Blog Post

3 Ways to Keep Your PT Clinic’s Billing HIPAA Compliant

Avoid hefty penalties later by shoring up your clinic's security protocols now.

Leo Langlois
5 min read
April 2, 2021
image representing 3 ways to keep your pt clinic’s billing hipaa compliant
Share this post:


Get the latest news and tips directly in your inbox by subscribing to our monthly newsletter

In this day and age, security is a top concern for anyone working in health care—including those who handle medical billing. There’s no shortage of stories about hefty penalties thrust upon even well-established healthcare players—often as a result of totally preventable violations.

To that end, adhering to the rules and regulations laid down in the Health Insurance Portability and Accountability Act (HIPAA) is of critical importance for physical therapy clinics and staff.

If you’re a US-based healthcare practitioner or biller, you can think of HIPAA as your data security bible. While this article focuses primarily on the billing process, keep in mind that HIPAA governs all aspects of healthcare delivery. Here are our top three tips for keeping your clinic’s billing HIPAA-approved.

1. Make sure your billing software is HIPAA-compliant.

Hands down, the most important step you can take to ensure HIPAA-compliant billing is to use a HIPAA-compliant billing software or service. This means your billing provider has taken all necessary precautions to secure patients’ Protected Health Information (PHI). These measures include:

Technical Preventive Measures

These measures are part of the software itself. For example, any PHI transmitted beyond firewall security must be secured as per National Institute of Standards and Technology (NIST) standards so that no unapproved users can tamper with or modify it.

Physical Preventive Features

These features focus on managing physical access to PHI, irrespective of where it is located or stored (e.g., external clouds, servers, or any other remote location). It also covers the security measures that protect hardware systems against unauthorized access.

Device and Media Controls

Under this regulation, healthcare providers must ensure that secured electronic health information is properly and compliantly transferred, disposed of, or removed from personal devices to prevent unauthorized access (e.g., if the user leaves the company or the device is sold).

Administrative Security Measures

This requires clinics to regularly review HIPAA guidelines and update policies accordingly. Some organizations hire compliance consultants for this purpose.

Physical therapy clinics and staff can also leverage HIPAA-compliant hosting servers to store all of their confidential billing data at a secure remote location. Using a compliant hosting server in conjunction with a compliant billing software can help keep all unwanted breaches at bay.

2. Proactively educate staff on compliance protocols.

There’s more to HIPAA compliance than software and strong passwords. Because medical billing often involves handling patients’ personal information (including their electronic health records, insurance details, and credit card numbers), those responsible for the billing process are legally required to protect this information.

Thus, it’s critically important for clinic leaders to educate staff on how to do this. In fact, no matter how big or small your organization, every single employee should know the basics of HIPAA compliance as well as the details relevant to their role. This requires some type of formal HIPAA compliance training. Note that such training is not a choice for healthcare providers; it is a legal obligation that must be followed and formally documented.

Formal HIPAA Training

Start by establishing what type of information needs to be safeguarded. (Hint: Sensitive patient health information falls under this category.)

Each staff member needs to know what information cannot be shared or disclosed on any other platform or with any other individual. Prying in on patient data (a.k.a. snooping) is also considered a breach under HIPAA rules.

Employees who have access to sensitive patient information need to understand that it is their responsibility to safeguard that data. Otherwise, they put the organization at risk for serious penalties and other issues that will tarnish its reputation—not to mention threaten its survival—in the long run.

Most employees do not want to disclose patient information in an unlawful way. Disclosure occurs by accident in the majority of cases. This is where regular training can help mitigate risks and keep employee HIPAA awareness sharp.


3. Ensure the security of all sensitive data in your clinic at all times.

In the past decade alone, there have been close to 3,054 healthcare data breaches involving 500 or more records. Those breaches have resulted in innumerable thefts, losses, unwanted exposures, or impermissible disclosures of approximately 230,954,151 healthcare records, which equates to roughly 69.78% of the population of the United States.

Source: HIPAA Journal

Security breaches are never good news, but in the healthcare sector, they can be downright devastating. Once patient data confidentiality is compromised, there’s a negative ripple effect across the entire organization. Clients end up losing confidence and profitability takes a major hit.

Data Encryption

In the case of billing, encrypting sensitive data when it is moving out or even coming into your clinic is the key—especially when it leaves your organization’s secure network to be shared with an external party (e.g., a referring physician’s office, a teleradiology network, or even a patient portal).

Despite healthcare providers continually emphasizing the importance of encrypting data that is in transit, in most cases, this data remains unencrypted when sitting in storage. Such data, therefore, remains vulnerable in the event of an access breach.

For that reason, encrypting stored billing data at rest is of critical importance. This type of encryption creates a supplemental layer of security that stops intruders from decoding or sharing billing information, even if they manage to gain access to your data storage.

Data Backup

Physical therapy practices should also ensure they have a well-established recovery plan for their billing data, as well as an authentic, dependable, always-available backup copy—either on the web or in an external device.

Storing your data within a dedicated, HIPAA-compliant cloud server is one way to create secure backups. This type of data storage ensures optimal security while preserving the ability for authorized individuals to access necessary data virtually anytime, anywhere. And even if a breach does occur, you’ll be able to restore all of your data back to another system.

All in all, to keep your billing HIPAA-compliant at all times, you must make sure all the essential protocols are in place and working well in sync. Have more HIPAA compliance questions? Leave them in the comment section below, and we’ll do our best to answer them.

Get the inside scoop on what’s really happening in the rehab therapy industry.

Enter your email below to receive a free copy of the 2023 State of Rehab Therapy report.


KLAS award logo for 2024 Best-in-KLAS Outpatient Therapy/Rehab
Best in KLAS  2024
G2 rating official logo
Leader Spring 2024
Capterra logo
Most Loved Workplace 2023
TrustRadius logo
Most Loved 2024
Join the PXM revolution!

Learn how WebPT’s PXM platform can catapult your practice to new heights.

Get Started
two patients holding a physical therapist on their shoulders