HIPAA BAA Requirements for Speech-Language Pathologists

By BAA Generator Editorial  ·  Updated Apr 20, 2026  ·  5 min read

Speech-language pathologists have one of the highest telehealth adoption rates in healthcare — driven by the nature of speech and language services, which often translate well to video delivery, and by geographic access challenges in underserved areas. This makes teletherapy compliance a particularly important issue for SLP practices. Alongside standard HIPAA requirements for documentation and billing, SLPs must navigate the nuances of AAC (augmentative and alternative communication) technology that may sync patient data to cloud services.

Why Speech-Language Pathologists Are HIPAA Covered Entities

SLPs are healthcare providers under HIPAA when they transmit health information electronically in connection with covered transactions. This applies to the majority of practicing SLPs, including those who:

• Operate outpatient private practices billing insurance (Medicare, Medicaid, commercial)
• Work in hospital-based SLP departments that submit electronic claims
• Provide home health SLP services billing Medicare
• Operate telehealth SLP platforms with licensed clinicians
• Work in skilled nursing facilities with SLP services

SLPs who operate entirely on a cash-pay basis without submitting any electronic transactions may fall outside the covered entity definition — but this is rare, and any practice using EHR or billing software should operate as if HIPAA applies.

What PHI Speech-Language Pathologists Handle

SLP practices hold PHI including:

• Evaluation reports covering articulation, language, fluency, voice, and swallowing
• Treatment plans and session notes documenting progress toward communication goals
• Standardized assessment scores linked to patient identifiers
• Referral letters and coordination with physicians and specialists
• Insurance and billing records with diagnosis codes
• Patient demographic information

Vendors SLPs Typically Need BAAs With

SLP Documentation Platforms and EHRs

Therabill, WebPT, SimplePractice, TheraNest, and Fusion Web Clinic are the most commonly used platforms for SLP documentation and practice management. All offer HIPAA BAAs for paying subscribers. SimplePractice and TheraNest are particularly popular among solo SLPs in private practice. WebPT and Fusion are more common in multi-discipline outpatient settings. Initiate the BAA request before entering the first patient record.

Teletherapy Platforms

Teletherapy has become core to SLP practice, particularly for pediatric articulation therapy, adult stuttering treatment, and voice therapy. Teletherapy platforms must sign HIPAA BAAs before being used for patient sessions. HIPAA-compliant options purpose-built for therapy — Doxy.me, Zoom for Healthcare, and platforms like Presence and Telehealth by SimplePractice — offer BAAs. Standard consumer Zoom, FaceTime, and Google Meet do not provide HIPAA BAAs through their free or standard tiers.

AAC Software and Cloud Sync Services

Augmentative and alternative communication (AAC) software (Proloquo2Go, Snap Core First, TouchChat, LAMP Words for Life) is often used as part of SLP treatment for patients with complex communication needs. Many AAC apps offer cloud backup and sync features that store device vocabulary and usage data in the cloud. When these cloud services store data linked to an identifiable patient in a clinical context, they may be handling PHI and require BAA evaluation. Not all AAC vendors have historically prioritized HIPAA compliance — SLPs using these tools in clinical settings should verify BAA availability.

Billing Companies and Clearinghouses

SLP practices that outsource billing must obtain BAAs from billing companies and clearinghouses. These vendors receive claim data with patient diagnoses (ICD-10 codes for communication disorders, dysphagia), dates of service, and insurance information — all PHI requiring protection.

School-Based SLP: FERPA vs. HIPAA

Many SLPs work in school settings, providing services under IEPs (Individualized Education Programs) or 504 plans. The FERPA/HIPAA boundary is the same as for school-based OTs: when therapy records are maintained by the school as part of the student's educational record, FERPA governs and HIPAA's school exception applies. When an SLP bills Medicaid independently for school-based services, HIPAA may apply to those billing records.

The practical implication: school districts generally need data sharing agreements governed by FERPA rather than HIPAA BAAs when sharing student records with SLP contractors. But if the same SLP maintains a private practice and bills Medicaid for their school-based services, they need HIPAA compliance for those billing records alongside their FERPA obligations.

Common Vendor BAA Table for SLPs

Common Compliance Gaps for SLP Practices

The most frequent BAA gaps in SLP settings: (1) using consumer-grade video for teletherapy without realizing it requires a HIPAA-compliant alternative; (2) not evaluating AAC cloud sync services for PHI handling when they are used in clinical contexts; (3) missing BAAs with billing companies because the relationship predates formal compliance awareness; and (4) confusion about the FERPA/HIPAA boundary leading to either non-compliance in school settings or unnecessary complexity in clinical settings.

For a parallel perspective on allied health provider BAA obligations, see our guide on BAA requirements for occupational therapists. For guidance on vendor BAA evaluation, see does your vendor sign a HIPAA BAA.

Frequently Asked Questions

Do speech-language pathologists need HIPAA BAAs?

Yes. SLPs who transmit health information electronically in connection with covered transactions are HIPAA covered entities. They must sign BAAs with every vendor handling PHI on their behalf — including documentation platforms, billing companies, teletherapy tools, and potentially AAC cloud services. Practice size does not reduce this obligation.

What software platforms for SLPs sign BAAs?

Therabill, WebPT, SimplePractice, TheraNest, and Fusion Web Clinic all offer HIPAA BAAs. The BAA must be actively requested — it is not automatically included with a subscription. For AAC software with cloud features, check with the vendor's compliance team, as BAA availability varies by product and plan level.

Does teletherapy for speech require a HIPAA BAA?

Yes. Any teletherapy platform used for SLP sessions must sign a HIPAA BAA before patient sessions begin. Consumer-grade video tools are not HIPAA-compliant for clinical use. HIPAA-compliant options include Doxy.me, Zoom for Healthcare, Presence, and teletherapy features built into HIPAA-compliant EHR platforms.

Does school-based speech therapy require HIPAA BAAs?

Usually FERPA, not HIPAA, governs school-based speech therapy records when the SLP is a school employee and records are part of the student's educational record. However, when an SLP independently bills Medicaid for school-based services, HIPAA may apply to those billing records. SLPs working across both settings should evaluate each record category separately.