HIPAA Business Associate Agreement for Physical Therapy Practices
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ PT practices that transmit health information electronically in connection with standard transactions (e.g., insurance claims) are HIPAA covered entities
- ✓ EMR vendors, billing companies, and telehealth platforms all require signed BAAs
- ✓ Solo PT practices have the same BAA requirements as large multi-location clinics
- ✓ Standard video conferencing tools (Zoom free, FaceTime) are not HIPAA compliant for patient sessions
- ✓ Missing a BAA is a direct HIPAA violation, regardless of whether a breach occurred
Physical therapy practices handle a significant volume of protected health information: treatment plans, progress notes, functional assessments, insurance records, and scheduling data tied to patient identities. Every vendor that creates, receives, maintains, or transmits that data on the practice's behalf is a business associate, and every business associate relationship requires a signed BAA before any PHI is disclosed, under 45 CFR § 164.502(e) and § 164.504(e).
Why Physical Therapy Practices Are HIPAA Covered Entities
Physical therapists who submit claims electronically — whether directly or through a billing company — are healthcare providers engaged in standard HIPAA transactions. That makes their practices covered entities, regardless of the number of therapists or patients involved.
This applies to:
- Solo PT practitioners in private practice
- Multi-therapist outpatient PT clinics
- Hospital-based and rehabilitation-center PT departments
- Home health physical therapy providers
- Sports medicine and orthopedic PT practices
- Pediatric physical therapy practices
What PHI Does a Physical Therapy Practice Handle?
Patient PHI in a PT context includes:
- Patient demographics (name, address, date of birth, insurance ID)
- Physician referrals and diagnosis codes (ICD-10)
- Evaluation reports, functional assessments, and treatment plans
- Progress notes documenting patient response to therapy
- Home exercise program data tied to individual patients
- Insurance authorization records and EOBs
- Appointment scheduling data linked to patient identity
Vendors Physical Therapy Practices Need BAAs With
EMR / Practice Management Systems
WebPT, Clinicient (now part of Raintree), Prompt Therapy Solutions, TheraNest, and similar PT-specific EMRs store your clinical documentation, scheduling, and billing data. All major PT EMR vendors provide BAAs. If you set up your EMR without signing or acknowledging a BAA, contact your vendor's compliance team and request one.
Billing Companies and Clearinghouses
Because PT billing is complex (authorization requirements, progress note tiers, and insurance-specific coding rules), many practices outsource it. Any billing company or clearinghouse that handles your insurance claims must have a signed BAA with your practice. The billing company is one of the most commonly missed BAAs in PT settings.
Telehealth Platforms
Remote PT sessions conducted via video require a platform whose vendor will sign a BAA and that is configured according to that vendor's HIPAA guidance. Doxy.me (HIPAA free tier available), Zoom for Healthcare, and SimplePractice Telehealth all offer BAAs. Do not use personal FaceTime, the standard Zoom free tier, or personal Google Meet accounts for patient sessions: consumer and free tiers do not come with a BAA, so using them for sessions is a disclosure of PHI to a vendor with no contractual obligations.
Outcome Tracking and Exercise Software
Home exercise prescription platforms (HEP2go, MedBridge, Keet Health, Reflexion Health) that store patient-specific exercise data and track outcomes are handling PHI if the data is linked to an identifiable patient. Verify BAA availability before deploying any patient-facing platform.
IT Support Providers
If an IT company has remote access to the computers, servers, or cloud accounts where you store patient records, that IT company is a business associate. This includes managed IT service providers (MSPs) who handle updates, backups, and support. Most MSPs working in healthcare are familiar with the requirement and will have a standard BAA template.
Generate a BAA for your PT practice
Preview the full BAA structure free, or pay $49 one-time to get a clean, signable PDF and editable Word file with your actual practice and vendor information. No subscription required.
Frequently Asked Questions
Does a solo physical therapist in private practice need a BAA?
Yes. Practice size does not affect BAA requirements. A solo PT using any cloud-based EMR, billing service, or telehealth platform has the same HIPAA obligations as a large PT clinic. OCR does not provide a small-practice exemption for missing BAAs.
My EMR vendor says they're HIPAA compliant — do I still need to sign their BAA?
Yes. "HIPAA compliant" refers to the vendor's security infrastructure. The BAA is a separate legal contract that creates enforceable obligations about how the vendor handles your patient data. You must execute the BAA — signing the vendor's standard agreement or providing your own — before transmitting any patient data.
What if a billing company won't sign a BAA?
You cannot use that company to process claims that involve patient PHI. A billing company that refuses to sign a BAA is either unaware of their HIPAA obligations (which is itself a red flag) or unwilling to accept liability — neither scenario is acceptable for a vendor who will handle your patients' insurance and clinical data.