What's a Business Associate Agreement and who needs one?

A BAA is a contract you sign with any vendor that creates, receives, maintains, or transmits PHI on your behalf — your EHR, your email host, your telehealth platform, your cloud backup. If a vendor cannot provide a signed BAA, they cannot legally hold PHI for you.

Anything California-specific I need beyond HIPAA?

Yes — California Confidentiality of Medical Information Act (CMIA) is stricter than HIPAA in several places, plus CA AB-2013 (AI disclosure) and CCPA/CPRA apply if you hit revenue/data thresholds. California Acupuncture Board (CAB) requires 7-year record retention. CA AB-2018 (2024) clarified that L.Ac. herbal formula recommendations DO produce PHI when linked to an identified patient — closes a prior gray area.

2026 Operator Guide · L.Ac. · Licensed Acupuncturist · Encinitas · Cardiff · Carlsbad · San Diego County

HIPAA for Acupuncturists in Private Practice

Q: Do I have to be HIPAA compliant as a private-practice acupuncturist?

Yes if you bill insurance electronically (workers comp, auto med-pay, commercial plans), use any EHR, store SOAP notes or herbal formula records digitally, email patients, or photograph treatment areas (cupping marks, skin conditions) and send to patients. Cash-only paper-only acupuncturists may fall outside scope but very few NCSD L.Ac. operate that way in 2026.

Q: What's the cheapest HIPAA-compliant stack for a solo acupuncture practice?

~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email (Paubox or Hushmail Pro ~$10-13/mo or Google Workspace with BAA) + signed BAAs with every vendor that touches PHI. Telehealth tier if you do telehealth. Total ~$80-150/mo for a solo full-stack.

Q: What gets a small acupuncture practice fined the fastest?

Three things, in order: (1) Texting clients from a personal phone without a BAA-eligible texting service, (2) Sending PHI from a Gmail account that's not Google Workspace with a signed BAA, and (3) Using consumer Zoom or FaceTime for telehealth instead of HIPAA tiers. OCR fines for small practices in 2024-2026 have ranged from $25K to $250K for these patterns.

Q: Do I need a Notice of Privacy Practices?

Yes — every HIPAA Covered Entity must provide a Notice of Privacy Practices (NPP) to each new client and post it on your practice website if you have one. Free template at hhs.gov/sites/default/files/ocr/privacy/hipaa/modelnotices/healthplan-A.pdf. Most EHRs auto-generate one in their intake flow.

Q: Is the OCR really fining small acupuncture practices?

Yes. The OCR publicly enforces HIPAA against small and solo practices, not just big hospital systems. The public enforcement portal at HHS OCR shows the names, dates, and dollar amounts.

Operator-honest answers from a working SEO/AI shop in Encinitas to the questions acupuncturists actually ask: when you have to be HIPAA compliant, what to fix this week, what it costs, and which mistakes the OCR fines the fastest. California Acupuncture Board (CAB) aligned. No fluff, no scare tactics, no $5K "compliance package" upsell.

Skip to: Fix-This-Week Checklist → $250 Operator Audit (3-5 day signal-quality report)

What's in this page 1 · Do I actually need to be HIPAA compliant? 2 · Acupuncturists-specific risk patterns 3 · The minimum-viable HIPAA stack ($80-150/mo) 4 · The fix-this-week checklist (6 items · <3 hours) 5 · The 3 things that get small practices fined the fastest 6 · California layer (CMIA + AB-2013 + CCPA) + California Acupuncture Board (CAB) 7 · Vendor cheatsheet · who signs BAAs cleanly 8 · How SideGuy helps (if you want help) 9 · FAQ

1 · Do I actually need to be HIPAA compliant?

Short answer: yes, in 2026, almost certainly.

You are a HIPAA Covered Entity the moment any one of these is true:

You bill insurance — Medicare, Medi-Cal, commercial, workers comp — through electronic claims.
You use any cloud-based EHR or scheduling system.
You email or text a client anything identifying them as your client.
You use a patient portal for forms, payments, or messaging.
You store notes, intake forms, or treatment plans in cloud software.

Operator translation: if you are running anything besides a 100% cash, paper-records, phone-call-only acupuncture practice in 2026, you're inside HIPAA scope.

2 · Acupuncturists-specific risk patterns

Acupuncturists-specific risk: Most California acupuncturists bill insurance (workers comp, auto med-pay, some commercial plans), use SOAP-note EHRs, and now offer cupping/herb-formula adjuncts that produce additional PHI. Herbal formula records tied to specific patient conditions are PHI. Photo documentation of cupping marks emailed to patients = PHI.

Acupuncturists-specific vendor notes

Acupuncture-specific HIPAA EHRs that sign BAAs: AcuSimple, Unified Practice, Jane (multi-specialty), TCM Practice Manager. Generic SimplePractice works fine for solo L.Ac. For herb-formula management: Caldera Pro, EZ Herb (both sign BAAs).

3 · The minimum-viable HIPAA stack ($80-150/mo)

This is the stack most solo and 2-3 clinician acupuncture practices in 2026 actually run:

Layer	Vendor (one of)	Cost / mo	BAA included?
EHR + Notes + Billing	See vendor cheatsheet below	$49-$99	Yes (auto on signup for paid plans)
HIPAA Email	Paubox · Hushmail · Google Workspace + BAA	$10-$25	Yes (Google requires active BAA sign)
Telehealth (if used)	EHR-integrated · Doxy.me · Zoom for Healthcare	$0-$25	Yes — NOT consumer Zoom
Texting / SMS	Spruce · OhMD · EHR portal	$15-$30	Yes
Cloud backup (optional)	Google Workspace · Box for Healthcare	$0-$15	Yes (active BAA required)
Total · solo practice	—	$80-$150/mo	—

Signal: the most common over-spend we see is paying $5K-$20K for a one-time "HIPAA compliance package" or a $300+/mo "compliance platform". For a solo acupuncture practice without 50+ employees, you do not need that. You need 6 contracts, 4 settings, 2 documents, and an annual re-check.

4 · The fix-this-week checklist (6 items · <3 hours)

1. Stop using personal email / consumer Zoom / personal text messages

30 min. Anything sent from yourname@gmail.com with a client's first name + appointment is a HIPAA breach. Upgrade to Google Workspace + BAA, Paubox, or Hushmail. Same for Zoom — switch to Zoom for Healthcare or use your EHR telehealth.

2. Sign BAAs with every vendor that touches PHI

45 min. Make a folder (Drive folder works). Save signed BAA from EHR, email host, telehealth, scheduling, billing service, cloud backup. If a vendor cannot give you a BAA, they cannot legally hold PHI.

3. Publish a Notice of Privacy Practices

20 min. Most EHRs auto-include this in intake flow. If yours doesn't, use the HHS template at hhs.gov · Model NPP. Every new client signs that they received it.

4. Configure 2FA on every account that touches PHI

20 min. EHR · email · cloud storage · password manager. Use authenticator app (Authy · 1Password), not SMS where possible.

5. Encrypt your laptop and phone

10 min. Mac: System Settings → Privacy & Security → FileVault → On. iPhone: 6+ digit passcode auto-encrypts. This converts a stolen laptop from "reportable HIPAA breach" to "stolen laptop" (OCR safe harbor).

6. Write a one-page HIPAA Security Risk Assessment (SRA)

45 min. Required by HIPAA Security Rule. Solo practice = one-page is defensible. Free HHS interactive tool: healthit.gov SRA Tool. Re-do once a year.

5 · The 3 things that get small practices fined the fastest

Pattern	Typical fine range	How to avoid
1. Texting clients from a personal phone	$25K-$100K	Spruce, OhMD, or EHR portal
2. Sending PHI from Gmail (not Workspace + BAA)	$50K-$250K	Workspace + BAA, Paubox, or Hushmail
3. Consumer Zoom or FaceTime for telehealth	$50K-$150K	Zoom for Healthcare or Doxy.me or EHR telehealth
4. No Notice of Privacy Practices on file	$10K-$50K	HHS template + EHR intake flow
5. Lost / stolen unencrypted laptop with PHI	$50K-$300K	FileVault / BitLocker · 10 min one-time

6 · California layer (CMIA + AB-2013 + CCPA) + California Acupuncture Board (CAB)

CMIA · California Confidentiality of Medical Information Act — broader than HIPAA in some areas. Civil penalties up to $25K per violation + actual damages.
CA AB-2013 (AI Disclosure) — disclose AI use in your Notice of Privacy Practices (conservative posture).
CCPA / CPRA — applies if you hit thresholds (~$25M revenue OR 100K+ consumers). Most solo practices fall below.
CA breach notification — 72 hours written notification for breaches affecting 500+ records (stricter than HIPAA's 60 days).
California Acupuncture Board (CAB)-specific — California Acupuncture Board (CAB) requires 7-year record retention. CA AB-2018 (2024) clarified that L.Ac. herbal formula recommendations DO produce PHI when linked to an identified patient — closes a prior gray area.

7 · Vendor cheatsheet · who signs BAAs cleanly

Acupuncturists-specific vendor notes

Category	Vendor	BAA process
Email	Google Workspace	Self-serve in admin console · MUST sign actively
Email	Paubox	Auto with subscription · encrypts outbound by default
Email	Hushmail for Healthcare	Auto with subscription · cheap solo tier
Telehealth	Doxy.me	Auto with any tier · including free
Telehealth	Zoom for Healthcare	Active BAA setup required · consumer Zoom is NOT compliant
Texting	Spruce	Auto with subscription · HIPAA-eligible 2-way SMS
Cloud storage	Google Workspace Drive	Auto if Workspace BAA signed · personal Drive is NOT
Cloud storage	Dropbox HIPAA	Auto with Business plan + BAA · sign actively

8 · How SideGuy helps (if you want help)

SideGuy is a one-operator AI + SEO + compliance shop in Encinitas, CA. For private-practice acupuncturists:

Tier	Price	What
SideGuy Hour	$150 one-time	One hour, async-friendly · walk your stack · 2-3 gaps that matter · written one-page fix-list
Operator Audit	$250 one-time	3-5 day signal-quality audit · full setup · written PDF + 30-min walkthrough
Practice Compliance Sprint	$2,000 one-time	10 days · audit + cleanup + missing-document drafts + vendor migrations + re-usable annual SRA

5-min Self-Serve Worksheet (no meeting required) $250 Operator Audit Detail →

9 · FAQ

Do I have to be HIPAA compliant as a private-practice acupuncturist?

Yes if you bill insurance electronically (workers comp, auto med-pay, commercial plans), use any EHR, store SOAP notes or herbal formula records digitally, email patients, or photograph treatment areas (cupping marks, skin conditions) and send to patients. Cash-only paper-only acupuncturists may fall outside scope but very few NCSD L.Ac. operate that way in 2026.

What's the cheapest HIPAA-compliant stack for a solo acupuncture practice?

~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email + signed BAAs. Add telehealth tier if you do telehealth.

What gets a small acupuncture practice fined the fastest?

Texting clients from a personal phone, sending PHI from non-Workspace Gmail, and consumer Zoom for telehealth. OCR fines $25K-$250K.

Do I need a Notice of Privacy Practices?

Yes. Free HHS template. Most EHRs auto-generate one. Every new client signs that they received it.

What's a Business Associate Agreement?

A contract with any vendor that touches your PHI. If a vendor cannot provide one, they cannot legally hold PHI for you.

Is the OCR really fining small acupuncture practices?

Yes. HHS OCR Breach Reports portal shows names, dates, and dollar amounts publicly.

Anything California-specific?

Yes — CMIA, CA AB-2013 AI disclosure, CCPA if you hit thresholds, and California Acupuncture Board (CAB) record-keeping rules. California Acupuncture Board (CAB) requires 7-year record retention. CA AB-2018 (2024) clarified that L.Ac. herbal formula recommendations DO produce PHI when linked to an identified patient — closes a prior gray area.

Can I use ChatGPT / Claude / AI for note-taking?

Only with a signed BAA from the AI vendor. Anthropic offers BAAs for Claude Enterprise. OpenAI for ChatGPT Enterprise. Google for Gemini through Workspace. Free / consumer tiers do NOT come with BAAs.

Related operator pages

Not legal advice. Operator-grade reference written by working SEO/AI operators in Encinitas, CA. Not attorneys. For licensure-specific or breach-specific questions consult a healthcare attorney. HHS OCR is the federal HIPAA enforcement authority. California enforces CMIA + state-board rules.