HIPAA for physical therapy
Physical therapy practices share treatment data with referring physicians, insurance carriers, and workers' comp systems every day. Each exchange is a potential compliance gap Patient Protect was built to close.
The real risk
PT practices receive referrals and send progress reports to physicians constantly. If these exchanges happen via unencrypted email, fax-to-email services, or patient portals without BAAs, every transmission is a potential HIPAA violation.
Workers' comp cases involve employers, insurers, attorneys, and case managers — all requesting patient information. Knowing what you can disclose, to whom, and under what authorization is complex. One wrong disclosure is a violation.
Home exercise program apps, outcome tracking tools, and patient engagement platforms all handle ePHI. Many PT-specific tools lack BAAs, encryption, or proper access controls — and practices adopt them without compliance review.
PT practices often see 30–50 patients per day across multiple therapists. Each patient interaction generates ePHI. The sheer volume of data handling amplifies every compliance gap — a single unsecured workflow affects thousands of records annually.
What HIPAA requires
Referral Data Security
Encrypted transmission for all referral communications with physicians. BAAs with referring physician practices, clearinghouses, and any intermediary that handles referral data.
Workers' Compensation Policies
Documented disclosure policies for workers' comp records. Authorization tracking for each disclosure. Separate handling procedures for comp cases vs. standard clinical records.
Third-Party Tool Compliance
BAAs with exercise prescription apps, outcome tracking platforms, patient engagement tools, and any software that stores or processes patient data.
High-Volume Access Controls
Unique credentials per therapist and support staff. Session timeouts on shared workstations. Audit trails documenting who accessed which patient records and when.
How Patient Protect helps
Track BAAs with every referring physician and specialist. Secure messaging ensures clinical data stays encrypted end-to-end, replacing unsecured fax and email.
Track agreements with EHR vendors, exercise platforms, billing services, and outcome tracking tools. Expiration alerts and e-sign keep everything current.
HIPAA training modules designed for PT practice workflows — high-volume patient handling, shared workstations, and multi-provider documentation. Completion tracked automatically.
See your practice's compliance posture update as you close gaps. Prioritize the highest-risk items first. Know where you stand before an audit — not during one.
How we compare
Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.
| RecommendedPatient Protect$39/ month to start | Compliancy Group$99+/mo | AccountableHQPer-employee | AbydeNot listed | Total HIPAANot listed | |
|---|---|---|---|---|---|
| Core Compliance | |||||
| Risk AssessmentSatisfies §164.308(a)(1) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Policy TemplatesVersioned, workforce acknowledgment | ✓ | ✓ | ✓ | ✓ | ✓ |
| Staff TrainingDelivery, tracking, and documentation | ✓ | ✓ | ✓ | ✓ | ✓ |
| BAA ManagementFull lifecycle, e-sign, PDF | ✓ | ✓ | ✓ | ✓ | ~ |
| Where Others Stop | |||||
| Secure MessagingBAA-gated, ePHI-compliant | ✓ | ✕ | ✕ | ✕ | ✕ |
| Digital ReferralsSend, track, and audit across offices | ✓ | ✕ | ✕ | ✕ | ✕ |
| Real-Time Security PromptsLive alerts for risks and violations | ✓ | ✕ | ✕ | ✕ | ✕ |
| Live DiagnosticsReal-time compliance visibility | ✓ | ✕ | ✕ | ✕ | ✕ |
| ePHI Audit TrailWho accessed what, and when | ✓ | ✓ | ~ | ✓ | ✓ |
| Dynamic Risk ScoringAuto-prioritized, self-updating queue | ✓ | ✓ | ✓ | ~ | ~ |
| Monthly Price | $39to start | $99+ | Per-employee | Not listed | Not listed |
Swipe to compare →
Based on publicly available feature lists and pricing as of 2026. Secure messaging and digital referrals absent from every major compliance competitor.
Pricing
No contracts · No setup fees · Cancel anytime
Core
$39/mo
Risk assessments, policies, BAA management, training, and compliance scoring.
Pro
$99/mo
Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.
FAQ
Yes. Physical therapy practices are covered entities under HIPAA. Every practice that transmits health information electronically — including insurance claims and referral communications — must comply with the full HIPAA Security, Privacy, and Breach Notification Rules.
Workers' comp records are subject to HIPAA protections. While certain disclosures to employers and insurers are permitted, they must follow specific authorization requirements. Unauthorized disclosure of treatment details beyond what's permitted is a HIPAA violation.
Many are not. If an exercise prescription app stores patient names, treatment data, or any identifying information, it must comply with HIPAA requirements and your practice needs a signed BAA with the vendor. Always verify before adopting any patient-facing tool.
Compliance consultants charge $3,000–$8,000 per year for physical therapy practices. Patient Protect starts at $39/month ($468/year) with no contracts — covering risk assessments, policy management, BAA tracking, staff training, and continuous monitoring.
Next step
Get continuous monitoring that keeps up with your patient volume. Free risk assessment — no login required.
