Speech Therapy Records Privacy: Who Can Access Your Files and How They’re Protected

Kevin Henry

Data Privacy

November 18, 2025

When you or your child works with a speech-language pathologist (SLP), the information created during treatment becomes part of your health record. This guide explains who may access those speech therapy records, how the HIPAA Privacy Rule protects them, and the practical safeguards providers use to keep them private. It offers general information for educational purposes and is not legal advice; always confirm details with your provider and applicable state law.

Access Rights to Speech Therapy Records

Who can access by default

  • You, the patient. You have a right to inspect and obtain copies of your designated record set, which typically includes assessments, treatment plans, progress notes, test results, and billing information.
  • Personal representative. A person legally authorized to act on your behalf (for example, under a health care power of attorney) generally has the same access you do.
  • Covered entity workforce. Staff of the speech therapy practice or clinic may access only the minimum necessary information to perform their job duties (scheduling, billing, quality review, or direct care).
  • Business associates. Vendors (e.g., cloud record platforms, billing services) may access Protected Health Information under a written Business Associate Agreement that imposes HIPAA duties.

Special considerations for minors

Parents or legal guardians are commonly treated as a minor’s personal representative and may access the child’s records, subject to exceptions under state law (e.g., emancipated minors) and protections in sensitive situations such as abuse investigations. School-based therapy in public K–12 settings is often governed by FERPA, meaning the records are student education records, not PHI; access rules there follow education privacy requirements rather than HIPAA.

The minimum necessary standard

Outside of direct patient access, disclosures must follow the HIPAA “minimum necessary” rule: share only what’s needed for the task at hand. Practices typically use role-based access controls to enforce this.

Definition of Protected Health Information

What counts as PHI in speech therapy

Protected Health Information (PHI) is individually identifiable health information—paper, electronic, or oral—created or received by a covered entity that relates to a person’s health, care, or payment. In speech therapy, PHI commonly includes case histories, evaluation results (e.g., articulation and language assessments), treatment goals, progress data, audio/video used for clinical purposes, and invoices.

What is not PHI

  • De-identified data. Information stripped of direct and indirect identifiers so individuals cannot reasonably be re-identified.
  • Work product not part of the designated record set. Personal memory aids kept separately by an SLP may fall outside the accessible record, provided they are not used to make decisions about you. Practices should define this clearly in policy.
  • Education records under FERPA. For school-based services subject to FERPA, those records are not PHI and are protected under education privacy rules.

Confidentiality Obligations of Speech Therapists

Core duties under the HIPAA Privacy Rule

  • Use and disclose PHI only as permitted by law or authorization.
  • Apply the minimum necessary standard for non-treatment uses.
  • Provide a Notice of Privacy Practices (NPP) that explains how PHI may be used, your rights, and how to exercise them.
  • Maintain administrative, physical, and technical safeguards consistent with the HIPAA Security Rule for electronic PHI.
  • Train staff, maintain policies, and document processes to demonstrate compliance.

Ethical and contractual duties

SLPs also follow professional Confidentiality Obligations and ensure Business Associate Agreements are in place with vendors who handle PHI. Many practices audit access logs and conduct periodic risk analyses to verify that confidentiality safeguards are functioning as intended.

Authorized Disclosures of Records

Disclosures that do not require a specific authorization

  • Treatment, Payment, and Health Care Operations (TPO). Sharing within and across providers to coordinate care, obtain payment, and run practice operations.
  • As required by law. For example, court orders or mandated public health reporting.
  • Health oversight and audits. Disclosures to agencies overseeing health care compliance.
  • Law enforcement and judicial proceedings. Only under defined conditions and limited to minimum necessary.
  • To avert a serious threat. Disclosures made in good faith to prevent or lessen a serious, imminent threat to health or safety.
  • Limited family/friend involvement. With your agreement or when you have the opportunity to object and do not, a provider may share relevant information with a person involved in your care or payment.
  • De-identified and limited data sets. Information without identifiers or with limited identifiers under a data use agreement.

Disclosures that require your written authorization

  • Releases to third parties for purposes beyond TPO (e.g., employer requests, marketing).
  • Sharing notes or materials you and your provider agree to treat as especially sensitive.

Practices should explain common Authorized Disclosures in their NPP and obtain signed authorizations when required. State laws can be stricter than HIPAA; providers follow the more protective rule.

Secure Storage and Record Protection

Technical safeguards for ePHI

  • Access control. Unique user IDs, strong authentication (preferably multi-factor), and role-based permissions.
  • Encryption. Protect PHI “in transit” and “at rest” with modern encryption; consider crypto-erasure for retired media.
  • Audit trails and monitoring. Log access, edits, and disclosures; review logs routinely.
  • Resilience. Backups, redundancy, and tested recovery plans to maintain integrity and availability.

Administrative and physical safeguards

  • Policies and training. Annual training, sanctions for violations, and documented procedures for Secure Record Storage.
  • Vendor management. Business Associate Agreements, due diligence, and periodic reviews.
  • Facility security. Locked file rooms, clean-desk rules, visitor logs, and workstation timeouts.

Breach response at a glance

If a potential breach occurs, practices investigate promptly, mitigate harm, notify affected individuals when required, and improve controls to prevent recurrence.

Patient Rights Regarding Records

Access and copies

  • Timelines. Providers generally have 30 days to respond to an access request, with one 30-day extension available when explained in writing.
  • Format. You may request paper or electronic copies in a readily producible format.
  • Fees. Only reasonable, cost-based fees for copying, mailing, or portable media may be charged.

Requesting amendments

  • Right to correct. You can ask to amend inaccurate or incomplete information; providers usually have 60 days to respond, with one 30-day extension if needed.
  • If denied. You can submit a statement of disagreement that becomes part of the record.

Additional rights

  • Restrictions. Request limits on certain disclosures (e.g., when you paid out of pocket in full).
  • Confidential communications. Ask to be contacted at a specific address, email, or phone.
  • Accounting of disclosures. Receive a list of certain non-routine disclosures (generally up to the prior six years; routine TPO is excluded). Providers typically have up to 60 days to respond, plus one 30-day extension if needed.
  • Notice of Privacy Practices. You are entitled to receive and review the NPP that explains these rights.

Proper Disposal of Speech Therapy Records

Retention and end-of-life planning

HIPAA sets privacy and security standards but does not prescribe a single federal retention period for medical records. Retention is driven by state law and payer or accreditation rules. Many providers keep adult records for several years and retain minor records until after the age of majority plus an additional period. Ask your provider how long they keep records and how you can request deletion when allowed.

Record Disposal Procedures

  • Papers. Cross-cut shredding, pulping, or incineration so documents cannot be reconstructed.
  • Electronic media. Crypto-shredding, secure wiping per recognized standards, degaussing (for magnetic media), or physical destruction of storage that cannot be sanitized.
  • Chain of custody. Document who handled the records, when, and how destruction occurred; obtain certificates of destruction from vendors.
  • Backups and replicas. Apply the same destruction to all copies, including off-site backups, test environments, and removable media.

Practical safeguards for small practices

  • Lock and limit access to file rooms; store keys securely.
  • Use encrypted cloud systems vetted for HIPAA and covered by Business Associate Agreements.
  • Schedule periodic disposal days and maintain logs to prove compliance.

Conclusion

Effective speech therapy records privacy rests on clear access rules, strong confidentiality practices, precise Authorized Disclosures, and robust security. When you know your rights, review the Notice of Privacy Practices, and choose providers committed to Secure Record Storage and sound Record Disposal Procedures, your information stays protected throughout its life cycle.

FAQs

Who is allowed to access speech therapy records?

You, your lawful personal representative, and the provider’s workforce may access records, with vendors accessing only under Business Associate Agreements. Others need your authorization unless a disclosure is permitted by law (for treatment, payment, operations, or specific exceptions).

What safeguards protect the privacy of speech therapy records?

Providers implement technical controls (encryption, access control, audit logs), administrative measures (policies, training, vendor agreements), and physical protections (locked storage, device security). These measures align with the HIPAA Privacy Rule and Security Rule to protect PHI.

How can patients correct errors in their speech therapy records?

Submit a written amendment request to your provider. They generally have 60 days to respond (with one 30-day extension). If denied, you can add a statement of disagreement that stays with the record.

What are the rules for disposing of speech therapy records?

Disposal must prevent reconstruction of PHI. Paper is cross-cut shredded or pulped; electronics are securely wiped, degaussed, or destroyed. Providers document the process and ensure all copies—including backups—are addressed, following applicable state retention rules before destruction.
