HIPAA Requirements for Physical Therapy Practices
Physical therapy practices handle protected health information (PHI) continuously, even when the day-to-day feel is more coaching than “medical office.” Evaluations, diagnoses, treatment plans, functional limitation scores, progress notes, referrals, billing, scheduling, and communications with patients and payers all involve health information tied to an identifiable individual.
If your practice transmits health information electronically in connection with HIPAA standard transactions, most commonly electronic billing, you are generally a HIPAA covered entity and must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. This applies whether you are a single-location outpatient clinic, a multi-site group, or a practice with a heavy workers’ compensation caseload.
This article explains HIPAA requirements as they apply to physical therapy workflows, with practical depth on where PT clinics commonly create risk and how to build a defensible, repeatable compliance posture without turning HIPAA into a second job.
Informational note: This article is for informational purposes only and does not constitute legal advice.
1) Does HIPAA apply to physical therapy practices?
Covered entity basics (the rule that matters)
Under HIPAA, a healthcare provider becomes a covered entity if it transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard. This is not a size test. It is not an “electronic records” test. It is a transactions test. Providers that submit electronic claims, check eligibility electronically, or conduct other standard electronic transactions are usually covered entities.
Why this typically captures PT clinics
Most PT clinics interact with payers and billing systems electronically, even when part of the business is cash pay. If you bill electronically for Medicare, Medicaid, commercial insurers, or other payer arrangements where standard transactions occur, you usually fall into covered entity territory.
Business associates are part of your HIPAA footprint
Once you are a covered entity, HIPAA also governs how you use vendors that create, receive, maintain, or transmit PHI on your behalf. These vendors are often business associates, and many business associate relationships require a written business associate agreement with specific required terms.
Typical PT business associates often include:
EHR and practice management vendors (especially cloud-hosted systems)
Billing companies and clearinghouses
IT managed service providers who can access systems containing ePHI
Cloud email, file storage, e-fax, and backup providers when used for PHI
Patient engagement platforms (two-way texting, reminders that include PHI, portals)
Telehealth platforms used for care involving PHI
Home exercise program platforms and apps that store patient identifiers plus treatment plans
Outcomes measurement platforms, remote monitoring vendors, and wearable integration tools when PHI is involved
A key point: business associate status depends on what the vendor is doing, not what the vendor calls itself. The most reliable way to prevent surprises is to map PHI flows first, then map vendors to those flows.
2) What is PHI in a physical therapy practice?
What counts as PHI
HIPAA protects individually identifiable health information that relates to an individual’s health condition, the provision of care, or payment for care. In PT, health information often looks “functional” rather than “medical,” but it is still health information under HIPAA when tied to an identifiable person.
Common PT examples of PHI
Evaluation findings (range of motion, strength grades, special test results)
Diagnoses and impairments (ICD codes, suspected pathology, post-surgical status)
Functional limitations and goals (return to work restrictions, return to sport timelines)
Treatment plans, home exercise programs, progressions, and adherence notes
Pain scores, patient-reported outcome measures, and session notes
Imaging references or uploaded reports tied to the patient
Scheduling details tied to a person and visit type
Claims, authorizations, remittances, and payment history tied to care
Communications about care (email, portal messages, reminders with clinical context)
A practical way to think about PHI
A useful operational model is that PHI often looks like a pair:
Identity (who the person is)
Health context (what care they are receiving, seeking, or paid for)
Reducing risk often means reducing one side of that pair:
Reduce identity where appropriate through de-identification rules
Reduce health context in routine communications by keeping content minimal
De-identification is a defined concept in HIPAA with specific standards and is not the same as simply removing a name.
3) The three HIPAA rule areas PT practices must operationalize
A) HIPAA Privacy Rule
The Privacy Rule governs when PHI can be used and disclosed and establishes patient rights such as access, amendment, and accounting of certain disclosures. It also sets requirements for notices, policies, and workforce training.
B) HIPAA Security Rule
The Security Rule applies to electronic PHI (ePHI) and requires administrative, physical, and technical safeguards. The Security Rule is designed to be scalable and risk-based, but it still has required implementation elements, including risk analysis.
C) HIPAA Breach Notification Rule
If there is a breach of unsecured PHI, HIPAA requires specific notifications and timeframes. HIPAA also presumes that an impermissible use or disclosure is a breach unless you can demonstrate a low probability that PHI has been compromised based on a defined risk assessment.
4) HIPAA Privacy Rule in PT: the workflows that matter most
4.1 Uses and disclosures for treatment, payment, and health care operations (TPO)
HIPAA permits many uses and disclosures of PHI for treatment, payment, and health care operations. This is the pathway that makes routine healthcare operations feasible without requiring patient authorizations for every exchange of information.
How TPO commonly shows up in PT:
Treatment: coordinating care with referring providers, surgeons, primary care, imaging, or other therapists
Payment: submitting claims, responding to payer requests, prior authorizations, documentation supporting medical necessity
Operations: internal quality review, training, auditing, certain business management activities, and compliance oversight
Even when a disclosure is permitted under TPO, you still need reasonable safeguards and staff discipline. “Permitted” is not the same as “send everything by default.”
4.2 Minimum necessary: where PT clinics commonly drift out of alignment
The minimum necessary standard requires reasonable efforts to limit uses, disclosures, and requests for PHI to what is needed for the purpose. This is one of the most common everyday failure modes because it is not a single checkbox. It is a set of habits and system defaults.
In PT, minimum necessary problems often arise in:
Front desk discussions where clinical detail is shared in public areas
Referral packets that include extra information not needed for the receiving purpose
Payer and workers’ comp disclosures that exceed what is necessary for the request
Broad internal access where many staff can see full charts without role need
A defensible way to implement minimum necessary is role design:
Define what front desk staff need to see versus treating clinicians
Limit chart access by role where your system supports it
Standardize common disclosures (payers, workers’ comp, referrals) so staff do not improvise
4.3 Incidental disclosures and open clinic layouts
PT clinics often operate in open gym spaces where multiple patients share a treatment floor. HIPAA does not require elimination of every incidental disclosure. It expects reasonable safeguards and minimum necessary habits.
Practical “reasonable safeguards” in a PT gym setting often include:
Whiteboards: avoid full names plus clinical details; use first name only or initials, avoid visit reason or diagnosis
Treatment floor conversations: avoid discussing diagnoses, imaging, or sensitive details at a volume that carries
Screens: position monitors to reduce patient visibility into charts; enable automatic locking
Check-in and scheduling: avoid showing detailed visit reasons on public-facing screens or paperwork
Printed materials: do not leave treatment notes visible; treat them like controlled documents
A useful mental model is “reasonable in context.” You are engineering a clinic environment to reduce predictable, preventable disclosures while keeping operations functional.
4.4 Patient communications: reminders, portals, and messaging
Appointment reminders are generally allowed as part of treatment. The bigger risk is content and channel. The safest routine posture is to keep reminder content minimal: date, time, clinic name, and a callback number. If you include diagnosis, injury details, or sensitive context, you expand exposure.
Portals and two-way messaging should be treated as part of your PHI system boundary:
If PHI flows through a vendor, determine whether the vendor is a business associate and whether an agreement is needed
Train staff on what belongs in a message versus what should stay in the chart
Define a process for wrong numbers, misdirected messages, and patient requests for alternative communication methods
4.5 Confidential communications requests
HIPAA gives individuals the right to request confidential communications in certain circumstances, such as requesting an alternate address or alternate means of communication. For PT clinics, this often comes up as “do not leave voicemails,” “use this number,” or “send mail to a different address.” The operational requirement is not to debate the request. It is to have a reliable way to capture the request and implement it consistently.
4.6 Marketing and testimonials: a common PT trap
PT practices often rely on testimonials, outcome stories, before and after narratives, or social posts. HIPAA draws a line between communications for treatment and operations versus communications that encourage someone to purchase or use a product or service.
Practical implications:
Patient testimonial videos or stories that identify the patient and describe care typically require a valid HIPAA authorization if used for marketing
Even without a name, small communities can make a patient identifiable through context (a rare surgery, a visible tattoo, a local sports team)
A safer approach is to use properly de-identified stories or obtain valid authorizations and store them with your marketing assets
4.7 Patient rights: access, amendment, accounting, and notice
Right of access is frequently enforced. The rule is specific about response timing and process. Operationally, you want patient access requests to function like a timed workflow, not an ad hoc favor.
A practical PT access request workflow:
Intake the request in writing (email or form is fine)
Verify identity
Confirm scope (what records, what date range)
Produce records in the requested form and format if readily producible
Deliver through a secure method consistent with the request and risk profile
Log the request, completion date, and what was produced
Patients may also request amendments and an accounting of certain disclosures. These are less frequent than access, but you need a defined process so you can respond properly when asked.
Many providers also have obligations related to providing a Notice of Privacy Practices and implementing privacy administrative requirements such as training, sanctions, a complaint process, and maintaining privacy policies and procedures.
5) Workers’ compensation and employer requests: special pressure on PT clinics
PT clinics often operate inside workers’ compensation ecosystems. Employers, adjusters, third-party administrators, and utilization review vendors routinely request medical information.
HIPAA permits certain disclosures for workers’ compensation purposes as authorized by and to the extent necessary to comply with workers’ compensation laws and similar programs. However, minimum necessary still applies. The reality is that requests often arrive broad, informal, and urgent, which is exactly when clinics over-disclose.
A defensible control is “scope gating”:
What is being requested?
What is the legal basis or authorization for this request?
What information is actually necessary for that purpose?
How will the disclosure be transmitted?
Where will you log or track the disclosure?
This is not about being difficult. It is about preventing uncontrolled, broad disclosures when a narrower disclosure satisfies the purpose.
6) HIPAA Security Rule for PT practices: building a risk-based posture
The Security Rule requires administrative, physical, and technical safeguards for ePHI. HIPAA is flexible in the sense that safeguards can be tailored based on size, complexity, and capabilities. That flexibility does not remove the need to implement the safeguards, document them, and maintain them.
A simple way to frame Security Rule posture in a PT clinic:
Identify what systems contain ePHI
Control who can access them and from where
Ensure access is tied to unique users
Ensure there is auditability and accountability
Protect ePHI during transmission and storage
Be able to recover from downtime and respond to incidents
6.1 Risk analysis and risk management are foundational requirements
HIPAA requires a documented risk analysis and risk management measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
A practical PT risk analysis approach:
Inventory systems containing ePHI (EHR, billing, portals, email, file storage, backups, device fleet)
Map PHI entry points (intake forms, referrals, patient messages, scans, imported documents)
Map PHI exit points (claims, referrals, employer or workers’ comp disclosures, patient exports)
Identify threats (phishing, ransomware, lost devices, misdirected communications, unauthorized access)
Identify vulnerabilities (shared logins, no MFA, unmanaged devices, weak endpoint controls, lack of tested backups)
Assign likelihood and impact in practical terms
Track mitigations as actions with owners and dates
If your risk analysis produces “we should do everything,” it is not usable. It should produce a short prioritized mitigation plan.
6.2 Administrative safeguards: people and process
In small and mid-sized clinics, administrative safeguards are usually where the program lives or dies: technology can be purchased, but processes have to be designed.
Administrative controls that matter in PT:
Assign security responsibility: someone owns the program
Workforce training: staff understand privacy and security expectations
Access management: provisioning and deprovisioning is timely and role-based
System activity review: periodic review of relevant logs and alerts where feasible
Incident response procedures: define detection, escalation, containment, and documentation
Contingency planning: downtime procedures and restore capability are defined and tested
Ransomware is a realistic threat in healthcare. Clinics should assume that if email exists, phishing attempts exist. Planning for containment and recovery is part of a reasonable posture.
6.3 Physical safeguards: clinic-specific realities
PT environments often include open floors, portable devices, and high traffic areas.
Common physical safeguard issues:
Unlocked workstations on the treatment floor
Patient visibility into scheduling screens or charts at the front desk
Laptops used for documentation that travel between rooms
Printed notes used for convenience and left visible
Poor device disposal practices for retired laptops, tablets, or drives
Defensible controls:
Automatic lock timeouts and consistent screen locking habits
Workstation placement that reduces shoulder surfing
Secure storage for laptops and tablets when not in use
Controlled access to back-office spaces where systems or records are stored
Documented wipe and disposal processes
6.4 Technical safeguards: access control, auditability, secure transmission
Technical safeguards that typically deliver the most risk reduction for PT clinics:
Unique user identification (no shared accounts)
Strong authentication (MFA where available)
Role-based access where supported
Audit controls and the ability to review access patterns
Secure transmission for ePHI across networks, portals, and integrations
A simple test:
Can you show who accessed a patient record and when?
Can you demonstrate that access was tied to a specific user?
If the answer is no, you have a predictable vulnerability.
6.5 Vendor security and business associate controls
PT clinics often underestimate how much PHI moves through vendors: online intake, scheduling widgets, messaging tools, home exercise platforms, outcomes tracking, telehealth, cloud storage, and email.
A repeatable vendor workflow:
Maintain a vendor inventory with a “touches PHI” flag
For vendors that touch PHI, determine business associate status and store executed agreements where required
Confirm that the vendor has an incident notification pathway that you can actually reach under stress
Document what PHI the vendor touches and why
7) Websites, online intake, and tracking technologies: the modern PT blind spot
Many PT practices add web tools for contact forms, appointment requests, chat widgets, online scheduling, and analytics. These tools can create HIPAA exposure when identifiable health information is disclosed to third parties, including through tracking technologies.
Practical risk reduction choices:
Treat “request an appointment for my injury” as potentially sensitive
Keep web forms minimal and avoid prompting for detailed medical information in free text fields
Be cautious with chat widgets and third-party tools that transmit content or identifiers externally
If you need detailed intake, route it through a controlled environment (for example, a portal) designed for PHI handling, rather than a general website form
This area is high leverage because design choices can reduce exposure quickly without complex program changes.
8) Breach Notification Rule: what PT practices need ready before something happens
Breach presumption and risk assessment
HIPAA generally presumes an impermissible use or disclosure is a breach unless the clinic can demonstrate a low probability that PHI has been compromised based on a defined risk assessment. That means you need a documented process for assessing incidents.
The 60-day outer boundary for notice to individuals
HIPAA requires notice to affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach.
Reporting to HHS depends on scale
HIPAA distinguishes between breaches involving 500 or more individuals and those involving fewer than 500, with different timing and reporting mechanics.
Common PT breach scenarios
A lost laptop with cached notes or access to the EHR
Misdirected email with evaluation notes or patient identifiers
Staff emailing records to personal accounts for convenience
Ransomware encrypting systems containing ePHI
Vendor incidents involving messaging platforms or portals
You do not need a large incident response team. You do need:
A triage and containment process
A way to determine what information was involved and who was affected
A method for documenting the assessment and decision
A notification playbook that is not invented under pressure
9) Documentation and retention: what you must be able to show
HIPAA compliance is not only “do safeguards exist.” It is “can you demonstrate they exist, were implemented, and were maintained.”
The Security Rule requires written policies and procedures and retention of required documentation for six years from the date of creation or the date it was last in effect, whichever is later. It also expects documentation to be available to the people responsible for implementing those procedures.
Privacy Rule administrative requirements also imply you should be able to show that your privacy program exists in practice: policies, training, complaint process, and sanctions.
Important distinction: HIPAA documentation retention is not the same as clinical record retention. State law and payer rules frequently govern medical record retention periods. Treat record retention as its own policy domain that intersects with HIPAA but is not fully defined by HIPAA.
10) A defensible baseline HIPAA program for a PT clinic
This section is deliberately operational. It is a set of building blocks aligned to HIPAA requirements and typical PT workflows.
10.1 Build a PHI system map
Goal: Know where PHI exists and moves.
Systems: EHR, billing, email, file storage, portals, texting, telehealth, home exercise platform, backups, device fleet
Inputs: intake forms, referrals, payer authorizations, patient messages
Outputs: claims, referral notes, employer or workers’ comp disclosures, patient access exports
This supports both Privacy Rule minimum necessary decisions and Security Rule risk analysis.
10.2 Implement role-based access aligned to minimum necessary
Goal: Reduce unnecessary access and disclosure.
Front desk: scheduling and billing essentials, limit broad chart access where possible
Aides and techs: limited access unless role requires more
Clinicians: access appropriate for treatment
Owners and managers: access tied to operational need, not convenience
Enforce this with system settings where possible, and with policy and training where the system is limited.
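To make the “simple test” from section 6.4 (who accessed a record, and when, tied to a named user) and the role design above something you can actually run, here is an added example that is not code from the article or from any EHR product: it reviews a constructed audit log export against a role matrix, builds a per-record access history, and flags shared or unknown accounts, out-of-role access, and exports. The pipe-delimited log format, role names, resource classes, and usernames are all assumptions.

```python
"""Access review over an EHR audit log export.

Added example, not code from the original article or from any EHR vendor.
The pipe-delimited log format, role names, resource classes and the user
directory below are assumptions; adapt parse_line() and the tables to the
export your own system produces.
"""
from collections import defaultdict
from datetime import datetime

# Assumed role matrix: which PHI resource classes each role may open. It is
# the minimum-necessary baseline (front desk / aide / clinician / owner) that
# every logged access is checked against.
ROLE_MATRIX = {
    "front_desk": {"schedule", "demographics", "billing"},
    "aide": {"schedule", "hep"},  # hep = home exercise program
    "clinician": {"schedule", "demographics", "eval", "clinical_note", "hep"},
    "owner": {"schedule", "demographics", "billing", "reports"},
}

# Assumed user directory. A role of None marks a shared or generic login,
# the account type the article says should not exist.
USERS = {
    "jlee": "clinician",
    "mkhan": "front_desk",
    "rsoto": "aide",
    "pdavis": "owner",
    "frontdesk": None,
}

# Constructed sample log: timestamp|user|action|resource|patient_id
SAMPLE_LOG = """\
2024-03-04T08:55:12|mkhan|view|schedule|P-1001
2024-03-04T09:02:41|jlee|view|eval|P-1001
2024-03-04T09:10:03|mkhan|view|clinical_note|P-1001
2024-03-04T09:15:30|frontdesk|view|billing|P-1002
2024-03-04T12:40:19|rsoto|view|hep|P-1003
2024-03-04T13:00:00|ghost|view|eval|P-1002
2024-03-04T17:05:55|pdavis|export|clinical_note|P-1003
"""


def parse_line(line):
    """Split one audit line into a dict with a real datetime."""
    ts, user, action, resource, patient = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource, "patient": patient}


def review(log_text, users=USERS, role_matrix=ROLE_MATRIX):
    """Return (history, findings).

    history maps patient_id -> [(timestamp, user, action, resource), ...],
    which is the answer to "who accessed this record and when".
    findings is a list of dicts whose 'kind' is one of shared_account,
    unknown_user, out_of_role or export, plus the triggering entry.
    """
    history = defaultdict(list)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        history[e["patient"]].append(
            (e["ts"], e["user"], e["action"], e["resource"]))
        if e["user"] not in users:
            kind = "unknown_user"      # no directory entry: cannot attribute
        elif users[e["user"]] is None:
            kind = "shared_account"    # generic login: no individual accountability
        elif e["resource"] not in role_matrix[users[e["user"]]]:
            kind = "out_of_role"       # outside the minimum-necessary baseline
        else:
            kind = None
        if kind:
            findings.append({"kind": kind, **e})
        # Exports are PHI exit points (section 6.1) and get a look even when in-role.
        if e["action"] == "export":
            findings.append({"kind": "export", **e})
    return dict(history), findings


if __name__ == "__main__":
    hist, finds = review(SAMPLE_LOG)
    for f in finds:
        print(f"[{f['kind']}] {f['user']} {f['action']} {f['resource']} {f['patient']}")
```

Running it against the sample log yields five findings: two out-of-role accesses, one shared account, one unknown user, and one export, each of which is a periodic system activity review item rather than an automatic conclusion.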
10.3 Engineer the clinic environment for reasonable safeguards
Goal: Reduce predictable incidental disclosures.
Sign-in workflow: limit what is exposed and avoid listing visit reasons publicly
Treatment floor: standardize “quiet zones” for sensitive discussions if needed
Screens and devices: position and lock screens, stop using shared logins
Whiteboards and schedules: avoid names plus clinical details
10.4 Make vendor management repeatable
Goal: Prevent “shadow PHI systems.”
Maintain a vendor list with a PHI flag
Determine business associate status for PHI vendors
Store executed agreements where required
Document what PHI the vendor touches and why
Define how vendor incidents will be escalated to the clinic
10.5 Turn patient rights into a timed workflow
Goal: Meet access obligations reliably.
Create a written process and train front desk staff on routing
Track dates and deadlines
Standardize how records are produced and delivered
Log completion and what was produced
10.6 Build incident readiness
Goal: Respond coherently to security events.
Define what counts as a security incident internally
Define containment and escalation steps
Define how you assess compromise probability and document that assessment
Define who is responsible for notifications and what timelines apply
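The breach presumption and the notification timelines in section 8, and the assessment and notification steps just listed, can be captured as one incident record. This is an added example, not code from the article: it encodes the presumption of breach, the four assessment factors from the 45 CFR 164.402 definition of “breach,” the secured PHI carve-out, and the outer deadlines from 45 CFR 164.404 and 164.408 (all cited in the article’s sources); the record layout, field names, and sample incidents are assumptions.

```python
"""Incident assessment and notification timeline for a suspected breach.

Added example, not code from the original article. It encodes the presumption
the article describes (an impermissible use or disclosure is a breach unless
a documented risk assessment shows a low probability of compromise) and the
outer timing boundaries in 45 CFR 164.404 and 164.408, which the article
cites; the four assessment factors are the ones listed in the 45 CFR 164.402
definition of "breach". The record layout and field names are assumptions.
These are outer boundaries: notice is due without unreasonable delay, which
can be much sooner, and state law may be stricter.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

OUTER_DAYS = 60     # calendar days after discovery
LARGE_BREACH = 500  # at or above this, HHS is told on the same clock as individuals

# The four factors a documented risk assessment must address.
FACTORS = (
    "nature_and_extent_of_phi",     # identifiers involved, re-identification likelihood
    "unauthorized_recipient",       # who used the PHI or received the disclosure
    "actually_acquired_or_viewed",  # whether the PHI was actually acquired or viewed
    "extent_mitigated",             # e.g. recall of a misdirected message, attested deletion
)


@dataclass
class Incident:
    description: str
    discovered: date                 # first day the clinic knew or should have known
    individuals_affected: int
    phi_was_secured: bool            # encrypted or destroyed per HHS guidance
    factor_notes: dict = field(default_factory=dict)
    low_probability_concluded: bool = False  # the clinic's documented conclusion


def deadlines(discovered: date, affected: int) -> dict:
    """Outer deadlines for individual notice and the HHS report."""
    individuals_by = discovered + timedelta(days=OUTER_DAYS)
    if affected >= LARGE_BREACH:
        return {"individuals_by": individuals_by.isoformat(),
                "hhs_by": individuals_by.isoformat(), "hhs_track": "contemporaneous"}
    # Fewer than 500: keep a log and submit it within 60 days after the end of
    # the calendar year in which the breach was discovered.
    year_end = date(discovered.year, 12, 31)
    return {"individuals_by": individuals_by.isoformat(),
            "hhs_by": (year_end + timedelta(days=OUTER_DAYS)).isoformat(),
            "hhs_track": "annual_log"}


def assess(inc: Incident) -> dict:
    """Return the assessment record that goes in the incident file."""
    rec = {"description": inc.description, "discovered": inc.discovered.isoformat()}
    if inc.phi_was_secured:
        # Secured PHI falls outside the "unsecured PHI" definition; document it anyway.
        rec.update(status="not_unsecured_phi", notification_required=False)
        return rec
    missing = [f for f in FACTORS if not inc.factor_notes.get(f, "").strip()]
    if missing:
        # The presumption cannot be rebutted while any factor is undocumented.
        rec.update(status="breach_presumed", notification_required=True,
                   reason="risk assessment incomplete: " + ", ".join(missing))
    elif inc.low_probability_concluded:
        rec.update(status="low_probability_documented", notification_required=False)
        return rec
    else:
        rec.update(status="breach", notification_required=True)
    rec.update(deadlines(inc.discovered, inc.individuals_affected))
    return rec


if __name__ == "__main__":
    laptop = Incident("Unencrypted laptop with cached notes lost from a treatment room",
                      date(2024, 11, 15), 1200, phi_was_secured=False,
                      factor_notes={f: "see incident file" for f in FACTORS})
    print(assess(laptop))
```

The sample laptop incident produces a breach record with individual and HHS notice both due by 2025-01-14; an incident discovered on 2024-12-30 affecting twelve people instead lands on the annual log, due 2025-03-01, while individual notice is still due within 60 days.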
11) Where software can reduce compliance burden without changing obligations
Many PT clinics start with shared folders, spreadsheets, and reminders. That can work until staff turnover, multi site expansion, a payer audit, or a security incident forces the clinic to answer “what is our current posture” immediately.
Some practices use platforms such as Timber to centralize assessments, vendor tracking, policy documentation, training status, and task management. The point is not to outsource accountability. The point is to reduce operational drift so compliance becomes repeatable.
A simple rule keeps you honest: if a tool stores or routes PHI, it becomes part of your HIPAA system boundary and should be handled accordingly through vendor management, safeguards, and documentation.
Sources
HHS OCR guidance
Covered Entities and Business Associates: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
Summary of the HIPAA Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Uses and Disclosures for Treatment, Payment, and Health Care Operations: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html
Minimum Necessary Requirement: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html
OCR PDF on Minimum Necessary: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf
Incidental Uses and Disclosures (OCR PDF): https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/incidentalu%26d.pdf
Sign-in Sheets and Calling Patient Names FAQ: https://www.hhs.gov/hipaa/for-professionals/faq/199/may-health-care-providers-use-sign-in-sheets/index.html
Appointment Reminders FAQ: https://www.hhs.gov/hipaa/for-professionals/faq/286/are-appointment-reminders-allowed-under-hipaa-without-authorization/index.html
Business Associates guidance: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Business Associates PDF: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.pdf
Online Tracking Technologies bulletin: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
Individuals’ Right of Access guidance: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
Summary of the HIPAA Security Rule: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Risk Analysis guidance: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
Cybersecurity and Ransomware guidance: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
Ransomware fact sheet: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/ransomware-fact-sheet/index.html
Breach Notification Rule: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Breach reporting instructions: https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
Disclosures for Workers’ Compensation: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-workers-compensation/index.html
NIST implementation resource
NIST SP 800-66 Rev. 2 (HIPAA Security Rule implementation guide): https://csrc.nist.gov/pubs/sp/800/66/r2/final
PDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-66r2.pdf
Primary regulatory text
45 CFR 160.103 (definitions including covered entity): https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
45 CFR 164 Subpart C (Security Rule): https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C
45 CFR 164.306 (general Security Rule requirements): https://www.law.cornell.edu/cfr/text/45/164.306
45 CFR 164.308 (administrative safeguards, including risk analysis): https://www.law.cornell.edu/cfr/text/45/164.308
45 CFR 164.310 (physical safeguards): https://www.law.cornell.edu/cfr/text/45/164.310
45 CFR 164.312 (technical safeguards): https://www.law.cornell.edu/cfr/text/45/164.312
45 CFR 164.314 (organizational requirements): https://www.law.cornell.edu/cfr/text/45/164.314
45 CFR 164.316 (policies, procedures, documentation, retention): https://www.law.cornell.edu/cfr/text/45/164.316
45 CFR 164.506 (TPO uses and disclosures): https://www.law.cornell.edu/cfr/text/45/164.506
45 CFR 164.512 (permitted disclosures including workers’ compensation pathway): https://www.law.cornell.edu/cfr/text/45/164.512
45 CFR 164.514 (de-identification and related requirements): https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.514
45 CFR 164.520 (Notice of Privacy Practices): https://www.law.cornell.edu/cfr/text/45/164.520
45 CFR 164.522 (confidential communications): https://www.law.cornell.edu/cfr/text/45/164.522
45 CFR 164.524 (right of access): https://www.law.cornell.edu/cfr/text/45/164.524
45 CFR 164.526 (amendment): https://www.law.cornell.edu/cfr/text/45/164.526
45 CFR 164.528 (accounting of disclosures): https://www.law.cornell.edu/cfr/text/45/164.528
45 CFR 164.530 (privacy administrative requirements): https://www.law.cornell.edu/cfr/text/45/164.530
45 CFR 164.402 (unsecured PHI definition): https://www.law.cornell.edu/cfr/text/45/164.402
45 CFR 164.404 (notice to individuals): https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
45 CFR 164.408 (notice to HHS): https://www.law.cornell.edu/cfr/text/45/164.408