HIPAA Compliance for Physical Therapy Practices

Open gym environment privacy, exercise video recording, group session privacy, outcome measurement tools, workers compensation, and athletic training.

Quick Answer

Physical Therapy Practices are covered entities managing unique HIPAA challenges: open gym environments with shared equipment and multiple patients visible, video recording of exercises for patient education, group therapy sessions with patient information shared among participants, outcome measurement tools collecting functional data, workers compensation documentation sent to insurers and employers, and athletic training services provided in team settings. Key requirements: obtain consent for video recording, manage open gym privacy expectations, control access to group therapy records, secure outcome data transmission, manage workers compensation documentation appropriately.

Industry Overview & HIPAA Applicability

Physical Therapy Practices are covered entities under HIPAA managing patient data in unique operational environments. Unlike traditional office-based healthcare, physical therapy operates in open gym spaces where multiple patients exercise simultaneously, group therapy sessions where patient information is shared among peers, and team settings where athletic trainers work alongside physicians.

The open gym model creates HIPAA challenges: patients in shared spaces can see other patients' treatment plans and exercises, video recording for exercise instruction raises privacy concerns, workers compensation documentation flows to insurers and employers, and outcome measurement data is increasingly transmitted to payers for quality reporting.

8 Key Compliance Requirements for Physical Therapy Practices

1. Open Gym Environment & Privacy Management

Physical therapy operates in shared open gym spaces where multiple patients exercise simultaneously. Patient privacy expectations are lower in open gyms, but you must still limit visibility of treatment plans and sensitive data.

  • Never post patient names with exercise assignments; use IDs only
  • Position computer screens away from patient view; prevent others from seeing names/diagnoses
  • Train staff to discuss treatment plans privately, not loudly in open gym
  • Limit exercise plan visibility to assigned therapist and patient only
  • Obtain consent acknowledging open gym environment and reduced privacy expectations

2. Exercise Video Recording & Educational Use

Video recording exercises for patient education (homework, form correction) requires explicit written consent. Many practices record without consent, assuming it's educational. Each recording is PHI and requires authorization.

  • Obtain written consent before recording any patient exercise video
  • Specify in consent: recording purpose, how video will be stored, who can access
  • Encrypt exercise videos in storage and transit (TLS 1.2+)
  • Limit video access to treating therapist and patient
  • Allow patients to request video deletion; establish deletion timeline

3. Group Therapy Sessions & Multi-Patient Privacy

Group physical therapy sessions (group stretching, aquatic classes, wellness groups) involve multiple patients. Information shared in group sessions is still PHI and requires privacy protections and confidentiality agreements.

  • Require confidentiality agreements from all group participants before attendance
  • Document group session attendance and general activities (not individual patient details)
  • Limit access to group session notes to treating therapists and participants
  • Educate participants about group privacy expectations
  • Document any group therapy breaches (member sharing another's information)

4. Outcome Measurement & Functional Assessment Data

Physical therapy outcome measures (functional outcome assessments, pain scales, mobility scores) are increasingly collected and transmitted to payers for quality reporting and reimbursement. Secure transmission and access control are essential.

  • Encrypt outcome data in transit to payers using TLS 1.2+ or secure file transfer
  • Encrypt outcome data at rest in assessment databases
  • Implement audit logging for all outcome data access
  • Obtain consent for outcome data sharing with payers (may be in insurance authorization)
  • Allow patients to access their own outcome data and historical trends

5. Workers Compensation Documentation & Insurer Reporting

Workers compensation patients have therapy funded by insurers. Documentation must be sent to insurers and may be shared with employers. Balance clinical documentation with privacy protections for workers comp patients.

  • Obtain signed workers comp authorization before releasing documentation to insurers
  • Send progress notes and medical records via encrypted email or secure portals (not unsecured email)
  • Document only information required for workers comp purposes (function, treatment, prognosis)
  • Do not share detailed clinical assessments unless required for medical necessity determination
  • Maintain separate authorization documentation for each insurer/employer

6. Athletic Training & Team Settings

Some practices provide athletic training services in school or team settings. Team members, coaches, and parents may have access to player medical information. Manage privacy and access carefully in team environments.

  • Establish clear written policies on who accesses athlete medical records (athlete, parents, coaches, physicians)
  • Require coaches to respect confidentiality; athlete injuries must not be discussed publicly
  • Comply with FERPA (Family Educational Rights and Privacy Act) in school-based settings
  • Encrypt all athlete medical records in transit and at rest
  • Document consent/authorization for athlete information disclosure to team personnel

7. Telehealth & Virtual Exercise Instruction

Physical therapy increasingly uses telehealth for home exercise programs and remote consultations. Telehealth video transmission and patient home privacy require special protections.

  • Use HIPAA-compliant video platforms (not consumer Zoom, FaceTime, or personal video apps)
  • Encrypt telehealth video transmission end-to-end
  • Obtain consent for telehealth visits and video recording of sessions
  • Educate patients about home privacy (close doors, minimize background visibility)
  • Document telehealth visit with date, participants, duration, and content

8. Access Controls & EHR Security

Physical therapy practices increasingly use electronic health records (EHRs) to document patient plans, progress, and outcomes. Access controls must limit staff to assigned patients and authorized functions.

  • Implement role-based access: therapists access their patients; admin staff access scheduling only
  • Encrypt EHR systems in transit (TLS 1.2+) and at rest (AES-256)
  • Log all EHR access with user ID, timestamp, and data accessed
  • Implement multi-factor authentication for administrative access
  • Review access rights quarterly for personnel changes or role modifications
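As an added illustration of the access-control and audit-logging bullets above (example code written for this page, not Medcurity's or any EHR vendor's): a minimal policy check in which therapists reach clinical records only for patients assigned to them, admin staff reach scheduling only, and every attempt is logged with user ID, timestamp, and the data accessed. Role names, resource names, and the sample users are assumptions.

```python
# Added example: role-based EHR access check with audit logging for a PT practice.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> resource types that role may touch (assumed names).
# Therapists reach clinical records only for assigned patients; admins reach scheduling only.
ROLE_PERMISSIONS = {
    "therapist": {"treatment_plan", "progress_note", "outcome_data"},
    "admin": {"schedule"},
}

@dataclass
class User:
    user_id: str
    role: str
    assigned_patients: set = field(default_factory=set)  # meaningful for therapists only

@dataclass
class EhrAccessControl:
    audit_log: list = field(default_factory=list)

    def check_access(self, user: User, patient_id: str, resource: str) -> bool:
        allowed = resource in ROLE_PERMISSIONS.get(user.role, set())
        # Clinical data additionally requires a treating-therapist assignment.
        if allowed and user.role == "therapist":
            allowed = patient_id in user.assigned_patients
        # Every attempt, allowed or denied, is recorded with the three fields the page lists.
        self.audit_log.append({
            "user_id": user.user_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "data_accessed": f"{resource}:{patient_id}",
            "allowed": allowed,
        })
        return allowed

    def denied_attempts(self, user_id=None):
        """Denied accesses, optionally for one user: the entries an access review should read."""
        return [e for e in self.audit_log
                if not e["allowed"] and (user_id is None or e["user_id"] == user_id)]

def quarterly_review(users, active_staff_ids):
    """Flag accounts whose holder is no longer on staff (the quarterly access-review step)."""
    return [u.user_id for u in users if u.user_id not in active_staff_ids]

# Constructed sample data: one therapist with two assigned patients, one front-desk admin.
ehr = EhrAccessControl()
therapist = User("pt_jane", "therapist", {"P100", "P101"})
front_desk = User("fd_sam", "admin")
ehr.check_access(therapist, "P100", "treatment_plan")   # allowed
ehr.check_access(therapist, "P999", "treatment_plan")   # denied: not an assigned patient
ehr.check_access(front_desk, "P100", "progress_note")   # denied: admin role has no clinical access
```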

Common Violations & Penalties in Physical Therapy

Top Violations in PT Practices

  • Unauthorized Video Recording (28% of PT breaches): Recording patient exercises without consent for educational materials; OCR penalties $50,000-$300,000
  • Unencrypted Workers Comp Documentation (24% of PT breaches): Emailing patient records unencrypted to insurers; data breach during transmission; OCR penalties $50,000-$500,000+
  • Inadequate Open Gym Privacy (20% of PT breaches): Patient names visible on treatment plans; other patients see diagnoses/exercises; privacy violation
  • Inadequate Group Therapy Privacy (18% of PT breaches): Group participants discuss each other's information outside confidentiality agreement; practice liable
  • Insecure Outcome Data Reporting (12% of PT breaches): Functional outcome data transmitted unencrypted to payers; data breach of assessment information

Penalty Examples

Video Recording Breach: Practice records patient exercises without consent, uploads them to a private YouTube channel for patient access, and the videos are discovered by OCR during an audit; unauthorized recording violation; OCR penalties $100,000-$500,000+

Workers Comp Email Breach: Therapist emails progress notes to workers comp insurer via unencrypted email; intercepted in transit; breach affecting 500+ patients' workers comp records; notification costs ($250K+), OCR penalties ($500K-$5M)

Tier 1 Violations: $100-$50,000 per violation for unaware failures (inadequate training, missing consent forms)

Secure Your Physical Therapy Practice

Medcurity helps Physical Therapy Practices implement HIPAA compliance in open gym environments, manage group therapy privacy, and secure workers compensation documentation transmission.

Step-by-Step Compliance Roadmap for PT Practices

Audit Current Practices

Document current gym operations, video recording practices, group therapy procedures, and workers comp documentation handling. Identify compliance gaps (unauthorized recordings, unencrypted emails, visible patient information).

Implement Gym Privacy Controls

Position computer screens away from patient view. Remove patient names from visible treatment plans. Train staff on discussing treatment privately. Obtain consent acknowledging open gym environment.

Develop Video Recording Consent Forms

Create consent forms for exercise video recording specifying purpose, storage, access, and retention. Require consent before recording any patient. Encrypt all stored exercise videos.

Establish Group Therapy Procedures

Create confidentiality agreements for group participants. Document group attendance and general activities. Implement procedures for managing participant breaches of confidentiality.

Secure Outcome Data Transmission

Implement encrypted transmission of outcome data to payers. Use secure portals or encrypted email, never unencrypted email. Document outcome data authorizations.

Secure Workers Comp Documentation

Transition from email to secure portals or encrypted file transfer for workers comp documentation transmission. Train staff on encryption requirements. Document all disclosures.

Deploy EHR Access Controls

Configure role-based access limiting therapists to assigned patients. Enable audit logging. Implement multi-factor authentication for administrative access. Encrypt EHR in transit and at rest.

Conduct HIPAA Training

Provide training covering: open gym privacy, video recording consent, group therapy confidentiality, workers comp documentation, outcome data security, and telehealth. Document training completion.

Frequently Asked Questions

Can we video record patient exercises without consent if for training purposes?

No. Exercise videos are PHI and require explicit written consent regardless of purpose. Even if intended for therapist training or form correction, you must obtain patient consent. The consent should specify: recording purpose, how video will be stored, who can access it (therapist only vs. teaching), and retention period. Allow patients to request deletion at any time.

Can we email workers comp progress notes to insurers?

Only if using encrypted email with strong passwords. Unencrypted email violates HIPAA. Better alternatives: secure workers comp portals or encrypted file transfer services. If using email, consider services like ProtonMail with password protection. Never use standard unencrypted email for patient records. Document the transmission method in your workers comp authorization forms.

What do we tell patients about open gym privacy?

Disclose openly in patient intake forms: "We operate an open gym environment where other patients may observe your treatment. We limit identifying information (keep your name off visible treatment plans), but you should be aware other patients may observe your exercises and functional abilities. If this is a concern, please discuss with your therapist about private session options." This transparency satisfies HIPAA disclosure requirements while managing patient privacy expectations.

Can we use Zoom for telehealth physical therapy?

Not recommended. Standard Zoom is not HIPAA-compliant. Use Zoom for Healthcare (HIPAA-compliant version with BAA) or other HIPAA-certified platforms like Doxy.me, Teladoc. Ensure end-to-end encryption and that patients understand home privacy risks (close doors, minimize background visibility). Document consent for telehealth visits. Never record sessions without patient consent.

Get Expert PT Practice HIPAA Compliance Guidance

Medcurity helps Physical Therapy Practices navigate open gym privacy, video recording consent, group therapy confidentiality, and workers compensation documentation security.