Why Physical Therapy Practices Are HIPAA Covered Entities
Physical therapy practices that bill insurance electronically, submit claims to Medicare or Medicaid, or conduct any standard electronic transactions are HIPAA covered entities. This applies to solo practitioners, multi-location PT chains, outpatient rehab clinics, hospital-based PT departments, and home health physical therapy providers. If your practice transmits any health information electronically in connection with a HIPAA-covered transaction, the full weight of HIPAA’s Privacy, Security, and Breach Notification Rules applies to you.
Physical therapy practices face compliance challenges that other healthcare specialties do not. Open treatment areas where several patients receive care at once, the hands-on nature of PT that requires talking with patients about their conditions and progress, treatment areas and exercise equipment shared across patients, and the growing use of telehealth for PT sessions all create HIPAA risk factors that call for specialty-specific policies and safeguards.
PT-Specific HIPAA Risk Areas
Open Treatment Areas: Unlike private exam rooms, many PT clinics use open floor plans where patients exercise and receive manual therapy in shared spaces. This creates significant privacy risks. Conversations between therapists and patients about diagnoses, treatment plans, and progress can be overheard by other patients. To mitigate this, implement sound masking systems, use private consultation rooms for initial evaluations and sensitive discussions, train staff to lower their voices when discussing PHI, and position treatment stations to maximize physical separation.
Exercise and Home Program Documentation: PT practices frequently provide patients with printed home exercise programs (HEPs) that include patient names, diagnosis information, and treatment details. These documents are PHI. Ensure HEPs are printed securely (not left on shared printers), handed directly to patients, and that electronic versions are transmitted through secure patient portals rather than unencrypted email.
Practice Management and EHR Systems: Common PT software platforms (WebPT, Clinicient/Net Health, TheraOffice, ReDoc, Prompt) all handle ePHI and require proper configuration. Verify that your system has MFA enabled (now mandatory under the 2026 Security Rule), access controls limiting staff to only the patient records they need, automatic session timeouts, and audit logging. You must also have a current BAA with your software vendor.
Telehealth PT Sessions: Virtual physical therapy has expanded significantly. When conducting telehealth PT sessions, you must use a HIPAA-compliant video platform whose vendor has signed a BAA (consumer versions of Zoom, FaceTime, or Skype without a BAA do not qualify), obtain patient consent for telehealth, ensure the therapist’s environment is private (no one else can see or hear the session), and document the telehealth encounter with the same rigor as in-person visits.
Student Interns and Clinical Rotations: PT practices frequently host DPT students for clinical rotations. Students who access patient records are part of your workforce under HIPAA and must receive HIPAA training before beginning their rotation, sign confidentiality agreements, have access limited to only the patients they are treating, and be supervised in their use of EHR and practice management systems.
Required HIPAA Safeguards for PT Practices
Administrative Safeguards: Designate a HIPAA Privacy Officer and Security Officer (can be the same person in small practices). Conduct a Security Risk Assessment annually. Develop written policies for PHI handling, breach notification, and workforce training. Implement a sanctions policy for HIPAA violations. Maintain a BAA inventory for all vendors handling PHI (billing companies, EHR vendors, cloud storage, shredding services).
Physical Safeguards: Secure workstations so screens are not visible to patients in waiting or treatment areas. Implement clean desk policies — no patient charts or printouts left in accessible areas. Secure paper records in locked cabinets. Control physical access to server rooms and areas where ePHI is stored. Use privacy screens on computer monitors in open treatment areas.
Technical Safeguards: Implement MFA on all systems accessing ePHI. Encrypt all ePHI at rest and in transit. Configure role-based access controls (front desk staff should not have the same EHR access as treating therapists). Enable audit logging and review logs regularly. Implement automatic session lockout after periods of inactivity. Secure your Wi-Fi network — patient-accessible Wi-Fi must be separated from the network that handles ePHI.
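Two of the safeguards above, role-based access controls and regular audit log review, fit together: the access policy says who may open which record types, and the log review checks that the EHR actually behaved that way. The following is an added illustration, not code from Medcurity or from any PT software vendor. The role model, the log line format, the student caseload assignments, and the sample log entries are all constructed assumptions for the example.

```python
"""Review constructed EHR audit-log lines against a role-based access policy.

Assumed (hypothetical) log format, one event per line:
    <ISO timestamp> user=<id> role=<role> action=<verb> resource=<type> patient=<id>
Real PT platforms use their own formats; the parser below would be adapted to them.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical role-to-resource policy for a PT clinic (an assumption, not any vendor's defaults).
# Front desk and billing never see clinical content; students are limited further below.
ROLE_POLICY: Dict[str, Set[str]] = {
    "front_desk": {"demographics", "schedule", "insurance"},
    "billing": {"demographics", "insurance", "claims"},
    "therapist": {"demographics", "schedule", "clinical_note", "hep", "plan_of_care"},
    "pta": {"demographics", "schedule", "clinical_note", "hep"},
    "student": {"clinical_note", "hep"},
}

# Hypothetical student caseload: a student may only open patients they are treating.
STUDENT_ASSIGNMENTS: Dict[str, Set[str]] = {"stu01": {"P1003"}}


@dataclass
class Event:
    ts: str
    user: str
    role: str
    action: str
    resource: str
    patient: str


def parse_line(line: str) -> Event:
    """Parse one audit-log line in the assumed key=value format."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, kv["user"], kv["role"], kv["action"], kv["resource"], kv["patient"])


def is_permitted(ev: Event) -> bool:
    """Apply the role policy, plus the per-patient restriction for students."""
    allowed = ROLE_POLICY.get(ev.role, set())  # unknown role -> nothing allowed
    if ev.resource not in allowed:
        return False
    if ev.role == "student" and ev.patient not in STUDENT_ASSIGNMENTS.get(ev.user, set()):
        return False
    return True


def review_log(lines: List[str]) -> List[str]:
    """Return one finding per logged event that the policy would not permit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not is_permitted(ev):
            findings.append(f"{ev.ts} {ev.user} ({ev.role}) {ev.action} {ev.resource} for {ev.patient}")
    return findings


# Constructed sample log for the example; none of these are real users or patients.
SAMPLE_LOG = [
    "2026-03-02T08:05:11 user=fd01 role=front_desk action=view resource=schedule patient=P1001",
    "2026-03-02T08:06:40 user=fd01 role=front_desk action=view resource=clinical_note patient=P1001",
    "2026-03-02T09:15:02 user=pt07 role=therapist action=update resource=plan_of_care patient=P1002",
    "2026-03-02T09:20:33 user=stu01 role=student action=view resource=clinical_note patient=P1003",
    "2026-03-02T09:22:10 user=stu01 role=student action=view resource=clinical_note patient=P1002",
    "2026-03-02T10:01:45 user=bill02 role=billing action=export resource=hep patient=P1004",
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print("REVIEW:", finding)
```

Run against the sample log, the review flags the front desk user opening a clinical note, the student opening a patient outside their caseload, and the billing user exporting a home exercise program. Findings like these are the starting point for the review the Security Rule expects: confirm whether the EHR's configured roles match the written policy, and record the follow-up for each event.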
PT-Specific Training Requirements
All workforce members — therapists, PTAs, front desk staff, billing staff, students, and volunteers — must receive HIPAA training. For PT practices, training should cover open treatment area privacy protocols, proper handling of home exercise program documents, secure communication with referring physicians, patient portal usage and secure messaging, social media policies (never post patient photos or outcomes without written authorization, even with faces obscured), and incident reporting procedures.
Training must be provided at hire and refreshed periodically (annually is best practice). Document all training with dates, topics covered, and attendee signatures.
Common PT HIPAA Violations
The most common violations OCR investigates in PT practices include discussing patient conditions in areas where other patients can overhear, leaving patient intake forms or progress notes visible on clipboards or desks, sharing patient progress photos on social media or in marketing materials without proper authorization, sending unencrypted emails containing treatment summaries to referring physicians, failing to conduct a Security Risk Assessment, and failing to provide patients access to their records within the required timeframe.
How Medcurity Helps PT Practices
Medcurity’s platform is built for practices like yours — organizations that need comprehensive HIPAA compliance without the overhead of hiring a dedicated compliance team. Our AI-powered Security Risk Assessment walks you through every requirement specific to your practice type, generates the documentation OCR expects, and provides ongoing risk management to keep you compliant year-round.