HIPAA for Speech-Language Pathologists
Speech-language pathologists document assessments, treatment plans, and session notes that are fully protected PHI under HIPAA. This guide covers minimum necessary access, disclosure rules for school and employer requests, and the SLP-specific compliance gaps most likely to surface in a small clinic.
Short answer
Speech-language pathologists regularly generate and access evaluation reports, session notes, and treatment plans that contain PHI. The minimum necessary standard under 45 CFR § 164.514(d) applies to every chart access, and disclosures to schools, employers, or insurance carriers require either patient authorization or a qualifying exception. The most common SLP compliance gap is the casual sharing of progress information with teachers, family members, or referral sources without proper authorization.
Speech-language pathologists document some of the most detailed patient records in any clinical setting - evaluation reports that capture cognitive and communication function, session-by-session progress notes, treatment plans that span months or years, and assessments that often include sensitive diagnostic findings about neurological conditions, developmental disorders, and acquired communication impairments. Every one of those records is protected health information under HIPAA.
In a small clinic without a dedicated compliance team, the SLP is often the person generating PHI without a structured system to manage disclosure requests, authorization tracking, or training documentation. This guide focuses on the HIPAA obligations that apply specifically to your role.
What Speech-Language Pathologists Need to Know About HIPAA
The Minimum Necessary Standard Governs Every Chart Access
Under 45 CFR § 164.514(d), your clinic must make reasonable efforts to limit PHI access to the minimum necessary to accomplish the intended purpose. For SLPs, this means accessing only the records relevant to the patient you are actively treating, and only the information you need for the specific clinical purpose at hand.
If you are conducting an initial voice evaluation, you need the referral information, relevant medical history, and prior voice-related records. You do not need to browse unrelated treatment records, prior discharge summaries from other specialties, or documentation from providers outside your scope.
If you are a supervisor reviewing a clinical fellow’s session notes for one patient, the minimum necessary standard does not permit accessing other patients’ records through the same process unless you have a direct supervisory role in those cases.
Your EHR access permissions define what the system allows. The minimum necessary standard defines what HIPAA requires. The two are not the same thing, and you are responsible for the second regardless of what the first permits.
Authorization Is Required for Most Third-Party Disclosures
SLPs frequently receive disclosure requests from sources outside the treatment relationship - schools requesting progress reports, employers asking about functional communication capacity, insurance carriers requesting records beyond what was submitted for billing, and attorneys requesting documentation for legal proceedings.
Under 45 CFR § 164.508, a written authorization signed by the patient or their authorized representative is required before releasing PHI to any of these parties, unless a specific Privacy Rule exception applies. The treatment exception at 45 CFR § 164.506(c) permits disclosures to other treating providers - a neurologist co-treating a patient with aphasia, for example - without a separate authorization. But this exception does not extend to schools, employers, attorneys, or family members who are not part of the treatment team.
The authorization must be specific: it must name the recipient, describe the information to be released, and state an expiration date or event. A blanket “release my records” authorization does not satisfy these requirements for an ongoing disclosure relationship.
The Privacy Rule Does Not Create a Treatment Obligation to Share
One of the most common misunderstandings among SLPs is that HIPAA is primarily a disclosure mandate - that it tells you what you must share. In fact, the Privacy Rule primarily restricts what you may share. You are generally permitted to disclose PHI for treatment, payment, and healthcare operations without authorization, but you are not required to disclose it in response to third-party requests even when a patient asks you to. You may disclose only through the clinic’s established authorization process, not informally.
PHI Speech-Language Pathologists Commonly Encounter
SLP-generated PHI covers a wide range of documentation categories:
Evaluation and assessment records contain findings from standardized testing, clinical observation, language and speech samples, voice analysis results, swallowing study interpretations, and cognitive-communication screening outcomes. These records frequently include diagnostic impressions that are among the most sensitive categories of health information.
Session notes and progress documentation track treatment goals, therapy activities, patient response to intervention, and changes in functional communication status. In pediatric settings, these notes also capture parent or caregiver interaction observations, which may incidentally include family health information.
Treatment plans outline the clinical rationale for ongoing services, expected outcomes, and timelines. They are often the records most frequently requested by schools, insurance carriers, and referral sources.
Referral communications include letters and reports sent to or received from physicians, neurologists, otolaryngologists, and other providers. When you receive a referral document, you become a holder of that document’s PHI and are responsible for protecting it.
Telepractice session records in clinics offering remote SLP services include video session logs, digital homework submissions, and any asynchronous communications with patients or caregivers. These records are subject to the HIPAA Security Rule in addition to the Privacy Rule.
High-Risk Situations for Speech-Language Pathologists
Sharing Progress Information With Schools and Teachers
This is the highest-frequency compliance gap for SLPs in outpatient clinical settings. A child’s teacher calls asking for an update on their student’s fluency goals. An IEP coordinator asks for a copy of the child’s evaluation report. A school-based SLP contacts you for coordination notes.
None of these situations permit disclosure without authorization. A teacher’s interest in a student’s progress - however well-intentioned - does not create a treatment relationship. An IEP coordinator is not the patient’s treating provider. A school-based SLP at a different institution is not part of your treatment team unless a formal care coordination relationship has been established in writing.
The correct response is to obtain a signed authorization from the parent or guardian that names the specific school, IEP coordinator, or school-based provider as an authorized recipient, describes the records to be shared, and states the authorization period.
Discussing Patient Status in Shared Clinical Spaces
Outpatient therapy clinics often have multiple providers working in adjacent treatment rooms, shared waiting areas, and common documentation spaces. Verbal discussions about a patient’s diagnosis, prognosis, or session performance within earshot of other patients or the waiting room are impermissible disclosures under 45 CFR § 164.530(c), which requires physical safeguards to prevent incidental disclosure.
This applies to conversations at the front desk about scheduling changes that mention a patient’s treatment type, verbal case consultations in hallways, and therapy activities that produce audible speech or language samples from the patient in a space where others can hear identifying information.
Responding to Informal Requests From Family Members
Parents of adult patients sometimes contact the clinic asking for progress reports or treatment notes. Adult patients, even those with significant communication disorders, retain their own HIPAA rights. Unless the adult patient has designated a personal representative under 45 CFR § 164.502(g), their parents do not have automatic access to their records regardless of the nature of the patient’s disability.
For adult patients who lack capacity to manage their own health information, a legal guardian designation is typically required before family members can access records. The clinic should have a documented process for verifying personal representative status before releasing PHI.
Failing to Safeguard Evaluation Reports Between Sessions
Printed evaluation reports, therapy materials marked with patient identifiers, and session planning documents left visible between sessions - on a desk, in an unlocked drawer, in a shared printer tray - are physical PHI requiring active safeguarding under 45 CFR § 164.530(c). SLPs who move between treatment rooms or clinic locations often handle more paper PHI than other clinical staff. Each handoff point is a potential exposure.
HIPAA Compliance Checklist for Speech-Language Pathologists - 5 Items
- Obtain a signed authorization before releasing records to schools, employers, insurance carriers, or attorneys. Do not release evaluation reports, session notes, or treatment plans based on a verbal request or an informal email from any of these parties, regardless of the stated reason. Route all requests through the clinic’s Privacy Officer or designated authorization process.
- Apply the minimum necessary standard when accessing patient charts. Access only the documentation you need for the specific clinical purpose you are performing. If you are reviewing records to prepare for a swallowing evaluation, you do not need to read through unrelated psychiatric or surgical history unless it is directly relevant to the referral.
- Safeguard all physical PHI including therapy materials, evaluation printouts, and planning documents. Lock or secure any document containing patient identifiers when you leave a treatment room. Do not leave printed evaluation reports in shared spaces, and do not use patient names on materials visible to other patients.
- Verify personal representative status before disclosing records to family members of adult patients. A signed legal guardianship document or a patient-designated personal representative authorization is required. Do not assume a family member’s request is authorized based on their relationship to the patient.
- Route all external disclosure requests through the clinic’s established process. Do not fulfill record requests directly, even when they seem routine. The clinic’s Privacy Officer must review authorization, confirm the request is valid, track the disclosure in the designated accounting log, and coordinate the response.
Training Documentation Requirements
Under 45 CFR § 164.530(b), your clinic must train all workforce members on HIPAA Privacy Rule policies and procedures, and must document that training. For SLPs, training documentation must reflect role-specific content - not just generic HIPAA awareness training.
The clinic must maintain written records of:
- The date each SLP completed initial HIPAA training
- The date and content of any subsequent training when policies changed
- The SLP’s acknowledgment of the clinic’s privacy policies
- Training records for any clinical fellows or supervised staff the SLP oversees
Training documentation must be retained for six years under 45 CFR § 164.530(j). In a small clinic, the Privacy Officer - who may be the practice manager or clinic administrator - is responsible for ensuring these records exist and are current.
If your clinic has not conducted SLP-specific training on authorization requirements, minimum necessary access, and school and employer disclosure rules, that gap needs to be closed before any disclosure request is handled informally.
For a full breakdown of what annual HIPAA training must cover for clinical staff, see annual HIPAA training requirements. For a complete overview of workforce training obligations across roles, visit workforce training resources.