The Most Common HIPAA Violations in Physical Therapy Practices (2026)
Home visit device loss, PRN staff access gaps, exercise app BAA failures, and workers' comp disclosure violations — the HIPAA violations most common in PT practices, with enforcement context and what to do now.

The HIPAA violations that hit physical therapy practices hardest are shaped by how PT is delivered — in homes, in clinics with rotating staff, across workers' compensation and personal injury caseloads, and through a technology ecosystem that includes exercise platforms and home program apps that most PT practices have never assessed for compliance.
Generic HIPAA content rarely addresses any of these specifically. This post does.
Violation 1: Unencrypted Devices Lost During Home Visits
Citation: §164.312(a)(2)(iv) and §164.310(d)
This is the most common breach trigger for physical therapy practices that conduct home visits — and one of the clearest examples of how the care delivery model directly shapes compliance risk.
A physical therapist conducting home visits carries a tablet, laptop, or mobile device with patient records. The device travels through parking lots, patient homes, personal vehicles, and public spaces. When an unencrypted device containing ePHI is lost or stolen — regardless of whether anyone actually accesses the data — HIPAA treats the event as a reportable breach of unsecured PHI.
The consequence chain is direct: device lost → breach notification required → OCR investigation triggered → SRA, mobile device policy, and access controls examined → foundational gaps discovered → enforcement action.
The encryption exception:
If the same device had been encrypted with a strong algorithm (AES-256 is the standard), the loss would not constitute a reportable breach under HIPAA's safe harbor provision. The device is lost, but the PHI is "secured" — meaning it is unreadable without the encryption key. No breach notification required. No OCR investigation triggered.
Encryption costs nothing beyond the time to enable it. Full-disk encryption is built into modern operating systems (BitLocker for Windows, FileVault for macOS, built-in encryption for iOS and Android). The failure to enable it in a clinical environment where devices routinely leave the office is not a technical limitation — it is an operational oversight.
What to do:
Audit every device used for home visit documentation right now. Verify full-disk encryption is enabled on each. Establish a mobile device policy requiring encryption as a condition of use for clinical purposes. For devices that cannot be encrypted, prohibit their use for clinical documentation outside the clinic.
Violation 2: PRN and Student Access Credentials Not Revoked
Citation: §164.308(a)(3)(ii)(C)
Physical therapy practices use PRN therapists and student clinical rotations more extensively than most other healthcare specialties. Every one of these individuals who accesses ePHI requires individual credentials — and those credentials must be revoked when the person's relationship with the practice ends.
The specific enforcement pattern for PT:
A per-diem PT worked occasional weekend shifts for 14 months, then stopped accepting shifts. No formal separation occurred. No one submitted a credential revocation request. Eight months later, those credentials are still active in the PT software, the patient portal administrative system, and the billing platform.
A doctoral student completed a 12-week clinical rotation. On the last day of the rotation, her credentials were not revoked because the supervising PT did not know that was their responsibility, and the clinic administrator assumed IT handled it.
Both scenarios are ongoing HIPAA violations for every day the credentials remain active. If a breach investigation or compliance audit examines credential activity, active credentials for individuals who no longer work at the practice are a direct finding.
The workers' compensation sensitivity:
PT practices with workers' compensation caseloads have additional exposure when former staff credentials remain active. A former PRN therapist with retained access to patient records in workers' comp cases — where records have legal and financial value — presents an elevated risk that regulators and insurers take seriously.
What to do:
Implement a formal offboarding checklist for every person who accesses ePHI — permanent, PRN, or student. Credential revocation must be a same-day requirement on the final day of the relationship. Conduct a quarterly audit of active credentials and cross-reference against current staff and student rosters.
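The quarterly credential audit described above, as an added example that is not part of the original post: it reconciles the active-account export from each ePHI system (PT software, patient portal, billing) against the staff and student roster and flags accounts whose owner has left, whose owner is unknown, or whose PRN owner has gone dormant. All data is constructed, and the 90-day PRN dormancy threshold is an assumed policy value.

```python
"""Stale-credential audit: reconcile active accounts in every ePHI system
against the current staff/student roster. Constructed data throughout."""
from datetime import date, timedelta

# Constructed roster: one row per person ever granted ePHI access.
# end_date is None while the relationship with the practice is ongoing.
ROSTER = {
    "jsmith":  {"role": "PT",      "end_date": None},
    "alee":    {"role": "PRN",     "end_date": None},              # stopped taking shifts, never offboarded
    "mgarcia": {"role": "student", "end_date": date(2026, 1, 30)}, # rotation ended
    "rpatel":  {"role": "PT",      "end_date": date(2025, 9, 15)}, # resigned
}

# Constructed exports from each system that holds ePHI:
# (system, username, account_active, last_login)
ACCOUNT_EXPORTS = [
    ("pt_emr",         "jsmith",   True,  date(2026, 4, 20)),
    ("pt_emr",         "alee",     True,  date(2025, 8, 2)),
    ("pt_emr",         "mgarcia",  True,  date(2026, 1, 29)),
    ("patient_portal", "alee",     True,  date(2025, 7, 30)),
    ("patient_portal", "rpatel",   True,  date(2025, 9, 14)),
    ("billing",        "rpatel",   False, date(2025, 9, 14)),  # already disabled: not a finding
    ("billing",        "tempuser", True,  date(2026, 3, 1)),   # nobody on the roster owns this
]

PRN_DORMANCY = timedelta(days=90)  # assumed policy: PRN accounts idle this long get reviewed

def audit_accounts(roster, exports, today):
    """Return (system, username, reason) for every active account to revoke or review."""
    findings = []
    for system, user, active, last_login in exports:
        if not active:
            continue  # disabled accounts are already handled
        person = roster.get(user)
        if person is None:
            findings.append((system, user, "no roster entry: unknown owner"))
        elif person["end_date"] is not None and person["end_date"] <= today:
            findings.append((system, user, f"relationship ended {person['end_date']}"))
        elif person["role"] == "PRN" and today - last_login > PRN_DORMANCY:
            findings.append((system, user, f"PRN dormant since {last_login}"))
    return findings

def run_audit(today=date(2026, 4, 30)):
    """Run the audit on the constructed data as of the given date."""
    return audit_accounts(ROSTER, ACCOUNT_EXPORTS, today)

if __name__ == "__main__":
    for system, user, reason in run_audit():
        print(f"{system:15} {user:10} {reason}")
```

Each finding maps to a same-day revocation ticket; the already-disabled billing account for the resigned PT is deliberately not reported.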
Violation 3: Exercise and Home Program App BAA Failures
Citation: §164.308(b)(1)
This is the most PT-specific violation on this list — and the one that most compliance guides never mention.
Physical therapy practices routinely prescribe home exercise programs through digital platforms: HEP2go, MedBridge, Theraflow, and a growing ecosystem of exercise prescription and patient engagement apps. Many of these platforms store patient identifiers alongside clinical content — exercise programs assigned to named patients, progress tracking tied to patient records, communication with patients about their programs.
When a platform stores or transmits patient identifiers alongside clinical content, it is processing ePHI and qualifies as a Business Associate. Every Business Associate requires a signed BAA.
Most PT practices using these platforms have never assessed their BAA status. They signed up for the service, entered patient data, and assumed either that the vendor handles compliance or that the platform is not subject to HIPAA because it is "just for exercises."
Neither assumption is correct.
The platform assessment:
For every exercise and home program platform your practice uses, ask:
- Does the platform store patient identifiers (name, date of birth, patient ID)?
- Does the platform associate clinical content (exercises, progress notes, outcome measures) with individual patient identifiers?
- Does the platform transmit patient data outside your practice's network?
If yes to any of these, the platform is processing ePHI. If it processes ePHI on your behalf, it requires a BAA. Contact the vendor. Request the BAA. Execute it before entering more patient data.
What to do:
Audit every digital platform your practice uses for patient care delivery — not just your primary PT software. Create a complete inventory. Assess each for ePHI processing. Execute BAAs for every vendor that qualifies.
Violation 4: Workers' Compensation Records Disclosure Without Authorization
Citation: §164.502 and §164.508
Physical therapy practices treating workers' compensation patients face the same records request challenge as chiropractic practices — and the same violation pattern.
Insurance adjusters, employer representatives, case managers, and attorneys regularly contact PT practices for records related to workers' compensation claims. The requests arrive through various channels — phone calls, fax, email, form letters — and are often presented as routine or expected parts of the claims process.
Under HIPAA, disclosing PHI to a workers' compensation insurer, employer, or attorney requires either a valid patient authorization or a specific exception. The applicable exception for workers' comp is narrow: disclosure of PHI to a workers' compensation insurer is permitted to the extent authorized by and necessary to comply with workers' compensation laws (§164.512(l)). This exception permits disclosure of information relevant to the workers' comp claim — it does not authorize unrestricted production of all patient records.
The common violation:
An adjuster requests "all PT records for [patient] related to their workplace injury claim." The practice produces a complete records package — intake assessment, all session notes, functional outcome measures, billing records — without assessing whether all of that information is actually authorized under the workers' comp exception or whether a patient authorization was obtained.
The over-disclosure of records — providing more than the minimum necessary for the authorized purpose — is a Privacy Rule violation even when the disclosure itself is permissible.
What to do:
Establish a workers' comp records protocol. When a request arrives:
- Identify the legal basis for the disclosure (workers' comp exception or patient authorization)
- If relying on the exception, limit disclosure to information relevant to the claim
- If a general authorization exists, verify it meets HIPAA's requirements
- Document every request and the basis for the disclosure
Violation 5: No Security Risk Analysis Covering Mobile Infrastructure
Citation: §164.308(a)(1)(ii)(A)
The same SRA violation that appears in every specialty list — but with a PT-specific dimension that makes it distinctly consequential for home visit practices.
Most SRAs conducted by small practices focus on the clinic: the server, the computers, the EHR. They do not address mobile devices used for home visits, the networks those devices connect to during visits, or the specific data flows created by documentation conducted in patients' homes.
When a PT practice experiences a home visit device breach — the most common PT breach trigger — and OCR investigates, the investigation will examine the SRA. An SRA that covers the clinic but not the home visit infrastructure demonstrates that the practice knew the SRA requirement existed, attempted to fulfill it, and still left its highest-risk ePHI environment unaddressed.
OCR treats this as evidence that the practice knew about the obligation — which elevates the violation above the minimum tier.
What to do:
Your SRA must explicitly address home visit infrastructure: every device used outside the clinic, the networks those devices connect to, the data transmission paths from the field to the practice system, and the specific risks created by operating in uncontrolled environments. Document this coverage in the SRA itself. Produce a Risk Management Plan that addresses the identified mobile risks.
The Pattern
Each violation in this post reflects the same challenge: compliance infrastructure designed for a clinic, applied to a practice that also operates in the field. The devices leave. The staff rotates. The exercise platforms accumulate. The workers' comp records move.
HIPAA's requirements do not stop at the clinic door. The practice's compliance infrastructure needs to extend wherever patient data goes.
Based on OCR enforcement data and HHS guidance documents as of April 2026. Provided for informational purposes. Does not constitute legal advice.
