HIPAA Compliance for Speech Therapists: A Practical Guide and Checklist


Kevin Henry

HIPAA

February 27, 2026

8 minute read

Privacy and Security Measures

As a speech therapist, you handle Protected Health Information (PHI) every day—intake forms, evaluation reports, therapy notes, and billing records. HIPAA requires you to limit use and disclosure to the minimum necessary, uphold patient rights, and safeguard PHI across paper, verbal, and electronic formats.

Post and distribute a clear Notice of Privacy Practices, define who may access PHI and why, and keep a log of non‑routine disclosures. Pair administrative and physical safeguards (policies, locked storage, clean desk rules) with technical controls like Encrypted Communication, access controls, and Multi-Factor Authentication.

Privacy and security checklist

  • Map PHI flows from referral to discharge; document where PHI is created, stored, transmitted, and disposed.
  • Provide a Notice of Privacy Practices and obtain patient acknowledgement; keep acknowledgements on file.
  • Apply the minimum necessary rule to schedules, voicemails, emails, and shared documents.
  • Assign unique user IDs, enable Multi-Factor Authentication, and restrict access by role.
  • Use Encrypted Communication for email, messaging, and file exchange; prefer secure portals over open email.
  • Secure paper records in locked cabinets; enable automatic screen lock and device encryption on laptops and phones.
  • Document and test HIPAA Breach Notification procedures; keep an incident intake form handy.

Documentation to keep

Annual Risk Assessment and Remediation

Complete a formal security risk analysis at least annually and whenever your environment changes (new EHR, telehealth platform, or office move). Your Risk Assessment Report should identify threats, rate likelihood and impact, evaluate current controls, and prioritize remediation.

Create an action plan with owners, timelines, and budgets. Track progress, re-test high risks, and close items with evidence (screenshots, invoices, or policy updates). Fold lessons learned into policies, training, and vendor requirements.

Risk assessment checklist

  • Inventory ePHI assets (EHR, telehealth, billing, email, cloud storage, mobile devices, backups).
  • Map data flows and confirm encryption in transit and at rest.
  • Review user access, privilege levels, audit logs, and account termination procedures.
  • Run vulnerability and patch management reviews on endpoints and network devices.
  • Test backup restorations; verify offsite and offline copies exist.
  • Exercise your incident response plan and HIPAA Breach Notification steps.
  • Publish a dated Risk Assessment Report and remediation plan; re-assess after major changes.

Business Associate Agreements

A Business Associate Agreement (BAA) is required with any vendor that creates, receives, maintains, or transmits PHI for you. Typical business associates include EHR and telehealth platforms, billing services and clearinghouses, transcriptionists, IT support, eFax and email providers, cloud storage, shredding, and backup vendors.

Your BAA should define permitted uses and disclosures, security obligations, subcontractor flow-downs, breach reporting timelines, and PHI return or destruction at contract end. Vet security posture before signing and record where the vendor stores data.

BAA checklist

  • Determine if a vendor is a business associate; if yes, execute a Business Associate Agreement (BAA) before sharing PHI.
  • Verify encryption standards, access controls, audit logging, and Multi-Factor Authentication.
  • Limit shared PHI to the minimum necessary; de-identify data when feasible.
  • Maintain a centralized BAA repository; review annually and upon service changes.
  • Terminate vendor access and certify PHI return/destruction at contract close.

HIPAA Training and Documentation

Train all workforce members on HIPAA privacy, security, and your practice’s procedures at onboarding and at least annually. Include role-based modules for clinicians, front office, and billing, plus phishing and social engineering awareness.

Keep evidence: training dates, rosters, materials used, and policy acknowledgements. Retain HIPAA-related documentation for at least six years from the date of creation or last effective date. Also track patient rights requests (access, amendment) and respond within required timeframes.

Training and documentation checklist

  • Annual HIPAA, security, and telehealth-specific training with scenario-based exercises.
  • Signed policy acknowledgements and sanctions for non-compliance.
  • Logs for access, disclosures, and complaints; documented outcomes.
  • Current policies, Risk Assessment Report, BAAs, and Breach Notification plan stored securely.

Telehealth Compliance Requirements

Choose a telehealth platform that will sign a BAA, uses strong encryption, and gives you controls (waiting rooms, admit/lock, disable recording). Provide telehealth consent if required, verify the patient’s identity and physical location at every session, and confirm a private environment.

Send invitations with minimal PHI, prefer portals over open email, and avoid public Wi‑Fi. If patients request less secure channels, obtain written acknowledgement of risk and keep it on file—then still minimize PHI and prefer Encrypted Communication whenever possible.

Telehealth checklist

  • Platform with BAA, encryption, unique meeting links, waiting room, and host-only recording controls.
  • Document telehealth consent and emergency procedures (local EMS, contact person, and address confirmation).
  • Use headphones and a private workspace; disable on-screen notifications during sessions.
  • Share materials via secure portals; avoid storing PHI locally unless devices are encrypted and backed up.
  • Log sessions and document clinically relevant information in the EHR promptly.

State-Specific HIPAA Regulations

HIPAA sets a federal floor; states may impose stricter rules on privacy, consent, minors’ records, sensitive health information, breach timing, and record retention. When telehealth crosses borders, the patient’s location often determines which state protections apply.

Maintain a concise state-law matrix that lists consent requirements, breach deadlines, and retention rules for the states you serve. Train staff on these differences and update your policies and Notice of Privacy Practices addenda accordingly.

State-law checklist

  • Capture and verify patient location at intake and each telehealth session.
  • Apply the more stringent rule when state law exceeds HIPAA’s protections.
  • Incorporate state-specific consent and disclosure rules into workflows and forms.
  • Align breach notification timelines with state requirements while meeting HIPAA Breach Notification obligations.
  • Review and update the matrix annually or after legal changes.

Security Technologies and Protocols

Implement a balanced security stack that fits your practice size while meeting HIPAA’s safeguard standards. Focus on identity, encryption, endpoint protection, network security, monitoring, and continuity.

Identity and access controls

  • Unique user IDs, least-privilege roles, automatic logoff, and session timeouts.
  • Multi-Factor Authentication for EHR, email, cloud storage, VPN, and telehealth.
  • Password manager with strong, unique credentials and phishing-resistant MFA where available.

Encryption and data protection

  • Device encryption on laptops and mobiles; encrypted backups with periodic restore tests.
  • TLS for encryption in transit and AES-256 (or comparable) for encryption at rest.
  • Use secure portals or Encrypted Communication for sending and receiving PHI.

Endpoint and network security

  • Automated updates, patch management, and endpoint protection/EDR.
  • Mobile device management with remote wipe and app control for any device accessing PHI.
  • Business-grade firewall/router, WPA3 Wi‑Fi, segmented guest network, and VPN for remote access.

Monitoring, incident response, and continuity

  • Enable audit logs in EHR and key systems; review alerts for failed logins and unusual access.
  • Written incident response playbooks covering HIPAA Breach Notification, evidence collection, and communications.
  • 3‑2‑1 backups, defined recovery objectives, downtime documentation procedures, and periodic tabletop exercises.
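The "review alerts for failed logins and unusual access" item above is easier to act on with a concrete review routine. The following is an added example, not code from the original article or from Accountable; the `ts key=value` audit-log format, the thresholds (five failures in ten minutes) and the 07:00 to 19:00 business-hours window are assumptions chosen for illustration, and the log lines are constructed, not exported from any real EHR.

```python
"""Review EHR audit log lines for two of the signals the checklist names:
repeated failed logins and chart access outside business hours.
Added example; the log format and thresholds below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log lines (not from any real system).
SAMPLE_LOG = """\
2026-02-27T09:02:11 user=slp.jane action=login result=OK ip=10.0.0.12
2026-02-27T09:05:40 user=slp.jane action=view_chart patient=P-1001 ip=10.0.0.12
2026-02-27T13:10:02 user=front.desk action=login result=FAIL ip=10.0.0.20
2026-02-27T13:10:09 user=front.desk action=login result=FAIL ip=10.0.0.20
2026-02-27T13:10:15 user=front.desk action=login result=FAIL ip=10.0.0.20
2026-02-27T13:10:21 user=front.desk action=login result=FAIL ip=10.0.0.20
2026-02-27T13:10:30 user=front.desk action=login result=FAIL ip=10.0.0.20
2026-02-27T23:41:03 user=billing.bob action=login result=OK ip=203.0.113.7
2026-02-27T23:42:10 user=billing.bob action=view_chart patient=P-1002 ip=203.0.113.7
"""

FAILED_LOGIN_THRESHOLD = 5                    # assumed: failures from one user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within this sliding window
BUSINESS_HOURS = (7, 19)                      # assumed: 07:00-19:00 local is "normal"


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD,
                        window=FAILED_LOGIN_WINDOW):
    """Return (user, first_failure, last_failure) for each user with at least
    `threshold` failed logins inside any `window`-sized span of time."""
    failures = defaultdict(list)
    for e in events:
        if e.get("action") == "login" and e.get("result") == "FAIL":
            failures[e["user"]].append(e["ts"])
    alerts = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start], times[end]))
                break  # one alert per user is enough for a review queue
    return alerts


def after_hours_access(events, hours=BUSINESS_HOURS):
    """Return (user, patient, ts) for chart views outside business hours."""
    lo, hi = hours
    return [(e["user"], e["patient"], e["ts"]) for e in events
            if e.get("action") == "view_chart" and not (lo <= e["ts"].hour < hi)]


def review(text):
    """Run both checks over raw log text and group the findings for review."""
    events = parse_log(text)
    return {"failed_login_bursts": failed_login_bursts(events),
            "after_hours_access": after_hours_access(events)}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        for item in items:
            print(kind, *item)
```

Findings from a script like this belong in the same documented review log the checklist already calls for; an after-hours chart view is a prompt to confirm with the clinician, not a breach determination by itself.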

Conclusion

To stay compliant, embed privacy into daily workflows, run a yearly risk analysis with a clear Risk Assessment Report, sign BAAs with all PHI-handling vendors, train and document rigorously, enforce secure telehealth practices, account for stricter state rules, and operate a right-sized security stack with encryption and Multi-Factor Authentication.

FAQs

What are the key privacy requirements under HIPAA for speech therapists?

Use and disclose only the minimum necessary PHI, provide and explain your Notice of Privacy Practices, restrict access by role, maintain a disclosure log, and safeguard PHI across paper, verbal, and electronic forms. Honor patient rights to access and request amendments, and keep your policies, training, and breach procedures documented.

How often must speech therapists complete HIPAA training?

Provide training at onboarding, whenever policies or technology change, and at least annually. Keep dated rosters, materials, and acknowledgements for your records, and tailor modules to roles (clinicians, front office, billing, and telehealth).

What should be included in a HIPAA breach response plan?

Clear incident intake steps, triage and containment procedures, forensics and documentation, risk assessment of PHI compromise, HIPAA Breach Notification timelines and templates, roles and contact lists (leadership, legal, vendors), and post-incident remediation with lessons learned. Test the plan with periodic tabletop exercises.

How do speech therapists ensure telehealth sessions comply with HIPAA?

Use a platform that signs a BAA and supports encryption, waiting rooms, and host-controlled recording. Verify patient identity and location, obtain telehealth consent if required, ensure a private setting, limit PHI in invites, prefer secure portals, and document sessions in the EHR. Incorporate these steps into your risk assessment and staff training.
