
HIPAA Business Associate Agreement for Physical Therapy Practices

By BAA Generator Editorial  ·  Updated Apr 19, 2026  ·  5 min read


Key Takeaways

Direct answer: Yes — physical therapy practices are HIPAA covered entities. Any vendor that accesses, stores, or processes patient PHI on your behalf must sign a Business Associate Agreement before handling that data. This includes your EMR vendor, billing company, telehealth platform, and IT support provider.

Physical therapy practices handle a significant volume of protected health information — treatment plans, progress notes, functional assessments, insurance records, and scheduling data tied to patient identities. Every vendor that touches that data is a business associate, and every business associate relationship requires a signed BAA under 45 CFR § 164.504(e).

Why Physical Therapy Practices Are HIPAA Covered Entities

Physical therapists who submit claims electronically — whether directly or through a billing company — are healthcare providers engaged in standard HIPAA transactions. That makes their practices covered entities, regardless of the number of therapists or patients involved.

This applies to:

What PHI Does a Physical Therapy Practice Handle?

Patient PHI in a PT context includes treatment plans, progress notes, functional assessments, insurance records, and scheduling data tied to patient identities.

Vendors Physical Therapy Practices Need BAAs With

EMR / Practice Management Systems

WebPT, Clinicient (now part of Raintree), Prompt Therapy Solutions, TheraNest, and similar PT-specific EMRs store your clinical documentation, scheduling, and billing data. All major PT EMR vendors provide BAAs. If you set up your EMR without signing or acknowledging a BAA, contact your vendor's compliance team and request one.

Billing Companies and Clearinghouses

Because PT billing is complex, with authorization requirements, progress note tiers, and insurance-specific coding rules, many practices outsource it. Any billing company that handles your insurance claims must have a signed BAA with your practice. The billing company is the most commonly missed BAA in PT settings.

Telehealth Platforms

Remote PT sessions conducted via video require a HIPAA-compliant platform with a signed BAA. Doxy.me (HIPAA free tier available), Zoom for Healthcare, SimplePractice Telehealth, and TeleHealth by SimplePractice all offer BAAs. Do not use personal FaceTime, standard Zoom free tier, or Google Meet personal accounts for patient sessions.

Outcome Tracking and Exercise Software

Home exercise prescription platforms (HEP2go, MedBridge, Keet Health, Reflexion Health) that store patient-specific exercise data and track outcomes are handling PHI if the data is linked to an identifiable patient. Verify BAA availability before deploying any patient-facing platform.

IT Support Providers

If an IT company has remote access to the computers, servers, or cloud accounts where you store patient records, that IT company is a business associate. This includes managed IT service providers (MSPs) who handle updates, backups, and support. Most MSPs working in healthcare are familiar with the requirement and will have a standard BAA template.


Frequently Asked Questions

Does a solo physical therapist in private practice need a BAA?

Yes. Practice size does not affect BAA requirements. A solo PT using any cloud-based EMR, billing service, or telehealth platform has the same HIPAA obligations as a large PT clinic. The OCR does not provide a small-practice exemption for missing BAAs.

My EMR vendor says they're HIPAA compliant — do I still need to sign their BAA?

Yes. "HIPAA compliant" refers to the vendor's security infrastructure. The BAA is a separate legal contract that creates enforceable obligations about how the vendor handles your patient data. You must execute the BAA — signing the vendor's standard agreement or providing your own — before transmitting any patient data.

What if a billing company won't sign a BAA?

You cannot use that company to process claims that involve patient PHI. A billing company that refuses to sign a BAA is either unaware of their HIPAA obligations (which is itself a red flag) or unwilling to accept liability — neither scenario is acceptable for a vendor who will handle your patients' insurance and clinical data.

Do physical therapy practices need a HIPAA Business Associate Agreement?

Yes — physical therapy practices that transmit health information electronically are covered entities under HIPAA. Any vendor that creates, receives, maintains, or transmits patient PHI on behalf of the practice must sign a BAA. This includes EMR/EHR vendors, billing companies, telehealth platforms, and IT support providers with system access.

What vendors does a physical therapy practice need a BAA with?

Physical therapy practices typically need BAAs with: EMR/EHR systems (WebPT, Clinicient, Prompt Therapy Solutions), billing companies and clearinghouses, telehealth platforms for remote PT sessions, outcome tracking and exercise software that stores patient data, IT support providers with remote system access, cloud storage used for patient records, and scheduling platforms that link patient identity to the practice.

Does a solo physical therapist in private practice need a HIPAA BAA?

Yes. HIPAA applies to all healthcare providers who transmit health information electronically, regardless of practice size. A solo PT using a billing company or cloud-based EMR must have BAAs in place with those vendors. The OCR does not have a small-practice exemption for BAA requirements.

Does a physical therapy practice need a BAA for telehealth?

Yes. Any telehealth platform used to conduct PT sessions with patients transmits PHI and requires a signed BAA. Standard Zoom, FaceTime, and non-healthcare video tools are not HIPAA compliant for PT sessions. HIPAA-compliant options include Doxy.me, SimplePractice Telehealth, and Zoom for Healthcare — all of which provide BAAs.
