NPP Generator

HIPAA Notice of Privacy Practices for Physical Therapy

By NPP Generator Editorial Team  ·  Last reviewed Apr 28, 2026

Physical therapy practices — solo PTs, group outpatient clinics, and hospital-affiliated clinics — are HIPAA covered entities whenever they bill insurance electronically. That means you need a Notice of Privacy Practices under 45 CFR § 164.520, provided at intake, posted on your practice website, and posted at your clinic.

Quick facts for physical therapy practices

Are you a HIPAA covered entity?

You are a covered entity if you electronically transmit any standard transaction: claims to Medicare or Medicaid, eligibility verification, claim-status inquiries, or referral authorizations. The vast majority of PT practices do — Medicare Part B billing is the most common trigger, but commercial insurance claims and workers' comp submissions also qualify.

If your practice uses a practice-management system like WebPT, Clinicient, Raintree, or TheraOffice, those platforms submit electronic transactions on your behalf. You are still the covered entity. The NPP obligation is yours, not the vendor's.

Referral physicians and plan-of-care coordination

PT practices routinely exchange PHI with referring physicians: initial evaluation reports, progress notes, updated plans of care, and discharge summaries. These disclosures fall under "health care operations" (coordination of treatment) and do not require separate patient authorization. Your NPP must disclose that this exchange happens as part of standard TPO use.

Workers' compensation disclosures

Workers' comp is a common payer for PT services. Under 45 CFR § 164.512(l), disclosures to workers' comp carriers, state workers' comp agencies, and employers (for the purposes of the workers' comp claim) are permitted without authorization to the extent required by state law. Your NPP should acknowledge this category of permitted disclosure explicitly.

Telehealth PT and remote monitoring

If your clinic offers telehealth visits, home-exercise apps with progress tracking, or wearable-based remote monitoring, the NPP must describe how PHI flows through those tools — which vendor processes the data, whether PHI is stored on the device, and how long data is retained. Each third-party tool needs a signed Business Associate Agreement; the NPP itself does not list vendors by name, but it must describe these categories of disclosure.

Distribution for PT practices

Frequently Asked Questions

Do physical therapy practices need a Notice of Privacy Practices?

Yes — physical therapy practices that electronically transmit billing claims (essentially all of them) are HIPAA covered entities under 45 CFR § 160.103. Solo PT, group practice, outpatient clinic, and hospital-affiliated PT all need an NPP. Distribute it at the first patient visit, and post it in the clinic and on the practice website.

What's distinctive about a PT NPP?

PT NPPs address common PT disclosures: communication with referring physicians and orthopedists, sharing imaging and progress notes with insurers for utilization review, exchanging records with athletic trainers or rehab equipment vendors, and disclosures for workers' compensation cases. Each is generally a treatment, payment, or operations use.

How do PT practices handle workers' compensation in the NPP?

Workers' comp claims often involve disclosure to employers, insurers, and case managers. The NPP should explicitly mention WC-related disclosures, and the practice should obtain a separate authorization where the WC scope exceeds standard treatment-payment-operations. State WC laws vary — check whether your state imposes additional consent requirements.

What about telehealth PT and remote patient monitoring?

Telehealth PT and RPM platforms are typically business associates, requiring BAAs. The NPP should disclose that PHI may flow through telehealth platforms and remote-monitoring services for treatment purposes. Patients receiving care via these channels still receive the NPP at intake — even if the encounter is virtual.