
How to Manage HIPAA Risks for Your Physical Therapy Practice – 5 Best Practices You Can Begin TODAY!

Posted On: February 16, 2022


Large practices may have the resources for a larger and more complex HIPAA risk mitigation plan, but even a small practice can effectively manage its risk in house with the following tips – and do it cost-effectively.

It is important to be aware that PTs and PTAs must comply with HIPAA regulations.

One of the top priorities at your practice should be to assess possible data breaches at every turn. HIPAA defines “breach” as the acquisition, access, use, or disclosure of protected health information. Most businesses in the health care sector, including physical therapy and rehab practices, store a myriad of protected health information on file, including patient names, addresses, dates of birth, Social Security numbers, credit card numbers, etc. Each of these pieces of information is extremely valuable on the cyber black market, making any business in the health care industry, large or small, a prime target for a breach. And the costs of a breach are increasing – practices could pay fines over $50,000 per patient record that is breached. That means that, even for a small- to mid-sized practice, a breach could total millions and potentially lead to bankruptcy.

First and foremost, a risk assessment plan is essential to protecting your practice and avoiding a breach. At minimum, your risk assessment plan should include the following:

  1. Documentation is key. Document your risks, your procedures, your policies, AND your breaches. PTs who fall under HIPAA hold the burden of proof; you must be able to provide proof that you are and were compliant.

  2. Routinely assess your in-building risks – This is where you track and document your paper risk. Do you send out mail containing protected health information or call patients? If so, how do you check and confirm your addresses/phone numbers? If a letter or voicemail is sent to the wrong person and information is shared, that is a breach.

  3. Routinely assess your technological risks – Look at your policies regarding use of the internet, and ask yourself the following questions:

     1. Can your employees access your internet through WiFi?

     2. Where are your patient files kept?

     3. Who has access to your patient files? Keep documentation of physical risks. Track each person who has access to patient files.

  4. As you continue to assess your risks, your policies should reflect them. Create or enhance a social media risk management plan. Hacks can happen through clicks on a computer or on your employees’ personal devices. Employees should not have access to Facebook or sites like it (unless that person’s job is running your company pages). The employee(s) who run your company’s social media sites should be educated and reminded of how to use them without putting your company at risk.

  5. Educate your employees about HIPAA compliance, and be sure to consistently check for updates on changes to the law.

When handling protected health information, it is always better to be safe than sorry. It may take extra time and effort, but complying with HIPAA is necessary for a successful PT practice.

If you have any questions or concerns regarding the risk at your practice, contact your VGM Insurance Services Account Manager or contact us today at or 866-286-5288. Be sure to also ask about the online HIPAA training courses that are available through our affiliate company, VGM Education.
