Speech therapy practices that operate outside hospital systems or large group practices face the same HIPAA obligations as any other covered entity, with less administrative infrastructure to support them. A practice with two or three therapists and an office administrator handles the same Privacy Rule, Security Rule, and Breach Notification Rule requirements as a 200-person clinic — the rules do not scale down with practice size.
PHI Risks Specific to Speech Therapy Practices
Session documentation and progress notes. Every session note links a patient to a diagnosed condition — a speech disorder, swallowing difficulty, fluency disorder, or language delay. These records are PHI and must be protected in storage and during transmission to referral sources, schools, or insurance companies.
Evaluation reports. Comprehensive speech and language evaluations contain detailed clinical findings, standardized test scores, and functional recommendations. These reports are frequently requested by schools, other therapists, and insurers. Each external transmission requires a valid authorization or a documented treatment, payment, or operations purpose.
School-district referrals and the HIPAA-FERPA boundary. Many private speech therapy practices receive referrals from public school districts under IEP arrangements. The legal framework here is genuinely complex.
SLPs who are employed directly by a public school operate under FERPA, not HIPAA. FERPA governs education records at schools that receive federal funding, and when an SLP is a school employee, the records they create are education records under FERPA — HIPAA does not apply to those records.
Private SLP practices contracting with schools are in a different position. Records the school holds about a student are FERPA records. Records the private practice creates about that same student while providing contracted services are typically HIPAA records — they are created by a covered entity in the course of providing healthcare services. The distinction matters for disclosure rules, parent access rights, and breach notification obligations.
The practice should have a documented policy — reviewed by counsel — for handling records that span this boundary. HHS and the Department of Education have published joint guidance (linked in the sources above) addressing this overlap.
Telepractice PHI. Speech therapy delivered via telehealth involves transmitting real-time audio and video of clinical sessions, which may include a patient demonstrating communication difficulties. The platform used must meet Security Rule requirements, and any vendor providing the platform is a business associate.
Pediatric records and parent authorization. Speech therapy practices serving pediatric patients must manage parent or guardian authorization for PHI disclosures, while also tracking when adolescent patients may have independent authorization rights under applicable state law.
Common Compliance Gaps
Small speech therapy practices most often identify two gaps: no documented minimum necessary policy for what to include when faxing records to schools or referring physicians, and training documentation that exists only as a sign-in sheet rather than as a per-employee record that documents the training content.
What PHIGuard Provides
PHIGuard is configured by a practice administrator and does not require technical staff. The platform provides:
- Training tracking per 45 CFR 164.530(b), with per-employee completion records
- Incident log with guided breach risk assessment per 45 CFR 164.402
- BAA tracking for telepractice vendors, billing companies, and school-district relationships
- Policy and risk analysis templates for annual Security Rule documentation
- Immutable audit trail on all compliance records
Pricing is per practice, not per therapist. Essentials at $99/month, Clinic at $249/month, Group at $499/month. See plan details and tier limits, or visit the HIPAA compliance overview for background on the Privacy Rule requirements that apply to speech therapy practices.