HIPAA Checklist for Physical Therapists: Practical Steps to Stay Compliant

Conduct Risk Assessments

A HIPAA Security Rule risk analysis is your starting line. Map how Protected Health Information (PHI) enters your practice (intake forms, EHR, email, telehealth), where it’s stored, who touches it, and how it leaves. Identify threats and vulnerabilities, rate likelihood and impact, and document a prioritized remediation plan with owners and due dates.

What your risk assessment should include

• Complete inventory of systems, devices, apps, and vendors that create, receive, maintain, or transmit PHI.
• Data-flow diagrams for ePHI, including backups and mobile use.
• Threat and vulnerability analysis (technical, physical, and administrative).
• Risk register with scoring, mitigation steps, and target timelines.
• Evidence of fixes (screenshots, tickets, change logs) and residual risk decisions.

How often to assess

Perform a comprehensive assessment at least annually and whenever you make material changes—new EHR, telehealth platform, office relocation, or a security incident. Treat it as a living program, not a one-time project.

Be HIPAA Audit ready

Keep your methodology, findings, decisions, and remediation evidence neatly organized. Auditors will look for a repeatable process, proof of action, and leadership sign-off.

Develop Policies and Procedures

Written policies operationalize the Privacy, Security, and Breach Notification Rules. Translate legal requirements into plain, step-by-step instructions your team can follow consistently.

Core documents to implement

• Notice of Privacy Practices (NPP) provided at first visit and posted in your practice and online; track acknowledgments of receipt.
• Minimum Necessary Standard procedures: role-based access, need-to-know disclosures, and data minimization on forms and reports.
• Privacy and Security policies: access management, password/MFA, device use, remote work, texting, email, telehealth, and data retention.
• Contingency and backup plan: recovery time objectives, offsite backups, and test results.
• Sanction policy and workforce clearance procedures.
• Documentation retention: keep required HIPAA records and decisions for at least six years.

Operationalize and review

Assign a Privacy Officer and a Security Officer. Version-control your policies, review them annually, and update when technology or workflows change. Maintain attestations that staff read and understand updates to stay HIPAA Audit ready.

Execute Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits PHI for you is a Business Associate. Common examples include EHR and billing vendors, cloud storage, IT support, telehealth platforms, appointment reminders, secure email or texting services, and shredding companies. Ensure each one signs a Business Associate Agreement (BAA), and require the same from their subcontractors.

What to include in each BAA

• Permitted and required uses/disclosures of PHI and the Minimum Necessary Standard.
• Administrative, technical, and physical safeguards to protect PHI, including encryption and access controls.
• Obligation to report incidents and breaches to you without unreasonable delay (set a specific timeline in the BAA).
• Requirement that subcontractors agree to the same restrictions and safeguards.
• Individual rights support (access, amendment) when applicable.
• HHS inspection rights, term/termination rights, and PHI return or destruction at contract end (or protections if destruction is infeasible).

Due diligence and tracking

Vet vendors for security posture, keep a current BAA inventory, and calendar renewal dates. Document security questionnaires and reviews to demonstrate ongoing oversight.

Implement Technical Safeguards

Technical controls protect ePHI across your devices, network, and cloud services. Focus on preventing unauthorized access, preserving integrity, and maintaining auditability.

Access controls

• Unique user IDs, role-based access, and the principle of least privilege.
• Multi-factor authentication for EHR, email, VPN, and any remote access.
• Automatic logoff and session timeouts on workstations and mobile devices.

Audit controls and integrity

• Centralized audit logs for EHR, file access, and admin changes; retain and review logs regularly.
• Change management and integrity checks to detect improper alteration or destruction of ePHI.
• Versioned, tested backups with periodic restore drills.

Transmission and device security

• Encryption in transit (TLS) and at rest for endpoints and cloud storage.
• Mobile Device Management (MDM) for encryption, remote wipe, and app control; disable auto-forwarding of PHI.
• Secure messaging and telehealth platforms with a signed Business Associate Agreement.
• Patch management, endpoint protection, firewalling, and segmented Wi‑Fi (guest vs. internal).

Establish Physical Safeguards

Protect PHI in your facility and on your devices. Control who can enter, where workstations are placed, and how media is stored and disposed of.

Facility and workstation controls

• Locked server/network rooms, visitor sign-ins, access badges or keys, and after-hours procedures.
• Workstations positioned away from public view, privacy screens, and automatic screen locks.
• Clean-desk expectations and secure printers, scanners, and fax workflows.

Device and media protection

• Asset inventory and labeling for laptops, tablets, and portable drives.
• Secure transport of devices during home visits; use lockable bags and do not leave devices unattended in vehicles.
• Media reuse and disposal using recognized destruction methods; document chain of custody.

Provide Staff Training

Your workforce is your strongest control when trained well. Deliver practical, role-based training that shows exactly how to handle PHI during scheduling, treatment, billing, and patient communications.

Program essentials

• Onboarding plus annual refreshers covering the Privacy, Security, and Breach Notification Rules.
• Scenarios specific to physical therapy—open gym areas, family/caregiver interactions, and telehealth etiquette.
• Security awareness: phishing recognition, device security, and incident reporting.
• Attestations, quizzes, training logs, and remediation for missed or failed modules to stay HIPAA Audit ready.

Maintain Breach Response Plan

An Incident Response Plan gives you a playbook to detect, contain, investigate, and recover from suspected incidents. Define roles, escalation paths, evidence preservation, decision criteria, and communication templates.

Breach Notification Rule essentials

• Determine if there was a breach of unsecured PHI by assessing the nature of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
• If a breach occurred, notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery. Include what happened, types of PHI involved, steps individuals should take, what you are doing to mitigate harm, and contact information.
• Report breaches of 500 or more individuals to HHS and prominent media in the affected area; report breaches involving fewer than 500 individuals to HHS annually within the required timeframe. Maintain a breach log.
• Require Business Associates to notify you without unreasonable delay, following the timelines set in your BAA.
• After action: remediate root causes, retrain staff, update policies, and document everything.

Conclusion

Build compliance into daily operations: assess risk regularly, document clear procedures, lock down vendors with solid BAAs, layer technical and physical safeguards, train your team, and practice your response plan. Done consistently, these steps keep PHI protected and position your clinic for a successful HIPAA Audit.

FAQs

What are the key technical safeguards for physical therapists?

Prioritize unique user IDs, role-based access, and multi-factor authentication; encrypt data in transit and at rest; enable automatic logoff; maintain centralized audit logs; implement reliable, tested backups; use Mobile Device Management for remote wipe and configuration; patch systems promptly; protect endpoints and segment networks; and use secure, BAA-backed messaging and telehealth tools.

How often should HIPAA risk assessments be conducted?

Conduct a comprehensive assessment at least annually and whenever you introduce new technology, change workflows or locations, engage a new vendor handling PHI, or experience a security incident. Treat it as an ongoing cycle: assess, remediate, verify, and monitor.

What must be included in a Business Associate Agreement?

A compliant BAA defines permitted uses/disclosures of PHI, requires safeguards and the Minimum Necessary Standard, obligates timely incident and breach reporting, flows obligations down to subcontractors, addresses individual rights support when applicable, grants HHS inspection rights, sets terms for return or destruction of PHI at termination (or continued protections if infeasible), and includes termination rights for material breach.

How should breaches be reported under HIPAA?

After confirming a breach of unsecured PHI, notify affected individuals without unreasonable delay and no later than 60 days from discovery, with all required content. Report to HHS as required, and to prominent media if 500 or more individuals in a state or jurisdiction are affected. Log smaller breaches and submit them to HHS annually. Ensure Business Associates alert you promptly per your BAA so you can meet your timelines.