HIPAA Compliance Guidelines for Speech Therapists: What SLPs Need to Know


Kevin Henry

HIPAA

September 15, 2025

8 minute read

HIPAA Overview and Covered Entities

What HIPAA covers for SLPs

These HIPAA compliance guidelines for speech therapists explain what SLPs need to know to safeguard Protected Health Information (PHI) across evaluation, treatment, and billing. If you transmit health claims or eligibility checks electronically, you are a covered entity and must comply with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule.

PHI includes any information that identifies a patient and relates to health status or care—names, dates of birth, therapy notes, diagnostic codes, payment details, and audio or video recordings used for assessment. Electronic PHI (ePHI) is PHI stored or sent in digital form and falls under the Security Rule.

Covered entities vs. business associates

SLPs, group practices, and clinics that handle electronic transactions are covered entities. Vendors that create, receive, maintain, or transmit PHI on your behalf—cloud EHRs, billing services, teletherapy platforms, IT providers—are business associates and require a signed Business Associate Agreement (BAA) before PHI is shared.

Core HIPAA rules you apply daily

  • Privacy Rule: governs permissible uses and disclosures and patient rights.
  • Security Rule: requires administrative, physical, and technical safeguards for ePHI.
  • Breach Notification Rule: mandates timely notification after a breach.
  • Minimum Necessary Standard: limit PHI use and disclosure to what is needed for the task.

Protecting Patient Rights

Access, amendments, and disclosures

  • Right of access: provide records in the requested format when feasible within 30 days (one 30‑day extension if needed). Reasonable, cost‑based fees only.
  • Amendments: allow patients to request corrections to therapy notes; if denied, document the rationale and the patient’s statement of disagreement.
  • Accounting of disclosures: track non‑routine disclosures (e.g., those not for treatment, payment, or operations).
  • Obtain a written authorization for uses beyond treatment, payment, and healthcare operations, such as sharing recordings for education or marketing.
  • Issue and post a clear Notice of Privacy Practices explaining how you handle PHI and patient rights.
  • Honor requests for confidential communications (e.g., alternate phone or email) and reasonable restrictions on disclosures when practical.

Practical SLP examples

  • When leaving reminders, use the Minimum Necessary Standard: “This is your appointment with the speech clinic on Tuesday at 2 p.m.” Avoid diagnostic details.
  • Before sharing progress with a school or caregiver outside the care team, obtain a valid authorization unless a HIPAA exception applies.
  • If a breach occurs, follow your Incident Response Plan and the Breach Notification Rule timelines.

Implementing Administrative Safeguards

Policies, training, and oversight

  • Document policies for privacy, security, sanctions, and an Incident Response Plan; review and update at least annually and when your environment changes.
  • Provide role‑based training at hire and periodically; record attendance and comprehension.
  • Assign a privacy officer and a security officer (one person may serve both roles in small practices).

Access management and minimum necessary

  • Use role‑based access so staff see only what they need (e.g., schedulers vs. clinicians).
  • Implement onboarding/offboarding checklists to grant, modify, and promptly revoke access.
  • Apply the Minimum Necessary Standard to queries, exports, and reports.

Contingency and documentation

  • Create a contingency plan: routine backups, disaster recovery steps, and emergency‑mode operations to continue critical speech services.
  • Keep a current inventory of systems and devices containing ePHI.
  • Retain HIPAA documentation (policies, risk analyses, training logs, BAAs) for at least six years.

Ensuring Physical and Technical Safeguards

Physical safeguards

  • Control facility access; secure paper charts in locked cabinets; use screen privacy filters in shared spaces.
  • Implement workstation security: auto‑lock screens, position monitors away from public view, and log off between sessions.
  • Manage devices and media: encrypt laptops and portable drives, track device custody, and shred or securely wipe before disposal.

Technical safeguards

  • Access controls: unique user IDs, strong passwords, and multi‑factor authentication.
  • Audit controls: enable logs for EHR, teletherapy, and file storage; review for anomalies.
  • Integrity controls and backups: protect against unauthorized alteration and test restores.
  • Transmission security: use encrypted channels for email, messaging, and teletherapy; avoid unsecured texting for PHI.
  • Automatic logoff and session timeouts to reduce exposure on shared workstations.

Conducting Risk Assessments

A practical, repeatable process

  • Scope and inventory: list where PHI/ePHI lives—EHR, teletherapy platform, email, laptops, mobile phones, backups, and paper files.
  • Identify threats and vulnerabilities: unauthorized access, phishing, lost devices, misaddressed emails, weak configurations, unsecured Wi‑Fi.
  • Analyze likelihood and impact; prioritize risks using a simple matrix.
  • Select and implement safeguards; map each risk to specific administrative, physical, or technical controls.
  • Document results in a risk register and create a remediation plan with owners and dates.
  • Review at least annually and after major changes (new platform, office move, workforce changes).
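The scoring, prioritization, and risk-register steps above, worked through as an added Python example (not from the original article or from Accountable). It assumes a 3x3 likelihood/impact matrix, assumed rating thresholds, and assumed 30/90/180-day remediation windows; the inventory data is constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

LEVELS = {"low": 1, "medium": 2, "high": 3}   # 3x3 likelihood/impact matrix

@dataclass
class Risk:
    asset: str               # where ePHI lives (scope and inventory step)
    threat: str              # threat or vulnerability identified
    likelihood: str          # low / medium / high
    impact: str              # low / medium / high
    owner: str               # person accountable for remediation
    controls: list = field(default_factory=list)  # safeguards mapped to this risk
    score: int = 0
    rating: str = ""
    due: str = ""            # remediation target date (ISO format)

def rate(score: int) -> str:
    """Bucket a 1..9 matrix score; the thresholds are an assumption for this example."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def build_register(risks: list, assessed_on: date) -> list:
    """Score, rate and rank each risk and set a remediation due date.
    The 30/90/180-day windows are assumed here, not HIPAA-mandated."""
    windows = {"high": 30, "medium": 90, "low": 180}
    for r in risks:
        r.score = LEVELS[r.likelihood] * LEVELS[r.impact]
        r.rating = rate(r.score)
        r.due = (assessed_on + timedelta(days=windows[r.rating])).isoformat()
    return sorted(risks, key=lambda r: r.score, reverse=True)

def unmapped(register: list) -> list:
    """Risks with no safeguard mapped yet: gaps the remediation plan must close."""
    return [r for r in register if not r.controls]

def sample_register() -> list:
    """Constructed sample inventory for a small SLP practice (not real data)."""
    risks = [
        Risk("laptop", "lost or stolen unencrypted laptop", "high", "high",
             "security officer", ["full-disk encryption", "device custody log"]),
        Risk("email", "PHI sent to a misaddressed recipient", "high", "medium",
             "privacy officer", ["encrypted email", "delay-send", "recipient check"]),
        Risk("teletherapy platform", "automatic recordings retained", "low", "high",
             "clinic lead", ["disable auto-record", "authorization before recording"]),
        Risk("home office Wi-Fi", "unsecured wireless network", "medium", "medium",
             "security officer"),   # no control mapped yet: shows up as a gap
        Risk("paper charts", "charts left unattended at front desk", "medium", "low",
             "office manager", ["locked cabinets", "clean-desk policy"]),
    ]
    return build_register(risks, date(2025, 9, 15))
```

Run `sample_register()` to get the ranked register and `unmapped(...)` to list risks still lacking a mapped control; both are the artifacts an auditor would expect to see alongside the written rationale.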

What “good” looks like

  • Evidence of decisions (why you chose encryption, MFA, or a secure portal).
  • Proof of testing (backup restores, incident drills, access reviews).
  • Updated BAAs and training tied to identified risks.

Managing Business Associate Agreements

When you need a BAA

You need a Business Associate Agreement before any vendor creates, receives, maintains, or transmits PHI for you—EHRs, clearinghouses, billing services, teletherapy platforms, cloud storage, appointment reminder tools, e‑fax, transcription, and IT support with PHI access.


What a solid BAA covers

  • Permitted uses/disclosures of PHI and the Minimum Necessary Standard.
  • Required safeguards aligned to the HIPAA Security Rule.
  • Breach reporting duties and timelines, including subcontractor obligations.
  • Right to audit or receive assurances, and procedures for return or destruction of PHI upon termination.

Due diligence tips

  • Evaluate the vendor’s security practices (encryption, access controls, logging, certifications).
  • Confirm where data is stored and how it is backed up and deleted.
  • Ensure BAAs extend to subcontractors with access to your PHI.

Teletherapy and Secure Communication Compliance

Choosing and configuring platforms

  • Select teletherapy vendors that sign BAAs and support encryption, waiting rooms, and role‑based access.
  • Disable automatic recordings unless clinically necessary; if recording, obtain authorization, store securely, and apply retention limits.
  • Verify patient identity at the start of sessions and document consent for telehealth.

Session privacy and data handling

  • Conduct a “privacy sweep”: confirm the patient’s space is private; use headsets; avoid displaying other patient info on screen shares.
  • Protect artifacts: store shared homework, audio files, and progress videos in your HIPAA‑enabled repository, not on personal devices.
  • Apply updates promptly to operating systems and apps; use secure Wi‑Fi and a VPN when needed.

Messaging, email, and texting

  • Use secure portals or encrypted email for PHI; do not use standard SMS for PHI.
  • If a patient requests unencrypted email, explain risks and obtain a written acknowledgement before sending limited, Minimum Necessary content.
  • Double‑check recipient addresses and use safeguards like delay‑send and disclaimers.

Conclusion

Strong HIPAA compliance for SLPs blends the Privacy Rule’s patient rights, the Security Rule’s layered safeguards, and a tested Incident Response Plan. By applying the Minimum Necessary Standard, maintaining reliable BAAs, and hardening teletherapy and communication workflows, you protect your patients and your practice.

FAQs

What are key HIPAA requirements for speech therapists?

Know what counts as PHI, follow the HIPAA Privacy Rule for permissible uses and patient rights, and implement Security Rule safeguards for ePHI. Limit disclosures to the Minimum Necessary Standard, train your workforce, and maintain written policies, risk assessments, and an Incident Response Plan. Execute BAAs with all vendors handling PHI, and meet Breach Notification Rule timelines if an incident occurs.

How should speech therapists handle teletherapy to ensure HIPAA compliance?

Use a teletherapy platform that signs a BAA and supports encryption, access controls, and waiting rooms. Obtain and document consent, verify identity, and ensure both sides have private spaces. Disable default recordings; if recording is clinically necessary, get authorization and secure storage. Exchange homework and session materials through a HIPAA‑enabled portal or encrypted email, not personal accounts or SMS.

What steps are involved in a HIPAA risk assessment?

Define scope and inventory where PHI/ePHI resides; identify threats and vulnerabilities; evaluate likelihood and impact; select safeguards; document findings in a risk register with remediation plans; implement controls; and review at least annually or after major changes. Keep evidence of testing (e.g., backup restores, incident drills) and link training and BAAs to identified risks.

How can speech therapists ensure secure communication of PHI?

Adopt secure portals or encrypted email for PHI and avoid standard texting. Apply multi‑factor authentication, automatic logoff, and audit logging. Use the Minimum Necessary Standard in messages, confirm recipient identities, and store attachments only in HIPAA‑enabled systems. Provide patients with options for confidential communications and document any request to receive unencrypted email after risk acknowledgement.
