Speech Therapy Consent and HIPAA Compliance: What You Need to Know

Kevin Henry

HIPAA

February 17, 2026

Informed consent confirms that a patient—or a legally authorized representative—understands the nature, risks, benefits, and alternatives of speech-language services and agrees to proceed. You should explain goals, likely frequency and duration, potential outcomes, and any reasonable alternatives, including the option to refuse or stop treatment at any time.

Special situations to address

For minors, obtain consent from a parent or legal guardian; involve the child in age-appropriate assent when possible. For adults with limited decision-making capacity, document the authority of the surrogate. For telepractice, include technology risks, privacy safeguards, and contingency plans for service interruptions.

Documentation essentials

Use clear consent forms, record questions asked and answers provided, and note the date, time, and method (in-person, electronic, telehealth). Update consent when treatment plans change materially or new services begin. While consent to treat differs from HIPAA rules, capturing consent thoroughly supports overall Privacy Rule Compliance and reduces disputes.

Understanding HIPAA Privacy Rule

What counts as PHI and who must comply

Protected Health Information (PHI) includes any individually identifiable health data you create, receive, maintain, or transmit in any form. Covered entities—such as most clinics and solo practitioners—and their business associates must safeguard PHI and use or disclose it only as permitted by the Privacy Rule.

Permitted uses and disclosures

Without patient authorization, you may use or disclose PHI for treatment, payment, and health care operations. You may also disclose as required by law or to avert serious threats when specific conditions are met. Outside of these categories, you generally need HIPAA Authorization that is specific, time-limited, and revocable.

Patient rights you must support

Patients have rights to access and obtain copies of records, request amendments, receive an accounting of certain disclosures, restrict some uses, and submit Confidential Communications Requests (for example, alternate addresses or phone numbers). Your policies should make exercising these rights straightforward and timely.

How they differ

Consent is a patient’s agreement to receive evaluation and treatment. Authorization is a formal, written permission for uses or disclosures of PHI not otherwise permitted by the Privacy Rule. You can deliver care with consent to treat; you need HIPAA Authorization to share PHI for most purposes other than treatment, payment, and health care operations (TPO).

When authorization is typically required

Common triggers include releasing records to schools or third parties not involved in care, marketing communications, research participation, and disclosures of psychotherapy notes or highly sensitive information protected by stricter state laws. Ensure authorizations specify what will be disclosed, to whom, for what purpose, and for how long.

Applying Minimum Necessary Standard

Scope and key exceptions

The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to the least amount needed to accomplish a purpose. It does not apply to disclosures for treatment, to the individual, pursuant to HIPAA Authorization, or when required by law. For payment and operations, apply role-based access and targeted disclosures.

Practical strategies

  • Define role-based access so each staff member sees only what they need.
  • Use data segmentation in reports (e.g., therapy dates and CPT codes for billing without full session notes).
  • Standardize templates that exclude extraneous identifiers when not necessary.
  • Review recurring requests and pre-approve minimum data sets for speed and consistency.

Speech-therapy examples

  • When verifying benefits, share diagnosis codes and service dates, not full evaluations.
  • When coordinating with a school SLP, exchange only current goals and progress relevant to joint treatment.
  • When responding to a quality audit, send de-identified or limited data sets when permissible.

Managing Protected Health Information

Administrative, physical, and technical safeguards

Adopt written policies, designate a privacy and security officer, and conduct periodic risk assessments. Control physical access to records, secure workstations, and implement technical safeguards such as unique logins, encryption, automatic logoff, and audit logs. Maintain a breach response plan with clear internal reporting timelines.

Documentation and retention

Keep a records retention schedule that aligns with federal and state rules. Maintain Routine Disclosure Documentation to track non‑TPO or unusual disclosures and to support accounting requests. Verify business associate agreements with vendors that handle PHI, including EHRs, telehealth platforms, and billing services.

Handling individual requests

Process access and amendment requests promptly, using secure transmission options. Honor Confidential Communications Requests by accommodating alternative addresses, emails, or phone numbers when reasonable. When denying a request, provide written reasons and information about complaint processes.

Providing Notice of Privacy Practices

What to include

Your Notice of Privacy Practices must describe permitted uses and disclosures, patient rights, your legal duties, how to file complaints, and effective dates. It should also list whom to contact with questions and how to request restrictions or confidential communications.

Delivery and acknowledgment

Provide the notice no later than the first service encounter and make a good‑faith effort to obtain written acknowledgment of receipt. Post the notice prominently in the clinic and make it readily available electronically for telepractice or remote intake workflows.

Updating and version control

Review the notice periodically and update it when policies change. Keep prior versions and effective dates on file so you can demonstrate transparency and continuous Privacy Rule Compliance.

Training Staff for HIPAA Compliance

Core training topics

Cover Privacy Rule principles, Minimum Necessary Standard, secure documentation, patient rights, breach prevention and response, and proper use of email, texting, and telehealth tools. Include real speech-therapy scenarios to reinforce decision-making under pressure.

Frequency and evidence of completion

Provide onboarding training for new staff, annual refreshers, and just‑in‑time training after policy changes or incidents. Keep sign‑in sheets or certificates, training agendas, and assessment scores as proof of compliance and to guide performance improvement.

Culture and accountability

Encourage questions and near‑miss reporting without blame. Apply consistent sanctions for violations and recognize proactive privacy practices. Periodic drills improve response times and strengthen team confidence.

FAQs

Consent is the patient’s agreement to receive services; authorization is a specific, written permission to use or disclose PHI for purposes not otherwise permitted, such as marketing or sharing with third parties unrelated to care. Authorization must identify the information, recipient, purpose, and expiration and can be revoked in writing.

When is written authorization required in speech therapy?

You generally need written HIPAA Authorization to release records to non‑treating third parties, to participate in research, for many marketing communications, or to disclose categories of information protected by stricter laws. Routine TPO activities—treatment, payment, and operations—do not require authorization.

How should speech therapists handle routine disclosures of PHI?

Limit each disclosure to the Minimum Necessary Standard, verify the requestor’s identity, and document what you shared when not clearly part of TPO. Maintain a Routine Disclosure Documentation log for non‑TPO or exceptional disclosures to support auditing and accounting requests.

What are the patient's rights under HIPAA in speech therapy contexts?

Patients can access and obtain copies of their records, request amendments, receive an accounting of certain disclosures, request restrictions, and make Confidential Communications Requests (e.g., alternate contact methods). You must provide a Notice of Privacy Practices explaining these rights and how to exercise them.
