HIPAA Compliance for Physical Therapy Practices: The 2026 Guide

Physical therapy runs on conversation. A clinician discusses a patient’s progress across an open gym, the day’s schedule sits on a whiteboard at the front desk, and exercise videos get texted to patients between visits. Every one of those touchpoints involves protected health information (PHI), and a physical therapy practice answers to the same HIPAA Privacy, Security, and Breach Notification Rules as a hospital system. This guide covers what compliance actually looks like in an outpatient PT setting: why your practice is almost certainly a covered entity, the open-floor-plan problem, the texting-and-app problem, the vendor problem, and the documented risk analysis that the Office for Civil Rights (OCR) asks for first in any investigation.

Yes, your PT practice is a covered entity

Under HIPAA, a health care provider becomes a covered entity the moment it transmits health information electronically in connection with a covered transaction — billing, eligibility checks, claims, and the like (45 CFR § 160.103). In practice, that captures virtually every physical therapy practice that bills Medicare or a commercial payer. If a claim, a superbill that feeds an electronic submission, or an electronic eligibility verification ever leaves your office, HIPAA applies to your entire operation.

Cash-pay-only practices occasionally fall outside covered-entity status, but the exception is fragile: a single electronic eligibility check or one payer claim brings the practice into scope. Don’t build a compliance program on the hope that you’ll never transmit electronically.

Solo and small-group PT practices sometimes assume the rules are written for big systems. They aren’t off the hook. The Security Rule’s flexibility provision (45 CFR § 164.306(b)) scales how you meet requirements to your size and resources — it does not waive the core obligations. Every practice, regardless of size, still owes a risk analysis, a named security official, workforce training, and business associate agreements. For more on right-sizing a program, see our guide to HIPAA compliance for small practices.

The open-gym problem: incidental disclosures done right

PT’s defining HIPAA tension is that treatment happens in shared space. The good news is that HIPAA anticipated exactly this. The Privacy Rule permits incidental disclosures — the secondary exposures that can’t reasonably be avoided during legitimate care — as long as reasonable safeguards and the minimum-necessary standard are in place (45 CFR § 164.502(a)(1)(iii)). HIPAA does not require a private room for every session.

What counts as a reasonable safeguard in a gym setting is mostly common sense applied consistently: lower your voice for sensitive discussion, keep schedule boards to first names rather than diagnoses or insurers, angle monitors away from common areas, and don’t call clinical details across the floor. What does not qualify as merely “incidental” is an avoidable exposure: a chart left open at an unattended station, a sign-in sheet that captures the reason for the visit, or progress notes visible on a shared screen. Those are disclosures you could have prevented, and OCR treats them that way.

Front desk and waiting room specifics

Sign-in sheets are permitted as long as they stay minimal — name, time, and provider, but not condition or insurer. Appointment reminder calls and texts are permitted as treatment communications; keep the content to the date and time and leave diagnosis out of the message.

Texting, exercise apps, and telehealth PT

Patient texting is one of the most common gray areas in outpatient PT. Standard SMS is unencrypted. You may text a patient who has been warned of the risk and still prefers it — but document that preference. Staff-to-staff communication that contains PHI is a different matter entirely and needs an encrypted channel, full stop.

Then there’s the app layer that modern PT runs on. Home exercise program (HEP) platforms, outcomes-tracking tools, scheduling and intake apps, fax-to-email services, cloud backup — any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate, and each one needs a signed business associate agreement (BAA) before patient data starts flowing. If you’ve never inventoried these, start with our BAA inventory checklist.

Telehealth PT deserves a specific note: the COVID-era enforcement discretion that let providers use consumer video tools has ended. A telehealth platform that handles PHI must be backed by a BAA, and consumer-grade video apps generally don’t qualify.

The five findings that would actually show up in a PT practice’s risk analysis

Across provider types, a handful of deficiencies show up again and again in OCR investigations. Here is where a physical therapy practice tends to be exposed.

1. No current organization-wide risk analysis. This is the single most-cited deficiency in OCR investigations across all provider types. If your last analysis was done years ago for an EHR incentive program, it’s stale and won’t hold up.

2. Vendor sprawl without BAAs. The billing service, the EHR, the HEP app, the fax-to-email tool, the cloud backup, and the marketing platform holding your patient email list are each a business associate. Missing agreements are a frequent and easily avoidable finding.

3. Shared workstation logins. Front-desk and gym stations where everyone uses one login make it impossible to attribute access. This is cheap to fix and heavily cited.

4. Unencrypted laptops and tablets. Devices that travel between clinic locations and home visits are the classic breach vector. Full-disk encryption that meets HHS’s breach-notification guidance (NIST-consistent, with the decryption key not stored on the device) turns a lost laptop from a reportable breach into a non-event, because encrypted ePHI counts as “secured” PHI. Keep the proof: a record from your MDM or encryption management console showing the device was encrypted on the day it went missing is what makes the no-notification decision defensible.

5. Departed-employee access. PRN and rotating staff make termination-of-access sweeps easy to skip. Stale accounts are a standing liability.

The pending 2026 Security Rule update: what PT owners should budget for

As of June 2026, the most significant change on the horizon is a proposed update to the HIPAA Security Rule. OCR published a Notice of Proposed Rulemaking on January 6, 2025; the informal target date for a final rule has since passed without one being issued. It remains proposed, not final, but its direction is clear, and it is worth planning around.

If finalized as written, the update would drop the current “addressable” designation and make several controls mandatory: encryption of ePHI at rest and in transit, multi-factor authentication, a maintained technology asset inventory and network map, vulnerability scanning at least every six months, and annual penetration testing, with compliance required on a runway measured in months (the proposal says 180 days after the effective date). The practical read for a PT practice is reassuring: nearly every proposed mandatory item is already today’s security best practice. Starting now either buys you compliance lead time or simply buys you better security in the meantime. For ongoing status, see our HIPAA Security Rule 2026 update.

A 60-day compliance sprint for a PT practice

You don’t need a year to get materially safer. A focused 60-day arc covers the ground OCR cares about most.

During the first two weeks, inventory your ePHI — every system, app, and device that touches patient data — and inventory your vendors and BAAs alongside it. Name your security official in writing. Over the following three weeks, run an organization-wide security risk analysis against that inventory, ranking each risk by likelihood and impact so you’re working the real exposures rather than a generic checklist. In the final stretch, close the top tier: turn on MFA for email and remote EHR access, encrypt every portable device, run a terminated-access sweep, and complete workforce training with documented completion records. That documented arc — inventory, analysis, remediation — is the first thing OCR requests when an investigation opens.
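Finding #5 above and the terminated-access sweep in this sprint both come down to one reconciliation: compare the HR roster against the account list exported from every system that holds ePHI. The script below is an added example, not Medcurity’s product or any vendor’s export tool. The roster, the account exports, and the sweep date are constructed sample data, and the column names are assumptions you would map to your own EHR and email exports. It flags three things: accounts belonging to separated staff (worst when there is a login after the separation date), accounts with no matching HR record (the shared “frontdesk” login from finding #3), and active-staff accounts dormant for more than 90 days.

```python
"""Terminated-access sweep for a small practice.

Added example (not a vendor tool). Reconciles an HR roster against per-system
account exports and produces the findings list you file with the risk analysis.
Column names, thresholds and sample rows are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: one row per workforce member, including PRN staff.
HR_ROSTER = """employee,status,separation_date
j.smith,active,
a.lopez,terminated,2026-04-30
m.chen,active,
r.patel,terminated,2026-01-15
b.nguyen,active,
"""

# Constructed account exports, keyed by system. A blank last_login means never.
ACCOUNT_EXPORTS = {
    "ehr": """username,last_login
j.smith,2026-06-10
a.lopez,2026-05-02
m.chen,2026-06-11
frontdesk,2026-06-11
""",
    "email": """username,last_login
j.smith,2026-06-11
r.patel,2025-12-20
m.chen,2026-06-11
b.nguyen,2026-02-01
""",
}

SWEEP_DATE = date(2026, 6, 15)          # constructed "as of" date for the sample
DORMANT_AFTER = timedelta(days=90)      # assumed threshold; set it in your policy

# Lower number = work it first.
SEVERITY = {"terminated": 0, "unmatched": 1, "dormant": 2}


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    reason: str                  # one of SEVERITY's keys
    detail: str
    login_after_separation: bool = False


def _parse_date(text):
    return date.fromisoformat(text) if text else None


def load_roster(text):
    """Map employee id -> (status, separation_date or None)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["employee"]: (r["status"], _parse_date(r["separation_date"])) for r in rows}


def sweep(roster_text, exports, today):
    """Return findings sorted worst-first: separated staff with post-separation
    logins, then other separated staff, then orphan/shared logins, then dormant."""
    roster = load_roster(roster_text)
    findings = []
    for system, export in exports.items():
        for row in csv.DictReader(io.StringIO(export)):
            user = row["username"]
            last = _parse_date(row["last_login"])
            if user not in roster:
                findings.append(Finding(system, user, "unmatched",
                                        "no HR record: shared or orphan account, cannot attribute access"))
                continue
            status, separated = roster[user]
            if status == "terminated":
                after = bool(last and separated and last > separated)
                detail = f"separated {separated}, account still enabled"
                if after:
                    detail += f"; login on {last} after separation"
                findings.append(Finding(system, user, "terminated", detail, after))
            elif last is None or today - last > DORMANT_AFTER:
                detail = ("never logged in" if last is None
                          else f"last login {last}, {(today - last).days} days ago")
                findings.append(Finding(system, user, "dormant", detail))
    return sorted(findings, key=lambda f: (SEVERITY[f.reason],
                                           not f.login_after_separation,
                                           f.system, f.username))


def report(findings):
    """One line per finding, the form you keep as the sweep's documented record."""
    return [f"[{f.reason.upper()}] {f.system}: {f.username} ({f.detail})" for f in findings]


if __name__ == "__main__":
    for line in report(sweep(HR_ROSTER, ACCOUNT_EXPORTS, SWEEP_DATE)):
        print(line)
```

To run it against real data, replace the three inline strings with file reads of your HR export and each system’s user list. The dated output, with a note of who disabled each account and when, is the evidence OCR looks for that your termination procedures (45 CFR § 164.308(a)(3)(ii)(C)) are actually carried out, not just written down.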

How Medcurity helps PT practices

Medcurity is a healthcare-native security risk analysis platform built for the realities of outpatient practices, not enterprise GRC overhead. The guided risk analysis is scaled for a PT clinic’s size and workflows; findings become tracked worklist items instead of a PDF that gets filed and forgotten; and your policies and training records live in one audit-ready place. Pricing is straightforward at $499 per year. If you want to see how it fits your practice, explore the Medcurity platform.

Frequently Asked Questions

Does HIPAA require private treatment rooms in a PT clinic?

No. HIPAA permits incidental disclosures in shared treatment spaces when reasonable safeguards are in place — lowered voices, minimal-information schedule displays, and screens angled away from common areas. The standard is at 45 CFR § 164.502(a)(1)(iii).

Can physical therapists text patients?

Yes, with a documented patient preference and minimal-necessary content (date and time, not diagnosis). Staff-to-staff communication that contains PHI requires an encrypted channel — standard SMS does not qualify.

Does a home exercise program app need a BAA?

If it creates, receives, maintains, or transmits PHI on your behalf, yes — and the agreement should be in place before any patient data flows. Most HEP and outcomes-tracking platforms are business associates.

Is a cash-only PT practice exempt from HIPAA?

Possibly, if it never transmits health information electronically for a covered transaction. But a single electronic eligibility check or claim brings the practice into scope, so most practices should assume HIPAA applies.

What’s the first thing OCR asks for in an investigation?

A current, organization-wide security risk analysis. It is the most-cited deficiency across provider types, and its absence colors everything else in an investigation.