Most independent doulas are not HIPAA covered entities, so HIPAA usually does not bind them directly. You become subject to it only when you bill insurance or Medicaid electronically, sign a business associate agreement with a hospital or agency, or work for a covered entity. Whether or not HIPAA applies to you, protecting your client's privacy is your job.
Key Takeaways
- HIPAA is a 1996 law that governs how health plans, clearinghouses, and providers who bill electronically handle protected health information. It was not written to govern everyone who hears something private.
- An independent doula paid directly by families, billing no insurance electronically and keeping no shared medical records, is almost certainly not a HIPAA covered entity.
- Billing Medicaid electronically, signing a business associate agreement with a hospital or agency, or being employed by a hospital doula program can pull a doula under HIPAA.
- Not being covered by HIPAA does not shield a doula from lawsuits, contract breaches, or ethics violations for sharing client information without consent.
- The special HIPAA protections for reproductive health information added in 2024 were vacated nationwide in June 2025 and are not currently in force.
What is HIPAA, and who was it written for?
HIPAA is the Health Insurance Portability and Accountability Act, passed in 1996. The privacy pieces people worry about came a few years later, but the core idea is simple. The law sets rules for how certain health organizations handle protected health information: things like a name tied to a medical condition, a due date, an insurance number, or a birth photo.
The part that lowers the temperature is who it was written for. HIPAA was never meant to govern every person who hears something private. It was written for specific kinds of organizations and the companies that handle information on their behalf. A doula sitting with a laboring client is not automatically one of those organizations. The word sounds heavier than the way it usually lands in birth work.
Are most independent doulas covered entities under HIPAA?
HIPAA binds three groups: health plans, health care clearinghouses, and health care providers who send health information electronically for certain standard transactions. In plain terms, that last group mostly means providers who bill insurance electronically.
Read that again with your own practice in mind. If you are an independent doula, hired and paid directly by the families you serve, billing no insurance electronically and keeping no shared medical records, you are almost certainly not a covered entity. HIPAA's rules do not apply to you directly.
That is the misconception I want to clear up. A lot of doulas walk around certain they are bound by a federal law that, in their actual setup, does not reach them.
What situations pull a doula under HIPAA anyway?
Your status can change the moment your work touches a covered entity's information. Three common ways that happens:
- You bill Medicaid or a private plan electronically for your doula services.
- You contract with a hospital, agency, clinic, or community health program and sign a business associate agreement, often called a BAA. That makes you a business associate, responsible for protecting their information.
- You are employed by a covered entity, such as a hospital-based doula program.
Credentialing is usually exactly this moment. The day you get set up to bill Medicaid or join a hospital program is the day HIPAA starts to apply to you in a concrete way. That is not a reason to avoid the work. It is a reason to learn the fundamentals before you are sitting in it.
If credentialing is on your horizon, this is the moment to get ahead of it. My HIPAA and Client Confidentiality for Doulas class covers the fundamentals, walks through real birth-work scenarios like photos, group chats, and backup handoffs, and gives you a certificate of completion you can keep on file for Medicaid or hospital attestation.
Why is "I'm not covered by HIPAA" not enough to protect you?
Not being a covered entity protects you from one specific law. It does not protect you from everything else.
Post a birth photo or a recognizable story without permission and you may not have broken HIPAA at all. You can still get sued. You can still break the confidentiality clause in your own client contract. You can still violate the ethics of your certifying organization. The duty to protect the people you serve does not disappear because a federal acronym does not apply to you. It was always yours.
What should every doula do to protect client privacy, covered or not?
Whether or not HIPAA reaches you, a handful of habits keep your clients safe and keep you out of trouble:
- A confidentiality clause in your client contract, so your promise is in writing.
- Separate written consent before you use any photo or story, naming where and how it will be shared. A verbal yes in the moment is not the same thing.
- Secure storage for client records. A locked, password-protected app or account, not loose notes or an open spreadsheet.
- Clear rules for what you hand a backup. They need the birth plan and contact information, not the full history. Share the minimum that lets them do the job, over a secure channel.
- Your own social media rules, decided before you are tempted, so a powerful birth does not become a post you regret.
I keep the actual confidentiality clause, the photo and story consent form, and the full privacy checklist inside my HIPAA class rather than here, because those are templates you fill in and keep on file, not paragraphs you skim.
Where do HIPAA and reproductive health information stand right now?
This part is genuinely unsettled, so I will be careful with it. In 2024, a federal rule added special HIPAA protections for reproductive health information. In June 2025, a federal court vacated most of that rule nationwide, and the government later dropped its appeal. As of this writing, those special protections are not in force, and the area is still contested.
What that means for you is plain. Do not assume a special federal reproductive-health privacy protection is covering you, because right now it largely is not. The ordinary privacy duties in this post still apply. For the current status, check the U.S. Department of Health and Human Services (HHS) guidance on HIPAA and reproductive health, since this is the kind of rule that can shift again.
Sources
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936.
Purl v. U.S. Department of Health and Human Services, No. 2:24-cv-00228 (N.D. Tex. June 18, 2025).
U.S. Department of Health and Human Services. (2024, April 26). HIPAA Privacy Rule to support reproductive health care privacy. Federal Register, 89, 32976.
U.S. Department of Health and Human Services. (n.d.). HIPAA and reproductive health. https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/index.html
U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). Covered entities and business associates. https://www.hhs.gov/hipaa/for-professionals/covered-entities/
Ready for the templates and the full walk-through?
This is a plain-language explainer, not legal advice. State law and your own setup can change the picture, so check your state's rules and read any contract before you sign it. When you want the templates I mentioned, the confidentiality clause, the photo and story consent form, and the full privacy checklist, my HIPAA and Client Confidentiality for Doulas class gives you all of it in one place, plus the certificate you keep for credentialing.
Frequently Asked Questions
Do doulas have to follow HIPAA?
Most independent doulas paid directly by clients are not HIPAA covered entities, so HIPAA does not bind them directly. You come under it when you bill insurance or Medicaid electronically, sign a business associate agreement with a hospital or agency, or work for a covered entity. Even when HIPAA does not apply, protecting client privacy is still part of the job.
Does posting a birth photo violate HIPAA?
If you are not a covered entity, posting a birth photo is usually not a HIPAA violation. It can still get you sued, break your client contract, or violate your certifying organization's ethics if you did not get written permission. Always get separate written consent that names where and how the image will be used.
Do I need a business associate agreement as a doula?
You need one when you handle protected health information on behalf of a covered entity, such as contracting with a hospital, clinic, or community health program. They will usually require the agreement before you start, and it spells out how you will protect their information. If you are independent and paid directly by families, you generally do not need one.
Does billing Medicaid change whether HIPAA applies to me?
Yes. Billing Medicaid or a private plan electronically for your doula services can make you a covered entity or a business associate, which brings you under HIPAA. This is why credentialing is often the moment HIPAA starts to matter for a doula. Getting the fundamentals down before you bill keeps you from learning them under pressure.
Is my client's information protected if I am not a covered entity?
Yes, through other means. Your client contract, your certifying organization's code of ethics, state privacy and confidentiality laws, and ordinary liability all protect client information whether or not HIPAA applies to you. Being outside HIPAA does not free you from the duty to keep what you know private.





