The Health Insurance Portability and Accountability Act of 1996—a.k.a. HIPAA—does not distinguish between large and small practices. Fortunately, regulators do. While the law imposes the same requirements upon solo practitioners and large rehab hospitals, the manner in which those requirements are applied may depend upon your practice size.

Contrary to what many providers believe, the onus of HIPAA’s requirements won’t hamper your clinical practice. In fact, I’ve found that they actually do the opposite: HIPAA provides a framework for managing your clinic operations and reassures patients that their data is secure (this is especially important in light of so many newsworthy security breaches). Signing a new office lease? HIPAA tells you what your agreement needs to say about the private patient data stored inside that office. Hiring a new employee? HIPAA tells you how often you need to provide him or her with privacy training. Buying a new laptop? HIPAA tells you what to do with the old one.

Still, there’s plenty of confusion around HIPAA requirements—especially when it comes to the manner in which HIPAA applies to smaller providers. On that note, let’s dive into the five things small-practice PTs, OTs, and SLPs should know about HIPAA.


1. You can only become a covered entity by performing a covered transaction. That’s it.

Do you electronically transmit patient information related to “covered transactions?” (Covered transactions generally include the electronic transmission of claims, but you can use HHS’s online tool to evaluate your status.) If so, you’re a covered entity who’s required to comply with HIPAA. But if you’re not a covered entity, you can stop worrying; you can’t accidentally become a covered entity unless you engage in a covered transaction.

I hear lots of myths about the fluidity of a provider’s covered entity status. Does using email make you a covered entity—even if you don’t do electronic billing? No, because sending email isn’t a covered transaction. If you’re not a covered entity, but your intake forms reference HIPAA, does that obligate you to follow HIPAA? No, because HIPAA doesn’t apply to non-covered entities. Remember, there’s only one way to fall within the scope of HIPAA: performing a covered transaction.

One caveat: If you tell your patients that you’ll comply with HIPAA’s requirements, you should do so. This doesn’t mean that you become a HIPAA-covered entity—it simply means you should subject yourself to HIPAA’s privacy and security requirements because you promised your patients you would do so. For example, if you’re not a covered entity but your Notice of Privacy Practices states that you’ll use only HIPAA-compliant email software, then you should use HIPAA-compliant email software—not because HIPAA requires it, but because you said you would (and your patients could sue you if their information were compromised after you didn’t do as you promised).

2. You must have written privacy policies.

HIPAA compliance audits are many providers’ greatest fear. But, they’re absolutely something for which you can prepare. As explained here, “Every covered entity and business associate is eligible for an audit.” Audits can be random or targeted, and the auditors will begin by “review[ing] the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.” Gulp.

Don’t have any such policies? Double gulp.

HIPAA requires that all covered entities maintain written policies and procedures addressing its three main rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. To prepare for an audit, your policies should address each of the requirements imposed by those three rules. Government regulators are more likely to audit small practices, which are more likely to fall short of HIPAA’s requirements—and a failure to maintain adequate policies and procedures is one of the biggest reasons that practices are fined.

While privacy policies are required, they are not a mere formality. In fact, they come with some pretty good benefits—including providing you with accessible answers to privacy-related questions like:

  • How should I discipline an SPT who shared my patient’s private information at PT Pub Night? (Disclaimer: My HIPAA policies don’t typically address this specific situation, but they would give you enough guidance to problem-solve it yourself!)
  • How long should I retain patient records?
  • How complex does my WebPT password need to be?
  • Can all members of my clinic share a single computer login?
  • What do I do with an old laptop?
  • Can I use the Wi-Fi at Starbucks?

As you work with your attorney to create your privacy policies, you’ll learn about HIPAA—which is crucial for minimizing the chances that you’ll commit a breach. Need more convincing? Check out this government press release from earlier this year for details on a $2.5 million settlement resulting from a lack of understanding regarding HIPAA requirements. To learn more about the importance of comprehensive policy manuals, refer to this discussion between my law partner (and, full disclosure, my wife), Erin Jackson, and Dr. Karen Litzy, DPT.

3. Required risk assessments will help you tailor HIPAA compliance safeguards to your practice’s needs.

HIPAA isn’t one-size-fits-all. A crucial element of Security Rule compliance is the required risk analysis: an assessment of the administrative, physical, and technical threats and vulnerabilities to the electronic patient information your practice creates, receives, stores, or transmits. That assessment helps you identify where patient data is exposed and plan the safeguards and action steps that address each risk. The safeguards required of your practice will largely depend upon its results.

Once complete, your risk assessment will help you balance your patients’ privacy rights and the risk of a patient data breach against factors like your practice size and the cost of compliance. HIPAA requires you to revisit the assessment periodically; annual review is the accepted benchmark, and you should reassess sooner when a privacy- or security-relevant event occurs (e.g., an employee termination, a natural disaster, or a laptop theft). Additionally, as your practice grows, you may find that your answers—and thus, your policies—change.

Many small practices are overwhelmed by the daunting task of HIPAA compliance, and sometimes, the perceived weight of HIPAA discourages them from accepting insurance altogether—even when doing so would better serve their financial interests and their patients. But, in my view, HIPAA isn’t so onerous as to govern this important decision.

4. Without written policies, simply distributing a Notice of Privacy Practices document to patients doesn’t make you HIPAA-compliant.

Am I HIPAA-compliant if I have a Notice of Privacy Practices? Well, if that’s all you have, then no.

Your Notice of Privacy Practices document—which you give to patients at their first visit to explain how you’ll use their health information—is merely the tip of the HIPAA iceberg. HIPAA requires much more.

Your Notice of Privacy Practices is the required written notice informing patients of your privacy practices. If you don’t have underlying written privacy policies, then your Notice of Privacy Practices is likely misleading. In fact, handing out a Notice of Privacy Practices without maintaining the specified privacy policies may land you in hot water, as it may falsely represent your privacy practices to your patients.

For example, say that you don’t have a written privacy policy. Your Notice of Privacy Practices asserts that you use only HIPAA-compliant communication methods. But in practice, you use a VoIP phone, and you send text message appointment reminders. Thus, there’s a chance your communication methods are not HIPAA-compliant, meaning your Notice of Privacy Practices is misleading—and that exposes you to additional liability.

Now, let’s say you do have a written privacy policy. Your Notice of Privacy Practices asserts that your communication methods are HIPAA-compliant. Your policies back this up: you only use trackable mail when sending paper records, your voicemail password is up to snuff, and you’ve executed the appropriate paperwork to ensure that your email is HIPAA-compliant. Your Notice of Privacy Practices accurately depicts your commitment to privacy, and you’ve taken tangible steps to limit your liability.

5. You must have HIPAA agreements with anyone who handles your patient information.

Business associate agreements (BAAs) can help make HIPAA compliance much easier for small providers. These agreements alert those with whom you do business to the sensitive nature of your business operations and data. As noted here, you should enter into a business associate agreement with any entity that handles or has access to your patients’ health information. This may include your landlord (who probably has keys to your office), your janitorial staff, your tech support contractor, the yoga teacher who rents your studio in the evenings, or the phone company installing new lines.

I strongly suggest integrating a business associate agreement specific to your practice into your HIPAA policies. It’s one of the most frequently used, tangible aspects of HIPAA compliance, and you’ll occasionally need one on short notice—like when a laptop crash prompts you to summon a tech expert to the office or you must make an emergency call to a locksmith because you’re locked out of the clinic. Need more convincing? Consider this government press release explaining why not having a business associate agreement could end up being a very expensive mistake—to the tune of $31,000. As an added benefit, business associate agreements help protect your business associates, as providers aren’t the only ones who can get hit with HIPAA violation fines.

There you have it: the five biggest HIPAA misconceptions for small practices. Still having trouble separating HIPAA fact from HIPAA fiction? Leave your question in the comment section below.

Connor D. Jackson is a Chicago healthcare attorney with Jackson LLP. Connor works primarily with small physical therapy practices and regularly advises his clients about HIPAA compliance, scope of practice, liability concerns, privacy obligations, and new practice formation. Connor enjoys working with clients to create their ideal practice environment and to quell their compliance concerns. As a former litigator, Connor understands the financial and emotional cost of litigation, and he collaborates with his clients to minimize the risk of getting sued. You can email Connor at or follow him on Twitter at @cjacksonESQ.
