Common HIPAA Violations Speech Therapists Should Know—and Avoid


Kevin Henry

HIPAA

April 14, 2026

5-minute read

As a speech therapist, you handle Protected Health Information (PHI) every day. This guide highlights common HIPAA violations speech therapists should know—and avoid, with practical steps to strengthen compliance in your practice or clinic.

Unauthorized Access to Patient Information

How this violation happens

  • “Snooping” in charts of patients outside your caseload or out of curiosity.
  • Sharing login credentials or leaving a workstation unlocked where PHI is visible.
  • Discussing cases in public areas where others can overhear details.
  • Pulling broad EHR reports that exceed the minimum necessary standard.

Prevention essentials

Implement Role-Based Access Control so team members only see records needed for their role. Require unique user IDs, strong passwords, and time-based screen locks. Enable Audit Trails and review them routinely to detect unusual access patterns.

Adopt a written “minimum necessary” policy and train staff to apply it consistently. Prohibit shared accounts, and document workforce clearance for anyone who can view PHI, including students and per-diem providers.
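The audit-trail review described above, as an added example that is not from the article or any EHR product: it flags chart access outside a clinician's caseload (the "snooping" pattern) and report pulls that exceed the minimum necessary. The log format, user names, caseload table and export threshold are all constructed for illustration.

```python
# Added example (not from any EHR vendor): review a constructed audit trail for
# chart access outside a clinician's caseload and for bulk report pulls.
from collections import Counter

# Constructed caseload table: patients each user is assigned to treat.
CASELOAD = {
    "slp_ahmed": {"P1001", "P1002", "P1003"},
    "slp_garcia": {"P2001", "P2002"},
    "scheduler_lee": set(),  # schedulers have no treatment caseload
}
# Actions that expose clinical content and so must stay within caseload.
CLINICAL_ACTIONS = {"VIEW_CHART", "EXPORT_REPORT"}

# Constructed audit-trail lines: user|action|patient_id|timestamp (to the minute)
AUDIT_LOG = """\
slp_ahmed|VIEW_CHART|P1001|2026-04-13T09:02
slp_ahmed|VIEW_CHART|P2002|2026-04-13T09:10
slp_garcia|VIEW_CHART|P2001|2026-04-13T10:15
slp_garcia|EXPORT_REPORT|P1001|2026-04-13T10:30
slp_garcia|EXPORT_REPORT|P1002|2026-04-13T10:30
slp_garcia|EXPORT_REPORT|P1003|2026-04-13T10:30
slp_garcia|EXPORT_REPORT|P2001|2026-04-13T10:30
slp_garcia|EXPORT_REPORT|P2002|2026-04-13T10:30
slp_garcia|EXPORT_REPORT|P3001|2026-04-13T10:30
scheduler_lee|VIEW_DEMOGRAPHICS|P1002|2026-04-13T11:00
scheduler_lee|VIEW_CHART|P1002|2026-04-13T11:01
"""

def parse_audit_log(text):
    """Split pipe-delimited lines into records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if line.strip():
            user, action, patient, ts = line.split("|")
            records.append({"user": user, "action": action, "patient": patient, "ts": ts})
    return records

def review_audit_trail(records, caseload, export_threshold=3):
    """Return (user, rule, detail) findings: one per user for out-of-caseload
    access, one per user-minute whose export count exceeds the threshold."""
    outside, exports = {}, Counter()
    for r in records:
        if r["action"] in CLINICAL_ACTIONS and r["patient"] not in caseload.get(r["user"], set()):
            outside.setdefault(r["user"], set()).add(r["patient"])
        if r["action"] == "EXPORT_REPORT":
            exports[(r["user"], r["ts"])] += 1  # timestamps are already per minute
    findings = [(u, "outside_caseload", tuple(sorted(p))) for u, p in sorted(outside.items())]
    findings += [(u, "bulk_export", n) for (u, _), n in sorted(exports.items()) if n > export_threshold]
    return findings
```

On the constructed log, `review_audit_trail(parse_audit_log(AUDIT_LOG), CASELOAD)` returns four findings: three users touching charts outside their caseload (including the scheduler opening a chart at all) and one six-record export burst.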

Safeguarding Electronic Health Records

Technical safeguards to prioritize

Use EHR systems and devices that meet recognized Data Encryption Standards for data in transit and at rest. Add multi-factor authentication, automatic logoff, and device-level encryption on laptops, tablets, and phones used for therapy or telepractice.

Harden endpoints with patching, anti-malware, and mobile device management for remote wipe if a device is lost. Maintain reliable, tested backups and restrict admin privileges to a small, authorized group.

Administrative and vendor controls

Complete a documented Risk Assessment at least annually to identify ePHI threats, then mitigate them with specific remediation steps and timelines. Turn on Audit Trails in your EHR and schedule periodic log reviews.

Execute a Business Associate Agreement (BAA) with any vendor that creates, receives, maintains, or transmits PHI—EHR platforms, billing services, telehealth tools, cloud storage, and IT support—before sharing data.

HIPAA allows use and disclosure of PHI for treatment, payment, and healthcare operations without a specific authorization. For disclosures beyond those purposes—such as sending records to a school, attorney, or coach—you must obtain a signed patient authorization that specifies what, to whom, and for how long.

Provide each patient (or parent/guardian) the Notice of Privacy Practices and document acknowledgment. For telepractice, obtain and record informed consent that addresses technology risks and privacy protections.

Documentation practices that hold up

  • Use standardized authorization forms and store them in the EHR where they are easy to find.
  • Record verbal permissions when allowed, then follow up with written documentation.
  • Log each release of information and verify identity before disclosing PHI.

Proper Disposal of Protected Health Information

Paper and physical media

Shred paper records and labels containing PHI using cross-cut shredders or locked shred bins. Secure charts and sign-in sheets; never place PHI in regular trash or recycling.

Electronic media and devices

Before disposing, returning, or repurposing devices, permanently purge ePHI using industry-standard data destruction methods. Remove PHI from copiers, scanners, USB drives, and memory cards. If you use a disposal vendor, maintain a BAA and a certificate of destruction.

Conducting Regular Staff HIPAA Training

Who, when, and what to train

Train everyone with access to PHI—SLPs, SLPAs, schedulers, students, contractors—at onboarding and regularly thereafter. Tailor modules by role so staff understand the minimum necessary rule, secure documentation, and your Breach Notification Procedures.

Reinforce learning with sign-in records, short quizzes, and periodic phishing simulations. Update training after policy changes, system upgrades, or new risks identified in your Risk Assessment.

Employing Secure Communication Methods

Day-to-day messaging without risk

Use secure portals or encrypted email for sharing reports, therapy videos, and invoices. Texting PHI on standard SMS apps is risky—choose a secure messaging platform under a BAA that supports encryption and retention controls.

For phone and voicemail, verify identity and limit details to the minimum necessary. When faxing, confirm the number, use a cover sheet, and retrieve faxes promptly. For telepractice, select platforms that meet Data Encryption Standards and include BAAs.

Recognizing and Reporting HIPAA Breaches

Identify, contain, and investigate

A breach is an impermissible use or disclosure of unsecured PHI. If one occurs, act immediately: stop the exposure, secure devices, preserve Audit Trails, and launch a documented Risk Assessment addressing the nature of PHI, who received it, whether it was viewed, and mitigation taken.

Breach Notification Procedures

Follow your written Breach Notification Procedures to notify affected individuals and, when required, regulators and other parties. Coordinate with Business Associates under the BAA to determine responsibilities, timelines, and corrective actions. Track root causes and update safeguards to prevent recurrence.

Conclusion

Preventing HIPAA violations in speech therapy comes down to strong access controls, secure EHR practices, clear consent and documentation, careful PHI disposal, ongoing role-based training, secure communication, and disciplined breach response. Put these controls in place, verify them with Audit Trails and Risk Assessments, and keep your BAAs current.

FAQs

What are common HIPAA violations for speech therapists?

Typical issues include unauthorized chart access, missing or outdated BAAs with vendors, weak passwords or no multi-factor authentication, unsecured texting or email, incomplete consent/authorization records, improper disposal of PHI, and slow or undocumented Breach Notification Procedures after an incident.

How should speech therapists handle electronic health records securely?

Choose an EHR that supports Role-Based Access Control, strong Data Encryption Standards, multi-factor authentication, and detailed Audit Trails. Encrypt devices, apply timely updates, use managed backups, review access logs, and document an annual Risk Assessment with remediation steps.

When is patient authorization required under HIPAA?

You need a signed authorization for disclosures not related to treatment, payment, or healthcare operations—such as sending records to non-treating third parties or for certain marketing purposes. The authorization must specify the information, recipient, purpose, expiration, and the patient’s right to revoke.

What are the steps to take after a HIPAA breach?

Immediately contain the incident, secure systems, and preserve evidence. Conduct a documented Risk Assessment, consult any implicated Business Associates under the BAA, and carry out your Breach Notification Procedures—inform affected individuals and required authorities—then implement corrective actions and monitor with Audit Trails.
