HIPAA Compliance for Chiropractic Practices: Essential Guide

Chiropractic practices sit in a HIPAA blind spot that catches many owners off guard. Because care is hands-on and often delivered in open, multi-table treatment bays, the privacy risks look nothing like a typical clinic with private exam rooms. Add electronic billing — which is what makes almost every chiropractic office a covered entity in the first place — and you have a practice that creates, stores, and transmits protected health information (PHI) all day, frequently without a dedicated compliance person on staff.

The PHI itself is broader than many chiropractors assume. Treatment and SOAP notes, X-rays and other diagnostic images, insurance and billing records, intake forms describing prior injuries and conditions, and even the appointment schedule visible at the front desk are all PHI. Spinal imaging is a particular concern: films and the software that stores them are electronic PHI (ePHI), and that imaging system is one of the most commonly overlooked components when a practice thinks about security.

Open treatment areas raise unique privacy risks

Because adjustments often happen in shared spaces, conversations about a patient’s condition can be overheard, and screens at reception can be read by the next person in line. HIPAA calls these “incidental disclosures,” and it expects you to apply reasonable safeguards — repositioning monitors, lowering voices, using privacy screens, and keeping sign-in sheets minimal — to keep them to a minimum.

A note on cash-based practices: if your office genuinely never transmits any HIPAA-covered electronic transaction, you may fall outside HIPAA’s definition of a covered entity. That is a narrow exception, and the moment you bill a payer electronically — directly or through a clearinghouse or billing service — you are fully covered. Most practices should assume they are in scope.

The Security Risk Analysis is your starting point

Every covered chiropractic practice must complete a Security Risk Analysis (SRA), the requirement at 45 CFR § 164.308(a)(1)(ii)(A). The SRA is a documented, practice-wide review of where ePHI lives — your EHR, imaging and X-ray system, billing software, email, mobile devices, and any cloud services — and the threats to each. It is not a one-time form; the HHS Office for Civil Rights expects it to be reviewed and updated as your practice changes, and a missing or stale SRA is one of the most frequently cited findings in enforcement actions.

The proposed 2026 Security Rule update

In December 2024, the U.S. Department of Health and Human Services published a Notice of Proposed Rulemaking (NPRM) that would significantly strengthen the HIPAA Security Rule. Among other changes, it would make safeguards that are currently “addressable” — such as encryption and multi-factor authentication — effectively mandatory, and require more rigorous, regularly updated risk analyses. This proposal is not final. If it is finalized as written, organizations would have a 240-day compliance window after the final rule is published. Small practices should treat it as a strong signal of where expectations are heading, not as a current requirement.

How Medcurity helps

Medcurity gives chiropractic practices a guided way to complete and maintain the Security Risk Analysis without hiring a full-time compliance team. The platform walks you through the analysis step by step, documents your safeguards, and keeps everything audit-ready — for $499/year (about $42/month). Larger groups and multi-location organizations can request a quote for tailored pricing. To go deeper, see our HIPAA compliance checklist and our overview of the HIPAA Security Rule requirements.

Frequently asked questions

Are small or solo chiropractic offices exempt from HIPAA?

No. HIPAA has no small-practice exemption. If your office bills payers electronically, you are a covered entity and must comply regardless of how few people work there.

Are chiropractic X-rays and spinal images considered PHI?

Yes. Diagnostic images, and the imaging software and systems that store them, are electronic protected health information and must be included in your Security Risk Analysis.

Does HIPAA apply to a cash-only chiropractic practice?

Only if you never conduct a HIPAA-covered electronic transaction. The moment you submit electronic claims or eligibility checks, directly or through a billing service, you are fully covered.

How often should we redo our Security Risk Analysis?

There is no fixed interval in the rule, but it should be reviewed at least annually and whenever you add systems, change vendors, or experience a security incident.