HIPAA Compliance for Speech-Language Pathology and Audiology Practices
Speech-language pathology and audiology practices carry a HIPAA risk that few other specialties share: they routinely create recordings of the patient’s own voice and likeness. An articulation sample, a fluency recording, a video of a swallow study, or a saved audiology session is far harder to de-identify than a text note, because the recording is the identifier. Add to that the fact that many SLPs split their time between schools governed by FERPA and clinics governed by HIPAA, and you have a profession where the single most important compliance skill is knowing which rule applies to which record. Getting that boundary wrong, or leaving recordings scattered across phones and tablets, is where these practices most often stumble.
What makes speech and hearing data distinct
The protected health information in these practices is unusually rich and unusually portable. Clinicians capture audio and video on tablets and phones, save audiograms and tympanometry traces in proprietary device software, and exchange progress data with schools, physicians, and hearing-aid manufacturers. Pediatric caseloads add a layer of sensitivity, since most patients are minors and parents or guardians control authorization. The practical exposure points are predictable: recordings sitting in a phone’s camera roll, session files synced to a personal cloud account, audiology devices that store patient data locally with no encryption, and email threads with referring physicians that include attachments. A compliant practice knows where every recording lives and who can reach it.
The Security Risk Analysis comes first
HIPAA requires every covered practice to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic PHI, under 45 CFR § 164.308(a)(1)(ii)(A). For an SLP or audiology clinic, the analysis should inventory every device that records or stores patient media, document how recordings move between staff and outside parties, confirm encryption on tablets and audiology hardware, and verify Business Associate Agreements with your EHR, teletherapy platform, and cloud backup vendors. It should also draw a clear line between HIPAA-covered clinical records and FERPA-covered school records. The risk analysis is not optional and not a one-time event; it must be refreshed whenever you adopt a new recording tool or change how you share data, and it is the first document the Office for Civil Rights requests in an investigation.
The proposed 2026 Security Rule changes
In December 2024, the Office for Civil Rights published a Notice of Proposed Rulemaking that would meaningfully tighten the HIPAA Security Rule. The proposal would convert several currently “addressable” safeguards into explicit requirements, including encryption of electronic PHI, multi-factor authentication, and a written, annually updated inventory and network map of every system that handles PHI. For speech and audiology practices, that maps directly onto encrypting recordings on mobile devices and maintaining a real inventory of the tablets, phones, and audiology units that capture patient media. The key caveat: this is a proposed rule, not yet final. If finalized as written, organizations would have about a 240-day compliance window after the final rule is published, so it is best treated as a clear direction of travel rather than a current obligation.
How Medcurity helps
Medcurity guides speech and audiology practices through a HIPAA Security Risk Analysis designed for real clinical workflows, prompting your team to account for recordings, mobile devices, audiology hardware, and the FERPA boundary so nothing falls through the cracks. The platform produces the written documentation regulators expect, tracks remediation over time, and helps you keep Business Associate Agreements in order. Pricing is $499/year (about $42/month) for a single practice; larger or multi-site organizations can request a quote. For related allied-health guidance, see our HIPAA guide for physical therapy practices and our practical HIPAA compliance checklist.
Frequently asked questions
Are session recordings and audiology test results PHI?
Yes. Audio and video recordings of speech therapy sessions, articulation samples, audiograms, tympanometry results, and hearing-aid fitting data are all individually identifiable health information once tied to a patient. Recordings deserve special care because they capture the patient’s voice and likeness, which makes de-identification difficult and re-identification easy.
Do school-based SLPs have to follow HIPAA or FERPA?
It depends on the setting. When a speech-language pathologist works for a school and the records are education records, FERPA generally governs rather than HIPAA. When an SLP bills a health plan or operates a private clinic, HIPAA applies. Many clinicians work in both worlds, so it is essential to know which law covers each record and to keep the two record systems separate.
Is teletherapy allowed for speech and audiology services under HIPAA?
Yes, provided you use a platform that will sign a Business Associate Agreement and that encrypts the session. Consumer video tools without a BAA are not appropriate for routine telepractice. You should also confirm the patient’s identity, document consent, and make sure recordings made during teletherapy are stored on an encrypted, access-controlled system.
How should we handle recordings used for clinical or training purposes?
Treat every recording as PHI. Store it encrypted, restrict access to staff with a clinical need, and obtain specific written authorization before using a recording for teaching, marketing, or research. Build a retention and secure-deletion schedule so recordings are not kept indefinitely on phones, tablets, or shared drives.