and subscription model suited to small practices. The covered entity retains the standard HIPAA shared-responsibility obligations for configuration, access management, and training. The most important context for a covered entity evaluating Practice Fusion is the 2020 DOJ settlement: it involved business practices rather than PHI handling, but it is the kind of vendor history a diligent privacy officer should understand before signing a long-term agreement.
What Practice Fusion is
Practice Fusion is a cloud-based electronic health record designed for small and independent medical practices. It was founded in 2005 and built the early part of its growth on a free-to-physicians model funded by advertising and pharmaceutical partnerships — a model that eventually contributed to the compliance and legal issues described below.
The platform includes clinical documentation, e-prescribing, lab and imaging order management, a patient portal, and practice management features. For small practices that don’t need the scale and complexity of Epic or athenahealth, Practice Fusion has historically offered an accessible entry point with lower upfront cost.
The compliance foundation: BAA and ONC certification
BAA availability: Practice Fusion executes BAAs with covered entities. If you are using or evaluating Practice Fusion, confirm that your agreement includes a BAA and that the BAA is executed with the current operating entity — Veradigm, following the Allscripts acquisition. An older BAA executed with Practice Fusion as a standalone entity should be reviewed and updated to reflect the current corporate structure.
ONC certification: Practice Fusion’s EHR has been certified under the ONC Health IT Certification Program. ONC certification confirms the EHR meets technical standards for health information exchange, patient access, and clinical quality reporting. Verify the current certification status for the specific modules you use through the ONC CHPL (Certified Health IT Product List) at the verification date — certification must be actively maintained.
Encrypted cloud hosting: Practice Fusion is a cloud-hosted platform. Data at rest and in transit is encrypted. Physical safeguard responsibilities for the hosting infrastructure are Practice Fusion’s, while the covered entity remains responsible for device and network security at the clinic.
Audit logging: The platform maintains audit logs of user access to patient records. These logs are available to covered entities for compliance review.
The 2020 DOJ settlement: what it was and what it was not
In January 2020, Practice Fusion Inc. agreed to pay $145 million to resolve a U.S. Department of Justice investigation. The settlement resolved both criminal and civil charges.
What the settlement involved: The DOJ alleged that Practice Fusion entered into arrangements with pharmaceutical companies in which those companies paid Practice Fusion to influence the design of clinical decision support alerts — specifically, to create and display alerts that nudged physicians toward prescribing opioid medications in patterns aligned with the pharmaceutical company’s business interests. The DOJ charged this as a violation of the Anti-Kickback Statute and related laws governing healthcare business practices.
What the settlement did not involve: The settlement was not a HIPAA enforcement action. It did not involve unauthorized disclosure of PHI, a breach of patient records, or failure to maintain required safeguards. Practice Fusion’s HIPAA compliance posture — its BAA execution, encryption practices, and audit logging — was not the subject of the DOJ investigation.
Why it matters for vendor due diligence: A company that entered into arrangements designed to influence clinical decision-making for financial benefit has demonstrated a willingness to compromise clinical independence for revenue. That history does not mean Practice Fusion is currently engaged in similar practices, and Veradigm’s ownership may represent a different corporate governance posture. But a covered entity conducting diligent vendor evaluation should understand this history and satisfy itself that the business practices that led to the DOJ settlement have been addressed under the current ownership and management.
Specific questions a privacy officer might ask Practice Fusion/Veradigm during vendor evaluation:
- What governance changes were implemented following the DOJ settlement?
- Are there currently any pharmaceutical, insurance, or other third-party financial arrangements that influence clinical decision support content in the platform?
- How is clinical decision support content curated and by whom?
These are not HIPAA compliance questions per se. They are vendor due diligence questions that any diligent practice administrator should ask of a vendor with this history.
Corporate structure and contract currency
Practice Fusion was acquired by Allscripts Healthcare Solutions in 2018 for approximately $100 million. Allscripts subsequently rebranded its commercial organization as Veradigm. As of the verification date, Practice Fusion operates under the Veradigm umbrella.
For practices with agreements executed with Practice Fusion as a standalone entity, review the following:
- BAA contracting entity: Confirm whether your BAA names Practice Fusion Inc., Allscripts, or Veradigm as the business associate. Request a BAA review and update to reflect the current operating entity if needed.
- Customer agreement terms: Confirm that your broader customer agreement, beyond the BAA, is current and reflects the current entity. Vendor acquisitions can create situations where service terms have effectively changed without formal amendment.
- Data portability provisions: Understand what your options are for data export if you need to transition EHR vendors. This is particularly important in the context of a vendor that has been through multiple ownership changes.
Covered entity responsibilities: the standard shared responsibility model
Using Practice Fusion does not transfer your HIPAA compliance obligations to Practice Fusion. The practice retains:
User access management: Create individual accounts for each staff member. Assign access roles appropriate to job function. Disable access immediately when staff leave.
Audit log review: Review Practice Fusion’s access reports on a regular schedule. Document those reviews. Identify and investigate unusual access patterns.
Incident response: Have a documented process for responding to potential PHI incidents involving Practice Fusion — unauthorized access, potential breaches, or security questions. Know how to contact Practice Fusion’s support and compliance teams.
Workforce training: Train staff on HIPAA privacy and security requirements, including how to use Practice Fusion appropriately and how to report concerns.
Device and network security: Secure the devices staff use to access Practice Fusion. Enforce screen lock policies. Restrict access from unsecured public networks.
Alternative EHR options for small practices
If your evaluation of Practice Fusion’s history raises concerns, there are alternatives designed for small practices with cleaner compliance histories. See best HIPAA-compliant EHR systems for small clinics for a comparison that includes Practice Fusion alongside Kareo, DrChrono, eClinicalWorks, and SimplePractice.
Managing vendor relationships in your compliance program
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- Practice Fusion Privacy Policy | Practice Fusion / Veradigm
- ONC Health IT Certification Program — CHPL | ONC / HHS
- DOJ Press Release: Practice Fusion Inc. Agrees to Pay $145 Million to Resolve Criminal and Civil Investigations | U.S. Department of Justice
- HHS Guidance on Business Associates | HHS