By Specialty

HIPAA Risk Analysis for a Physical Therapy Practice

5 min read · Last reviewed May 22, 2026

PT practices are full HIPAA covered entities

A physical therapy practice that bills payers electronically is a covered entity under 45 CFR 160.103, and that triggers the full Security Rule. The risk analysis requirement at 164.308(a)(1)(ii)(A)(1)(ii)(A)) is the same one that applies to a primary care office or a hospital. The HHS Guidance on Risk Analysis does not vary by specialty.

PT practices often run leaner IT than physician offices. That lean stack still needs a written, dated risk analysis covering every system that touches ePHI.

The ePHI inventory in a PT setting

The typical small PT or OT clinic carries:

  • A rehab-focused EHR or general outpatient EHR (WebPT, TheraOffice, Raintree, Prompt, Net Health, Practice Perfect, Clinicient)
  • Documentation tablets and home-exercise app integrations
  • Patient outreach and recall systems
  • Payer eligibility and authorization platforms
  • Outpatient claims clearinghouse
  • Outcome assessment tools (FOTO, KOOS, DASH, ODI scoring platforms)
  • Functional capacity evaluation tools
  • Wearables and remote therapeutic monitoring devices for RTM CPT codes (98975-98981)
  • Telehealth platform
  • Marketing automation and review-request tools
  • Physical and digital exercise plans printed or emailed to patients
  • Personal phones used for after-hours communication with patients

For each system, write down the data flow, who has access, retention, backup, and Business Associate Agreement status under 45 CFR 164.504(e)).

Threats common in outpatient rehab

The risk analysis must consider reasonably anticipated threats. For PT clinics the recurring patterns include:

  • Open-floor gym layouts where documentation screens are visible to other patients
  • Shared documentation laptops cycled between treatment areas
  • Per-patient handouts printed and left at workstations between sessions
  • Patient walk-by tablets used for self-check-in
  • Pelvic-floor and other sensitive treatment documentation
  • Workers' compensation correspondence with employers (mind the disclosure scope at 164.512(l)))
  • Home health visits performed by a PT employee using a tablet on home wifi
  • RTM data uploaded from patient-owned wearables to the clinic's monitoring platform
  • Personal phones used to text exercise videos or follow-ups to patients
  • Cloud storage accounts (Google Drive, OneDrive) used for ad hoc document sharing without a BAA
  • Direct-access practices that collect payer eligibility but lack physician oversight

Each scenario gets a likelihood and impact rating consistent with NIST SP 800-30 and the HIPAA-specific application in NIST SP 800-66 r2.

Workers' compensation is HIPAA-adjacent but not exempt

Workers' compensation is one of the few payer relationships with a specific Privacy Rule disclosure provision at 164.512(l)). PT practices that take a high volume of workers' comp cases need to document how minimum-necessary applies to employer and adjuster communications and how ePHI flowing to those parties is logged and protected. The Security Rule still governs the electronic transmission.

Mapping to the Security Rule

The analysis output must cover:

The mapping must address every standard and each implementation specification. Addressable specifications need documented decisions (implement, alternative, or not reasonable and appropriate with reasoning).

Multi-site practices need scope clarity

PT groups often run 3 to 12 clinics under one tax ID. The risk analysis is at the covered-entity level, so a multi-site group writes one analysis that scopes each location's facility access controls, network topology, and device inventory. The Affiliated Covered Entity arrangement at 164.105(b)) and the Organized Health Care Arrangement structure at 164.501 are options for groups with shared workforce or shared records, and the SRA should state which (if any) applies.

Re-evaluation cadence

Section 164.308(a)(8)(8)) requires periodic evaluation. The OCR guidance is explicit that risk analysis is ongoing. The practical pattern is annual full refresh plus event-triggered refreshes whenever a major change occurs (new clinic, new EHR module, new RTM vendor, breach, payer audit).

What the binder contains

A defensible PT clinic SRA package usually contains:

  • A dated ePHI inventory and scope statement
  • Site-by-site facility and workstation review notes
  • A threat and vulnerability list with likelihood and impact ratings
  • A safeguard inventory tied to each Security Rule standard
  • A risk register with residual risk and remediation plan
  • Decisions on addressable specifications
  • Telehealth and RTM platform review records
  • Sign-off by the Security Official under 164.308(a)(2)(2))
  • A re-evaluation schedule

How D3rx supports this

D3rx SRA Binder Studio is a self-directed SRA documentation aid for outpatient rehab practices. It walks the Security Rule specifications in plain English, prompts for site-by-site detail, surfaces RTM and telehealth questions, and assembles the resulting binder with citations back to HHS, OCR, eCFR, and NIST. It does not replace counsel; it is a point-in-time documentation aid, and the practice remains responsible for the substance of every answer.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR 160.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
  2. 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
  3. Guidance on Risk Analysishttps://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
  4. 45 CFR 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
  5. 164.512(l)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.512#p-164.512(l
  6. SP 800-30https://csrc.nist.gov/pubs/sp/800/30/r1/final
  7. SP 800-66 r2https://csrc.nist.gov/pubs/sp/800/66/r2/final
  8. 164.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
  9. 164.310https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
  10. 164.312https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
  11. 164.105(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.105#p-164.105(b
  12. 164.501https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.501

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides