How Massage Therapists Can Avoid HIPAA Violations: Practical Tips for Everyday Compliance
HIPAA Applicability to Massage Therapists
Know when HIPAA actually applies
HIPAA applies to you if you are a Covered Entity or a Business Associate. You are a Covered Entity when you transmit health information electronically in connection with standard transactions with health plans, such as submitting insurance claims through a clearinghouse. You are a Business Associate when another Covered Entity gives you access to Protected Health Information (PHI) to perform services on its behalf.
Common scenarios
- Self-pay, no insurance billing, and no services for a Covered Entity: typically not a Covered Entity, but you should still safeguard client data.
- Electronic billing to health plans or use of a clearinghouse: you are a Covered Entity and must run a documented HIPAA Compliance Program.
- Working inside a clinic, hospital, or chiropractor’s office that bills insurers: you may be part of that Covered Entity or a Business Associate depending on the arrangement.
- Corporate wellness or sports-team contracts: you might be a Business Associate if you handle PHI on the client’s behalf.
Action steps
- Decide your status in writing and update it if your billing or partnerships change.
- If you are a Covered Entity or Business Associate, implement required policies, training, and a Security Risk Assessment.
- If not covered, adopt reasonable privacy and security safeguards to meet client expectations and reduce risk.
Understanding Protected Health Information
What counts as PHI
Protected Health Information is individually identifiable health information: anything about a person's past, present, or future physical or mental health, the care they receive, or payment for that care, that identifies them or could reasonably be used to identify them. In massage therapy, PHI often includes intake forms, SOAP notes, referral details, treatment plans, scheduling notes that mention conditions, and communications about pain, injuries, or diagnoses. When PHI is stored or transmitted electronically, it becomes electronic PHI (ePHI).
What is not PHI
De-identified data that cannot reasonably be linked back to a person is not PHI. Payment card data on its own is governed by the payment-card industry rules (PCI DSS), not HIPAA; however, when card data sits in a record that also contains identifiable health information, the combined record is PHI and must be protected as such.
Minimum necessary
Apply the minimum necessary standard: collect, use, and share only what is needed for treatment, payment, or operations. Avoid documenting unnecessary details about family members, employers, or unrelated conditions.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Implementing Privacy Rule Requirements
Notice of Privacy Practices (NPP)
- If you are a Covered Entity, give clients a clear Notice of Privacy Practices at their first visit, post it in your office, and publish it on your website if you have one.
- Obtain written acknowledgment of receipt and retain it in the record.
- Update the NPP when your uses, disclosures, or contact methods change.
Permitted uses and disclosures
- Treatment, payment, and health care operations are generally permitted without additional authorization.
- For marketing, testimonials with names or images, or sharing with third parties not involved in care or operations, use a signed HIPAA authorization.
Client rights you must honor
- Access: provide access to or copies of records within 30 days of a request (one 30-day extension is allowed if you tell the client the reason and the expected date in writing).
- Amendment: allow clients to request corrections or addendums.
- Restrictions and confidential communications: accommodate reasonable requests, such as contacting a client only by email or at a specific number.
- Accounting of disclosures: be able to report certain disclosures not related to treatment, payment, or operations.
Everyday privacy practices
- Do not discuss client conditions in public areas; keep charts out of sight.
- Use sign-in practices that avoid revealing health conditions.
- Limit what you leave on voicemails or text messages; share only the minimum necessary.
Securing Electronic PHI
Access control and authentication
- Give each user a unique login; remove access promptly when roles change.
- Use strong passwords and multifactor authentication for email, practice software, cloud storage, and telehealth tools.
Encryption and device protection
- Encrypt all laptops, tablets, and smartphones that store or can access ePHI; enable auto-lock and remote wipe.
- Encrypt data at rest in cloud services and ensure encryption in transit (HTTPS, secure email portals, or secure messaging).
Secure communications
- Avoid ordinary SMS or unencrypted email for PHI unless you use a secure solution or obtain client consent after explaining the risks.
- Use secure e-fax or patient portals for referrals, care coordination, and document exchange.
Patch, backup, and monitor
- Update operating systems and apps promptly; remove unsupported devices from service.
- Maintain tested backups using a 3-2-1 approach (three copies, two media, one offsite) and protect backups with encryption.
- Turn on audit logs wherever available; review for unusual access.
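"Review for unusual access" is easier to act on with a concrete routine. The script below is an added example, not code from the original page or from Accountable: it reads a practice-software audit export (the CSV column layout, the appointment list, the list of closed accounts, and the log lines themselves are all constructed for the example) and flags the patterns a small practice most needs to catch: access by a deprovisioned account, access outside business hours, a therapist opening a record for a client they had no appointment with that day, and one account sweeping through many records in a few minutes.

```python
"""Flag unusual ePHI access in an audit-log export (added example; all data constructed)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names are an assumption about the export format.
SAMPLE_LOG = """timestamp,user,action,client_id
2024-03-04T09:05:00,therapist.ana,view,C1001
2024-03-04T09:40:00,therapist.ana,edit,C1001
2024-03-04T10:15:00,frontdesk.bo,view,C1002
2024-03-04T10:16:00,frontdesk.bo,view,C1003
2024-03-04T10:17:00,frontdesk.bo,view,C1004
2024-03-04T10:18:00,frontdesk.bo,view,C1005
2024-03-04T10:19:00,frontdesk.bo,view,C1006
2024-03-04T10:20:00,frontdesk.bo,view,C1007
2024-03-04T12:30:00,therapist.ana,view,C1009
2024-03-04T23:12:00,therapist.cy,view,C1001
2024-03-05T11:00:00,former.dee,view,C1002
"""

# Constructed context from the scheduling system: (date, therapist) -> clients booked that day.
APPOINTMENTS = {
    ("2024-03-04", "therapist.ana"): {"C1001"},
    ("2024-03-04", "therapist.cy"): set(),
}
DEPROVISIONED = {"former.dee"}       # accounts that should have been removed
FRONT_DESK = {"frontdesk.bo"}        # scheduling staff legitimately open many records

BUSINESS_HOURS = (7, 20)             # 07:00-20:00 local, Monday to Saturday
BULK_THRESHOLD = 5                   # distinct client records ...
BULK_WINDOW = timedelta(minutes=10)  # ... opened within this window


def parse_log(text):
    """Parse the CSV export into dicts sorted by timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"] = datetime.fromisoformat(rec["timestamp"])
        rows.append(rec)
    return sorted(rows, key=lambda r: r["ts"])


def after_hours(ts):
    """True on Sundays or outside the configured business hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() == 6 or not (start <= ts.hour < end)


def review(text):
    """Return a list of (finding, user, detail, timestamp) tuples for the reviewer."""
    findings = []
    recent = defaultdict(list)  # user -> [(ts, client_id)] inside the bulk window
    for r in parse_log(text):
        user, ts, cid, stamp = r["user"], r["ts"], r["client_id"], r["timestamp"]

        if user in DEPROVISIONED:
            findings.append(("deprovisioned_account", user, cid, stamp))

        if after_hours(ts):
            findings.append(("after_hours", user, cid, stamp))

        # Minimum necessary: a therapist should only open records of clients they treat.
        if user not in FRONT_DESK and user not in DEPROVISIONED:
            booked = APPOINTMENTS.get((ts.date().isoformat(), user), set())
            if cid not in booked:
                findings.append(("no_treatment_relationship", user, cid, stamp))

        # Sliding window of distinct records per user; fires once when the threshold is hit.
        window = [(t, c) for t, c in recent[user] if ts - t <= BULK_WINDOW]
        window.append((ts, cid))
        recent[user] = window
        distinct = {c for _, c in window}
        if len(distinct) == BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(distinct)} records in {BULK_WINDOW}", stamp))
    return findings


if __name__ == "__main__":
    for kind, user, detail, stamp in review(SAMPLE_LOG):
        print(f"{stamp}  {kind:26} {user:15} {detail}")
```

Run it weekly against a fresh export and keep the output with your audit-log review records; every finding should end in a documented decision (expected, sanctioned, or escalated to incident response). Front-desk accounts are exempt from the treatment-relationship check but not from the bulk check, so a sweep through the client list by any account still surfaces.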
Physical safeguards
- Lock rooms and cabinets that contain files or devices with ePHI.
- Position screens away from public view; use privacy filters where needed.
Managing Business Associate Agreements
When a Business Associate Agreement (BAA) is required
Sign a Business Associate Agreement with any vendor that creates, receives, maintains, or transmits PHI for you. Common examples include practice management or EHR platforms, cloud email and storage used with PHI, e-fax and secure texting services, billing companies and clearinghouses, IT providers with potential access to PHI, backup vendors, and forms or telehealth platforms.
Vendors that typically do not need a BAA
Pure “conduits” like the postal service do not need a BAA. Payment processors that only move funds and do not need PHI generally are not Business Associates. When in doubt, ask the vendor whether they will sign a BAA and how they handle PHI.
What to include in your BAA
- Permitted uses and disclosures of PHI and a requirement to follow HIPAA safeguards.
- Timely breach reporting and cooperation with your obligations under the Breach Notification Rule.
- Subcontractor “flow-down” requirements so downstream vendors also protect PHI.
- Termination rights, data return or destruction, and assistance with audits.
Conducting Risk Assessments and Remediation
Perform a Security Risk Assessment
- Inventory where PHI lives: paper files, devices, email, cloud apps, and backups.
- Map how PHI flows into, within, and out of your practice.
- Identify threats and vulnerabilities, then rate likelihood and impact to prioritize risks.
Create and execute a remediation plan
- Address high risks first: encrypt devices, enable MFA, limit access, update BAAs, and fix insecure workflows.
- Document decisions, timelines, and the controls you implement; this is core to a strong HIPAA Compliance Program.
- Reassess at least annually or when you adopt new technology, move locations, or change vendors.
Prepare for incidents and breaches
- Establish an incident response procedure to contain, investigate, and document events.
- Use the four-factor assessment to decide whether an incident is a reportable breach: the nature and extent of the PHI involved, who received or used it, whether the PHI was actually acquired or viewed, and how far the risk has been mitigated. If it is a breach, follow the Breach Notification Rule: notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS (within the same 60 days for breaches affecting 500 or more people, otherwise in an annual log), and alert prominent media when a breach affects more than 500 residents of a state or jurisdiction.
- Maintain records of incidents, decisions, and notifications for at least six years, the HIPAA documentation retention period.
Providing Training and Education
Build skills and awareness
- Provide HIPAA training at onboarding and refreshers annually; tailor content to roles (front desk, therapists, billing).
- Teach practical habits: minimum necessary, clean desks, secure texting, phishing awareness, and device hygiene.
- Keep attendance logs and signed acknowledgments of policies and your Notice of Privacy Practices.
Reinforce through policy and leadership
- Publish concise policies staff can use daily; review them during team meetings.
- Run short drills for lost devices, misdirected faxes, or suspicious emails to build muscle memory.
- Apply a fair sanctions policy and celebrate proactive reporting to sustain a healthy culture.
Conclusion
Everyday compliance comes from clear boundaries around PHI, secure technology, informed vendor choices, routine Security Risk Assessments, and practical training. Decide your HIPAA status, document your HIPAA Compliance Program, and refine it as your practice evolves. These steps reduce risk, protect clients, and keep your focus on safe, effective care.
FAQs
What makes a massage therapist a covered entity under HIPAA?
You are a Covered Entity if you electronically transmit health information in standard transactions with health plans, such as submitting insurance claims or eligibility checks through a clearinghouse. If you do only self-pay and do not conduct those transactions, you are usually not a Covered Entity. You may still be a Business Associate if a Covered Entity gives you PHI to perform services on its behalf.
How should therapists protect electronic PHI?
Use unique logins and multifactor authentication, encrypt all devices and cloud storage, patch software promptly, and maintain tested backups. Limit PHI in email and texts, prefer secure portals or e-fax, and review audit logs. Perform a Security Risk Assessment at least annually and when your technology or vendors change.
When is a Business Associate Agreement required?
Sign a Business Associate Agreement with any vendor that creates, receives, maintains, or transmits PHI for you—such as EHR or practice software, cloud email and storage used with PHI, e-fax and secure messaging, billing services and clearinghouses, IT providers with PHI access, backups, and telehealth or forms platforms. Pure payment processors and mail carriers typically do not require BAAs.
What are common HIPAA violations for massage therapists?
Frequent issues include leaving charts visible, using unencrypted devices, texting PHI over ordinary SMS, failing to provide a Notice of Privacy Practices, missing BAAs with vendors handling PHI, skipping Security Risk Assessments, and delaying required actions under the Breach Notification Rule after an incident.