HIPAA Notice of Privacy Practices for Physical Therapy
Physical therapy practices — solo PTs, group outpatient clinics, and hospital-affiliated clinics — are HIPAA covered entities whenever they bill insurance electronically. That means you need a Notice of Privacy Practices under 45 CFR § 164.520, provided at intake, posted on your practice website, and posted at your clinic.
Quick facts for physical therapy practices
- PT practices that bill Medicare, Medicaid, or commercial insurance are covered entities — the Medicare Part B PT benefit alone triggers covered-entity status
- Plan-of-care signatures and progress-note exchanges with referring physicians fall under "health care operations" and do not require separate authorization
- Workers' compensation disclosures have their own rules under 45 CFR § 164.512(l) and should be disclosed in the NPP
- If your clinic uses remote monitoring, telehealth, or a patient app, the NPP must describe how PHI flows through those tools
Are you a HIPAA covered entity?
You are a covered entity if you electronically transmit any standard transaction: claims to Medicare or Medicaid, eligibility verification, claim-status inquiries, or referral authorizations. The vast majority of PT practices do — Medicare Part B billing is the most common trigger, but commercial insurance claims and workers' comp submissions also qualify.
If your practice uses a practice-management system like WebPT, Clinicient, Raintree, or TheraOffice, those platforms submit electronic transactions on your behalf. You are still the covered entity. The NPP obligation is yours, not the vendor's.
Referring physicians and plan-of-care coordination
PT practices routinely exchange PHI with referring physicians: initial evaluation reports, progress notes, updated plans of care, and discharge summaries. These disclosures fall under "health care operations" (coordination of treatment) and do not require separate patient authorization. Your NPP must disclose that this exchange happens as part of standard TPO use.
Workers' compensation disclosures
Workers' comp is a common payer for PT services. Under 45 CFR § 164.512(l), disclosures to workers' comp carriers, state workers' comp agencies, and employers (for the purposes of the workers' comp claim) are permitted without authorization to the extent required by state law. Your NPP should acknowledge this category of permitted disclosure explicitly.
Telehealth PT and remote monitoring
If your clinic offers telehealth visits, home-exercise apps with progress tracking, or wearable-based remote monitoring, the NPP must describe how PHI flows through those tools — which vendor processes the data, whether PHI is stored on the device, and how long data is retained. Each third-party tool needs a signed Business Associate Agreement; the NPP itself does not list vendors by name, but it must describe these categories of disclosure.
Distribution for PT practices
- At first service: provide the NPP to each new patient at initial evaluation
- Website: post on your clinic website (required)
- Physical site: post in the waiting room at each clinic location
- Acknowledgment: make a good-faith effort to get written acknowledgment; document refusals in the chart
- Re-distribution: provide a new copy whenever the NPP is materially revised
Generate your PT practice NPP in under 5 minutes
Our generator captures PT-specific TPO language, workers' comp disclosures, and referral-coordination uses. Output is a clean PDF plus editable Word file.