
HIPAA Compliance for Physical Therapy Practices: The Complete 2026 Guide

Everything physical therapy practices need to know about HIPAA compliance — home visit ePHI risks, PRN staff access control, workers' comp records, PT software BAAs, and the step-by-step path to continuous compliance.

Patient ProtectPatient Protect Editorial Team·May 11, 2026·10 min read

Written and reviewed by the Patient Protect team — Joseph A. Perrin, CTO (former government CTO, military-grade security architecture), Angie Perrin, CSO (Certified HIPAA Consultant, 10+ years clinical practice), and Alexander Perrin, CEO (15 years enterprise SaaS).


Physical therapy practices are covered entities under HIPAA with the same obligations as medical offices, dental practices, and behavioral health providers. The Security Rule, Privacy Rule, and Breach Notification Rule apply in full — to every PT practice, regardless of size, location, or ownership structure.

What makes physical therapy distinctive in the compliance landscape is the specific combination of risk factors that the specialty's care delivery model creates. Home visits introduce mobile ePHI into uncontrolled environments. PRN and per-diem staffing creates access control gaps that permanent staff schedules do not. Hospital-adjacent referral relationships require BAA frameworks that most independent PT practices have never formally established. Workers' compensation and personal injury caseloads generate records request patterns that carry disclosure risk similar to what chiropractic practices face.

These are not generic HIPAA risks. They are physical-therapy-specific risks that require physical-therapy-specific compliance responses.


The Physical Therapy Compliance Landscape

The Home Visit Problem

A significant portion of physical therapy is delivered in patients' homes — post-surgical recovery, geriatric care, pediatric therapy, home health PT. This care delivery model creates ePHI risks that clinic-based practices do not face.

The physical therapist conducting home visits carries patient records on a device, typically a tablet or laptop, through environments the practice does not control. That device may join the patient's home Wi-Fi (often weakly secured, and never monitored by the practice), may be used for purposes other than documentation between visits, and is far more exposed to loss or theft than a device that never leaves a secured clinical location.

HIPAA's Security Rule applies equally to ePHI on a tablet in a patient's home as it does to ePHI on a server in a clinic. The therapist conducting the visit is responsible for ensuring the device is encrypted, password-protected, and configured to lock automatically after a short idle period, and that clinical documentation is transmitted through encrypted channels, not through personal email or consumer apps. The encryption question decides the outcome when a device goes missing: if the device is encrypted consistent with HHS guidance and the decryption key was not compromised along with it, the loss does not have to be reported as a breach; if it is not, a lost device is presumed to be a reportable breach of every record on it.

The mobile device policy requirement for home visit practices is not optional. Every device used for clinical documentation outside the clinic must be covered by a documented policy, enrolled in whatever device management solution the practice uses, and included in the Security Risk Analysis.

The PRN and Per-Diem Staffing Gap

Physical therapy practices rely heavily on PRN (as-needed) therapists, per-diem staff, and student clinical rotations. This staffing model creates a persistent access control challenge.

Every individual who accesses ePHI — including PRN staff who work one shift per month — requires their own unique login credentials, with access scoped to the minimum necessary for their role. When PRN staff are onboarded, their credentials must be created. When they stop working at the practice — even if they may return — their access must be revoked. The access revocation requirement does not have a grace period.

The pattern that produces violations: a PRN therapist works occasional shifts for 18 months, then stops coming in. No one formally terminates the relationship. No one revokes the EHR credentials. Six months later, a compliance audit or breach investigation reveals active credentials for a person who has not worked at the practice in half a year.

Student clinical rotations create the same issue in a different form. A doctoral student on a 12-week clinical rotation receives EHR access on day one. When the rotation ends, that access must be terminated on the last day — not when someone remembers to submit an IT ticket.

The Hospital-Adjacent Referral Relationship

Many independent PT practices receive the majority of their referrals from hospitals, orthopedic groups, and surgical practices. These referrals typically include clinical information — the referring diagnosis, surgical notes, imaging results, and functional assessments — that constitutes ePHI received from the referring entity.

The compliance question: is the referring hospital or medical group a Business Associate of the PT practice, or is the PT practice a Business Associate of the referring entity, or neither?

The answer depends on the specific relationship and data flow. In most referral arrangements, the referring provider is disclosing PHI to the PT practice for treatment purposes — which is a permitted disclosure under the Privacy Rule that does not require a BAA. However, if the PT practice is accessing the hospital's systems directly, or if there is ongoing data exchange that goes beyond the referral itself, the relationship may create BAA obligations.

What this means practically: PT practices should document the nature of their referral relationships with hospital systems and assess whether BAA agreements are required given how data actually flows.


What HIPAA Requires for Physical Therapy Practices

Security Rule Requirements

Security Risk Analysis: Required and must cover every ePHI system — PT software, email, mobile devices used for home visits, backup solutions, any telehealth platforms used for virtual PT sessions.

Access controls with unique credentials: Every therapist, aide, front desk staff member, and PRN employee must have individual login credentials. No shared passwords. Role-based access configured to minimum necessary.

Mobile device security: All devices used outside the clinic for clinical documentation must be encrypted, password-protected with automatic lock, and covered by a documented mobile device policy.

Encryption: ePHI transmitted from home visit locations — notes uploaded to the EHR, emails with clinical information, telehealth session data — must be encrypted in transit.

Audit logging: The PT software and any other system containing ePHI must have audit logging enabled to record who accessed which record, when, and what they did. Logs that are never looked at do not satisfy the Security Rule's information system activity review requirement: someone must review them on a documented schedule, and they must be retained long enough to support a breach investigation.

Workforce training: Every staff member — PTs, PTAs, aides, front desk, billing — with individual completion records. Training must include home visit security protocols and mobile device policies.

Privacy Rule Requirements for PT

Minimum necessary for workers' comp and personal injury referrals: PT practices treating workers' compensation and personal injury patients receive records requests from insurers, employers, and attorneys. Each disclosure must be limited to the minimum information necessary for the stated purpose. A workers' comp adjuster requesting "all records" is not necessarily entitled to all records — only those relevant to the claim.

Authorization for attorney and insurer requests: Like chiropractic practices, PT offices treating personal injury patients face records requests from third parties. A valid HIPAA authorization from the patient is required before disclosure to attorneys, employers, or insurance adjusters for purposes other than treatment, payment, or healthcare operations. One distinction matters here: disclosures to workers' compensation insurers, employers, and state administrative agencies that are required or authorized by state workers' compensation law are separately permitted under 45 CFR 164.512(l) and do not require patient authorization, but they remain subject to minimum necessary. A personal injury attorney's request carries no such permission and needs a valid authorization, or a subpoena or court order that meets the Privacy Rule's conditions, before anything is released.


The Physical Therapy Vendor BAA Checklist

PT Software and EHR

  • WebPT
  • Therabill (Therapy Brands)
  • Clinicient (Net Health)
  • Kareo / Tebra (if used for PT billing)
  • Raintree Systems
  • Prompt Therapy Solutions
  • TheraNest (if used for PT)
  • Jane App

Billing and Claims

  • Third-party billing service
  • Insurance clearinghouse (Availity, Change Healthcare)
  • Workers' compensation billing service (if separate)

Home Visit Technology

  • Mobile device management (MDM) solution vendor
  • Telehealth platform (if used for virtual PT sessions)
  • Any cloud sync service used for home visit documentation

Patient Communication

  • Appointment reminder service
  • Patient portal vendor
  • Secure messaging platform

Exercise and Home Program Platforms

  • HEP2go
  • Theraflow
  • MedBridge (home program component)
  • Any exercise prescription software that stores patient data

IT and Infrastructure

  • Managed IT provider
  • Cloud backup service
  • Remote access solution

OCR Enforcement Patterns Relevant to PT Practices

OCR enforcement actions involving physical therapy practices most commonly arise from:

Breach notifications following device loss. A therapist's tablet or laptop containing unencrypted patient records is lost or stolen during home visit rounds. The device loss triggers a breach notification — which opens an OCR investigation — which reveals the absence of a mobile device policy, unencrypted devices, and no Security Risk Analysis that covered mobile ePHI.

Patient complaints related to workers' comp disclosures. A patient disputes that their PT records were disclosed to their employer or an insurance adjuster without proper authorization. The investigation reveals the practice had no documented authorization review process for third-party records requests.

Breach notification failures. A PT practice experiences a ransomware attack, determines patient records may have been exposed, and delays notification beyond 60 calendar days from discovery while conducting its investigation. The Breach Notification Rule requires notification without unreasonable delay and no later than 60 days after discovery; the investigation does not pause that clock. The failure to notify within the required timeframe is cited as a separate violation from the underlying security failure.

The pattern across these scenarios is consistent with the broader enforcement record: foundational compliance gaps — missing SRA, no mobile device policy, no authorization review process — are exposed when an incident occurs.


Step-by-Step: HIPAA Compliance for Physical Therapy Practices

Step 1: Designate Your Security and Privacy Officers

Name specific individuals. In most independent PT practices this is the practice owner or administrator. Document the designation in writing with name and date.

Step 2: Map Your ePHI — Including Mobile Devices

Before your SRA, inventory every system and device that holds or transmits ePHI. This explicitly includes: tablets and laptops used on home visits, personal smartphones used for documentation, any cloud service used to sync home visit notes, and every PT software integration (labs if applicable, imaging, billing).

The ePHI Data Flow Mapper helps build this inventory systematically.

Step 3: Conduct a Security Risk Analysis Covering Home Visit Infrastructure

The SRA must specifically address:

  • Every mobile device used for home visit documentation
  • The networks those devices connect to (patient home Wi-Fi, cellular, hotspots)
  • How documentation is transmitted from the home visit location to the practice system
  • What happens to patient data on a device if it is lost or stolen

Produce a Risk Management Plan with specific remediation actions for identified gaps.

Step 4: Implement a Mobile Device Policy

Every PT practice that conducts home visits must have a documented mobile device policy covering:

  • Which devices are approved for clinical documentation outside the clinic
  • Encryption requirements (full-disk encryption required)
  • Password/PIN requirements and automatic lock settings
  • Prohibition on storing ePHI on personal devices without enrollment in MDM
  • What to do if a device is lost or stolen (immediate reporting, remote wipe procedures)
  • Session timeout requirements

Obtain staff acknowledgment of the policy in writing.

Step 5: Execute BAAs With All Applicable Vendors

Work through the checklist above. Exercise prescription and home program platforms — HEP2go, MedBridge, and similar — are frequently overlooked. If the platform stores patient identifiers alongside clinical content, it is processing ePHI and requires a BAA.

Step 6: Build Your PRN and Student Access Control Process

For every PRN therapist or student:

  • Create individual credentials on day one
  • Configure access to minimum necessary (their assigned patients only, if technically feasible)
  • Build a documented offboarding process that triggers immediate credential revocation
  • Audit active credentials quarterly to identify any that should have been revoked
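The quarterly credential audit in Step 6, and the audit-log review the Security Rule section calls for, can be carried out as a reconciliation rather than a manual read-through of the EHR user list. The script below is an added example, not Patient Protect's code and not tied to any particular EHR product. It compares an HR or scheduling roster (with an end date for PRN staff and students) against the EHR's user export to flag accounts that should have been revoked, and then scans audit-log lines for activity by anyone after their end date, which is the evidence that a missed revocation actually turned into unauthorized access. The CSV layouts, usernames, dates and audit-log format are all assumptions constructed for this example.

```python
"""Quarterly EHR access reconciliation: roster vs. active accounts vs. audit log.

Added example, not the page's or any vendor's code. The CSV column names,
usernames, dates and audit-log line format below are constructed for
illustration; a real export will differ and the parsing must be adapted.
"""
import csv
import io
from datetime import date, datetime

# Constructed HR/scheduling roster. end_date is blank for active staff and
# holds the last shift (PRN) or last rotation day (student) otherwise.
ROSTER_CSV = """username,role,end_date
jdoe,PT,
mlee,PTA,
rkim,PRN-PT,2025-10-30
spatel,student,2026-01-16
tfront,front-desk,
"""

# Constructed EHR user export. last_login is the most recent successful login.
EHR_USERS_CSV = """username,enabled,last_login
jdoe,true,2026-04-28
mlee,true,2026-01-05
rkim,true,2026-01-12
spatel,true,2026-01-16
tfront,true,2026-04-30
clinic-shared,true,2026-04-30
wthomas,true,2025-12-02
"""

# Constructed audit-log lines: "<ISO timestamp> <user> <event> <patient id>".
AUDIT_LOG = """2026-01-12T09:14:03 rkim VIEW_CHART P1042
2026-01-16T16:55:10 spatel SIGN_NOTE P1077
2026-01-20T08:02:44 spatel VIEW_CHART P1077
2026-04-28T11:30:01 jdoe SIGN_NOTE P1101
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(s):
    return date.fromisoformat(s) if s else None


def reconcile_accounts(roster_csv, ehr_csv, as_of="2026-04-30", inactivity_days=90):
    """Return (username, reason) pairs for enabled EHR accounts that need action.

    Reasons: 'not-on-roster' (orphaned or shared account with no named owner),
    'ended <date>' (roster end date has passed but the account is still enabled),
    'no login in N days' (dormant account worth disabling until needed again).
    """
    as_of = date.fromisoformat(as_of)
    roster = {r["username"]: r for r in parse_csv(roster_csv)}
    findings = []
    for acct in parse_csv(ehr_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already revoked; nothing to do
        user = acct["username"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "not-on-roster"))
            continue
        end = parse_date(person["end_date"])
        if end is not None and end <= as_of:
            findings.append((user, f"ended {end.isoformat()}"))
            continue
        last = parse_date(acct["last_login"])
        if last is None or (as_of - last).days > inactivity_days:
            findings.append((user, f"no login in {inactivity_days} days"))
    return findings


def post_termination_activity(roster_csv, audit_log):
    """Return (user, timestamp, event, patient) for audit events dated after the
    user's roster end_date. Activity on the end date itself is still permitted."""
    ends = {r["username"]: parse_date(r["end_date"]) for r in parse_csv(roster_csv)}
    hits = []
    for line in audit_log.splitlines():
        ts, user, event, patient = line.split()
        end = ends.get(user)
        if end is not None and datetime.fromisoformat(ts).date() > end:
            hits.append((user, ts, event, patient))
    return hits


if __name__ == "__main__":
    for user, reason in reconcile_accounts(ROSTER_CSV, EHR_USERS_CSV):
        print(f"REVOKE/REVIEW {user}: {reason}")
    for user, ts, event, patient in post_termination_activity(ROSTER_CSV, AUDIT_LOG):
        print(f"POST-TERMINATION ACCESS {user} {ts} {event} {patient}")
```

Run against the constructed data, the reconciliation flags the PRN therapist and the student whose end dates have passed, two accounts with no named owner on the roster (one of them a shared "clinic" login, which is a separate unique-credential violation), and one dormant permanent account. The audit-log pass then shows the PRN therapist viewing a chart two and a half months after their last shift and the student viewing a chart four days after the rotation ended: those two events, not just the stale accounts, are what an investigator would ask about. Any account the script flags that the practice cannot explain should be disabled the same day and the activity assessed under the Breach Notification Rule.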

Step 7: Establish an Authorization Review Process for Third-Party Records Requests

For workers' compensation and personal injury cases, establish a documented protocol:

  • Who reviews incoming records requests
  • What elements a valid HIPAA authorization must contain
  • What to do when a request lacks a valid authorization
  • How to document every request and the authorization reviewed

Step 8: Train Every Staff Member Including PRN Therapists

PRN staff who access ePHI require the same HIPAA training as permanent staff. Training must be completed before ePHI access is granted and documented individually. Home visit security protocols must be specifically covered.

Step 9: Implement Secure Communication for Patient Interaction

Establish a HIPAA-compliant patient messaging platform for appointment communication and clinical follow-up. Prohibit use of personal device SMS for patient communication involving ePHI.


Getting to Compliance Without an IT Department

Most independent PT practices do not have dedicated IT staff. The compliance infrastructure described in this guide is achievable without one — if the right platform handles the technical safeguards architecturally and guides the practice through the documentation requirements systematically.

Patient Protect is built for independent PT practices without IT departments. The platform satisfies approximately 25 HIPAA requirements automatically at account creation, guides practices through mobile device policy documentation, BAA lifecycle management, and workforce training — continuously, not annually.

Starting at $39/month. No contracts. Setup in under two hours.

Map your ePHI data flows including home visit infrastructure →

See the full platform →

Related: The Most Common HIPAA Violations in Physical Therapy Practices →


This guide reflects HIPAA requirements under 45 CFR Parts 160 and 164 as of April 2026. Provided for informational purposes and does not constitute legal advice.

© 2026 Patient Protect LLC. All rights reserved. Content may not be reproduced, scraped, or used to train AI models without written permission. Terms · DMCA