
HIPAA for Physical Therapists

The Health Insurance Portability and Accountability Act (HIPAA) regulates how physical therapists and other providers handle patients’ protected health information (PHI).

We've compiled what physical therapists need to know about HIPAA and securing patient information and medical data.

Heidi Jannenga
5 min read
February 6, 2023


What is HIPAA?

Passed by Congress in 1996, HIPAA is a dense piece of legislation with serious implications for virtually all medical professionals, including physical therapists, occupational therapists, and speech-language pathologists. Covered entities (healthcare providers, health plans, and healthcare clearinghouses) and the business associates that handle PHI on their behalf must follow rules governing the way PHI is collected, shared, and used.

While you may think that HIPAA violations are significantly more likely to happen to large insurance carriers or major healthcare organizations, the US Department of Health & Human Services (HHS) says that private practices are the most common type of covered entities “that have been required to take corrective action to achieve voluntary compliance,” coming in ahead of hospitals, outpatient facilities, pharmacies, and health plans.

What’s PHI?

PHI is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits, in any form (paper, electronic, or spoken). It includes:

  • patient demographic information
  • medical history
  • test and laboratory results
  • insurance information
  • other data used to identify individual patients and develop plans of care

What are the consequences of non-compliance?

HIPAA violations range from chatting about an identifiable patient with your friends and family to discussing PHI over FaceTime in a public place. Such violations can have very serious consequences for rehab therapists and their clinics. Knowingly obtaining or disclosing individually identifiable health information is a federal crime: the base tier carries fines of up to $50,000 and a year of imprisonment, rising to $100,000 and five years when the offense is committed under false pretenses, and to $250,000 and ten years when the intent is to sell the information or use it for commercial advantage, personal gain, or malicious harm. Civil penalties apply on top of that (see the table further down).

According to the HHS, since April 2003—when compliance with HIPAA standards became mandatory—the Office for Civil Rights (OCR) “has received over 319,816 HIPAA complaints and has initiated over 1,154 compliance reviews.” Of those reviews, here are the top four most-investigated compliance issues:

  1. Impermissible uses and disclosures of PHI
  2. Lack of safeguards of hard copy and electronic PHI
  3. Inability for patients to access their PHI
  4. Use or disclosure of more than the minimum necessary PHI

What should I do if I suspect a HIPAA breach?

Do your research.

Healthcare providers are legally obligated to investigate every suspected breach, no matter what. Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a reportable breach unless your practice can show, through a documented risk assessment, that there is a low probability the PHI was compromised. This means your practice must immediately determine the size and scope of the incident. Medical Economics recommends basing that risk assessment on the following four factors, which are the ones the rule itself lists:

  • What is the nature and extent of the PHI involved? What types of identifiers does the data include, and how easily could they be re-identified?
  • Who received or used the PHI?
  • Was the PHI actually acquired or viewed?
  • Has the risk to the PHI been mitigated? If so, to what extent?

Additionally, identify the number of affected individuals (and how many live in each state), because those numbers determine how you handle the next step. Keep the written assessment on file: if you conclude that notification is not required, the burden of proving that rests with your practice.

Disclose the breach to patients.

The manner in which you handle post-breach disclosure communication is incredibly important. As much as you may wish you could keep the breach quiet, well-timed and strategic communications with your patients, employees, business partners, and vendors will help manage patient concerns and minimize the spread of misinformation. Plus, your practice is legally required to notify each affected individual without unreasonable delay, and no later than 60 calendar days after discovering the breach, regardless of the breach's size.

However, there are two additional reporting requirements that do depend on the size of the incident:

Fewer than 500 individuals

According to HHS, if the breach affects fewer than 500 individuals, the report to OCR is not on a tight clock (the individual notifications still are). So long as you log the breach and report it to the Office for Civil Rights (OCR) “within 60 days of the end of the calendar year in which the breach was discovered,” you’ve fulfilled that requirement (though you can report sooner, if you’d like).

500 or more individuals

However, if the breach affects 500 or more individuals, your clinic must report the breach to OCR electronically “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.” This Healthcare IT News article explains that, whatever the breach’s size, the OCR report asks you to document several key pieces of information, including:

  • the number of impacted patients
  • your practice’s efforts to notify those patients
  • a description of the type of PHI that was compromised
  • steps individual patients should take to protect their privacy
  • a description of your damage-control efforts and how you plan to prevent future breaches

If the breach involves more than 500 residents of a single state or jurisdiction, your practice must also notify prominent media outlets serving that area, on the same 60-day clock. And it’s important to note that a large breach will likely attract a lot of media attention. So, make sure your employees know not to engage with members of the press without approval or appropriate messaging. Better yet, consider retaining an experienced public relations firm.

For more guidance on who to notify and when, read this page.
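To make the two clocks above concrete, here is a small deadline calculator. It is added here as an illustration and is not anything WebPT ships; the timelines it encodes are the Breach Notification Rule’s (individuals and HHS within 60 days of discovery for breaches of 500 or more; HHS within 60 days after year end for smaller ones; media only when more than 500 residents of one state are involved). The breach sizes, state counts, and discovery dates are constructed for the example.

```python
"""Breach-notification deadline calculator.

Added illustration, not WebPT code. Timelines follow the HIPAA Breach
Notification Rule (45 CFR 164.404-164.408):
  * affected individuals: without unreasonable delay, no later than 60 calendar
    days after discovery, whatever the breach size;
  * HHS/OCR: 500 or more individuals -> same 60-day clock; fewer than 500 ->
    within 60 days after the end of the calendar year of discovery;
  * media: only when more than 500 residents of one state or jurisdiction are
    affected, same 60-day clock.
All breach sizes and dates used below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTIFY_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class Deadlines:
    individuals: date
    hhs: date
    media: Optional[date]  # None when no media notice is required


def notification_deadlines(discovered: date, affected_total: int,
                           max_in_one_state: int) -> Deadlines:
    """Latest permissible notice dates for a breach of unsecured PHI.

    max_in_one_state is the largest number of affected residents of any single
    state or jurisdiction; the media test is per state, not per breach total.
    """
    if not 0 <= max_in_one_state <= affected_total:
        raise ValueError("max_in_one_state must lie between 0 and affected_total")
    individuals = discovered + NOTIFY_WINDOW
    if affected_total >= 500:
        hhs = individuals
    else:
        # 60 days after Dec 31 of the discovery year lands on Mar 1, or on
        # Feb 29 when the following year is a leap year; date arithmetic
        # handles both, which is why this is not hard-coded to "March 1".
        hhs = date(discovered.year, 12, 31) + NOTIFY_WINDOW
    media = individuals if max_in_one_state > 500 else None
    return Deadlines(individuals=individuals, hhs=hhs, media=media)


def days_remaining(deadline: date, today: date) -> int:
    """Positive while time remains, negative once the deadline has passed."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed scenario: 120 records exposed, discovered Feb 6, 2023.
    small = notification_deadlines(date(2023, 2, 6), affected_total=120, max_in_one_state=120)
    print("individuals by", small.individuals, "| HHS by", small.hhs, "| media:", small.media)
    # Constructed scenario: 2,500 records, 600 of them in one state.
    big = notification_deadlines(date(2022, 11, 15), affected_total=2500, max_in_one_state=600)
    print("individuals by", big.individuals, "| HHS by", big.hhs, "| media by", big.media)
```

The small-breach case shows why the year-end rule is worth computing rather than memorizing: a breach discovered in 2023 must be logged with OCR by February 29, 2024, because 2024 is a leap year, while one discovered in 2022 was due March 1, 2023.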

Crunch the numbers.

Brace yourself, because there will be financial fallout. Even if your practice has a reserve of funds earmarked for emergencies such as this, you may still be in for a shock. Between the costs of investigating the breach, obtaining PR services, and making necessary IT security upgrades—not to mention the potential lawsuits and OCR fines—your practice stands to lose and/or spend a lot of money in a short amount of time. Moreover, losing patient trust could really hurt your bottom line. That’s why it’s imperative that you communicate smartly and quickly—and create a plan to prevent another breach from occurring in the future.

What’s the HIPAA Omnibus Rule?

In 2013, the Department of Health and Human Services (HHS) beefed up HIPAA’s regulations and violation penalties with the HIPAA Omnibus Rule. Among other things, this rule expands the liability of business associates, further restricts the use of PHI for marketing purposes, and strengthens patients’ rights to obtain copies of their health information. According to this executive summary, the changes:

  • Hold business associates and covered entities liable for some aspects of HIPAA compliance.
  • Prevent the unauthorized sale of PHI and restrict the use and disclosure of PHI for marketing and fundraising.
  • Provide individuals with the authority to obtain electronic copies of their health records and decline to disclose information related to a treatment paid for out-of-pocket.
  • Mandate that covered entities update and redistribute their notices of privacy practices (NPPs).
  • Change certain requirements related to the disclosure of health information with the intent to facilitate research and the disclosure of childhood immunization records.
  • Allow family members to access the health records of their decedents.
  • Enforce penalties for noncompliance that arise from willful neglect and establish an objective standard for the “harm” threshold.
  • Prohibit health plans from using or disclosing genetic information for underwriting.
  • Amend the civil monetary penalties. (See table below.)

The table below, modified from the Federal Register, shows the range of civil penalty amounts. We’re not even going to address criminal ones, because we know you would never intentionally do such a thing. The amounts are adjusted for inflation annually; the figures below reflect the 2022 adjustment:

Table 2—Categories of Violations and Respective Penalty Amounts (Section 1176(a)(1))

  Violation category                        Each violation          All such violations of an identical provision in a calendar year
  (A) Did not know                          $127 to $63,973         $1,919,173
  (B) Reasonable cause                      $1,280 to $63,973       $1,919,173
  (C)(i) Willful neglect, corrected         $12,794 to $63,973      $1,919,173
  (C)(ii) Willful neglect, not corrected    $63,973 to $1,919,173   $1,919,173

How can I keep my clinic HIPAA-compliant?

Digital Security

Get the Right EMR

The government doesn’t take PHI protection lightly. But don’t worry; there are lots of ways to ensure that you and your clinic have the resources and internal processes crucial to achieving full HIPAA compliance. Step one is making sure your patient records are stored securely—within a HIPAA-compliant EMR, for example.

WebPT provides unique user IDs and passwords for each therapist, PTA, front-office staff member, and administrator. That way, clinic owners can control access to PHI. And with secure data centers, featuring defensible perimeter, digital video surveillance, biometric screening, and round-the-clock guard staff, your data receives top-level security.

Still have concerns about storing your patients’ information electronically? Consider this: in 2018, WebPT obtained certification from the International Organization for Standardization (ISO), making it the first ISO-certified EMR designed specifically for rehab therapists. What does that mean? ISO certification means an independent auditor has verified that WebPT securely manages all its sensitive data, including financial information, patient details, Member data, and medical record data hosted by WebPT’s third-party vendors and partners.

Wondering how you can avoid any issues with HIPAA for physical therapists? Learn more about our gold-standard security here.

Create Safe and Secure Passwords

Chances are good that you’re using more than one web app as part of your clinic’s daily operations, and each application needs a password that is strong enough to resist guessing, plus a recovery process that doesn’t bring operations to a halt when you or someone on your staff forgets which password open-sesames which application. The HIPAA Security Rule requires procedures for creating, changing, and safeguarding passwords, so a password management system such as LastPass, KeePass, or 1Password is a sensible way to meet that requirement: it generates a unique, random letter-number-symbol combination for every application and removes the temptation to reuse one password across sites. Where an application offers multi-factor authentication, turn it on as well; a stolen password alone is then not enough to reach PHI.

Encrypt and Back Up Your Data

Encryption has been around since, well, cavemen and cavewomen etched encoded images into cave walls. But in today’s small-business world, it’s an often-overlooked control against unauthorized access to high-risk data. If you’re a WebPT Member, you can rest a little easier knowing that the WebPT application is well-encrypted at every level. However, you should still turn on full-disk encryption for your workstations (BitLocker on Windows, FileVault on macOS), because exported reports, cached documents, and email attachments live there, outside the EMR.

Just make sure that when you implement an encryption application, you store the recovery keys created during setup in a safe (read: locked) place, separate from the device itself, because a lost key means lost data. While we’re on the topic of safe spaces, consider this: all portable storage should be encrypted as well. That way, if any flash drives or external hard drives are lost or stolen, your data remains protected. There’s a regulatory payoff, too: under HHS guidance, ePHI encrypted in line with NIST standards is not “unsecured PHI,” so losing an encrypted drive whose key was not also lost does not trigger the breach-notification process.

Speaking of portable data storage, mobile devices such as smartphones and tablets are another security concern. Several HIPAA investigations have ended in fines because a provider’s unencrypted mobile device contained electronic PHI (ePHI) or stored passwords that unauthorized individuals could use to access cloud-stored data. In this day and age, you must require a lock-screen passcode, enable device encryption, and, where the device supports it, turn on remote wipe so a lost phone can be cleared from the office. It’s just too easy to misplace or lose tablets and phones during work or travel.

If you’re a WebPT Member, you’re covered when it comes to backing up the files that contain your critical EMR data. That’s right—we store it all and keep it safe. But we can’t do much of anything to protect all of the other data your clinic uses, so please be sure to implement a solid backup process to cover everything else.

Install Antivirus and Malware Protection

A lot of questions arise during discussions about antivirus and anti-malware software, probably because there are so many options from which to choose. While many of them are good, you need one that’s great. In other words, you need one that pushes frequent signature and engine updates, fixes detection gaps quickly, and runs on every workstation that touches PHI.

Be especially wary of ransomware, where attackers break into computers and networks, encrypt the data, and hand over the decryption key only in exchange for a ransom. It is the fastest-growing corner of the malware world: from 2020 to 2021, the rate of ransomware attacks in the healthcare sector alone rose 94%, and 61% of the healthcare organizations hit paid the ransom. Most of these attacks start with a phishing email, in personal and work inboxes alike. Scarier still is spear phishing, which by some estimates initiates 91% of cyberattacks: the attacker works personal details (your name, a colleague’s, a vendor you actually use) into the email to lower the intended victim’s guard and get them to click a link or open a malicious attachment.
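The signals that separate a spear-phishing lure from ordinary mail can be checked mechanically before a message reaches a front-desk inbox. The triage script below is an added example, not WebPT’s tooling or any vendor’s rule set: it parses raw email text with Python’s standard `email` module and scores a display name that impersonates a trusted sender, a lookalike sender domain, a Reply-To that diverges from From, macro-enabled or executable attachments, and urgency language. The trusted-domain list, the two sample messages, the weights, and the quarantine threshold are all constructed for the illustration.

```python
"""Spear-phishing triage heuristics over raw e-mail text.

Added example, not WebPT's tooling. Scores a message on signals that commonly
accompany credential-phishing and ransomware lures. The trusted-domain list,
sample messages, weights, and threshold are constructed for the example.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List, Tuple

TRUSTED_DOMAINS = {"webpt.com", "example-clinic.com"}  # constructed allowlist
TRUSTED_NAMES = {d.split(".")[0] for d in TRUSTED_DOMAINS}  # "webpt", "example-clinic"
RISKY_EXTENSIONS = (".docm", ".xlsm", ".js", ".vbs", ".iso", ".zip", ".exe", ".lnk", ".html")
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended|overdue)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str) -> bool:
    """Untrusted domain that embeds a trusted brand, e.g. webpt-billing.co."""
    return domain not in TRUSTED_DOMAINS and any(n in domain for n in TRUSTED_NAMES)


def phishing_score(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. Trusted brand in the display name, but the address domain is not ours.
    if any(n in display.lower() for n in TRUSTED_NAMES) and from_dom not in TRUSTED_DOMAINS:
        score += 3
        reasons.append("display name impersonates a trusted sender")
    # 2. Registered-lookalike sender domain.
    if lookalike(from_dom):
        score += 3
        reasons.append(f"lookalike sender domain {from_dom}")
    # 3. Replies silently go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        score += 2
        reasons.append("Reply-To domain differs from From")
    # 4. Attachment types that run code or hide it (common ransomware droppers).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            score += 3
            reasons.append(f"risky attachment {name}")
    # 5. Pressure to act now, the social-engineering lever spear phishing relies on.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and URGENCY.search(body.get_content()):
        score += 1
        reasons.append("urgency language")
    return score, reasons


def verdict(raw: str, threshold: int = 4) -> str:
    """'quarantine' for human review, otherwise 'deliver'."""
    return "quarantine" if phishing_score(raw)[0] >= threshold else "deliver"


# Constructed sample messages (no real senders or patients)
SAMPLE_PHISH = """\
From: "WebPT Billing" <billing@webpt-billing.co>
Reply-To: collections@mail-recovery.net
To: frontdesk@example-clinic.com
Subject: URGENT: overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account will be suspended within 24 hours. Open the attached invoice immediately.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

SAMPLE_LEGIT = """\
From: "Front Desk" <frontdesk@example-clinic.com>
To: pt@example-clinic.com
Subject: Schedule for Friday
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The updated schedule is posted in the EMR. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, verdict(raw), phishing_score(raw))
```

Each signal is weak on its own (a vendor really might use a separate Reply-To), which is why the score is additive and the threshold sits above any single signal; the reasons list is what a reviewer sees when a message is held, so they can release a false positive quickly.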

Social Media

Your patients are using social media to make informed decisions about their health, so as a smart healthcare provider, you should be using social media, too. But because of privacy concerns, you also must be prudent with its use. After all, social media is anything but private—and it’s practically permanent because once you put something online, chances are good it’s going to live forever. You might think you deleted that unfortunate tweet or photo, but if someone took a screenshot of it, it’s most definitely not gone for good.

That’s why your clinic should develop—and enforce—a social media policy that takes HIPAA compliance into consideration. Here are seven tips for keeping your practice socially safe:

  1. Supervise staff members who handle your social media platforms.
  2. Train your staff on social media and your social media policy.
  3. Establish a system to track, archive, and retrieve electronic communications, just in case you need them as evidence should you ever find yourself facing a lawsuit.
  4. Approve content before it’s posted. If this isn’t possible, Forbes suggests implementing technology that monitors real-time social media posts for you—and flags posts with non-compliance potential.
  5. Create pre-approved content and short snippets of text for your staff to provide regular, consistent status updates. These also come in handy whenever staff need to quickly respond to patients in sticky situations.
  6. Do not give out medical advice or include PHI on social media—ever.
  7. Monitor your social media accounts regularly to ensure your staff is using them appropriately. If you find cause for concern, be sure to enforce your policy—including the consequences.


Email Marketing

Just like all other facets of your business, your email marketing must adhere to HIPAA rules.

Unfortunately, the HIPAA rules around marketing are pretty murky, especially since the 2013 HIPAA Omnibus Rule, which requires a patient’s written authorization before PHI is used for most marketing communications. So, to cover your bases, include a marketing communications opt-in form (which serves as that authorization) as part of your intake packet. That way, there’s no question as to whether you can market to your patients via email. Within your opt-in form, clearly explain the types of communications they’ll receive from you. If a patient is hesitant to opt in, explain how those communications will benefit him or her. And if the patient still chooses not to opt in, respect that decision and don’t try to pressure him or her into it.

Also, remember that a patient’s email address is one of the HIPAA identifiers: paired with the fact that the person is your patient, it is PHI, and you must handle it accordingly. On that note, be sure to have an email solution that lets you send encrypted messages whenever PHI or other confidential information has to travel by email, and make sure staff know that ordinary, unencrypted email is not that channel.
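Staff training is the primary control, but a mechanical check on outbound mail catches the slip-ups. The guard below is an added example, not WebPT’s product: it scans a message body for a few of the identifiers the Privacy Rule’s de-identification standard lists (Social Security numbers, phone numbers, email addresses, full dates, and medical record numbers), routes any hit to the encrypted channel, and redacts the identifiers for the audit log. The MRN format is a constructed convention, and both sample messages are constructed for the illustration.

```python
"""Outbound e-mail PHI guard.

Added example, not WebPT's product. Scans a message body for a subset of the
identifiers in the Privacy Rule's de-identification standard
(45 CFR 164.514(b)(2)) before the message leaves over plain SMTP. The MRN
format is a constructed convention; the sample messages are constructed.
The patterns are deliberately narrow to keep false positives low, so this is
a safety net behind staff training, not a replacement for it.
"""
import re
from typing import Dict, List

PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # SSN: AAA-GG-SSSS, excluding area/group/serial values that are never issued
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # US phone numbers with separators: (602) 555-0147, 602-555-0147, 602.555.0147
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Full month/day/year dates; a bare year is not an identifier under the rule
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # Constructed MRN convention for this example: "MRN" followed by 6-10 digits
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Map identifier type -> matches found in text (empty dict when none)."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def route(text: str) -> str:
    """'encrypted' when the body carries identifiers, otherwise 'plain'."""
    return "encrypted" if find_identifiers(text) else "plain"


def redact(text: str) -> str:
    """Replace each identifier with a typed placeholder, e.g. for an audit log entry."""
    for name, pattern in PATTERNS.items():
        text = pattern.sub(f"[{name.upper()} REDACTED]", text)
    return text


# Constructed sample messages (no real patient data)
SAMPLE_PHI = ("Hi Dr. Lee, patient Jane Doe (DOB 02/06/1975, MRN: 00482913) called from "
              "(602) 555-0147 about her knee eval; SSN on file is 123-45-6789. "
              "Reply to jane.doe@example.net.")
SAMPLE_CLEAN = "Reminder: staff meeting moved to Thursday. Bring the updated NPP draft."

if __name__ == "__main__":
    for body in (SAMPLE_PHI, SAMPLE_CLEAN):
        print(route(body), find_identifiers(body))
        print("  log entry:", redact(body))
```

Wire `route()` into whatever sends mail on the clinic’s behalf (a mail gateway rule or the marketing platform’s pre-send hook) and log only `redact()` output, so the audit trail itself does not become a second copy of the PHI.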

Wearable Technology

Many people are sporting activity trackers like Fitbit, Garmin, Samsung, and the Apple Watch, which means individuals, businesses, and healthcare professionals can easily monitor physical activity of all kinds. And where there’s fitness activity data, there may also be protected health information (PHI). Whether it actually is PHI depends on who collects the data and on whose behalf, which is leading many experts to question whether, and when, wearable technology falls under HIPAA.

The Gray Area

HIPAA doesn’t directly mention wearables, at least not yet, which leaves a legal gray area between health data collected for personal use and health data collected by or for a HIPAA-covered entity. Most consumer wearable manufacturers are neither covered entities nor business associates, and their products are not built to analyze, share, and secure health data in compliance with HIPAA regulations. The Office for Civil Rights of the US Department of Health and Human Services has issued guidance on tracking technologies.

However, there’s more clarity regarding devices used in remote therapeutic monitoring (RTM). Because RTM devices are an extension of services provided by a covered entity (the patient’s therapist), HIPAA applies between patient and provider, and the company supplying the wearable or software is handling PHI on the provider’s behalf, which makes it a business associate that needs a business associate agreement in place.

Data for Sale

Selling data is a very sticky subject as well. HIPAA restricts the sale of PHI, so address it with your compliance advisors with caution, and treat fitness apps with particular care. A recent review in Science Translational Medicine provides some anxiety-producing statistics for wearables consumers: “The U.S. Federal Trade Commission recently tested 12 mHealth and fitness apps and found that consumer data from these apps were being sent to 76 different third-party companies. Some of the data shared include the phone’s unique device identifier as well as the owner’s running routes, dietary habits, and sleep patterns. A similar analysis of 43 fitness apps found that 40% were collecting what was classified as high-risk data—addresses, financial information, full name, health information, location, date of birth, or zip code—and more than 55% were sharing data with third-party analytical services that could potentially link those data with data from other apps.”

Scary, huh? Be careful about utilizing or partnering where this data may be sold without the proper authorizations from the patient.

Of course, HIPAA for physical therapists can be quite complicated, so be sure to consult with legal experts and check out the HHS references linked above if you’re unsure about the potential for HIPAA violations.
