Patient Protect

HIPAA for physical therapy

HIPAA compliance for physical therapy: workers' comp, field devices, and the vendor blind spot.

Physical therapy practices share more ePHI with more external parties than almost any other specialty. Workers' comp disclosures, home health device usage, and a dense vendor network create compliance exposure that most PT clinics have never mapped.

PT-specific requirements

What HIPAA specifically demands of physical therapy practices.

The HIPAA Security Rule applies uniformly across healthcare — but the operational reality differs dramatically by specialty. Physical therapy practices face a unique combination of multi-party ePHI disclosure (workers' comp), mobile device exposure (home health), and a vendor network that extends beyond the clinical setting into equipment suppliers, referral management, and functional testing platforms.

Workers' Compensation Disclosure Controls

Workers' comp communication involves ePHI sharing with employers, insurers, and legal entities that do not have a treatment relationship with the patient. HIPAA requires each disclosure to satisfy the minimum necessary standard — only the specific information required for the stated purpose. PT practices must have documented policies defining what information can be shared with each party type, a verification process for requestor identity and authority, and an audit trail of every disclosure made.

Mobile Device Security for Field Staff

Physical therapists conducting home health visits, school-based therapy, or off-site evaluations must comply with the HIPAA Security Rule on every device that accesses or stores ePHI. This means full-disk encryption, mandatory screen lock with timeout, remote wipe capability, application-level access controls, and network security for data transmission. If therapists use personal devices, the practice must implement a BYOD policy with mobile device management. Documentation of these controls must be maintained for every device that touches patient data.

Digital Intake and Patient Portal Security

Every digital intake form, patient questionnaire, and outcome measurement tool that collects patient information must transmit data over encrypted connections (TLS 1.2 minimum) and store responses in encrypted databases. Patient portals must implement unique authentication, session timeout, and access logging. The vendor providing the intake platform must have a signed BAA. Paper-to-digital conversion does not reduce HIPAA obligations — it changes the attack surface.

Inter-Provider Communication and Referrals

Physical therapy involves constant communication with referring physicians, specialists, case managers, and other treating providers. Faxing referrals, emailing progress notes, and transmitting evaluation reports all involve ePHI. HIPAA requires these transmissions to use encrypted channels with sender and recipient authentication. The common practice of faxing progress notes to a referring physician's general fax number — potentially accessible to untrained staff — is a compliance risk that most PT clinics have never assessed.

Common PT HIPAA violations

Four violations embedded in standard physical therapy workflows.

1. Sharing workers' comp records beyond the minimum necessary standard

Workers' compensation cases require physical therapy practices to communicate with employers, insurers, case managers, and attorneys. Every one of these communications involves ePHI — treatment plans, progress notes, functional capacity evaluations, and discharge summaries. HIPAA's minimum necessary standard requires that each disclosure contain only the specific information the requesting party needs. When a PT clinic sends the full medical record to an employer who only needs a return-to-work clearance, that is an unauthorized disclosure. The temptation to over-share — to avoid follow-up requests or expedite case resolution — is the single most common HIPAA violation in physical therapy.

2. Home health visits documented on personal devices

Physical therapists conducting home health visits routinely use personal smartphones and tablets to document treatment sessions, photograph wound progress, record range-of-motion measurements, and access patient records in the field. Personal devices without mobile device management, encryption, remote wipe capability, and screen lock policies are not HIPAA compliant — regardless of what apps are installed on them. A lost or stolen personal phone with patient photos and treatment notes constitutes a reportable breach for every patient whose information is accessible on that device.

3. Unencrypted digital intake forms

The shift from paper to digital intake has created a new attack surface in PT practices. Web-based intake forms collect patient demographics, insurance information, medical history, and injury descriptions — all ePHI. When these forms are hosted on standard website builders without end-to-end encryption, transmitted via unencrypted HTTP, or stored in databases without encryption at rest, the entire patient population is exposed. Many PT practices adopted digital intake during COVID without evaluating the security of the platforms collecting this data.

4. Missing BAAs with equipment vendors and referral sources

Physical therapy practices operate within a dense vendor network. DME suppliers who receive patient measurements and prescriptions, FCE software vendors who process functional capacity data, billing clearinghouses, cloud-based scheduling platforms, and electronic referral systems all touch ePHI. Each requires a signed Business Associate Agreement. The average outpatient PT clinic has vendor relationships with eight to twelve companies that handle patient data. In OCR investigations, missing BAAs are cited more frequently than any technical control failure.

Built for physical therapy

Compliance infrastructure that matches how PT practices actually work.

Patient Protect was built for independent healthcare practices — including the specific workflows, vendor relationships, and mobile device realities of physical therapy. The platform addresses workers' comp disclosure, field documentation, and vendor management from day one. Starting at $39/month with no long-term contracts.

Workers' comp disclosure management

Patient Protect provides workflow controls that enforce the minimum necessary standard for workers' comp communications. Define disclosure templates for each party type — employer, insurer, case manager, attorney — that include only the information appropriate for each. Every disclosure is logged with the requestor, purpose, content scope, and authorization. When an auditor asks how you manage workers' comp disclosures, the evidence is already documented.

Mobile device compliance for field therapists

The platform includes mobile device security assessment and policy templates built for PT practices with home health or off-site therapy programs. Verify encryption, screen lock, remote wipe, and application security on every device that accesses patient data. Whether your therapists use practice-issued iPads or personal phones under a BYOD policy, the compliance controls are documented and auditable.

Vendor and BAA tracking across the referral network

Track every vendor relationship — DME suppliers, FCE software, billing clearinghouses, scheduling platforms, referral management tools. Upload BAAs, set expiration alerts, and flag vendors operating without coverage. For PT practices that work with multiple referral sources and equipment vendors, this eliminates the most common gap in practice compliance: knowing exactly who touches your patient data and whether they are contractually accountable.

Continuous risk monitoring with PT-specific controls

Daily compliance diagnostics cover the full spectrum of PT-specific risks: mobile device security, workers' comp disclosure practices, intake form encryption, vendor coverage, staff training status, and access controls. Alerts surface drift before it becomes a finding. At $39/month, this replaces the cost of quarterly consultant reviews that only capture a snapshot of compliance at a single point in time.

FAQ

Common questions about physical therapy HIPAA compliance.

Are physical therapy practices required to be HIPAA compliant?

Yes. Any physical therapy practice that transmits health information electronically — including filing insurance claims, using electronic health records, sending referral reports, or offering a patient portal — is a HIPAA covered entity. There is no exemption for practice size, specialty, or setting. Solo PT practitioners have the same compliance obligations as large rehabilitation hospitals.

Can I share patient records with a workers' comp employer?

You can share limited information with an employer in a workers' comp case, but only under the minimum necessary standard. The employer is typically entitled to information about work capacity, restrictions, and return-to-work status — not the full treatment record. Every disclosure must be documented, and the practice must verify the identity and authority of the person requesting the information.
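The minimum necessary control described for workers' comp disclosures (a per-party disclosure template, requester verification before release, and an audit entry for every disclosure), as an added example that is not Patient Protect's code; the party types, field names, sample record and audit entry layout are assumptions constructed for illustration:

```python
from datetime import datetime, timezone

# Per-party allowlists, i.e. the disclosure templates described above. Field
# names and party types are constructed for illustration; a practice's own
# written policy defines the real ones.
DISCLOSURE_TEMPLATES = {
    "employer": {"work_capacity", "restrictions", "return_to_work_status"},
    "insurer": {"work_capacity", "restrictions", "return_to_work_status",
                "treatment_plan", "visit_dates"},
    "case_manager": {"work_capacity", "restrictions", "return_to_work_status",
                     "treatment_plan", "progress_notes"},
    "attorney": {"work_capacity", "restrictions", "return_to_work_status",
                 "treatment_plan", "progress_notes", "functional_capacity_eval"},
}

class DisclosureError(Exception):
    """Raised when a request cannot be satisfied under the policy."""

def disclose(record, patient_id, party_type, requester, purpose,
             authority_verified, audit_log):
    """Return only the fields allowed for party_type and log the disclosure."""
    # Refuse outright rather than fall back to the full record: unknown party
    # types and unverified requesters get nothing.
    if party_type not in DISCLOSURE_TEMPLATES:
        raise DisclosureError(f"no disclosure template for {party_type!r}")
    if not authority_verified:
        raise DisclosureError(f"identity/authority of {requester!r} not verified")
    allowed = DISCLOSURE_TEMPLATES[party_type]
    released = {k: v for k, v in record.items() if k in allowed}
    # Audit trail: who asked, why, and exactly which fields went out.
    audit_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "patient_id": patient_id,
        "party_type": party_type,
        "requester": requester,
        "purpose": purpose,
        "fields_released": sorted(released),
        "fields_withheld": sorted(set(record) - allowed),
    })
    return released

# Constructed sample record; a real PT chart holds far more than this.
SAMPLE_RECORD = {
    "work_capacity": "light duty, 4 hours/day",
    "restrictions": "no lifting over 10 lb",
    "return_to_work_status": "modified duty",
    "treatment_plan": "2x/week for 6 weeks, lumbar stabilization",
    "progress_notes": "pain 6/10 to 3/10 over four visits",
    "diagnosis": "lumbar strain",
}
```

An employer request for a return-to-work clearance therefore receives three fields, and the audit entry records the other three as withheld.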

Can physical therapists use personal phones for home health documentation?

Personal phones can be used for home health documentation only if the practice has implemented a BYOD policy with mobile device management, full-disk encryption, mandatory screen lock, remote wipe capability, and application-level access controls. Using a personal phone without these safeguards to access patient records, take clinical photographs, or document treatment sessions is a HIPAA violation.

Do PT practices need BAAs with DME suppliers?

Yes. Any durable medical equipment supplier that receives patient-identifiable information — measurements, prescriptions, diagnosis codes, delivery addresses — is a business associate under HIPAA. A signed Business Associate Agreement must be in place before any ePHI is shared. This includes both direct vendor relationships and third-party ordering platforms.

Next step

Map every compliance gap in your PT practice. Five minutes, no guesswork.

The free risk assessment evaluates your workers' comp disclosure practices, mobile device security, vendor coverage, and digital intake safeguards. Built for physical therapy workflows.