HIPAA Compliance Checklist for Massage Therapists: A Step-by-Step Guide
If you collect, chart, or bill for client health information, you must handle it with care. This HIPAA compliance checklist helps you determine applicability, safeguard Protected Health Information (PHI), and implement practical controls—from a Security Risk Assessment to Data Encryption and HIPAA-Compliant Communication.
Use this guide to build clear policies, train staff, and document decisions. The steps and examples are tailored to massage therapy so you can apply Covered Entity rules and Business Associate Agreement obligations confidently.
HIPAA Applicability to Massage Therapists
Start by deciding how HIPAA applies to your practice. You are likely a Covered Entity if you transmit health information electronically in connection with standard insurance transactions (for example, submitting claims or checking eligibility). A cash-only practice that avoids standard transactions may not be a Covered Entity.
You may also be a business associate when you provide services for a Covered Entity that involve PHI—such as working inside a chiropractic or physical therapy clinic with access to charts. In that case, you must sign a Business Associate Agreement and follow applicable Security Rule safeguards.
Even if HIPAA does not apply directly, clients expect privacy and state laws still apply. Adopt the security practices below as best practice for any massage therapy setting.
Quick self-check
- Do you submit claims, check eligibility, or receive remittance advice electronically?
- Does an EHR or billing platform conduct standard transactions on your behalf?
- Do you handle PHI while serving another provider? If so, obtain a Business Associate Agreement.
- Document your decision, rationale, and review date.
Understanding Protected Health Information
PHI is any individually identifiable information about a client’s health, care, or payment that can be linked to them. Electronic PHI (ePHI) is PHI stored or transmitted electronically. Protect both with appropriate administrative, physical, and technical safeguards.
PHI examples in massage practice
- Intake forms with medical history, injuries, medications, and allergies.
- SOAP notes, treatment plans, progress photos, and referrals.
- Appointment reminders that reference diagnoses or clinical details.
- Insurance data and payment information when linked to health services.
De-identified information—where identifiers are removed and cannot reasonably be linked back—is not PHI. Obtain client authorization before sharing PHI with third parties and use HIPAA-Compliant Communication channels.
Implementing Minimum Necessary Standard
Limit the PHI you access, use, and disclose to the minimum necessary to accomplish the task. This standard applies especially to payment and operations; for treatment, broader sharing is permitted, but a “minimum necessary” mindset still reduces risk.
- Define role-based access so each person sees only what they need.
- Set up Unauthorized Access Controls: unique logins, strong authentication, automatic logoff, and audit logs.
- Standardize external requests with forms that specify what is needed and why.
- De-identify PHI for training, case reviews, or marketing.
- Verify identity before releasing information and record the disclosure.
Maintain written procedures for common scenarios—referrals, insurer requests, subpoenas—and the precise steps you follow, including documentation and approvals.
Conducting Risk Assessments
A Security Risk Assessment identifies where ePHI lives, what could go wrong, and how you will lower risk to a reasonable level. It drives your safeguards, priorities, and budget.
Step-by-step
- Inventory systems and media: EHRs, scheduling apps, email, mobile devices, cloud storage, and backups.
- Map data flows: collection, storage, transmission, sharing, and disposal.
- Identify threats and vulnerabilities: theft, phishing, lost devices, misconfiguration, weak passwords, or poor backups.
- Rate likelihood and impact to determine risk levels.
- Select safeguards: Data Encryption, access controls, secure backups, vendor BAAs, staff training, and incident response.
- Create a remediation plan with owners, milestones, and target dates.
Review and update the assessment at least annually and whenever you switch systems, move offices, or experience an incident. Keep evidence: the report, policies, training logs, and risk treatment decisions.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Establishing Business Associate Agreements
Sign a Business Associate Agreement with every vendor that creates, receives, maintains, or transmits PHI on your behalf. No PHI should flow to a vendor until a BAA is fully executed.
Common vendors that require a BAA
- EHR/billing platforms and patient portals.
- Cloud storage, backup, and file-sync services.
- Secure email, e-fax, or messaging providers used for PHI.
- Appointment, telehealth, or digital intake-form apps.
- IT support, managed service providers, and shredding/data-destruction services.
What a BAA must cover
- Permitted and required uses/disclosures of PHI.
- Administrative, physical, and technical safeguards; subcontractor flow-down.
- Breach reporting duties and timelines.
- Support for access, amendment, and accounting of disclosures.
- Return or destruction of PHI at termination and any retention conditions.
- Right to audit, attestations, or security questionnaires.
Retain signed BAAs, verify vendor security practices, and limit PHI sharing to what the BAA allows.
Enabling Device Encryption
Apply Data Encryption to protect ePHI both at rest and in transit. Combine encryption with layered controls for a strong, real-world defense.
Encryption at rest
- Enable full-disk encryption on laptops and desktops.
- Turn on device encryption for smartphones and tablets.
- Encrypt removable media—or avoid using it for PHI.
- Store backups in encrypted form and protect recovery keys.
Encryption in transit
- Use secure portals or encrypted email/messaging for PHI.
- Ensure TLS-secured connections; avoid unencrypted SMS for PHI content.
Harden devices with strong passcodes, multi-factor authentication, automatic lock, and remote-wipe. Maintain an asset inventory, restrict personal cloud backups, and enable monitoring and audit logs as part of your Unauthorized Access Controls.
Ensuring Secure PHI Disposal
Build disposal into your workflow to prevent lingering risk from old records and devices. Treat paper and electronic media with the same rigor.
Paper PHI
- Use locked shred bins and cross-cut shredding.
- If using a shredding company, execute a Business Associate Agreement and obtain a certificate of destruction.
- Purge only after your retention period and any legal holds.
Electronic PHI
- Use secure-wipe tools to overwrite storage or destroy media physically.
- Delete PHI from cloud services, backups, and email archives per policy.
- Keep a disposal log with date, media, method, and staff initials.
Set clear retention timelines that satisfy payer, licensing, and state requirements, and train staff to follow them consistently.
Conclusion
Confirm applicability, define what counts as PHI, apply the Minimum Necessary Standard, perform a Security Risk Assessment, execute BAAs, enforce Data Encryption and Unauthorized Access Controls, and dispose of PHI securely. Together, these steps create a practical, defensible HIPAA program for a massage therapy practice.
FAQs
What qualifies a massage therapist as a covered entity under HIPAA?
You are a covered entity if you electronically transmit health information in connection with standard transactions (such as insurance claims, eligibility checks, or remittance advice). A cash-only practice that does not conduct standard transactions is generally not a covered entity. If you handle PHI for another provider—such as working in a clinic—you may be a business associate and must sign a Business Associate Agreement and comply with applicable safeguards.
How should massage therapists secure electronic PHI?
Encrypt devices and data, enforce strong authentication, and keep systems patched. Use HIPAA-Compliant Communication (secure portals, encrypted email/messaging) for PHI, maintain role-based access, enable automatic logoff, and keep audit logs. Back up data securely, segment networks when possible, train staff, and repeat your Security Risk Assessment regularly to validate controls.
What are the requirements for Business Associate Agreements?
A BAA must define permitted uses/disclosures of PHI, require appropriate safeguards (including subcontractor compliance), and set breach notification duties and timelines. It should also describe support for access/amendment/accounting requests, require return or destruction of PHI at termination, and may include audit or attestation rights. Keep executed BAAs on file and share only the minimum necessary PHI with each vendor.
How can massage therapists conduct an effective HIPAA risk assessment?
Inventory where ePHI resides, map data flows, and list threats and vulnerabilities. Score likelihood and impact to prioritize risks, then select controls such as Data Encryption, access restrictions, secure backups, staff training, and incident response. Document your remediation plan with owners and dates, keep evidence of progress, and reassess at least annually or after major changes or incidents.