Open gym, six patients, one screen facing the wrong way. That's a HIPAA problem
Your PTs treat patients side by side, snap range-of-motion photos on their phones, and text home exercise programs to patients. The open-clinic layout that makes PT work also makes HIPAA harder. EZBunny covers the privacy scenarios your team faces every day.
Train my PT team
HIPAA is the federal law that protects patient health information. Annual training is the industry standard.
Breaches affecting 500 or more individuals are published on the HHS Breach Portal (the "Wall of Shame"), a permanent, public record. Training your team is the most effective way to keep your clinic off it.
And it gets stricter. States like California (CMIA) and Texas (HB 300) impose penalties beyond federal HIPAA. Your team needs to meet the highest standard.
25+ courses your PT team actually needs
Beyond HIPAA, your team needs OSHA safety training, fraud prevention, cybersecurity awareness, and state-specific compliance. EZBunny covers it all in one subscription.
Browse All Courses →
The privacy risks built into PT clinic design
$200,000 for records in an unencrypted Google Drive
Patient exercise programs and workers' comp details stored in a shared Google Drive without encryption. The clinic paid $200,000.
PTs and aides finish between patients
Audio-narrated lessons with quick knowledge checks. Your PTs, PTAs, aides, and front desk staff finish during a lunch break or slow period. No full-day seminar.
Range-of-motion videos on personal phones
Before/after photos and gait videos taken on a PT's personal phone. They sit in the camera roll, synced to the cloud, right next to vacation photos. That's PHI on an unsecured device.
See every clinician and aide's status
Your dashboard shows who's trained, who's overdue, and who just started, across every location if you run multiple clinics. Export a compliance report in two clicks.
Home exercise programs texted to patients
A PT texts a patient their HEP with their name, diagnosis, and treatment goals. That text is now PHI sitting in an unencrypted message thread on both phones.
New aide starts? Already reminded
When you add a new team member, EZBunny sends them a training invite. When a certificate's about to expire, they get a nudge. Nobody slips through the cracks.
Open gym = open to privacy incidents
Six patients being treated in the same space. A computer screen facing the wrong direction. A printed exercise sheet left on the leg press. Every day in an open clinic is a HIPAA obstacle course.
Certificates with built-in verification
Each certificate has a unique ID and public verification link. Auditors and surveyors can verify it in seconds using the unique ID or QR code. No phone calls needed.
One price for PTs, PTAs, aides, and front desk. Everyone
No per-seat charges. No hidden fees. Cancel anytime.
Beyond HIPAA: All the Training Physical Therapy Clinics Need
HIPAA is just the start. Here's what PT teams also need.
OSHA Safety (Required)
PTs and PTAs have occupational exposure to bloodborne pathogens when treating post-surgical, wound care, and injury rehabilitation patients. Required: Bloodborne Pathogens and OSHA General Safety. Infection Control is strongly recommended by state PT boards and accreditation bodies.
Mandatory Reporting (Required)
Physical therapists are mandatory reporters in most states. Your team encounters patients with signs of domestic violence, elder abuse, and child abuse during treatment. Mandatory Reporting training ensures your staff understands their legal obligations and documentation requirements.
Documentation & Medical Records
Medicare billing for PT requires meticulous documentation of medical necessity, functional goals, and progress. Coding errors and underdocumented records are among the most common triggers for PT billing audits. Medical Records Compliance training directly reduces your audit risk.
Fraud, Waste & Abuse
PT practices billing Medicare and Medicaid are common targets for FWA audits. CMS FWA training is required for providers billing Medicare. Compliance & Ethics training covers the broader OIG framework and helps billing staff avoid patterns that trigger audits.
Cybersecurity Awareness
Multi-location PT chains use centralized EHR systems that can be compromised via phishing. Cybersecurity awareness helps front desk and billing staff recognize phishing attempts that target practice management accounts and patient portal credentials.
Business Associate Awareness
Your billing company, EHR vendor, and referral platform are Business Associates under HIPAA. Your staff needs to understand BA relationships and ensure that patient data sent to third parties goes through BAA-covered channels only.
Training by Role
Different roles need different courses. Here's a breakdown for PT clinic teams.
| Role | Core Courses | Additional |
|---|---|---|
| Physical Therapist (PT) | HIPAA Privacy & Security, Bloodborne Pathogens, Mandatory Reporting, Medical Records, OSHA General Safety, Sexual Harassment Prevention | CMS FWA if billing Medicare; Telehealth Privacy if applicable |
| Physical Therapist Assistant (PTA) | HIPAA Privacy & Security, Bloodborne Pathogens, Infection Control, OSHA General Safety, Sexual Harassment Prevention | |
| Occupational Therapist (OT) | HIPAA Privacy & Security, Bloodborne Pathogens, Mandatory Reporting, Medical Records, OSHA General Safety, Sexual Harassment Prevention | |
| Rehab Aide / Tech | HIPAA Privacy, Bloodborne Pathogens, OSHA General Safety, Sexual Harassment Prevention | Infection Control |
| Front Desk / Scheduler | HIPAA Privacy & Security, Sexual Harassment Prevention, Business Associate Awareness | Phishing & Risk Analysis |
| Billing / Insurance Staff | HIPAA Privacy & Security, CMS FWA, Compliance & Ethics, Medical Records, Sexual Harassment Prevention | |
| Clinic Manager | HIPAA Privacy & Security, CMS FWA, Compliance & Ethics, Mandatory Reporting, Medical Records, Sexual Harassment Prevention | Cybersecurity |
State-Specific Requirements
State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here.
- If you operate in California: CMIA privacy training; cultural competency CE for licensed PTs and OTs; workplace violence prevention (SB 553)
- If you operate in Texas: HB 300 privacy training within 90 days of hire - Texas civil penalties reach up to $1.5M per year for a pattern or practice of violations
- If you operate in Florida: HIV/AIDS training for applicable licensed practitioners per FL Statute 381.0034
- If you operate in New York: Infection control every 4 years for licensed PTs and OTs (Education Law Section 6505-b; PHL Section 239 is the parallel requirement for physicians and PAs); sexual harassment prevention annually
Proposed changes to the HIPAA Security Rule (expected 2026) may expand cybersecurity requirements for PT clinics.
Browse all 25+ courses →
HIPAA questions we hear from PT clinics
How does HIPAA apply to open PT clinic layouts?
Open layouts require documented safeguards: lowered voices, positioned treatment areas, and private rooms for sensitive discussions. HIPAA requires reasonable safeguards for conversations that can be overheard by other patients in adjacent bays. Train staff on managing PHI in open environments. You don't need to rebuild, but you need documented policies and training.
Can physical therapists share exercise programs electronically?
Yes, but patient-specific exercise programs are PHI and must be sent through HIPAA-compliant channels. Sending them via standard email or text is not compliant unless the patient consents after being informed of the risks. HIPAA-compliant portals or encrypted email are safest. Generic exercise handouts without patient identifiers are not PHI and can be shared freely.
Are patient progress photos and videos HIPAA-protected?
Yes. Any photo or video that can identify a patient is PHI and must be stored in a HIPAA-compliant system. They must be taken with consent, stored in compliant systems (not personal camera rolls), and access-restricted. Never share patient images via text or social media. Marketing use requires separate written HIPAA authorization.
What HIPAA training do PT aides and rehab techs need?
Every PT aide, rehab tech, and front desk staff member who interacts with patients or accesses any patient information must complete HIPAA training. Even staff who only set up equipment may overhear clinical conversations and need to understand confidentiality requirements. Training covers Privacy Rule, Security Rule, and breach notification.
How does HIPAA affect PT billing and insurance documentation?
All electronic billing transmissions must be encrypted, and staff should only access records they need for their role. PT billing transmits significant PHI: demographics, ICD-10 codes, CPT codes, functional scores, and treatment plans. Third-party billing companies need signed BAAs. Paper superbills and EOBs must be stored securely and shredded when no longer needed.
What are the HIPAA rules for clinical documentation in PT?
All clinical documentation (evaluations, daily notes, assessments, and discharge summaries) is PHI and must be in HIPAA-compliant systems. Position screens so other patients can't see records. Don't leave printed documentation on treatment tables. Electronic systems should auto-lock after brief inactivity and require unique credentials per staff member.
Cover every clinic, every location
Set up takes about 5 minutes. Try it free for 14 days.
Get started free
Regulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. Last reviewed: April 2026.