HIPAA Risk Assessment for Speech Therapists: Step-by-Step Guide and Checklist
A focused HIPAA risk assessment helps you identify how Protected Health Information (PHI) is handled in your speech therapy practice and what threats could compromise it. This step-by-step guide shows you how to scope, analyze, and mitigate risks using Administrative Safeguards, Physical Safeguards, and Technical Safeguards, then document and review your program with confidence.
Use the following sections in order. Each ends with a short checklist you can copy into your working documents.
Define the Scope
Map your practice, people, and PHI
Start by listing every setting and workflow where PHI appears: private practice clinic, home office, telepractice, community visits, and mobile work. Include how you schedule, deliver care, document, bill, and communicate. A clear scope prevents blind spots later in the Risk Analysis.
Identify data, systems, and vendors
- Data: intake forms, therapy notes, voice/video recordings, AAC device data and logs, images, progress reports, superbills, claims, portal messages, emails, texts, faxes, and backups.
- Systems: EHR/practice management, teletherapy platforms, patient portals, email, e-fax, cloud storage, computers, tablets, phones, Wi‑Fi, routers, firewalls, and authentication tools.
- People: SLPs, assistants, students/CFs, billers, contractors, answering services, IT support, and any Business Associate handling PHI.
- Vendors: ensure Business Associate Agreements (BAAs) with EHRs, billing/clearinghouses, telepractice platforms, cloud storage, e-fax, transcription, messaging, analytics, and shredding services.
Clarify roles and boundaries
Define who is a covered workforce member, who is a Business Associate, and the minimum necessary access each person needs to do their job. Note any shared spaces or devices, remote work, and bring-your-own-device (BYOD) situations.
Scope checklist
- List all places PHI is created, received, maintained, transmitted, and disposed.
- Inventory assets: devices, applications, networks, storage, and paper media.
- Identify workforce and Business Associates; collect and review BAAs.
- Document data flows from intake to archiving/destruction.
- Record assumptions and exclusions to avoid gaps.
Conduct a Risk Analysis
Use a consistent method
For each asset and workflow, identify threats (e.g., theft, mishandling, malware, misdirected messages) and vulnerabilities (e.g., no encryption, shared logins, unlocked cabinets). Evaluate likelihood and impact on confidentiality, integrity, and availability of PHI, then rate risk (such as Low/Medium/High) and note existing controls.
Focus on speech therapy realities
- Telepractice sessions: insecure platforms, weak meeting controls, unauthorized recording, or screen-sharing mishaps.
- Mobile work: lost or stolen phones/tablets with ePHI, or unencrypted voicemail containing names and diagnoses.
- AAC ecosystems: device repairs, data sync to vendor clouds, and loaner devices changing hands.
- Communication: emails/texts/faxes sent to the wrong recipient, or portal messages accessed by unintended parties.
- Ransomware or outages: inability to access schedules, therapy notes, or treatment plans during downtime.
Prioritize what to fix first
Rank risks using a simple likelihood × impact scale. High risks (e.g., unencrypted mobile devices, no incident response plan, or no backups) get immediate attention and specific mitigation steps, deadlines, and owners.
Risk Analysis checklist
- Build an asset-and-workflow list tied to PHI.
- Identify threats and vulnerabilities for each item.
- Score likelihood and impact; assign a risk rating.
- Document current controls and gaps.
- Propose mitigations with owners and target dates.
Implement Administrative Safeguards
Policies, procedures, and governance
- Access management: define role-based access and the minimum necessary standard; set procedures for onboarding, role changes, and rapid offboarding.
- Information handling: clear rules for documentation, photographing/recording, AAC data, and sharing PHI with families, schools, and payers.
- Privacy/communications: patient rights, requests for restrictions, and secure use of email, portal, e-fax, and text.
- Retention and destruction: how long to keep records and how to dispose of paper and electronic media securely.
Business Associate Agreements
Maintain a BAA inventory and vet each vendor’s safeguards before onboarding. Your BAAs should describe permitted uses/disclosures, required protections, subcontractor flow-down, breach reporting timeframes, and termination/return-or-destruction of PHI.
Training and workforce security
- Provide initial and periodic HIPAA training tailored to speech therapy workflows (telepractice etiquette, recording control, AAC data handling).
- Run phishing awareness and password/MFA refreshers; document attendance and comprehension.
- Apply sanctions consistently for policy violations.
Security Incident Response and contingency planning
- Incident Response: define how to detect, contain, investigate, and remediate incidents; maintain an incident log and decision records.
- Contingency: create and test backup, disaster recovery, and emergency-mode operations plans so you can deliver care during outages.
Administrative Safeguards checklist
- Publish current policies/procedures and review them at least annually.
- Implement role-based access, onboarding/offboarding, and sanctions.
- Execute, track, and periodically re-evaluate all Business Associate Agreements.
- Deliver and record workforce training and phishing simulations.
- Test Security Incident Response and contingency plans and log results.
Implement Physical Safeguards
Facility and workstation protections
- Control physical access to offices, file rooms, and networking closets; use keys/badges and maintain visitor logs.
- Position screens away from public view; use privacy filters in shared spaces and enable auto-lock on idle.
- Ensure telepractice occurs in private rooms with sound control; avoid recording by default.
Devices and media
- Secure and track laptops, tablets, phones, AAC loaners, and removable media; enable full-disk encryption and remote wipe.
- Lock paper files; use secure carts/bags when traveling; never leave devices in vehicles.
- Shred paper and securely wipe or destroy drives before disposal or reuse.
Physical Safeguards checklist
- Document facility access controls and visitor procedures.
- Harden workstations with screen locks and privacy protections.
- Inventory and label devices; apply cable locks where appropriate.
- Implement secure storage and disposal for paper and media.
Implement Technical Safeguards
Access controls and authentication
- Assign unique user IDs; prohibit shared logins; require strong passwords and multi-factor authentication (MFA) for EHR, portal, and remote access.
- Set automatic logoff/timeouts and session lock policies across devices and apps.
Audit controls and monitoring
- Enable audit logs for EHR, telepractice, email, and file storage; retain logs according to policy.
- Review access reports and anomaly alerts on a defined schedule; investigate suspicious activity promptly.
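The review step above is easy to promise and hard to do by hand, so here is an added example (not code from the original page or from any EHR vendor) of the checks a small practice can run over an exported access log. The log format, user names, patient IDs, IP addresses and thresholds are all constructed for the example; a real EHR export will have its own columns, and the business-hours window, bulk-access threshold and terminated-user list are assumptions you would set from your own policy.

```python
"""Scan a constructed EHR access log for the anomalies a HIPAA audit review looks for.

Checks implemented (each is an assumption about what the practice's policy flags):
  - access by a user who has been offboarded (time-to-revoke-access failure)
  - access outside business hours
  - one user opening many distinct patient records in a day (bulk/snooping access)
  - the same account used from two IP addresses within minutes (shared-login signal)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, not from any real system.
# Columns: timestamp, user, role, action, patient id, source IP
SAMPLE_LOG = """\
2024-03-04T09:12:00,jlee,slp,view,P1001,10.0.0.12
2024-03-04T09:20:00,jlee,slp,edit,P1001,10.0.0.12
2024-03-04T09:25:00,jlee,slp,view,P1002,10.0.0.12
2024-03-04T09:26:00,jlee,slp,view,P1002,203.0.113.7
2024-03-04T13:00:00,tdoe,assistant,view,P1004,10.0.0.20
2024-03-04T13:01:00,tdoe,assistant,view,P1005,10.0.0.20
2024-03-04T13:02:00,tdoe,assistant,view,P1006,10.0.0.20
2024-03-04T13:03:00,tdoe,assistant,view,P1007,10.0.0.20
2024-03-04T13:04:00,tdoe,assistant,view,P1008,10.0.0.20
2024-03-04T23:40:00,mkim,biller,view,P1003,10.0.0.15
2024-03-05T10:00:00,rold,slp,view,P1010,10.0.0.30
"""

# Policy parameters (assumed values; set them from your own procedures).
TERMINATED_USERS = {"rold"}             # offboarded workforce members
BUSINESS_HOURS = (7, 19)                # local hours [start, end); outside is flagged
BULK_THRESHOLD = 5                      # distinct patients per user per day before flagging
SHARED_LOGIN_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the CSV export into a list of dicts with a real datetime."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, action, patient, ip = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                        "action": action, "patient": patient, "ip": ip})
    return records


def review_access_log(records):
    """Return a list of (finding_type, user, detail) tuples, in time order."""
    findings = []
    patients_per_user_day = defaultdict(set)
    last_seen = {}  # user -> (timestamp, ip) of the previous event

    for r in sorted(records, key=lambda rec: rec["ts"]):
        user, ts = r["user"], r["ts"]

        if user in TERMINATED_USERS:
            findings.append(("terminated_user_access", user, r["patient"]))

        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours_access", user, r["patient"]))

        day_key = (user, ts.date())
        patients_per_user_day[day_key].add(r["patient"])
        # Flag exactly once, when the count first reaches the threshold.
        if len(patients_per_user_day[day_key]) == BULK_THRESHOLD:
            findings.append(("bulk_patient_access", user, str(ts.date())))

        prev = last_seen.get(user)
        if prev and prev[1] != r["ip"] and ts - prev[0] <= SHARED_LOGIN_WINDOW:
            findings.append(("possible_shared_login", user, f"{prev[1]}->{r['ip']}"))
        last_seen[user] = (ts, r["ip"])

    return findings


if __name__ == "__main__":
    for kind, user, detail in review_access_log(parse_log(SAMPLE_LOG)):
        print(f"{kind:24s} {user:8s} {detail}")
```

Each finding is a lead to investigate, not a conclusion: a biller working late or a clinician switching from clinic Wi-Fi to a phone hotspot will trip these rules. What matters for the audit-control requirement is that the review happened on schedule, that each finding has a recorded disposition, and that a terminated-user hit feeds back into your offboarding procedure.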
Integrity and transmission security
- Encrypt ePHI at rest and in transit; use secure portals or encrypted email for PHI, and avoid unencrypted SMS.
- Apply change control and patching; use anti-malware, DNS filtering, and endpoint protection.
- Implement safeguards to prevent improper alteration or destruction of ePHI.
Network and endpoint protections
- Segment networks (keep patient/guest Wi‑Fi separate from the network that reaches the EHR); secure Wi‑Fi with WPA2 or WPA3; change default router credentials and disable services you do not use, such as WPS and remote administration; use a firewall and a VPN for remote work.
- Manage devices with mobile device management (MDM) or equivalent; enable remote wipe and lost-mode features.
Backups and recovery
- Maintain encrypted, versioned backups following a 3‑2‑1 approach: three copies of the data, on two different types of media, with one copy offsite. Where feasible, keep at least one copy offline or immutable so that ransomware on the network cannot encrypt or delete it.
- Test restores regularly and document results.
Technical Safeguards checklist
- Enforce unique IDs, strong passwords, MFA, and auto‑lock.
- Enable, retain, and review audit logs.
- Encrypt data at rest and in transit; standardize secure messaging.
- Harden endpoints and networks; patch promptly.
- Back up ePHI securely and test restores on a schedule.
Document Findings and Actions
Create a risk register and remediation plan
Compile a risk register listing each finding, its rating, planned mitigation, responsible owner, target date, status, and residual risk. Track decisions explaining why certain risks are accepted, transferred, or reduced.
Maintain evidence and records
- Policies and procedures with approval dates; training materials and attendance logs.
- Asset/device inventories; BAA inventory and vendor due diligence notes.
- Audit log summaries, backup/test reports, patch reports, and incident logs.
Versioning and retention
Use version-controlled folders or binders with clear naming and date stamps. Follow your record retention policy for both paper and electronic files, including backups and logs.
Documentation checklist
- Publish a current risk analysis report and risk register.
- Record remediation plans with owners and deadlines.
- Store policies, BAAs, training, logs, and evidence in a central repository.
- Apply version control and retention schedules consistently.
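The likelihood × impact scoring in the Risk Analysis section and the risk register described here are two views of the same artifact, so one added example (not code from the original page) covers both: a small register that scores each finding, assigns a Low/Medium/High rating, orders remediation, records residual risk after mitigation, and checks that every open High risk has the mitigation, owner and deadline the guide calls for. The three-point scales, the rating thresholds, the sample findings, owners and due dates are all constructed for the example; substitute your own scales and entries.

```python
"""A minimal HIPAA risk register with likelihood x impact scoring and readiness checks.

Scales and thresholds below are assumptions for the example; a practice can use
a 5x5 matrix or different cut-offs as long as it applies them consistently.
"""
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


def rate(score):
    """Map a product of the two 1-3 scales (possible values 1,2,3,4,6,9) to a rating."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    existing_controls: str = "none"
    mitigation: str = ""
    owner: str = ""
    due: str = ""
    decision: str = "reduce"        # reduce, accept, or transfer
    status: str = "open"            # open or closed
    residual_likelihood: str = ""   # expected values once the mitigation is in place
    residual_impact: str = ""

    @property
    def score(self):
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self):
        return rate(self.score)

    @property
    def residual_rating(self):
        """Rating after mitigation; equals the current rating if none is recorded."""
        if not (self.residual_likelihood and self.residual_impact):
            return self.rating
        return rate(LIKELIHOOD[self.residual_likelihood] * IMPACT[self.residual_impact])


def prioritize(risks):
    """Highest score first; ties broken by asset name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, r.asset))


def validate(risks):
    """Return (asset, problem) pairs for entries that are not ready to act on."""
    problems = []
    for r in risks:
        if r.rating == "High" and r.status == "open" and r.decision == "reduce":
            for field in ("mitigation", "owner", "due"):
                if not getattr(r, field):
                    problems.append((r.asset, f"missing {field}"))
        if r.decision == "accept" and r.rating == "High":
            problems.append((r.asset, "High risk accepted without reduction"))
    return problems


def open_high_risks(risks):
    """The 'number of open high risks' metric from the Regular Reviews section."""
    return sum(1 for r in risks if r.rating == "High" and r.status == "open")


# Constructed sample register drawn from the scenarios in this guide.
SAMPLE_REGISTER = [
    Risk("clinic tablet", "theft or loss", "no full-disk encryption or remote wipe",
         "likely", "severe", mitigation="enable full-disk encryption and remote wipe via MDM",
         owner="practice owner", due="2024-04-15",
         residual_likelihood="rare", residual_impact="moderate"),
    Risk("EHR data", "ransomware", "no tested offline backup", "possible", "severe",
         mitigation="3-2-1 backups with a quarterly restore test", owner="IT contractor",
         due="2024-05-01", residual_likelihood="possible", residual_impact="moderate"),
    Risk("telepractice platform", "unauthorized recording", "recording enabled by default",
         "possible", "moderate", mitigation="disable recording by default; host-only controls",
         owner="lead SLP", due="2024-04-01"),
    Risk("paper intake forms", "mishandling", "unlocked cabinet in shared office",
         "possible", "minor", mitigation="locking cabinet", owner="office manager", due="2024-04-01"),
    Risk("personal phone (BYOD)", "lost device", "voicemail with patient names, unencrypted",
         "likely", "moderate"),   # scored but not yet assigned: validate() should flag it
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rating:6s} {r.score}  {r.asset}: {r.vulnerability} -> residual {r.residual_rating}")
    print("open High risks:", open_high_risks(SAMPLE_REGISTER))
    print("not ready:", validate(SAMPLE_REGISTER))
```

The `decision` field is where you record why a risk was accepted or transferred, which is the part auditors most often find missing; the `validate` check makes an unassigned High risk visible at every review rather than letting it sit in the register with a rating and nothing else.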
Conduct Regular Reviews
Cadence and triggers
Review and update your HIPAA risk assessment at least annually and whenever significant changes occur: new EHR or telepractice vendors, major staffing changes, new locations, new services, or a security incident.
Test, audit, and improve
- Run tabletop exercises for Security Incident Response and downtime procedures.
- Spot-check access and audit logs; validate least-privilege access quarterly.
- Re‑evaluate Business Associate risks and BAAs periodically.
Measure what matters
- Metrics: training completion rate, time to revoke access, patch compliance, backup restore success, number of open high risks, and incident response timeliness.
- Use metrics to prioritize next-quarter mitigations and budget requests.
Regular Reviews checklist
- Schedule annual and change-driven reassessments.
- Test incident response and recovery plans; capture lessons learned.
- Audit access, logs, and vendor controls; refresh BAAs as needed.
- Track KPIs and update the remediation roadmap quarterly.
FAQs
What is the purpose of a HIPAA risk assessment for speech therapists?
It enables you to identify where PHI exists in your speech therapy workflows, evaluate threats and vulnerabilities, and implement Administrative, Physical, and Technical Safeguards to reduce risk to reasonable and appropriate levels while supporting clinical care.
How often should speech therapists conduct a HIPAA risk assessment?
Perform a comprehensive assessment at least annually and any time you introduce material changes—such as new telepractice platforms, EHRs, locations, or vendors—or after a security incident that reveals new risks.
What are the key safeguards required under HIPAA for protecting PHI?
HIPAA centers on Administrative Safeguards (policies, training, access management, BAAs, Security Incident Response, and contingency planning), Physical Safeguards (facility, workstation, and device controls), and Technical Safeguards (access, audit, integrity, transmission, and security technologies like encryption and MFA).
How should speech therapists document their HIPAA risk assessment findings?
Create a written risk analysis report and a living risk register showing each risk, rating, mitigation, owner, and due date. Maintain supporting evidence—policies, training logs, BAAs, audit/backup reports, and incident logs—with version control, approval dates, and retention schedules.
Ready to assess your HIPAA security risks?
Join thousands of organizations that use Accountable to identify and fix their security gaps.
Take the Free Risk Assessment