Healthcare | 34 min read | Deep Dive

HIPAA Risk Assessment for Physical Therapy Clinics

Learn how to conduct a HIPAA risk assessment for physical therapy clinics. Step-by-step guide covering ePHI, physical safeguards, and documentation. Get compliant today.


Why Physical Therapy Clinics Face Distinct HIPAA Risk Exposure

Physical therapy clinics handle some of the most sensitive categories of protected health information (PHI) in outpatient care: injury histories, functional assessments, imaging orders, insurance authorizations, and progress notes that document a patient's daily physical limitations. Yet many PT practices operate with lean administrative staff and IT budgets calibrated for a small clinic, not a healthcare enterprise — which creates a specific set of compliance gaps that the HIPAA Security Rule's required risk assessment is designed to surface.

The HIPAA Security Rule (45 CFR § 164.308(a)(1)) requires every covered entity — including physical therapy clinics — to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). This is not a one-time checkbox. HHS's Office for Civil Rights (OCR) has repeatedly identified an incomplete or absent risk analysis as the most frequently cited deficiency in enforcement actions against small and mid-size healthcare providers.

This guide walks physical therapy practice owners and administrators through the full risk assessment process: what to inventory, how to evaluate threats, how to document findings, and what controls to prioritize. It also covers the physical and operational factors unique to PT settings — including portable devices, telehealth platforms, and third-party billing vendors — that standard risk templates often miss.

HIPAA Enforcement: Healthcare Security By the Numbers

  • $4.88M: average cost of a data breach across all industries in the IBM Cost of a Data Breach Report 2024; the healthcare-sector average in the same report was $9.77M, the highest of any industry
  • 68% of OCR investigations cite a missing or inadequate risk analysis (HHS Office for Civil Rights enforcement data)
  • 277 days: average time to identify a healthcare breach (IBM Cost of a Data Breach Report 2024)

What the HIPAA Security Rule Actually Requires

The Security Rule applies to ePHI — any PHI that is created, received, maintained, or transmitted in electronic form. For a physical therapy clinic, this includes your electronic health records (EHR) system, patient scheduling software, billing platforms, telehealth video tools, email containing patient information, and any portable devices (tablets, laptops) used by therapists during or after sessions.

Under 45 CFR § 164.308(a)(1)(ii)(A), the required risk analysis must:

  • Identify the scope of all ePHI your clinic creates, receives, maintains, or transmits
  • Identify all reasonably anticipated threats to that ePHI
  • Assess the current security measures already in place
  • Determine the likelihood and potential impact of each threat
  • Assign a risk level to each identified vulnerability
  • Document the entire process and retain that documentation

The companion implementation specification at § 164.308(a)(1)(ii)(B), risk management, requires you to implement security measures sufficient to reduce identified risks to a reasonable and appropriate level. Both risk analysis and risk management are required implementation specifications, not addressable ones: there is no option to substitute an alternative or to document a decision not to perform them. The "implement it or document why an equivalent alternative was chosen" flexibility belongs only to the Rule's addressable specifications (encryption at § 164.312(a)(2)(iv) is the usual example), and even there the decision and its rationale must be written down.

For a thorough overview of the broader compliance framework, see our HIPAA compliance guide covering all three rules and their interaction.

Common PT Clinic Misconception

Using your EHR vendor's security attestation does not satisfy your risk analysis requirement. Your vendor's compliance posture covers their systems. Your obligation under 45 CFR § 164.308(a)(1) is to assess risks across your entire operating environment — including how your staff accesses, transmits, and stores ePHI regardless of which platform they use.

Step 1: Define the Scope — Map Every ePHI Data Flow

The foundation of any valid HIPAA risk assessment is a complete ePHI inventory. Physical therapy clinics frequently undercount their data assets because ePHI flows through more systems than the EHR alone. Begin by mapping every location where ePHI exists or passes through.

Systems to Include in Your PT Clinic Inventory

Start with your core clinical platforms: your EHR or practice management system, your scheduling and appointment reminder tool (many send SMS or email containing appointment details that qualify as ePHI), and your billing software or clearinghouse portal. Add any telehealth platform you use for remote sessions — these became common during the 2020 public health emergency and many clinics never formally assessed them.

Beyond software, physical therapy clinics often have ePHI in less obvious locations:

  • Portable tablets or laptops therapists carry between treatment rooms or take off-site for home health visits
  • Shared workstations at the front desk where intake forms, insurance cards, and referral faxes are scanned and stored
  • Cloud storage or shared drives used informally for uploading exercise videos, home programs, or outcomes data
  • Email accounts, particularly personal Gmail or Outlook accounts staff may use when the clinic's system is unavailable
  • Fax-to-email gateways, which receive physician referrals and imaging results as digital files
  • Third-party billing vendors or virtual front desk services who access your systems via remote desktop or direct integration

Document each system, who has access, whether it is hosted on-premise or in the cloud, and what type of ePHI it processes. This inventory becomes the scope boundary for all subsequent risk analysis steps.

HIPAA Risk Assessment: Phase-by-Phase Process

1

Inventory All ePHI Assets and Data Flows

Document every system, device, and workflow that creates, receives, stores, or transmits ePHI — including EHR, billing software, telehealth platforms, portable devices, and third-party vendors.

2

Identify Threats and Vulnerabilities

Catalog reasonably anticipated threats: ransomware, phishing, unauthorized access, lost/stolen devices, improper disposal, and insider misuse. Map each threat to the specific systems in your inventory.

3

Assess Existing Controls

Document current technical, physical, and administrative safeguards. Note where controls are absent, partial, or undocumented — these gaps become your risk findings.

4

Assign Likelihood and Impact Ratings

Rate each threat-vulnerability pair on likelihood (high/medium/low) and potential impact on ePHI confidentiality, integrity, or availability. Multiply to derive a risk level.

5

Prioritize and Document Risk Response

For high and medium risks, document the remediation action, responsible party, and target completion date in a Risk Management Plan. Retain all documentation for at least six years.

6

Review and Update Annually (or After Changes)

Repeat or update the assessment whenever you add new systems, change vendors, expand services, hire staff, or experience a security incident. OCR expects a living process, not a one-time document.

Step 2: Identify Threats Specific to PT Clinic Environments

Healthcare threat analysis tends to focus on large hospital systems, but physical therapy practices face a distinct threat profile driven by their size, patient demographics, and operational model. The HHS guidance on risk analysis instructs covered entities to consider threats specific to their environment — not just generic industry threats.

Ransomware and Phishing

The 2024 Verizon Data Breach Investigations Report again placed healthcare among the sectors most affected by ransomware, with system intrusion (the pattern that includes most ransomware cases) among the top three incident patterns for the industry. For PT clinics, the most common entry point is a phishing email targeting front desk staff or billing coordinators — roles that regularly receive external emails from insurance companies, attorneys, and referring physicians, making social engineering effective. A single compromised credential can expose your entire EHR if multi-factor authentication (MFA) is not enforced.

Lost and Stolen Devices

Therapists who conduct home health visits or work across multiple clinic locations frequently carry tablets, laptops, or personal smartphones with patient information. Under the Breach Notification Rule, the loss or theft of a device holding unencrypted ePHI is presumed to be a reportable breach unless a documented four-factor risk assessment shows a low probability that the data was compromised — and "the thief probably only wanted the hardware" does not meet that bar. Devices encrypted in line with HHS guidance fall under the breach safe harbor, which is why full-disk encryption and remote-wipe capability are not optional safeguards in a mobile care environment.

Vendor and Business Associate Risk

Most PT clinics use at least three to five third-party vendors who access or process ePHI: EHR vendor, billing service, clearinghouse, telehealth platform, and possibly a managed IT provider. Each of these relationships requires a signed business associate agreement (BAA); see our business associate agreement template for healthcare vendors. Absent a BAA, your clinic bears liability for that vendor's handling of your patients' data, and the missing agreement is itself a violation. A complete risk assessment inventories all vendor relationships and confirms BAA status for each.

Insider Access and Privilege Creep

Staff turnover in outpatient PT is high relative to other healthcare settings. When employees leave — or when roles change — access privileges often remain active longer than they should. Reviewing user access against the minimum-necessary standard (45 CFR § 164.514(d)), following the Security Rule's termination procedures (45 CFR § 164.308(a)(3)(ii)(C)), and revoking credentials on the day of departure are controls that directly reduce insider threat exposure. A periodic reconciliation of the EHR user list against the HR roster is the simplest way to catch orphaned accounts, privilege creep, and long-dormant logins.
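The reconciliation described above, as an added example (this is not code from the original page or from any EHR vendor). It assumes two exports you can usually pull as CSV: the HR roster and the EHR user list. The sample data, the review date, the 90-day inactivity threshold, and the role-to-privilege matrix are all constructed for the illustration; replace them with your clinic's own.

```python
import csv
import io
from datetime import date, datetime

REVIEW_DATE = date(2025, 1, 15)   # date the access review is run (assumed)
STALE_AFTER_DAYS = 90             # inactivity threshold (assumed clinic policy)

# Hypothetical minimum-necessary matrix: the EHR privilege level each job role needs.
# Ranks order privilege levels from least to most powerful so "more than needed" is comparable.
PRIVILEGE_RANK = {"scheduling": 1, "billing": 2, "clinical": 3, "admin": 4}
ROLE_NEEDS = {
    "front desk": "scheduling",
    "billing coordinator": "billing",
    "physical therapist": "clinical",
    "pt assistant": "clinical",
    "practice manager": "admin",
}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample exports (not real people or accounts).
HR_ROSTER = """employee_id,name,job_role,status,termination_date
E001,Ana Ruiz,physical therapist,active,
E002,Ben Ito,front desk,terminated,2024-11-30
E003,Cara Diaz,billing coordinator,active,
E004,Dev Patel,pt assistant,active,
E005,Eve Chen,practice manager,active,
"""

EHR_USERS = """username,employee_id,privilege,enabled,last_login
aruiz,E001,clinical,true,2025-01-14
bito,E002,scheduling,true,2024-11-29
cdiaz,E003,clinical,true,2025-01-13
dpatel,E004,clinical,true,2024-09-01
echen,E005,admin,true,2025-01-15
frontdesk2,,scheduling,true,2025-01-10
"""


def load_csv(text):
    """Parse a CSV export held in memory into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_csv, ehr_csv, today=REVIEW_DATE):
    """Reconcile enabled EHR accounts against the HR roster.

    Returns (username, severity, reason) tuples, highest severity first:
      HIGH   - account belongs to a terminated employee, or to nobody on the roster
      MEDIUM - privilege level exceeds what the job role needs (privilege creep)
      LOW    - no login for longer than STALE_AFTER_DAYS
    """
    staff = {row["employee_id"]: row for row in load_csv(hr_csv)}
    findings = []
    for acct in load_csv(ehr_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # a disabled account carries no live access
        user, emp_id = acct["username"], acct["employee_id"]
        person = staff.get(emp_id)
        if person is None:
            findings.append((user, "HIGH", "no matching employee on roster (shared or unknown account)"))
            continue
        if person["status"] == "terminated":
            findings.append((user, "HIGH",
                             f"employee terminated {person['termination_date']} but account still enabled"))
            continue
        needed = ROLE_NEEDS.get(person["job_role"])
        if needed and PRIVILEGE_RANK[acct["privilege"]] > PRIVILEGE_RANK[needed]:
            findings.append((user, "MEDIUM",
                             f"{acct['privilege']} privilege exceeds minimum necessary "
                             f"({needed}) for role {person['job_role']}"))
        last_login = datetime.strptime(acct["last_login"], "%Y-%m-%d").date()
        idle_days = (today - last_login).days
        if idle_days > STALE_AFTER_DAYS:
            findings.append((user, "LOW", f"no login in {idle_days} days; confirm access is still required"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[1]])  # stable: keeps export order within a tier
    return findings


if __name__ == "__main__":
    for user, severity, reason in review_access(HR_ROSTER, EHR_USERS):
        print(f"{severity:<6} {user:<12} {reason}")
```

Run it quarterly and keep the output with your risk assessment records: each HIGH line is an account to disable today, each MEDIUM line is a privilege to reduce, and the dated printout is the evidence that the review happened.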

Core Safeguard Categories for Physical Therapy Clinics

Technical Safeguards

Encryption at rest and in transit for all ePHI, MFA on EHR and email, automatic logoff on shared workstations, and audit logging for access to patient records.

Physical Safeguards

Workstation use policies, screen privacy filters in open treatment areas, secure disposal of hardware and paper PHI, and controlled access to server rooms or networking equipment.

Administrative Safeguards

Workforce training on phishing and data handling, documented access control procedures, contingency planning, and a formal sanction policy for policy violations.

Step 3: Evaluate Physical Safeguards in the Clinic Setting

The HIPAA Security Rule's Physical Safeguards standard (45 CFR § 164.310) is often underweighted in risk assessments for outpatient practices. Physical therapy clinics present specific exposure points that a desk-based office does not.

Workstation Visibility

Treatment tables are frequently positioned so that a therapist's laptop screen — displaying the patient's chart — is visible to other patients in an open gym layout. This is the workstation use and workstation security problem that 45 CFR § 164.310(b) and (c) address, and it collides directly with typical PT clinic design. Workstation use policies should specify screen orientation, privacy filter requirements, and automatic logoff timers (the Rule sets no fixed value; 15 minutes of inactivity is a common choice, and shorter is better for screens in open treatment areas).

Front Desk Exposure

The check-in and check-out process at many PT clinics involves staff reading patient information aloud, displaying intake forms on a counter-facing monitor, or printing superbills in an area accessible to patients. Each of these scenarios is a physical safeguard gap. Your risk assessment should document these observations and assign a risk level based on the volume of patients who could overhear or observe PHI.

Paper-to-Digital Transitions

Many PT clinics receive paper referrals from physicians, scan them into the EHR, and then leave the originals in an unsecured inbox or recycling bin. The HIPAA Security Rule applies to ePHI specifically, but the Privacy Rule's minimum-necessary and safeguarding requirements cover paper PHI as well. Your risk assessment scope should note paper PHI handling even if the primary remediation focus is electronic systems.

For clinics managing mental health comorbidities alongside physical rehabilitation — a common scenario in chronic pain and post-surgical recovery — additional sensitivity considerations apply. See our analysis of HIPAA compliance for mental health practices for guidance on psychotherapy notes and substance use records.

Documenting Risk Levels and Building Your Risk Management Plan

A HIPAA risk assessment without documentation is legally equivalent to no risk assessment at all. OCR investigators reviewing your compliance will request the written assessment; an oral explanation of what you evaluated does not satisfy the requirement.

Risk Rating Methodology

Use a consistent scoring matrix that evaluates each identified threat against two dimensions: likelihood (how probable is this threat given your current controls?) and impact (what would be the effect on ePHI confidentiality, integrity, or availability?). Rate each dimension on a three-point scale (high/medium/low or 3/2/1) and multiply to derive an overall risk score. Document the rationale for each rating — this is what gives the assessment defensibility under audit.

High-risk findings (scores of 6 or 9 on the 9-point matrix) require immediate remediation planning. Medium-risk findings (3 or 4) require a documented plan with a target date. Low-risk findings (1 or 2) should still be documented even if no immediate action is taken, as they demonstrate that the item was considered and evaluated. Note that a 3x3 product can only ever be 1, 2, 3, 4, 6 or 9, so a "5" or "7" in a register is a sign someone rated outside the scale.

The Risk Management Plan

For each high and medium finding, document:

  • The specific vulnerability and system it affects
  • The control or action selected to reduce the risk
  • The responsible individual or role
  • The target completion date
  • The follow-up mechanism (next assessment, quarterly review, etc.)

Retain your completed risk assessment and risk management plan for a minimum of six years from the date of creation or the date it was last in effect — whichever is later — per 45 CFR § 164.316(b)(2).
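The scoring and planning steps above, worked through in code as an added example (not code from the original page). It implements the six-phase process the guide describes: an ePHI inventory, threat-vulnerability findings rated on the three-point scale, the 3x3 score, the High/Medium/Low tiers at the thresholds given above, an automatic finding for any business associate without a BAA on file, and a Risk Management Plan row for each High and Medium finding with the fields the guide lists. The sample assets and findings, the assessment date, the owner assignments and the 30/90-day target windows are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RATING = {"low": 1, "medium": 2, "high": 3}   # three-point scale used in the guide
ASSESSED_ON = date(2025, 1, 15)               # assessment date (assumed)
OWNERS = {"High": "Practice owner", "Medium": "Office manager"}   # assumed assignments


@dataclass
class Asset:
    """One row of the ePHI inventory (Step 1)."""
    name: str
    hosting: str                  # "cloud" or "on-premise"
    ephi_types: tuple
    is_vendor: bool = False       # third party touching ePHI on the clinic's behalf
    baa_signed: bool = True       # only meaningful when is_vendor is True


@dataclass
class Finding:
    """One threat-vulnerability pair mapped to an inventoried asset (Steps 2-4)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str               # low | medium | high
    impact: str                   # low | medium | high
    existing_control: str = "none documented"
    planned_action: str = "evaluate control options"

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if value not in RATING:
                raise ValueError(f"rating must be one of {sorted(RATING)}, got {value!r}")

    def score(self) -> int:
        # 3x3 matrix: the only reachable products are 1, 2, 3, 4, 6 and 9
        return RATING[self.likelihood] * RATING[self.impact]

    def tier(self) -> str:
        s = self.score()
        if s >= 6:
            return "High"
        if s >= 3:
            return "Medium"
        return "Low"


def baa_gap_findings(assets):
    """Vendor check: every business associate without a signed BAA becomes a High finding."""
    return [
        Finding(a.name, "vendor mishandling of ePHI", "no business associate agreement on file",
                "high", "high", "none", "execute BAA or terminate vendor access")
        for a in assets if a.is_vendor and not a.baa_signed
    ]


def risk_register(findings):
    """Step 5: order by score descending, then asset name, so the register is reproducible."""
    return sorted(findings, key=lambda f: (-f.score(), f.asset))


def management_plan(findings, owners=OWNERS, assessed_on=ASSESSED_ON):
    """One plan row per High or Medium finding, carrying the fields the guide requires.
    Target windows (30 days High, 90 days Medium) are an assumed clinic policy."""
    rows = []
    for f in risk_register(findings):
        tier = f.tier()
        if tier == "Low":
            continue  # documented in the register, but no plan row is required
        days = 30 if tier == "High" else 90
        rows.append({
            "system": f.asset, "vulnerability": f.vulnerability, "tier": tier, "score": f.score(),
            "action": f.planned_action, "owner": owners[tier],
            "target_date": (assessed_on + timedelta(days=days)).isoformat(),
            "follow_up": "30-day status review" if tier == "High" else "next annual assessment",
        })
    return rows


# Constructed sample inventory and findings for a single-location PT clinic.
INVENTORY = [
    Asset("EHR (cloud)", "cloud", ("progress notes", "imaging orders"), is_vendor=True),
    Asset("Billing clearinghouse", "cloud", ("claims", "insurance IDs"), is_vendor=True, baa_signed=False),
    Asset("Therapist tablets", "on-premise", ("chart access",)),
    Asset("Front desk workstation", "on-premise", ("intake forms", "insurance cards")),
]
FINDINGS = [
    Finding("Therapist tablets", "lost or stolen device", "no full-disk encryption or remote wipe",
            "medium", "high", "PIN lock only", "enable encryption and MDM remote wipe"),
    Finding("EHR (cloud)", "phishing / credential theft", "MFA not enforced for all users",
            "high", "high", "password policy only", "enforce MFA on every EHR account"),
    Finding("Front desk workstation", "shoulder surfing", "monitor faces the waiting area",
            "medium", "medium", "none", "reorient monitor and add privacy filter"),
    Finding("EHR (cloud)", "insider misuse", "audit logs never reviewed",
            "low", "medium", "audit logging enabled", "quarterly access log review"),
]


def run_assessment(assets=INVENTORY, findings=FINDINGS):
    """Steps 1-5 end to end: returns (register, plan)."""
    register = risk_register(list(findings) + baa_gap_findings(assets))
    return register, management_plan(register)


if __name__ == "__main__":
    register, plan = run_assessment()
    for f in register:
        print(f"{f.score()} {f.tier():<6} {f.asset:<24} {f.vulnerability}")
    for row in plan:
        print(row)
```

The register and plan rows are the artifacts to keep: printed to a dated file and stored with the rationale for each rating, they are exactly what an OCR investigator asks for, and re-running the script after each trigger event produces the updated assessment the annual-review section below calls for.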

For guidance on what constitutes a reportable event if a vulnerability is exploited before remediation, review the HIPAA breach notification requirements that govern your disclosure timeline and obligations.

Telehealth and Remote Access: The Post-2020 Risk Gap

The rapid expansion of telehealth in physical therapy — first mandated by pandemic necessity and now a permanent service line for many clinics — introduced ePHI risks that most pre-2020 risk assessments did not contemplate. If your clinic adopted a telehealth platform during the public health emergency and has not formally assessed it since, that gap is a likely finding in any OCR investigation.

Key questions to address for telehealth and remote work in your risk assessment:

  • Is your telehealth platform covered by a Business Associate Agreement, and does it meet the HIPAA Security Rule's technical safeguard requirements?
  • Do therapists access your EHR from personal home networks or personal devices? If so, what controls (VPN, MFA, device management) are in place?
  • Are telehealth session recordings stored, and if so, where and with what access controls?
  • How are patients authenticated before telehealth sessions to prevent impersonation?

The OCR telehealth enforcement discretion that applied during the public health emergency ended on May 11, 2023, with a 90-day transition period that expired on August 9, 2023. Platforms used since that date must meet the same technical safeguard standards, and be covered by the same BAAs, as any other ePHI-handling system in your environment.

Staff who handle patient data remotely or via mobile devices should also complete regular security awareness training. Our review of HIPAA employee training requirements outlines what the Security Rule specifically requires for workforce education.

How Often Physical Therapy Clinics Must Reassess

The HIPAA Security Rule does not specify a fixed reassessment interval — it requires that your risk analysis be kept current and that you reassess whenever environmental or operational changes occur. HHS guidance and enforcement precedent suggest that an annual review cycle is the practical minimum for most covered entities.

For a physical therapy clinic, trigger events that should initiate a new assessment or targeted review include:

  • Adding a new EHR, billing platform, or telehealth tool
  • Onboarding a new IT vendor or managed service provider
  • Opening a new clinic location or expanding to home health services
  • A workforce reduction or high-turnover period where access credentials may not have been revoked promptly
  • Any suspected or confirmed security incident, even if it did not rise to the level of a reportable breach
  • A change in ownership or acquisition by a larger practice group

Documenting the rationale for each reassessment — and the date it was conducted — demonstrates a proactive compliance posture that regulators and cyber insurers view favorably. Many cyber liability policies now require evidence of a completed HIPAA risk assessment as a condition of coverage or renewal.

Physical therapy clinics that share patient data with or refer to dental practices, cosmetic medicine providers, or other outpatient specialists should also verify that those referral relationships include appropriate data handling agreements. For adjacent compliance context, see our analysis of HIPAA compliance requirements for cosmetic medical spas.

Schedule Your PT Clinic HIPAA Risk Assessment

Bellator Cyber Guard delivers OCR-defensible HIPAA risk assessments built specifically for outpatient healthcare providers. We inventory your ePHI assets, identify PT-specific threats, verify your vendor BAAs, and deliver a documented Risk Management Plan — ready for audit.

Frequently Asked Questions

Does a physical therapy clinic have to conduct a HIPAA risk assessment?

Yes. Physical therapy clinics that create, receive, maintain, or transmit ePHI are covered entities under HIPAA and are required by 45 CFR § 164.308(a)(1) to conduct a thorough risk analysis. This requirement applies regardless of clinic size or patient volume.

What happens if a PT clinic never conducts a risk analysis?

Absence of a risk analysis is the most commonly cited violation in OCR enforcement actions against small healthcare providers. Penalties range from corrective action plans to civil monetary penalties based on the level of negligence. HHS has assessed fines against solo practitioners and small group practices for failure to conduct a risk analysis.

Does my EHR vendor's HIPAA compliance satisfy my risk assessment requirement?

No. Your EHR vendor's compliance attestation covers their platform and infrastructure. Your obligation under the HIPAA Security Rule is to assess risks across your entire operating environment — including how your staff accesses, transmits, and stores ePHI, and all the systems and devices involved in that workflow.

What is a Business Associate Agreement, and which PT clinic vendors need one?

A Business Associate Agreement (BAA) is a written contract required by HIPAA whenever a third party accesses or processes ePHI on your behalf. PT clinics typically need BAAs with their EHR vendor, billing service, clearinghouse, telehealth platform, IT/managed services provider, and any cloud storage service that holds patient data. Operating without a BAA with a vendor who handles ePHI is itself a HIPAA violation.

How long does a HIPAA risk assessment take for a PT clinic?

A thorough risk assessment for a single-location PT clinic with a straightforward technology environment typically takes two to four weeks when conducted by an experienced assessor — including asset inventory, threat analysis, control evaluation, risk rating, and documentation. More complex environments with multiple locations, numerous vendors, or telehealth programs take longer.

Do I need to update the assessment when I add a new system?

Yes. Adding any new system that creates, receives, maintains, or transmits ePHI is a trigger event that requires updating your risk assessment. This includes new telehealth platforms, scheduling tools that send SMS appointment reminders, patient portal additions, or any new vendor integration with your EHR.

How long must I keep the risk assessment documentation?

You must retain your written risk analysis, the risk management plan derived from it, and any policies or procedures implemented in response — for a minimum of six years from the date of creation or last effective date, per 45 CFR § 164.316(b)(2). This documentation is what OCR investigators will request in an audit or breach investigation.

Can I use the free HHS tool instead of hiring an assessor?

HHS offers a free Security Risk Assessment (SRA) Tool at HealthIT.gov designed for small to medium-sized healthcare practices. The tool is a valid starting point, but clinics with complex vendor relationships, telehealth programs, or multi-location operations typically benefit from professional guidance to ensure the assessment is thorough enough to withstand OCR scrutiny.
