HIPAA covers health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with covered transactions. A physical therapy, outpatient rehab, or occupational therapy clinic that bills insurance electronically is a covered entity. The electronic protected health information moving through your EMR, scheduling system, home-exercise app, and referral exchange with physicians is exactly what the Security Rule was written to safeguard.
Outpatient therapy clinics are small businesses that assume HIPAA is only for hospitals.
Many physical therapy practices run lean, with a handful of clinicians and a busy front desk, and treat HIPAA as a hospital problem. The rules do not work that way. A solo therapist who bills insurance electronically is as much a covered entity as a large health system, and the Office for Civil Rights has pursued small outpatient providers.
The safeguards scale to the size of the clinic, but the obligation does not disappear because the practice is small. We confirm your covered-entity status during onboarding and scope a program that fits an outpatient clinic rather than a hospital.
Therapy data lives across the EMR, scheduling, referral exchange, and patient-facing apps.
Each patient record carries names, dates of birth, insurance and billing details, diagnoses, plans of care, and progress notes. That combination of identity and health information is precisely the ePHI the Security Rule protects, and it flows through more systems than clinics expect.
It sits in your EMR and documentation platform, your scheduling system, and the referrals you exchange with physicians and hospitals. It also reaches home-exercise and telehealth apps that patients use from their own devices, and the claims you send to many different payers. Each of those systems is a place ePHI can be exposed, and each one falls within the safeguards the rule requires.
Multiple locations and high turnover make access control the daily challenge.
A clinic that grows to several locations shares an EMR across front-desk stations, treatment-floor workstations, and tablets that move between rooms. Physical therapy also sees steady turnover among aides, technicians, and front-desk staff, which means accounts are created and closed constantly.
The breaches that hit outpatient clinics most often trace to preventable causes: shared or weak credentials, accounts left active after someone leaves, phishing and email-account compromise, and lost or stolen laptops and tablets. Unique user IDs with MFA, disciplined onboarding and offboarding, security awareness training, and device encryption each close one of those paths, and each is a control the Security Rule expects.
The Security Risk Analysis is the required starting point, and a Business Associate Agreement defines who is responsible for what.
The Security Rule explicitly requires a Security Risk Analysis, and it is the specification investigators ask about first after an incident. A clinic that cannot produce a current, thorough SRA has a documented gap regardless of what technology it has purchased. We conduct the analysis across your full environment, pair each risk with the safeguard that addresses it, and keep it current as you add locations, staff, and apps.
When Cyber One Solutions manages systems that store or transmit your ePHI, or when our staff can access that data during support, HIPAA treats us as your Business Associate, and that relationship is governed by a signed Business Associate Agreement before work begins. The BAA sets out how we safeguard your ePHI and support your obligations. It does not transfer your covered-entity duties to us. You remain the covered entity accountable for HIPAA compliance; our role is to implement and manage the controls and give you the evidence that they are working.