
HIPAA for physical therapy

HIPAA Compliance for Physical Therapists

Physical therapy practices share treatment data with referring physicians, insurance carriers, and workers' comp systems every day. Whether you already work with a compliance vendor or are evaluating for the first time, Patient Protect adds a security-first layer to close the operational gaps in each exchange.

Active breach prevention · Starting at $39/mo · No contracts

HIPAA in practice

What HIPAA actually looks like for physical therapy practices.

The regulatory framework, the enforcement patterns OCR has historically cited, the non-HIPAA standards that apply, the gaps audits routinely surface, and the record-retention overlay where state law stacks on HIPAA’s six-year minimum.

Regulatory framework

Physical therapy practices operate under HIPAA as covered entities through standard electronic transactions — claims submission to Medicare Part B, private payers, workers' compensation systems, and eligibility verification. Medicare therapy services impose specific documentation requirements: plan of care signed by referring physician within 30 days, periodic reassessment, KX modifier and therapy-cap exception documentation, progress-note specificity. State physical therapy practice acts govern record-keeping. The ABPTS specialty board rules apply where the practice employs specialty-certified clinicians.

OCR enforcement patterns

OCR's PT enforcement record includes cases of progress photo storage on consumer cloud platforms (Dropbox, Google Drive, iCloud are not HIPAA-compliant for treatment-record photos), unauthorized record access by former employees, missing or expired BAAs with therapy-specific platforms (home exercise prescription, electronic claims), and disclosure errors involving workers' compensation and personal-injury attorneys. Medicare audits surface HIPAA-adjacent documentation gaps — missing referring-physician signatures, inadequate progress-note specificity — that compound into HIPAA exposure.

Specialty-specific standards beyond HIPAA

Medicare therapy cap exceptions and KX modifier documentation under §1833(g). Section 164.512(l) workers' compensation disclosure exception (state-specific implementation varies). Plan-of-care signature requirements under Medicare. State licensure board rules on direct-access vs referral-required care. State workers' compensation systems impose their own record-disclosure frameworks. Home exercise program (HEP) platforms are business associates when they receive PHI.

Common compliance gaps

Progress photos stored on consumer platforms or staff personal devices are the single highest-frequency compliance gap in PT practice. Other recurring gaps: missing referring-physician signatures on plans of care, which create both Medicare and HIPAA documentation issues; undocumented disclosures to personal-injury attorneys (which require §164.508 authorization, not the §164.512(l) workers' comp exception); missing BAAs with HEP platforms and electronic claims clearinghouses; and inadequate audit logging of staff access to celebrity-patient or executive-patient records.

Retention overlay

State law stacked on HIPAA’s six-year floor.

HIPAA sets a six-year minimum; state PT board rules typically require seven to ten years post-last-encounter. Medicare requires retention of plan-of-care and treatment documentation for the period of care plus a tail. Workers' compensation cases impose their own retention requirements under state law — typically the duration of the claim plus a multi-year period. Progress photos that are part of the medical record are subject to the same retention as the rest of the record.

Reference summary, not legal advice. This page summarizes how HIPAA and adjacent regulatory frameworks apply to physical therapy practices, based on Patient Protect’s reading of the relevant CFR provisions, OCR enforcement record, and state statutes. Operators with specific compliance questions should consult a qualified HIPAA attorney. Patient Protect is a HIPAA compliance platform; we are not a law firm and do not provide legal advice.

Where to start

The five-step path to compliant operation.

In order. Each step is the foundation the next one rests on. A physical therapy practice that completes the five steps below has cleared the operational core of HIPAA compliance.

  1. Run a risk analysis covering EHR, exercise tracking, and progress documentation systems

    Risk analysis under §164.308(a)(1)(ii)(A) covering EHR (WebPT, ClinicSource, Therabill), home exercise prescription platform, progress photo storage, electronic claims clearinghouse, patient portal. Plus the unique PT pattern: workers' comp claim transmission and attorney-disclosure infrastructure.

  2. Migrate progress photos to BAA-covered storage

    Progress photos documenting range-of-motion, swelling, post-surgical recovery are PHI when linked to patient identity. Move from consumer cloud platforms (iCloud, Dropbox, Google Photos) and staff personal devices to BAA-covered storage with proper access and audit controls.

  3. Sign BAAs with the PT-specific vendor ecosystem

    EHR vendor, home exercise program platform (HEP), electronic claims clearinghouse, secure messaging tool, photo storage system, e-fax service, IT support. Each is a BA under §160.103.

  4. Document Medicare therapy compliance procedures

    Plan of care signed by referring physician within 30 days, periodic reassessment per Medicare schedule, KX modifier and therapy-cap exception documentation, progress note specificity. Patient Protect's policy generation handles the Medicare overlay alongside HIPAA training.

  5. Train staff on workers' comp and personal-injury disclosure scenarios

    PT practices field disclosure requests routinely — employers, insurance adjusters, attorneys. Staff need clear rules: workers' comp permits state-law-defined disclosures without authorization; personal-injury attorneys require §164.508 authorization. Training under §164.530(b)(1) should cover the distinction.

The real risk

Where physical therapy practices are most exposed.

01. Referring physician data exchanges lack BAA coverage

PT practices receive referrals and send progress reports to physicians constantly. If these exchanges happen via unencrypted email, fax-to-email services, or patient portals without BAAs, every transmission is a potential HIPAA violation.

02. Workers' compensation records add disclosure complexity

Workers' comp cases involve employers, insurers, attorneys, and case managers — all requesting patient information. Knowing what you can disclose, to whom, and under what authorization is complex. One wrong disclosure is a violation.

03. Exercise and treatment documentation tools may not be compliant

Home exercise program apps, outcome tracking tools, and patient engagement platforms all handle ePHI. Many PT-specific tools lack BAAs, encryption, or proper access controls — and practices adopt them without compliance review.

04. High patient volumes mean high breach exposure

PT practices often see 30–50 patients per day across multiple therapists. Each patient interaction generates ePHI. The sheer volume of data handling amplifies every compliance gap — a single unsecured workflow affects thousands of records annually.

What HIPAA requires

Regulatory requirements specific to physical therapy practices.

Referral Data Security

Encrypted transmission for all referral communications with physicians. BAAs with referring physician practices, clearinghouses, and any intermediary that handles referral data.

Workers' Compensation Policies

Documented disclosure policies for workers' comp records. Authorization tracking for each disclosure. Separate handling procedures for comp cases vs. standard clinical records.

Third-Party Tool Compliance

BAAs with exercise prescription apps, outcome tracking platforms, patient engagement tools, and any software that stores or processes patient data.

High-Volume Access Controls

Unique credentials per therapist and support staff. Session timeouts on shared workstations. Audit trails documenting who accessed which patient records and when.
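The audit-trail requirement above (and the "inadequate audit logging" gap named under Common compliance gaps) is easiest to understand when you see what a review of the log actually looks for. The script below is an added example, not code from the Patient Protect page or product: it parses a few constructed EHR audit lines (the pipe-delimited format, the user and workstation names, the patient IDs and the restricted-record roster are all assumptions for illustration), produces the "who accessed which record and when" report, and flags three conditions a reviewer cares about: one login active on two workstations within minutes (a shared credential), activity resuming on a workstation after a long idle gap with no new login (session timeout not enforced), and a restricted record opened by someone outside its care team.

```python
"""Audit-trail review over EHR access logs.

Added example, not part of the Patient Protect page or product. The log
format, field names, user/workstation names, patient IDs and the sample
lines below are constructed for illustration; a real EHR exports audit
events in its own format and the parser would be adapted to it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp|user|workstation|event|patient_id
SAMPLE_LOG = """\
2024-03-04T08:01:10|tjones|WS-FRONT1|LOGIN|-
2024-03-04T08:02:30|tjones|WS-FRONT1|VIEW|P1001
2024-03-04T08:03:05|tjones|WS-GYM2|VIEW|P1002
2024-03-04T08:40:00|tjones|WS-FRONT1|VIEW|P1003
2024-03-04T09:10:00|mlee|WS-GYM1|LOGIN|-
2024-03-04T09:11:00|mlee|WS-GYM1|VIEW|P2001
2024-03-04T09:12:00|mlee|WS-GYM1|VIEW|P9999
2024-03-04T09:15:00|mlee|WS-GYM1|LOGOUT|-
"""

SESSION_TIMEOUT = timedelta(minutes=15)   # assumed workstation idle timeout
IMPLAUSIBLE_HOP = timedelta(minutes=5)    # same user on two workstations this close apart

# Constructed: restricted (e.g. executive-patient) records -> users on the care team
RESTRICTED_RECORDS = {"P9999": {"tjones"}}


def parse_audit_log(text):
    """Parse pipe-delimited audit lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, event, patient = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "event": event,
                       "patient": None if patient == "-" else patient})
    return sorted(events, key=lambda e: e["ts"])


def access_report(events):
    """Who accessed which patient record and when: patient -> [(user, ts)]."""
    report = defaultdict(list)
    for e in events:
        if e["patient"]:
            report[e["patient"]].append((e["user"], e["ts"].isoformat()))
    return dict(report)


def find_shared_credentials(events):
    """Flag a login seen on two different workstations within IMPLAUSIBLE_HOP:
    one person cannot be at both, so the credential is probably shared."""
    findings = []
    last_seen = {}  # user -> (workstation, ts)
    for e in events:
        prev = last_seen.get(e["user"])
        if prev and prev[0] != e["ws"] and e["ts"] - prev[1] <= IMPLAUSIBLE_HOP:
            findings.append((e["user"], prev[0], e["ws"], e["ts"].isoformat()))
        last_seen[e["user"]] = (e["ws"], e["ts"])
    return findings


def find_missing_timeouts(events):
    """Flag activity resumed on a workstation after more than SESSION_TIMEOUT
    of inactivity without a fresh LOGIN: the shared workstation stayed open."""
    findings = []
    last_activity = {}  # (user, workstation) -> ts of last event
    for e in events:
        key = (e["user"], e["ws"])
        prev = last_activity.get(key)
        if prev and e["event"] != "LOGIN" and e["ts"] - prev > SESSION_TIMEOUT:
            findings.append((e["user"], e["ws"], e["ts"].isoformat()))
        if e["event"] == "LOGOUT":
            last_activity.pop(key, None)
        else:
            last_activity[key] = e["ts"]
    return findings


def find_restricted_access(events, restricted=RESTRICTED_RECORDS):
    """Flag opens of restricted records by users outside the record's care team."""
    return [(e["user"], e["patient"], e["ts"].isoformat())
            for e in events
            if e["patient"] in restricted and e["user"] not in restricted[e["patient"]]]


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_LOG)
    print("access report:", access_report(evts))
    print("shared credentials:", find_shared_credentials(evts))
    print("missing session timeouts:", find_missing_timeouts(evts))
    print("restricted-record access:", find_restricted_access(evts))
```

On the sample data the review surfaces one of each: tjones appears on WS-FRONT1 and WS-GYM2 35 seconds apart, tjones resumes on WS-FRONT1 after a 37-minute gap with no new login, and mlee opens the restricted record P9999 without being on its care team. Each finding is the kind of item an auditor expects the practice to have noticed and documented from its own audit trail; the thresholds and the restricted-record roster are the parts a practice tunes to its own workflow.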

Your state, your rules

State-specific HIPAA rules for physical therapy practices.

HIPAA is federal — but your state layers additional breach notification deadlines, AG reporting requirements, and privacy laws on top. Select your state to see what applies to your practice.

How Patient Protect helps

Built for physical therapy practices, not hospital systems.

Referral workflow compliance

Track BAAs with every referring physician and specialist. Secure messaging ensures clinical data stays encrypted end-to-end, replacing unsecured fax and email.

BAA management for PT vendors

Track agreements with EHR vendors, exercise platforms, billing services, and outcome tracking tools. Expiration alerts and e-sign keep everything current.

Workforce training for clinical staff

HIPAA training modules designed for PT practice workflows — high-volume patient handling, shared workstations, and multi-provider documentation. Completion tracked automatically.

Real-time compliance scoring

See your practice's compliance standing update as you close gaps. Prioritize the highest-risk items first. Know where you stand before an audit — not during one.

Plan-of-care documentation aligned with Medicare therapy requirements

Physical therapy plans of care under Medicare require physician signature within 30 days, periodic reassessment, and specific documentation of progression. Patient Protect's policy generation produces the documentation framework Medicare auditors expect — without which Part B reimbursement is vulnerable to clawback for documentation deficiency.

KX modifier and therapy cap exception tracking

Therapy services exceeding the annual cap require the KX modifier with documentation justifying medical necessity. The platform tracks cap thresholds per patient and surfaces the documentation requirements before claims are submitted — the alternative is appeals after denial.

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

01. What to ask: Risk assessment that satisfies §164.308(a)(1). A readiness quiz is not a risk analysis.
    Patient Protect: Full SRA wizard mapped to NIST CSF with live scoring

02. What to ask: Auto-generated policies with workforce acknowledgment. HIPAA requires documented proof your staff reviewed them.
    Patient Protect: 48 policies from your risk profile, versioned acknowledgment

03. What to ask: Staff training with delivery tracking. §164.308(a)(5) — sending a PDF is not sufficient.
    Patient Protect: 80+ modules, completion tracking, audit-ready records

04. What to ask: Full BAA lifecycle management. Expired BAAs are a top enforcement target.
    Patient Protect: E-signature, renewal alerts, Vendor Risk Scanner

Yes on all 10. Now run the checklist on the rest.

From $39/mo · No long-term contracts.

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.


FAQ

Common questions about HIPAA compliance for physical therapy practices.

Do physical therapy practices need HIPAA compliance?

Yes. Physical therapy practices are covered entities under HIPAA. Every practice that transmits health information electronically — including insurance claims and referral communications — must comply with the full HIPAA Security, Privacy, and Breach Notification Rules.

How does HIPAA apply to workers' compensation in PT?

Workers' comp records are subject to HIPAA protections. While certain disclosures to employers and insurers are permitted, they must follow specific authorization requirements. Unauthorized disclosure of treatment details beyond what's permitted is a HIPAA violation.

Are home exercise program apps HIPAA compliant?

Many are not. If an exercise prescription app stores patient names, treatment data, or any identifying information, it must comply with HIPAA requirements and your practice needs a signed BAA with the vendor. Always verify before adopting any patient-facing tool.

What does HIPAA compliance cost for a PT practice?

Compliance consultants charge $3,000–$8,000 per year for physical therapy practices. Patient Protect starts at $39/month ($468/year) with no contracts — covering risk assessments, policy management, BAA tracking, staff training, and continuous monitoring.

Are progress photos taken for insurance documentation considered PHI?

Yes. Photos that document patient progress, range-of-motion, swelling, or other clinical findings linked to patient identity are PHI under HIPAA. Storage on consumer cloud platforms (iCloud, Google Photos, Dropbox) or staff personal-device camera rolls is non-compliant. PHI photos require BAA-covered storage with the same access and audit controls as the EHR.

Do PT practices need a BAA with the referring physician's practice?

Generally no — provider-to-provider PHI exchange for treatment purposes is permitted under §164.506 without a BAA. However, electronic transmission infrastructure (clearinghouses, secure messaging platforms, fax services that handle PHI) typically requires BAAs. The provider relationship is treatment-purpose; the technical intermediaries handling the data are business associates.

Can PT practices share patient progress with employers or attorneys for workers' comp cases?

Workers' compensation is one of HIPAA's permitted disclosure categories under §164.512(l) — practices may disclose PHI as authorized by state workers' comp law without specific patient authorization. The disclosure must be limited to what state law requires. Disclosures for personal-injury attorneys typically require specific patient authorization under §164.508 because they fall outside the workers' comp exception.

Patient Protect is intuitive, proactive, and affordable — exactly what small clinics like ours need to keep patient data safe and stay on the right side of HIPAA.
Dr. Thomas E. Murray, D.D.S., Patient Protect Member Since 2017

Next step

Your PT practice moves too fast for annual compliance reviews.

Get continuous monitoring that keeps up with your patient volume. Free risk assessment — no login required.