HIPAA Best Practices for Speech Therapists: A Practical Compliance Guide

HIPAA Privacy Rule Compliance

Understand what counts as PHI

Protected Health Information (PHI) includes any data that can identify a client and relates to their health, care, or payment. For speech therapists, that means evaluation reports, progress notes, audio or video samples, diagnoses, billing details, and even appointment times if tied to a name or contact information.

Apply the Minimum Necessary Standard

Disclose or access only the PHI needed to accomplish a specific task. For example, when coordinating with a referring provider, share relevant therapy goals and findings—not your entire session history. Build this Minimum Necessary Standard into templates, checklists, and role-based permissions.

Honor patient rights and document your process

• Provide a Notice of Privacy Practices at intake and note acknowledgment.
• Respond to access and amendment requests within required timeframes and keep a log.
• Track disclosures that require an accounting and document denials with justification.

Use valid authorizations for non-routine disclosures

When sharing PHI with schools, caregivers not involved in treatment, or third parties, obtain written authorization that specifies who, what, why, and for how long. Verify identity before release and store the authorization with the client’s record.

Implementing Security Rule Safeguards

Start with Risk Assessments

Conduct a formal security Risk Assessment to identify where ePHI is created, received, maintained, or transmitted. Map your systems (EHR, email, telepractice platform, mobile devices) and evaluate threats, vulnerabilities, impact, and likelihood.

Translate risks into an action plan

Develop a risk management plan that prioritizes fixes, timelines, and owners. Reassess at least annually and after major changes, such as adopting a new EHR or expanding telehealth. Document decisions, including accepted residual risks, to show due diligence.

Align with safeguard categories

Implement administrative, physical, and technical safeguards as a cohesive program. Use policies to define expectations, training to build habits, and monitoring to verify controls are operating as intended.

Ensuring Secure Communication Methods

Email and patient messaging

Use encrypted email or secure patient portals for PHI. If a client prefers unencrypted email, explain the risk, obtain written acknowledgment, and document the preference. Add a standardized confidentiality footer and verify recipient addresses before sending.

Texting and chat

Avoid consumer SMS and consumer chat apps for PHI. Choose a platform that meets Encryption Standards, offers Access Controls, and provides audit logs. Disable message previews on lock screens and set automatic deletion intervals when feasible.

Phone, voicemail, and fax

• Confirm identities before discussing PHI over the phone.
• Limit voicemail content to minimum necessary (e.g., callback request without diagnosis).
• Use secure fax with pre-programmed numbers and cover sheets masking PHI.

Data sharing with other providers

Prefer secure direct messaging or EHR-to-EHR exchange. When exporting reports, password-protect files, use unique passwords shared via a separate channel, and record the disclosure in your log.

Applying Administrative Safeguards

Define roles, responsibilities, and policies

Designate a privacy and security officer, even in small practices. Issue written policies covering Access Controls, acceptable use, data retention, social media, and bring-your-own-device (BYOD). Review policies with staff at hire and annually.

Training and sanctions

Train all workforce members on HIPAA basics, phishing awareness, secure communication, and Incident Response Procedures. Enforce a graduated sanction policy for violations and document all corrective actions.

Contingency and continuity planning

• Create and test a data backup and disaster recovery plan.
• Maintain emergency contacts and alternate workflows for scheduling, documentation, and billing.
• Practice downtime procedures so care continues when systems are unavailable.

Vendor oversight

Inventory all third parties that touch PHI and ensure a Business Associate Agreement (BAA) is executed before any PHI exchange. Conduct initial and periodic due diligence to confirm safeguards remain adequate.

Enforcing Physical Safeguards

Control facility and workstation access

Restrict access to areas where PHI is handled. Use locked doors or cabinets for paper files, position screens away from public view, and employ privacy filters in shared spaces. Keep visitor logs when appropriate.

Secure devices and media

• Store laptops and tablets in locked locations when not in use.
• Encrypt portable media, and avoid using USB drives unless they are encrypted and approved.
• Apply secure disposal methods (shredding, certified e-waste) for paper and hardware.

Protect therapy materials

For audio or video samples, label using unique IDs rather than names. Keep test forms, scoring sheets, and session notes out of waiting areas and therapy rooms between clients.

Utilizing Technical Safeguards

Strong Access Controls

Issue unique user IDs, require multi-factor authentication, and apply role-based permissions that reflect the Minimum Necessary Standard. Remove access immediately upon role change or termination.

Encryption and integrity

Encrypt devices at rest and use secure protocols in transit. Align with widely recognized Encryption Standards and enable integrity controls to detect unauthorized alteration of records or recordings.

Session management and logging

• Set automatic logoff and screen lock timeouts.
• Enable audit logs to track who accessed what, when, and from where.
• Review logs routinely and investigate anomalies.

Endpoint protection and updates

Deploy anti-malware, keep operating systems and apps patched, and manage mobile devices with passcodes and remote wipe. Prohibit storing PHI in personal cloud accounts or unapproved apps.

Managing Business Associate Agreements

Know who is a business associate

Common business associates for speech therapists include EHR vendors, billing services, cloud storage providers, telepractice platforms, appointment reminder services, and transcriptionists. If a vendor can access PHI, you likely need a BAA.

Key BAA provisions to require

• Permitted uses and disclosures of PHI and prohibition on secondary use.
• Administrative, physical, and technical safeguards aligned to HIPAA.
• Subcontractor flow-down obligations.
• Breach reporting timelines, cooperation, and Incident Response Procedures.
• Return or destruction of PHI at termination and right to audit or receive attestations.

Due diligence and monitoring

Request security summaries or independent attestations, confirm encryption and Access Controls, and evaluate the vendor’s history handling incidents. Revalidate BAAs during renewals or when services change.

Developing Incident Response Plans

Prepare before an incident

Create a written incident response plan that defines what constitutes a security incident or breach, who is on the response team, and how to escalate. Keep contact lists, decision trees, and notification templates ready.

Respond methodically

• Identify and contain: isolate affected systems, revoke compromised credentials.
• Eradicate and recover: remove malicious code, restore from clean backups, and validate integrity.
• Assess breach risk: consider the nature of PHI, who received it, mitigation steps, and likelihood of misuse.
• Notify as required: inform affected individuals and applicable authorities within required timelines.

Learn and improve

Document root causes, implement corrective actions, retrain where needed, and update policies and technical controls. Log every step to demonstrate compliance and continuous improvement.

Maintaining Telehealth Compliance

Choose the right platform

Select a telepractice solution that provides a BAA, robust encryption, Access Controls, and audit capabilities. Disable unneeded features like file sharing if they add risk without clinical value.

Secure the session environment

• Verify client identity at the start and confirm location for emergency purposes.
• Use headphones to prevent eavesdropping and position cameras to avoid showing other clients’ information.
• Avoid recording sessions unless clinically necessary and covered by policy and consent.

Protect endpoints and networks

Use updated devices, strong Wi‑Fi encryption, and VPNs when appropriate. Store telehealth notes only in approved systems, never on local desktops or personal cloud accounts.

Consent and expectations

Obtain and document telehealth consent, including limits of technology, privacy considerations, and how to reach you if disconnected. Provide clients with instructions for secure communications and safe device use.

Avoiding Common HIPAA Violations

Frequent pitfalls and fixes

• Discussing PHI in public spaces: move conversations to private areas and use white-noise machines if needed.
• Unencrypted messaging: switch to secure portals or encrypted apps with a BAA.
• Improper disposal: shred paper and sanitize or destroy drives before disposal.
• Wrong-recipient errors: use verified contact lists and double-check before sending.
• Social media mishaps: never post client stories, photos, or details that could identify an individual—even if names are omitted.

Conclusion

Consistent, practical controls—grounded in Risk Assessments, clear policies, strong Access Controls, and reliable Encryption Standards—allow you to protect PHI while delivering effective therapy. Build habits, document decisions, and partner with vendors under a solid BAA to keep your practice compliant and trusted.

FAQs.

What are the key HIPAA requirements for speech therapists?

Know what constitutes PHI, follow the Minimum Necessary Standard, provide a Notice of Privacy Practices, and obtain valid authorizations for non-routine disclosures. Implement Security Rule safeguards through administrative, physical, and technical controls; train your team; maintain BAAs with vendors; and document everything you do to protect privacy and security.

How can speech therapists secure electronic PHI?

Use strong Access Controls with unique IDs and multi-factor authentication, encrypt devices and transmissions, enable automatic logoff, and review audit logs. Keep software patched, deploy endpoint protection, restrict storage to approved systems, and rely on secure portals or encrypted messaging with vendors that sign a BAA.

What steps should be taken if a HIPAA breach occurs?

Activate your Incident Response Procedures: contain the issue, preserve evidence, and assess whether unsecured PHI was compromised. Determine notification obligations, inform affected individuals and authorities within required timelines, and implement corrective actions. Document every decision and update policies and training to prevent recurrence.

How should telehealth services comply with HIPAA?

Choose a telepractice platform that offers a BAA, strong encryption, and audit trails. Verify client identity, secure the environment with headphones and camera placement, and avoid recording unless authorized. Store notes only in approved systems, use updated devices and secure networks, and document telehealth consent and expectations.