← All Resources

HIPAA Compliance for Physical Therapy & Rehab Clinics: The Complete 2026 Guide

Physical therapy clinics operate under the same HIPAA rules as hospitals and physician offices. But the way PT is delivered — open treatment areas, hands-on care in shared spaces, home health visits, exercise video programs, and multi-location chains — creates privacy and security risks that most generic HIPAA guides never address.

If you’re a PT clinic owner or compliance lead, you’ve probably received generic HIPAA training that was written for a physician’s office. The examples don’t match your reality. Nobody in those training modules talks about what happens when a patient demonstrates their home exercise program on video in a gym-style treatment area, or how to handle ePHI when a therapist drives to three home health visits before returning to the clinic.

This guide covers the HIPAA challenges specific to physical therapy and rehabilitation settings — and what to do about them before the proposed 2026 Security Rule changes make the compliance bar significantly higher.

Why PT Clinics Face Unique HIPAA Challenges

Physical therapy is fundamentally different from most outpatient healthcare settings. A dermatologist sees patients in private rooms with closed doors. A PT clinic typically treats multiple patients simultaneously in a shared space, with therapists calling out exercise instructions, discussing progress, and coordinating with aides and techs — all within earshot of other patients.

This isn’t a design flaw. It’s how physical therapy works. Group treatment areas are efficient, allow therapists to supervise multiple patients, and are sometimes clinically necessary for functional training. But from a HIPAA perspective, every one of these operational realities is an incidental-disclosure risk, and the Privacy Rule only tolerates incidental disclosures when you can show you applied reasonable safeguards and the minimum necessary standard. If you can’t show that, the same conversation becomes a reportable impermissible disclosure.

The Office for Civil Rights (OCR) doesn’t give PT clinics a pass because open treatment is standard practice. If a patient files a complaint about overhearing another patient’s diagnosis discussed during treatment, OCR can open an investigation. And that investigation won’t stop at the complaint: OCR routinely asks for the risk analysis, policies, and training records behind your entire compliance program.

Open Floor Plans and Shared Treatment Areas

This is the single biggest HIPAA challenge unique to physical therapy. Most PT clinics have some combination of open gym areas, treatment tables separated by curtains rather than walls, and shared exercise equipment. Patients are often within a few feet of each other during treatment.

The privacy risks are constant:

What you need to implement:

  1. Reasonable safeguards for verbal communications. HIPAA doesn’t require absolute silence — it requires reasonable efforts to limit incidental disclosures. Use lower voices for clinical discussions. Move sensitive conversations (new diagnoses, psychological factors, insurance issues) to a private area. Train staff on what constitutes minimum necessary information during treatment.

  2. Screen positioning and privacy filters. Every workstation in the treatment area must be positioned so that screens face away from patient traffic. Use privacy screen filters on monitors and tablets. Enable automatic screen lock after a short period of inactivity. HIPAA sets no fixed interval, but a treatment-floor workstation that a therapist walks away from mid-visit justifies something on the order of 60 seconds, not the five-minute (or longer) default most operating systems ship with.

  3. Scheduling boards and patient identifiers. If you use a whiteboard to track the day’s schedule, use patient initials or ID numbers rather than full names paired with treatment details. Better yet, move to a digital scheduling display visible only to staff.

  4. Documentation policies for the treatment floor. Paper documentation left on treatment tables, clipboards with patient information in shared areas, and printed home exercise programs sitting in the printer tray are all HIPAA exposures. Establish clear policies for when paper PHI can be on the treatment floor and how quickly it must be secured.

In 2016, the Minnesota-based Allina Health system paid $1.4 million to settle an OCR investigation that originated, in part, from the way patient information was handled in shared clinical spaces. The investigation revealed systemic failures in physical safeguards — the kinds of issues that open-plan PT clinics face every day.

Home Health Visits: Taking ePHI Outside the Facility

Physical therapists who provide home health services carry ePHI with them — on laptops, tablets, phones, and sometimes paper documentation. Every home visit creates HIPAA risk that doesn’t exist in a controlled clinic environment.

The risks specific to home health PT:

OCR has been clear that mobile device security failures are a leading cause of enforcement actions. In 2020, Lifespan Health System Affiliated Covered Entity paid $1.04 million to settle an OCR investigation that began when an unencrypted laptop was stolen from an employee’s car in 2017. The device contained ePHI for more than 20,000 patients. It didn’t matter that the theft wasn’t the employee’s fault; OCR faulted the organization for allowing unencrypted ePHI on a portable device in the first place, and for not having the risk analysis and device-management policies that would have caught it.

What your home health PT program needs:

  1. Full-disk encryption on every device. Laptops, tablets, and phones used for patient care must have full-disk encryption enabled (BitLocker, FileVault, or the built-in encryption on iOS and Android). Under the proposed 2026 Security Rule, encryption of ePHI at rest moves from addressable to required, with only the narrow exceptions written into the rule itself; there’s no more documenting why you chose not to encrypt.

  2. VPN or an equivalent protected channel for remote access. Therapists accessing your EHR from patient homes, coffee shops, or their own homes must do so over an encrypted connection. A cloud EHR reached over TLS already encrypts ePHI in transit, but a VPN (or a zero-trust access gateway) also keeps the device itself off a hostile network and lets you restrict EHR access to managed devices. Either way, the proposed rule requires ePHI in transit to be encrypted regardless of whose Wi-Fi the therapist is on.

  3. Remote wipe capability. Every mobile device must be enrolled in a mobile device management (MDM) system that allows you to remotely wipe the device if it’s lost or stolen. You need to be able to act within hours, not days.

  4. Prohibition on local storage. Patient information should be accessed through cloud-based systems, not downloaded and stored locally on devices. If local storage is necessary, it must be encrypted and automatically purged.

  5. Vehicle security policy. If therapists transport devices between visits, the devices should be locked in the trunk — not left on the passenger seat. This sounds basic, but it’s the exact scenario behind multiple OCR enforcement actions.
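The five requirements above (plus the short screen-lock interval from the treatment-floor section) are only useful if you check them against what your devices actually report. Below is an added example, not code from the original guide or from any MDM vendor, that audits a constructed MDM inventory export against those requirements and lists every device that fails. The column names, the 60-second lock limit, and the two-day check-in threshold are assumptions for the example; map them to the export format and thresholds your own risk analysis settles on.

```python
"""Audit a mobile-device inventory export against the home-health device policy.

Added example with constructed data: the CSV columns below are assumed, not the
schema of any particular MDM product. Run it as-is to see the report.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy thresholds assumed for this example; adjust to your own risk analysis.
MAX_SCREEN_LOCK_SECONDS = 60          # lock after a minute, not five
MAX_CHECKIN_AGE = timedelta(days=2)   # a device MDM hasn't seen can't be wiped quickly

# Constructed inventory export (four devices; only TAB-1001 is fully compliant).
SAMPLE_EXPORT = """\
serial,assigned_to,os,disk_encrypted,mdm_enrolled,remote_wipe,screen_lock_seconds,local_phi_cache,cache_auto_purge,last_checkin
TAB-1001,therapist.a,ipados,true,true,true,60,false,false,2026-03-02T15:20:00Z
LAP-2002,therapist.b,windows,false,true,true,300,true,false,2026-03-03T07:00:00Z
PHN-3003,therapist.c,android,true,false,false,,true,true,2026-02-10T12:00:00Z
LAP-2004,therapist.d,macos,true,true,true,30,false,false,2026-02-20T09:00:00Z
"""
NOW = datetime(2026, 3, 3, 9, 0, tzinfo=timezone.utc)   # "today" for the constructed data


@dataclass
class Device:
    serial: str
    assigned_to: str
    disk_encrypted: bool
    mdm_enrolled: bool
    remote_wipe: bool
    screen_lock_seconds: Optional[int]   # None: no automatic lock configured
    local_phi_cache: bool                # EHR app allowed to keep records offline
    cache_auto_purge: bool               # offline records expire automatically
    last_checkin: datetime


def _flag(value: str) -> bool:
    return value.strip().lower() == "true"


def parse_export(text: str) -> list[Device]:
    """Turn the CSV export into Device records; blank lock interval means no lock."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        lock = row["screen_lock_seconds"].strip()
        devices.append(Device(
            serial=row["serial"],
            assigned_to=row["assigned_to"],
            disk_encrypted=_flag(row["disk_encrypted"]),
            mdm_enrolled=_flag(row["mdm_enrolled"]),
            remote_wipe=_flag(row["remote_wipe"]),
            screen_lock_seconds=int(lock) if lock else None,
            local_phi_cache=_flag(row["local_phi_cache"]),
            cache_auto_purge=_flag(row["cache_auto_purge"]),
            last_checkin=datetime.fromisoformat(row["last_checkin"].replace("Z", "+00:00")),
        ))
    return devices


def audit_device(dev: Device, now: datetime) -> list[str]:
    """Return every policy failure for one device; an empty list means compliant."""
    findings = []
    if not dev.disk_encrypted:
        findings.append("no full-disk encryption")
    if not dev.mdm_enrolled:
        findings.append("not enrolled in MDM (no remote wipe possible)")
    else:
        if not dev.remote_wipe:
            findings.append("MDM enrolled but remote wipe disabled")
        age = now - dev.last_checkin
        if age > MAX_CHECKIN_AGE:
            findings.append(f"no MDM check-in for {age.days} days (remote wipe cannot reach it)")
    if dev.screen_lock_seconds is None:
        findings.append("no automatic screen lock")
    elif dev.screen_lock_seconds > MAX_SCREEN_LOCK_SECONDS:
        findings.append(f"screen lock {dev.screen_lock_seconds}s exceeds {MAX_SCREEN_LOCK_SECONDS}s limit")
    # Local storage is tolerated only when it is both encrypted and auto-purged.
    if dev.local_phi_cache and not (dev.disk_encrypted and dev.cache_auto_purge):
        findings.append("local ePHI storage without encryption and automatic purge")
    return findings


def audit_inventory(devices: list[Device], now: datetime) -> dict[str, list[str]]:
    """Map serial -> findings for every non-compliant device."""
    return {d.serial: f for d in devices if (f := audit_device(d, now))}


if __name__ == "__main__":
    for serial, problems in audit_inventory(parse_export(SAMPLE_EXPORT), NOW).items():
        print(serial)
        for p in problems:
            print("  -", p)
```

Run this against a real export on a schedule, and treat any device that appears in the report as out of scope for home visits until it is fixed. The stale check-in rule matters more than it looks: a device that has not talked to MDM in days is one you cannot wipe on the day it goes missing.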

Multi-Location PT Chains: Maintaining Consistency Across Sites

Physical therapy is one of the most fragmented specialties in terms of practice structure. Many PT businesses operate 3, 5, 10, or more locations. Each location may have its own workflows, its own front desk staff, and its own habits around patient data handling.

HIPAA doesn’t care that your Westside location has great compliance practices. If your Eastside location is using shared logins, leaving patient charts on treatment tables, and faxing records to the wrong number, the entire organization is liable.

The multi-site challenges for PT chains:

What multi-site PT practices need:

  1. A single, centralized compliance program with policies that apply uniformly across all locations. Each site can have location-specific procedures (e.g., where the secure shredding bin is located), but the core policies must be the same.

  2. Annual compliance audits at every location, not just headquarters. Walk through each site and look at it through a patient’s eyes — what can they see, hear, and access?

  3. Centralized access management. One system for creating, modifying, and terminating user accounts across all locations. When a therapist at your North location transfers to your South location, their access should be updated the same day — not three weeks later.

  4. Standardized onboarding and offboarding procedures that are followed at every location, with documentation that can be produced during an audit.
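Centralized access management (item 3) is only verifiable if someone regularly compares who HR says works where against who the EHR says can log in where. Below is an added example, not part of the original guide or of any EHR or HR product, that reconciles a constructed HR roster with a constructed EHR user export and reports three things an auditor will ask about: terminated employees whose accounts are still enabled, transferred therapists whose EHR access is still scoped to their old location, and accounts with no employee behind them (the usual sign of a shared front-desk login). Column names and the location values are assumptions for the example.

```python
"""Reconcile an HR roster against EHR user accounts across clinic locations.

Added example with constructed data; the CSV columns are assumed, not the export
format of any particular HR or EHR system.
"""
import csv
import io

# Constructed HR roster: who is employed, and at which location.
HR_ROSTER = """\
employee_id,name,status,location
E100,Ana Ruiz,active,north
E101,Ben Ito,active,south
E102,Cara Lee,terminated,north
E103,Dev Shah,active,east
"""

# Constructed EHR user export: bito transferred to south but access still says north,
# clee was terminated but is still enabled, frontdesk-east has no employee behind it.
EHR_USERS = """\
username,employee_id,enabled,location,role
aruiz,E100,true,north,therapist
bito,E101,true,north,therapist
clee,E102,true,north,therapist
frontdesk-east,,true,east,scheduler
dshah,E103,false,east,therapist
"""


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text: str, ehr_text: str) -> dict[str, list[str]]:
    """Map EHR username -> list of access problems; compliant accounts are omitted."""
    roster = {r["employee_id"]: r for r in _rows(hr_text)}
    findings: dict[str, list[str]] = {}
    for user in _rows(ehr_text):
        problems = []
        enabled = user["enabled"].strip().lower() == "true"
        emp_id = user["employee_id"].strip()
        emp = roster.get(emp_id)
        if not emp_id:
            # No person is accountable for this login; shared credentials defeat audit trails.
            problems.append("no employee linked: likely a shared or generic login")
        elif emp is None:
            problems.append(f"employee {emp_id} not in HR roster")
        else:
            if emp["status"] != "active" and enabled:
                problems.append("employee terminated but account still enabled")
            if emp["status"] == "active" and enabled and emp["location"] != user["location"]:
                problems.append(
                    f"HR location {emp['location']} but EHR access scoped to {user['location']}"
                )
        if problems:
            findings[user["username"]] = problems
    return findings


if __name__ == "__main__":
    for username, problems in reconcile(HR_ROSTER, EHR_USERS).items():
        print(username)
        for p in problems:
            print("  -", p)
```

Keep each run's output with the date it was produced; that record is the evidence of "documentation that can be produced during an audit" in item 4, and a report that is empty week after week is exactly what you want to be able to show.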

For a deeper look at multi-site compliance, see our guide to HIPAA compliance for practices with multiple locations.

PT-Specific Documentation Requirements

Physical therapy documentation has its own HIPAA considerations that go beyond standard medical records.

Treatment notes in shared systems. Many PT clinics use EHR systems designed for general medical practice, with physical therapy-specific modules bolted on. These systems may not have granular enough access controls to limit what different staff roles can see. A front desk employee who needs access to scheduling shouldn’t automatically have access to detailed treatment notes, functional assessments, or psychosocial information documented by the therapist.

Functional outcome measures. PT documentation often includes detailed functional assessments — what a patient can and cannot do physically, their pain levels, their limitations in daily activities. This information is ePHI that requires the same protection as any medical record, but it’s also the type of information that gets casually discussed in treatment areas or left on clipboards.

Referral and communication with other providers. PTs frequently communicate with referring physicians, surgeons, primary care providers, and specialists. Each of these communications must use secure channels. Faxing treatment summaries to a referring physician’s office is common in PT — but misdirected faxes are one of the most common HIPAA breaches in healthcare. Verify fax numbers before every transmission, and consider moving to secure electronic messaging.

Workers’ compensation documentation. PT clinics that handle workers’ comp cases must navigate the intersection of HIPAA and state workers’ compensation laws. Workers’ comp cases often involve communication with employers, insurers, and attorneys — each interaction requires careful attention to what information can be disclosed, to whom, and under what authorization.

Photos, Video, and Exercise Demonstrations

This is a rapidly growing risk area that many PT clinics haven’t addressed. The use of video and photography in physical therapy is expanding for clinical purposes, patient education, and marketing.

Clinical use of video and photos:

Every one of these creates ePHI. A video of a patient performing exercises in your clinic, paired with any identifying information (even if it’s just stored in a folder with the patient’s name), is protected health information under HIPAA.

What you need:

  1. Written consent that covers the specific use. A general consent-to-treat form does not cover photography or video recording. You need a separate, specific authorization that explains what will be recorded, how it will be stored, who will have access, and how long it will be retained.

  2. Secure storage. Patient videos and photos must be stored in HIPAA-compliant systems — not on a therapist’s personal phone camera roll, not in a personal iCloud or Google Photos account, and not on an unencrypted USB drive. If therapists use their personal phones to record clinical video, you need a clear policy that requires immediate upload to a secure system and deletion from the personal device.

  3. Marketing use requires separate authorization. If you want to use a patient’s photo or video in marketing materials, social media, or your website, you need a separate HIPAA authorization specifically for that purpose. This is distinct from clinical consent. The authorization must describe the specific content, the intended use, and the patient’s right to revoke.

  4. Background patients. If you record a video of one patient in your open treatment area, other patients may be visible or audible in the background. Those background patients have not authorized being recorded, and once they are identifiable in the file, their image and any overheard clinical detail travel with it wherever the video is stored or shared. Record in private areas, or ensure no other patients are identifiable in the recording.

The social media trap: Many PT clinics post patient success stories, transformation photos, or exercise demonstrations on Instagram, Facebook, or TikTok. Even with the patient’s verbal permission, this is a HIPAA violation without a written authorization that specifically covers social media use. “They said it was fine” is not a defense in an OCR investigation.

Third-Party Billing Companies and BAAs

Physical therapy billing is notoriously complex — different payer requirements, prior authorization workflows, the 8-minute rule, and constant claim denials make outsourced billing common in PT. Over a third of PT practices use a third-party billing company or revenue cycle management service.

Every one of these billing companies is a business associate under HIPAA. They handle patient names, dates of birth, insurance information, diagnosis codes, treatment codes, and payment data. You need a signed Business Associate Agreement with each one.

But a signed BAA is not enough. Under the proposed 2026 Security Rule, covered entities would be required to verify that business associates have actually implemented the required safeguards. This means you can’t just sign the BAA and file it away — you need to understand how your billing company protects your patient data, whether they encrypt it, how they control access, and whether they’ve had any breaches.

What to verify with your billing company:

Don’t forget your other business associates. Beyond billing, PT clinics commonly have BA relationships with EHR vendors, cloud storage providers, IT support companies, telehealth platforms, patient engagement apps, secure messaging services, and — increasingly — AI-powered documentation tools. Each one needs a current BAA.

How the Proposed 2026 Security Rule Changes Affect PT Clinics

The proposed 2026 HIPAA Security Rule update represents the most significant overhaul in over two decades, and several changes hit PT clinics particularly hard. The final rule is expected around mid-2026, with a compliance deadline approximately 240 days after publication.

Key changes that matter for PT:

  1. No more “addressable” safeguards. Under the current rule, PT clinics could document why certain safeguards (like encryption or automatic logoff) weren’t reasonable and appropriate and implement alternative measures. Under the proposed rule, every specification would be required, and the only exceptions would be the narrow ones written into the rule itself, each of which must still be documented.

  2. Mandatory encryption of ePHI at rest and in transit. Every device that touches ePHI, from the tablet a home health therapist carries to the laptop at the front desk and the workstation in the treatment area, must have full-disk encryption, and every connection that carries ePHI must be encrypted. Outside the rule’s limited exceptions, this is no longer optional.

  3. Mandatory multi-factor authentication. Every system containing ePHI must require MFA. For PT clinics with shared workstations in treatment areas, this means rethinking how therapists log in between patients; badge-tap or proximity-based sign-in with individual accounts is the usual answer, not a shared password. Speed matters in a clinical setting, but convenience can’t override security.

  4. Business associate verification. You’ll need to obtain written verification, at least once every 12 months, from every business associate that they’ve implemented the required safeguards. For a PT clinic with a billing company, EHR vendor, telehealth platform, and IT support provider, this means managing verification for multiple vendors annually.

  5. 72-hour restoration and 24-hour business associate notification. The proposed rule would require written procedures to restore critical electronic information systems and data within 72 hours of a loss, and would require business associates to notify you within 24 hours of activating their contingency plans. It does not change the Breach Notification Rule, which still gives you 60 days to notify HHS of a breach affecting 500 or more individuals. Together these timelines mean your incident response and contingency plans must be rehearsed and ready, not sitting in a binder on a shelf.

For the full breakdown, see our detailed analysis of the proposed 2026 HIPAA Security Rule changes.

PT Practice HIPAA Compliance Checklist

Use this as a starting point to evaluate your practice’s current compliance posture. This is not exhaustive — a full risk analysis covers significantly more — but it addresses the PT-specific gaps that most clinics miss.

Physical Safeguards

Home Health and Mobile Devices

Photos and Video

Business Associate Agreements

Training and Documentation

Multi-Location (if applicable)

For a more comprehensive assessment, take our HIPAA Risk Assessment Quiz or download our 93-Point HIPAA Compliance Checklist.

How ComplyMD Helps PT Clinics Stay Compliant

Physical therapy practices don’t need another binder of generic HIPAA policies that were written for a hospital. You need compliance guidance that understands open treatment areas, home health workflows, multi-site operations, and the specific ways PT clinics create, store, and share patient information.

ComplyMD is built for practices like yours. Our platform provides:

HIPAA compliance for PT clinics isn’t about checking boxes. It’s about building systems that protect your patients and your practice in the specific environment where you deliver care. The open gym, the home visit, the exercise video, the multi-site scheduling system — each one requires thought, not just a form.

Join the ComplyMD early access waitlist to get PT-specific compliance tools before the 2026 Security Rule changes take effect.

Ready to simplify your HIPAA compliance?

ComplyMD helps small healthcare practices build and maintain a complete HIPAA compliance program — without the consultant price tag.

Join the Waitlist