
HIPAA compliance has a reputation for being intimidating, and for good reason. The rules are dense, the penalties are real, and the responsibility ultimately lands on the practice owner, not the software vendor or the consultant. Yet the day-to-day work of staying compliant is far more manageable than the legalese suggests. It comes down to a set of concrete habits and safeguards that, once in place, quietly protect your patients and your practice.
This checklist is written for the people who actually run therapy practices: physical therapists, occupational therapists, speech-language pathologists, and mental health clinicians who need to know what to do rather than wade through statutory citations. Work through each section, check off what you have covered, and flag what still needs attention. Compliance is not a one-time project; it is an ongoing posture, and this guide is built to be revisited.
Understanding What HIPAA Actually Requires
Before the checklist itself, it helps to understand the shape of the law. HIPAA is organized around a few core rules, and nearly everything you need to do maps back to them.
- The Privacy Rule governs how protected health information, or PHI, can be used and disclosed.
- The Security Rule covers electronic PHI specifically and requires administrative, physical, and technical safeguards.
- The Breach Notification Rule dictates what you must do if PHI is exposed.
- The Omnibus Rule extends direct liability to business associates, meaning your vendors carry obligations too.
Protected health information is broader than most people assume. It includes obvious things like diagnoses and treatment notes, but also names, addresses, appointment dates, phone numbers, and any other detail that could identify a patient in a health context. If your practice creates, receives, stores, or transmits any of it, HIPAA applies to you.
The Security Rule also distinguishes between required and addressable specifications. Addressable does not mean optional; it means you must either implement the safeguard or document why an equivalent alternative is reasonable for your practice. That documentation habit runs through everything below.
The Administrative Safeguards Checklist
Administrative safeguards are the policies, procedures, and people-focused controls that form the foundation of compliance. They are also where auditors look first.
Designate responsibility
- [ ] Appoint a HIPAA Privacy Officer and a Security Officer. In a small practice these can be the same person, and that person can be the owner, but the role must be explicitly assigned.
- [ ] Document who is responsible for reviewing policies, handling complaints, and responding to incidents.
Conduct and document a risk analysis
- [ ] Perform a security risk assessment that inventories where PHI lives, how it moves, and where it is vulnerable. This is not optional; it is one of the most commonly cited gaps in enforcement actions.
- [ ] Rank the risks you find and create a written risk management plan to address them over time.
- [ ] Repeat the assessment at least annually and whenever you adopt new technology or change workflows.
Write and maintain policies
- [ ] Maintain written privacy and security policies covering access, disclosure, minimum necessary use, and incident response.
- [ ] Keep a clear sanction policy describing consequences for staff who violate procedures.
- [ ] Review and date your policies regularly so you can show they are living documents, not shelf decoration.
Manage workforce access
- [ ] Apply the minimum necessary standard: each staff member should only access the PHI their job requires.
- [ ] Maintain a process to grant, modify, and immediately revoke access when roles change or someone leaves.
- [ ] Keep a record of who has access to what.
The Technical Safeguards Checklist
Technical safeguards are where your software choices carry the most weight. This is the section where the right platform does much of the heavy lifting for you, and the wrong one leaves gaps you may not even see.
Control access to systems
- [ ] Assign every user a unique login. Shared accounts make it impossible to trace who did what and are a direct compliance failure.
- [ ] Enforce strong password requirements and enable two-factor authentication wherever PHI is accessible.
- [ ] Configure automatic logoff so unattended workstations do not leave charts exposed.
Network-level protections matter just as much as login controls. Your systems should sit behind properly configured firewalls & 2FA, which together block unauthorized access and add a second verification layer that stops most credential-based attacks even when a password is compromised.
Encrypt data everywhere
- [ ] Ensure PHI is encrypted at rest on servers and devices.
- [ ] Ensure PHI is encrypted in transit whenever it moves across networks, including telehealth sessions, patient messages, and portal activity.
- [ ] Confirm that any mobile devices or laptops used for clinical work are encrypted.
If you are moving to or already using cloud-based tools, it is worth understanding the shared-responsibility model in depth. This guide on what therapists need to know about data security in cloud-based software explains where the vendor's obligations end and yours begin, which is exactly the kind of clarity an auditor expects you to have.
Maintain audit controls
- [ ] Use software that records who accessed which record, when, and what they did. These logs are not just a compliance requirement; they are your evidence trail if a question ever arises.
- [ ] Review these logs periodically for unusual activity rather than only after an incident.
Audit logging is one of the least glamorous and most important technical safeguards. If the term is unfamiliar, the audit trails glossary breaks down what a proper trail captures and why it matters when you need to demonstrate exactly how PHI was handled.
Ensure integrity and availability
- [ ] Protect PHI from improper alteration or destruction through version controls and access restrictions.
- [ ] Maintain regular, encrypted backups and test that you can actually restore from them.
- [ ] Have a contingency plan for how you would keep operating and protecting data during an outage or disaster.
Spend less time on admin, more time with patients
See how TheraPro360 brings scheduling, notes, telehealth, and billing into one HIPAA-compliant platform.
The Physical Safeguards Checklist
It is easy to focus on cyber threats and forget that a great deal of PHI exposure is physical. These controls are simple but genuinely important.
- [ ] Secure workstations so screens are not visible to patients or visitors in waiting areas.
- [ ] Use privacy screens on devices in shared or public-facing spaces.
- [ ] Lock away or shred any paper records rather than leaving them on desks or in open bins.
- [ ] Control physical access to servers, network equipment, and any room where devices with PHI are stored.
- [ ] Maintain a policy for device disposal that ensures drives are wiped or destroyed before any hardware leaves your control.
Staff Training and Awareness
Technology and policy only work if your people follow them. Human error remains one of the leading causes of breaches, which makes training a frontline defense rather than a formality.
Build a real training program
- [ ] Train every new hire on HIPAA before they touch PHI.
- [ ] Provide refresher training at least annually, and again whenever policies or systems change.
- [ ] Keep dated records of who completed training, since documentation is what you show if you are ever audited.
Cover the threats that actually cause breaches
- [ ] Teach staff to recognize phishing and social engineering, which are behind a large share of real-world incidents.
- [ ] Reinforce that PHI should never be shared over unsecured channels like personal text or standard email.
- [ ] Make it clear how to report a suspected incident immediately, without fear of blame, so problems surface early.
A culture where staff feel safe reporting a mistake catches breaches faster than any policy document. The goal is not perfection; it is quick detection and honest response.
Business Associate Agreements and Vendor Management
Any outside company that handles PHI on your behalf is a business associate, and HIPAA holds you responsible for choosing them carefully. This includes your practice management software, billing services, telehealth provider, cloud storage, and even IT contractors with system access.
- [ ] Obtain a signed Business Associate Agreement (BAA) from every vendor that touches PHI. No BAA means you should not be sharing data with them, full stop.
- [ ] Verify that each vendor's own security practices are credible before you trust them with patient data.
- [ ] Keep BAAs organized and current, and revisit them when contracts renew or services change.
- [ ] Confirm your practice management platform is genuinely HIPAA-compliant rather than merely marketed as such.
Choosing software with compliance built into its foundation removes an enormous amount of this burden. A HIPAA-compliant patient management platform handles encryption, access controls, and audit logging for you, and a reputable vendor will readily provide a BAA. For a therapist-focused view of exactly what to look for when evaluating tools, this HIPAA software checklist is a strong companion to this article.
Breach Response: Have a Plan Before You Need One
Even careful practices can experience an incident. What separates a manageable event from a catastrophic one is preparation.
- [ ] Maintain a written incident response plan with clear roles and steps.
- [ ] Know the notification timelines and requirements for informing affected individuals and the appropriate authorities.
- [ ] Document every incident, including near misses, along with how you responded and what you changed afterward.
- [ ] Treat each incident as a learning opportunity that feeds back into your risk analysis.
Putting It All Together
HIPAA compliance is not a wall you build once and forget. It is a rhythm: assess risk, close gaps, train people, verify vendors, and repeat. The practices that handle it well are rarely the ones with the biggest budgets. They are the ones that made compliance a routine part of how they operate and that chose tools which do the technical heavy lifting for them.
That last point is where your software decision matters most. TheraPro360 is an all-in-one, HIPAA-compliant practice management platform built for PT, OT, SLP, and mental health practices, with encryption, unique-user access controls, audit logging, and secure telehealth engineered in from the start. Instead of stitching together separate tools and hoping the compliance seams hold, you get a single system designed to protect PHI across scheduling, documentation, billing, and patient communication.
If you want to see how much of this checklist a purpose-built platform can handle for you, contact us for a compliance-focused walkthrough. Getting your safeguards right protects your patients, your license, and the practice you have worked hard to build.
Frequently Asked Questions
How often should a therapy practice do a HIPAA risk assessment?
At minimum once a year, and additionally whenever you make a significant change such as adopting new software, moving offices, or altering how PHI flows through your practice. The risk assessment is not a one-time document; it is meant to be revisited so that new vulnerabilities get identified and addressed as your practice evolves.
Do small therapy practices really have to comply with HIPAA?
Yes. HIPAA applies to covered entities regardless of size, so a solo practitioner is subject to the same core requirements as a large clinic. The safeguards scale to your practice, meaning a small office can meet its obligations with proportionate policies and the right compliant software, but the responsibility itself does not shrink.
What is a Business Associate Agreement and do I need one?
A Business Associate Agreement is a contract between your practice and any vendor that handles PHI on your behalf, such as your practice management software or billing service. It legally binds the vendor to protect that data. You need a signed BAA from every such vendor before sharing patient information with them, and operating without one is itself a compliance violation.
Does using HIPAA-compliant software make my practice automatically compliant?
No, though it removes a large share of the technical burden. Compliant software handles safeguards like encryption, access controls, and audit logging, but you are still responsible for administrative policies, staff training, physical security, risk assessments, and vendor agreements. The software is a powerful foundation, not a complete substitute for a compliance program.
What should I do first if I suspect a data breach?
Follow your incident response plan: contain the exposure, document what happened and what data was involved, and assess the scope. HIPAA sets specific timelines and requirements for notifying affected individuals and authorities, so acting quickly matters. Having a written plan and prompt response in place before an incident occurs is what keeps a breach manageable.

Dr. Eva Lassey PT, DPT has honed her expertise in developing patient-centered care plans that optimize recovery and enhance overall well-being. Her passion for innovative therapeutic solutions led her to establish DrSensory, a comprehensive resource for therapy-related diagnoses and services.
View profile
Irina Shvaya is the Founder of eSEOspace, a Software Development Company. She combines her knowledge of Behavioral Neuroscience and Psychology to understand how consumers think and behave.
View profileReady to simplify your practice?
See how TheraPro360 brings scheduling, notes, telehealth, and billing into one place.


