HIPAA compliance for physical therapy practices
Physical therapy practices are covered entities subject to the full HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Here is what the requirements mean in a PT setting — including EHR selection, telehealth, and the 2026 NPP update deadline.
By CoreFolio
Physical therapy practices are covered entities under HIPAA — subject to the same Privacy Rule, Security Rule, and Breach Notification Rule requirements as any other health care provider. What distinguishes HIPAA compliance in a PT setting is the specific technology landscape (PT-specific software platforms, exercise video tools, telehealth for post-surgical rehab), the physical environment (open gym spaces, workstations visible to waiting patients), and a set of workflow patterns that create ePHI exposure points that general HIPAA guidance often misses.
Who this applies to
A physical therapy practice is a covered entity if it furnishes services and transmits health information electronically in connection with covered transactions (45 CFR § 160.103). This includes:
- Independent outpatient PT clinics
- Hospital-based PT departments (as part of the covered hospital entity)
- PT practices integrated into physician practices
- Solo PT practitioners seeing patients and billing insurance
Cash-only practices that never submit electronic claims should verify their status using the CMS Covered Entity Decision Tool, but most PT practices do bill insurance and are covered entities.
The 2026 Notice of Privacy Practices update
Covered entities that create, receive, or maintain substance use disorder (SUD) records subject to 42 CFR Part 2 were required to update their Notice of Privacy Practices (NPP) by February 16, 2026.
This update was required following the 2024 amendment to 42 CFR Part 2 that aligned SUD record handling more closely with HIPAA while adding an NPP disclosure obligation. PT practices may encounter patients with SUD-related diagnoses — opioid use disorder is particularly common in rehabilitation settings — and should confirm whether their NPP has been updated to reflect the Part 2 requirements.
If your practice has not reviewed or updated its NPP since before February 2026, review the current NPP requirements at 45 CFR § 164.520 and the 2024 Part 2 amendment requirements.
The risk analysis in a PT practice context
The risk analysis required under 45 CFR § 164.308(a)(1)(ii)(A) must cover every system that creates, receives, maintains, or transmits ePHI. For a PT practice, this typically includes:
EHR and documentation systems: Most PT practices use PT-specific EHR platforms (WebPT, Clinicient, Net Health, Heno, and others). These platforms handle the bulk of clinical ePHI and typically provide BAAs. Confirm BAA execution, encryption configuration, and audit log settings.
Billing and practice management software: Often separate from the clinical EHR. Billing platforms handle PHI in claims and remittance processes. BAA required.
Home exercise program (HEP) platforms: PT-specific tools that generate and deliver exercise programs to patients may link programs to patient names and diagnoses. If PHI is associated with exercise content — even indirectly — the platform handles ePHI and requires a BAA.
Scheduling and patient communication platforms: Appointment reminders that pair patient-identifying information with the specialty (physical therapy) are PHI, so any scheduling or messaging vendor that generates or sends them handles PHI and requires a BAA.
Telehealth platforms: PT telehealth for post-surgical rehab, home exercise supervision, and remote assessment has expanded significantly. Full HIPAA requirements apply; see the telehealth article for platform-specific BAA guidance.
Staff mobile devices: Physical therapists who use personal phones to photograph exercise form, send exercise videos to patients, or communicate about clinical care are creating uncontrolled ePHI on personal devices. A bring-your-own-device (BYOD) policy is required if personal devices are used, and the risk analysis must address them.
Physical safeguard risks specific to PT
The physical environment of a PT practice creates exposure patterns that are less common in traditional clinical settings.
Open gym layout: Many outpatient PT clinics have open floor plans where therapists document on tablets or workstations within view of other patients. Screen positioning requirements (45 CFR § 164.310(b)) apply to all workstations visible to unauthorized persons. Privacy screens on workstations in open treatment areas are a practical solution.
Front desk and check-in areas: Workstations where staff view the schedule, verify insurance, and access clinical notes are often positioned where waiting patients can view the screen. The facility access control and workstation use policies must address this.
Treatment note documentation in patient presence: Therapists who document during treatment (directly on a tablet or laptop beside the patient) create a de facto disclosure situation if the screen is visible to others. Workstation use policy should address screen positioning during patient-side documentation.
Portable devices: Tablets used for documenting at the point of care and laptops taken home for after-hours charting must meet the device security requirements in 45 CFR § 164.310(c): encryption at rest, remote wipe capability, and physical security when not in use.
Common BA gaps in PT practices
Beyond the EHR, the business associate gaps most commonly found in PT practices:
Billing companies: If billing is outsourced, the billing company handles extensive PHI and requires a BAA. This is often in place but should be confirmed to include the Security Rule compliance obligations added by the 2013 Omnibus Rule.
Outsourced IT support: Any IT firm with remote access to practice systems containing ePHI is a business associate. This is a consistently missed BAA in small practices across all specialties.
Cloud storage and backup services: Practice files backed up to Dropbox, Google Drive, or similar services without a signed BAA constitute an impermissible disclosure if those services can access unencrypted ePHI. Consumer-tier Dropbox and Google Drive do not offer BAAs; their paid healthcare or enterprise equivalents do.
Fax services and electronic fax platforms: Physical fax machines in shared areas create privacy exposure. Electronic fax services that store fax content in a platform (eFax, MyFax) handle ePHI and require BAAs.
2026 Security Rule NPRM: what to watch
The 2026 NPRM (90 Fed. Reg. 898, January 6, 2025) proposes requiring encryption at rest and in transit as mandatory specifications, MFA for all ePHI systems, and a technology asset inventory. None of these are finalized as of May 2026, but they represent the direction of enforcement expectations.
PT practices that are behind on current Security Rule compliance — no current risk analysis, missing BAAs, no encryption on portable devices — should prioritize current rule compliance rather than waiting on the NPRM. OCR continues enforcing the current rule actively through the Risk Analysis Initiative.
Starting point for a PT practice compliance review
- Confirm covered entity status
- Identify the Security Official (and Privacy Official if different)
- Inventory all ePHI systems: EHR, billing, HEP, scheduling, telehealth, cloud storage, staff mobile devices
- Audit BAA status for every vendor on that list
- Complete or update the risk analysis
- Review the NPP for the 2026 SUD amendment compliance
- Address workstation positioning in open treatment areas
- Implement a device policy covering tablets and personal phone use
Sources: 45 CFR § 160.103 (covered entity definition); 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.310(b) and (c) (workstation use and security); 45 CFR § 164.520 (Notice of Privacy Practices); 42 CFR Part 2 (Confidentiality of SUD Records, 2024 amendments); CMS Covered Entity Decision Tool; APTA HIPAA guidance, apta.org/your-practice/compliance/hipaa. Last verified May 20, 2026.