Making sure you are following all the rules and regulations regarding HIPAA compliance as a new therapy practice owner can be stressful and confusing! In this article, we’ll go over the main policies of HIPAA compliance and the tools you can use to make sure you maintain HIPAA regulations within your physical, occupational or speech therapy practice.

What is HIPAA and Why Is It Important:
The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 and requires covered entities to comply with certain rules to help protect patient’s health information (

As therapists and assistants, we are subject to HIPAA requirements and you can face penalties for noncompliance, so it is important to try your best to follow HIPAA standards.

What penalties could you face?
“The minimum fine is $100 per violation and that is for those covered entities that were unaware of a breach and are deemed reasonably compliant with HIPAA ” according to the APTA. However, if you are willfully neglecting HIPAA and refuse to make corrections if you are notified of a breach, then you could be fined $50,000 per violation! I wanted to share this to highlight that government organizations understand HIPAA regulations can be complex and so they do give you time to correct anything that may not be following HIPAA standards before giving you a penalty. So just try your best!

Key HIPAA Compliance Steps:
According to the APTA, here are some key steps to take:

  • Risk Assessment Plan: It is mandatory to create a plan in protecting your patients your information.
    • Document your risks
    • Document your procedures
    • Document your policies
    • Document your breaches
    • Document your routine assessment of risks
    • Document you employee education of HIPAA

What are some examples of things to document include where are your patient files stored, who has access to your patient files, can your employee’s access your internet, and so much more according to VGM Insurance (

  • Try to encrypt your computer, email and test messages – basically any communication according to Security Rules 164.312 needs to be encrypted. How can you perform encrypted communication?  Often an EMR will include the ability to safety communicate with your patient in the form of texting and email. HelloNote includes secure messaging within it’s EMR platform.
  • Store your records securely.  You can store your records securely several ways:
    • Locked cabinet – although this is not as secure as the other methods below.
    • Securely save your documents on an encrypted and password-protected computer or external drive.
    • Keep your records in an EMR, such as HelloNote which is HIPAA compliant and securely saves your files.
  • Create and store secure passwords.  I recommend using LastPass to help secure your passwords. It has a great chrome extension that automatically with 1 click will store any new password and allow you to share your passwords securely with a virtual assistant or other employees without them being able to see your password.  There are many more password software’s, but LastPass is very affordable, widely used and user friendly.
  • Data Backup Encryption:  Any data you are storing or using must be encrypted. The best way to comply with this is to use an EMR system that can help securely store and encrypt your patient files. HelloNote is a great example of an EMR that offers HIPAA compliance including data encryption and encrypted backups.
  • Privacy Notice: This is an easy step. Simply make sure you have a privacy notice on your website as well as on any paperwork and if you are a brick and mortar location, a sign visible for your patient without requiring them to request this information (

What to do if you discover that you’ve had a breach of privacy?
If you have had a breach of information, then a notification within 60 days (or the limit specified by your state law) is required.  It is required that you mail notification by first class mail or email if your patient’s have indicated that they preferred email contact.

You should include a “description of the breach, description of type of unsecured PHI involved, if the PHI was acquired or viewed, whether the PHI was acquired or viewed, to whom the PHI may have been disclosed, the nature and extent of the PHI involved, the extent to which risk to the PHI has been mitigated, the steps the individual should take to protect him or herself, and the entity’s contact information.

HIPAA compliance is important, and this article is really an attempt to overview and simplify the main points of HIPAA . Please continue to keep up to date on HIPAA regulations as these policies are changing every year. Good news is that many HIPAA compliant standards can be met easily with an EMR system and HelloNote is happy to answer your questions as to how our EMR system can help maintain your HIPAA compliance.


Request a Demo