HIPAA Compliance Checklist for Speech Therapy Clinics (SLP Practices)

Running a speech-language pathology (SLP) practice means safeguarding Protected Health Information (PHI) across in-person care, documentation, and telepractice. This HIPAA compliance checklist guides you through practical, clinic-ready steps covering risk, security, vendor management, training, telehealth, data handling, and access control. Use it to harden your Electronic Health Records (EHR) workflows and demonstrate due diligence.

Conduct Risk Assessment

A documented, clinic-wide risk analysis is the foundation of HIPAA’s Security Rule. Identify where PHI is created, received, maintained, and transmitted, then evaluate threats, vulnerabilities, and the effectiveness of your safeguards. Turn the findings into a prioritized remediation plan with owners and timelines.

• Map PHI flows for intake, evaluations, treatment notes, telepractice sessions, billing, and referrals; include EHR, patient portal, email, cloud storage, mobile devices, and paper files.
• Inventory all systems and data stores; classify PHI sensitivity and quantity to gauge business impact if compromised.
• Assess risks such as device loss, misdirected messages, weak authentication, office break-ins, and teleconference eavesdropping.
• Rate likelihood and impact, note existing controls, calculate residual risk, and document a remediation roadmap.
• Establish an Incident Response Plan and test it; update the risk assessment annually and whenever technology or workflows change.

Ensure Data Security

Protect PHI with layered administrative, technical, and physical safeguards. Align daily operations with your written policies so controls work in practice, not just on paper.

Administrative safeguards

• Adopt “minimum necessary” and clean desk policies; define who may access which data and for what purposes.
• Create written procedures for password hygiene, device use, remote work, and sanctioned communication channels.
• Vendor oversight: evaluate security posture before contracting and monitor ongoing compliance.

Technical safeguards

• Apply Data Encryption Standards for PHI at rest and in transit; enable full-disk encryption on laptops and mobile devices.
• Use strong authentication and session timeouts; prefer multifactor authentication for EHR, portals, and telepractice tools.
• Patch operating systems and apps promptly; deploy endpoint protection and mobile device management to enforce settings.
• Enable logging and audit trails for access, changes, and exports; review alerts regularly.

Physical safeguards

• Restrict office access; lock file rooms and networking closets; use privacy screens in therapy areas.
• Secure workstations and tablets when unattended; avoid displaying PHI where clients or visitors can see it.
• Store backups and removable media in locked, controlled locations.

Operational practices

• Back up critical systems frequently; test restores and keep at least one encrypted, offline or immutable copy.
• Maintain and exercise the Incident Response Plan to detect, contain, eradicate, and recover from security events.
• Follow HIPAA Breach Notification Rule timelines—notify without unreasonable delay and no later than 60 days after discovery.

Execute Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits PHI on your behalf must sign a Business Associate Agreement (BAA) before PHI is shared. For SLP practices, this commonly includes EHR providers, billing firms, telepractice platforms, cloud storage, IT support, transcription, and e-fax services.

• Identify all Business Associates and their subcontractors handling PHI; maintain a central vendor register.
• Execute BAAs covering permitted uses, safeguards, breach reporting, subcontractor flow-down, termination, and PHI return or destruction.
• Evaluate vendors for encryption, access controls, incident handling, and audit logging; favor evidence like independent assessments.
• Track renewal dates and contacts; review BAAs when services or regulations change.

Provide HIPAA Training and Documentation

Training turns policy into practice. Make it role-specific, practical, and recurring so staff know exactly how to protect PHI during evaluations, therapy, and follow-up.

• Deliver onboarding and annual refreshers covering privacy, security, minimum necessary, and Telepractice Security expectations.
• Document attendance, curricula, and policy acknowledgments; retain records to demonstrate compliance.
• Run tabletop exercises of your Incident Response Plan, including breach triage, internal reporting, and communication steps.
• Keep policies current; update training after incidents, technology changes, or process revisions.

Maintain Telehealth Compliance

Telepractice expands access but requires disciplined configuration and etiquette. Choose platforms that provide robust security controls and a BAA, and train clinicians to use them correctly.

Platform and configuration

• Use a telehealth solution with encryption, access controls, waiting rooms, and the ability to restrict recording.
• Enable unique session links or meeting IDs, lobby features, and host-only screen sharing; protect sessions with passcodes.
• If recording for clinical purposes, obtain consent, store files as PHI with encryption, and limit access through your EHR or secure repository.

Clinical workflow and etiquette

• Obtain and document patient consent for telepractice; verify identity and location at each encounter for safety planning.
• Ensure private surroundings, headset use, and camera placement that prevents exposure of unrelated PHI.
• Have contingencies for connectivity issues (e.g., switch to secure phone) and document any deviations.

Secure Storage and Transmission of Patient Data

Protect PHI through its full lifecycle—creation, use, sharing, archiving, and disposal. Apply consistent controls in your EHR, portals, and any auxiliary systems.

• Store PHI in systems that support encryption at rest, detailed audit logs, and Role-Based Access Control; avoid consumer-grade apps.
• Use secure channels for transmission: patient portals, secure messaging, SFTP, or encrypted email with enforced TLS; avoid standard SMS.
• Apply the minimum necessary standard and de-identify data when feasible for training, research, or quality improvement.
• Implement retention schedules and secure disposal (e.g., shredding paper, cryptographic wipe for media) with documented chain of custody.

Implement Access Control

Strong access control prevents inappropriate viewing or alteration of PHI. Define roles, verify identities, and continuously right-size permissions.

Role-Based Access Control

• Map roles (SLP, SLPA, front desk, biller, supervisor) to specific EHR permissions; grant only what each role needs.
• Separate duties for sensitive actions like exporting records or changing billing identifiers.

Accounts, authentication, and lifecycle

• Issue unique user IDs; require multifactor authentication for remote and privileged access.
• Set strong password rules and automatic session locks; use password managers for storage.
• Provision and deprovision promptly during hires, role changes, and terminations; revoke physical keys and badges.

Monitoring and review

• Enable EHR audit logs; spot-check access to high-profile or sensitive records.
• Conduct quarterly access reviews to remove stale accounts and tighten excessive permissions.

Summary and next steps

Start with a risk assessment, close the biggest gaps, and document every step. Lock in security controls, execute BAAs, train your team, and standardize Telepractice Security. With encryption, disciplined data handling, and Role-Based Access Control, your clinic can safeguard PHI and sustain compliant, patient-centered care.

FAQs

What is a Business Associate Agreement and why is it important?

A Business Associate Agreement (BAA) is a contract requiring vendors that handle PHI for your clinic to follow HIPAA safeguards. It defines allowed uses of PHI, required protections, breach reporting timelines, subcontractor obligations, and what happens to PHI when the relationship ends. Without a BAA, sharing PHI with that vendor is a compliance risk.

How do speech therapy clinics secure telehealth sessions?

Choose a platform that offers a BAA, strong encryption, waiting rooms, and host controls. Use unique meeting links, passcodes, and lobby features; restrict screen sharing and recording. Verify identity and location, ensure private surroundings, and store any recordings as PHI in secure systems with access limited by Role-Based Access Control.

What steps should be taken after a suspected HIPAA breach?

Activate your Incident Response Plan: contain the issue, preserve evidence, and assess scope and risk to individuals. Document actions, consult counsel as needed, and notify affected parties and regulators without unreasonable delay and no later than 60 days after discovery. Remediate root causes, update policies, and retrain staff to prevent recurrence.