What's a Business Associate Agreement and who needs one?

A BAA is a contract you sign with any vendor that creates, receives, maintains, or transmits PHI on your behalf — your EHR, your email host, your telehealth platform, your cloud backup. If a vendor cannot provide a signed BAA, they cannot legally hold PHI for you.

2026 Operator Guide · PT · DPT · Encinitas · San Diego County

HIPAA for Physical Therapists in Private Practice

Q: Do I have to be HIPAA compliant as a private-practice physical therapist?

Yes if you bill insurance electronically (Medicare, commercial, workers comp, auto med-pay), use any EHR or scheduling system, share home-exercise-program videos with patients, store outcome measurements digitally, or offer telehealth PT. The California PT Board (PTBC) assumes you are HIPAA compliant. Cash-only paper-only PT practices in 2026 are extremely rare.

Q: What's the cheapest HIPAA-compliant stack for a solo physical therapy practice?

~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email (Paubox or Hushmail Pro ~$10-13/mo or Google Workspace with BAA) + signed BAAs with every vendor that touches PHI. Telehealth tier if you do telehealth. Total ~$80-150/mo for a solo full-stack.

Q: What gets a small physical therapy practice fined the fastest?

Three things, in order: (1) Texting clients from a personal phone without a BAA-eligible texting service, (2) Sending PHI from a Gmail account that's not Google Workspace with a signed BAA, and (3) Using consumer Zoom or FaceTime for telehealth instead of HIPAA tiers. OCR fines for small practices in 2024-2026 have ranged from $25K to $250K for these patterns.

Q: Do I need a Notice of Privacy Practices?

Yes — every HIPAA Covered Entity must provide a Notice of Privacy Practices (NPP) to each new client and post it on your practice website if you have one. Free template at hhs.gov/sites/default/files/ocr/privacy/hipaa/modelnotices/healthplan-A.pdf. Most EHRs auto-generate one in their intake flow.

Q: Is the OCR really fining small physical therapy practices?

Yes. The OCR publicly enforces HIPAA against small and solo practices, not just big hospital systems. The public enforcement portal at HHS OCR shows the names, dates, and dollar amounts.

Q: Anything California-specific I need beyond HIPAA?

Yes — California Confidentiality of Medical Information Act (CMIA) is stricter than HIPAA in several places, plus CA AB-2013 (AI disclosure) and CCPA/CPRA apply if you hit revenue/data thresholds. California PTBC requires 7-year record retention. CA AB-1612 (telehealth physical therapy) clarified that PT services can be delivered via telehealth across state lines if both states recognize PT compact (CA participates in PT Compact as of 2023). HIPAA + APTA Code of Ethics + PT Practice Act all stack.

Operator-honest answers from a working SEO/AI shop in Encinitas to the questions physical therapists actually ask: when you have to be HIPAA compliant, what to fix this week, what it costs, and which mistakes the OCR fines the fastest. California Physical Therapy Board (PTBC) aligned. No fluff, no scare tactics, no $5K "compliance package" upsell.

Skip to: Fix-This-Week Checklist → $250 Operator Audit (3-5 day signal-quality report)

What's in this page 1 · Do I actually need to be HIPAA compliant? 2 · Physical Therapists-specific risk patterns 3 · The minimum-viable HIPAA stack ($80-150/mo) 4 · The fix-this-week checklist (6 items · <3 hours) 5 · The 3 things that get small practices fined the fastest 6 · California layer (CMIA + AB-2013 + CCPA) + California Physical Therapy Board (PTBC) 7 · Vendor cheatsheet · who signs BAAs cleanly 8 · How SideGuy helps (if you want help) 9 · FAQ

1 · Do I actually need to be HIPAA compliant?

Short answer: yes, in 2026, almost certainly.

You are a HIPAA Covered Entity the moment any one of these is true:

You bill insurance — Medicare, Medi-Cal, commercial, workers comp — through electronic claims.
You use any cloud-based EHR or scheduling system.
You email or text a client anything identifying them as your client.
You use a patient portal for forms, payments, or messaging.
You store notes, intake forms, or treatment plans in cloud software.

Operator translation: if you are running anything besides a 100% cash, paper-records, phone-call-only physical therapy practice in 2026, you're inside HIPAA scope.

2 · Physical Therapists-specific risk patterns

Physical Therapists-specific risk: Movement-assessment video, range-of-motion measurements, gait-analysis recordings, and home-exercise-program (HEP) videos delivered to patients are all PHI. The #1 PT-specific gap: emailing HEP videos from a personal Gmail or sharing via consumer Dropbox · those need BAA-eligible delivery (WebPT video · MedBridge · practice EHR with HEP module).

Physical Therapists-specific vendor notes

PT-specific HIPAA EHRs with BAAs: WebPT (largest PT-specific platform), Clinicient (now WebPT Insight), Heno, Casamba, Practice Perfect, Net Health. For HEP video delivery: MedBridge (with BAA), WebPT HEP, Physitrack (with BAA). For outcome-measurement tools: FOTO, CareConnections — both sign BAAs.

3 · The minimum-viable HIPAA stack ($80-150/mo)

This is the stack most solo and 2-3 clinician physical therapy practices in 2026 actually run:

Layer	Vendor (one of)	Cost / mo	BAA included?
EHR + Notes + Billing	See vendor cheatsheet below	$49-$99	Yes (auto on signup for paid plans)
HIPAA Email	Paubox · Hushmail · Google Workspace + BAA	$10-$25	Yes (Google requires active BAA sign)
Telehealth (if used)	EHR-integrated · Doxy.me · Zoom for Healthcare	$0-$25	Yes — NOT consumer Zoom
Texting / SMS	Spruce · OhMD · EHR portal	$15-$30	Yes
Cloud backup (optional)	Google Workspace · Box for Healthcare	$0-$15	Yes (active BAA required)
Total · solo practice	—	$80-$150/mo	—

Signal: the most common over-spend we see is paying $5K-$20K for a one-time "HIPAA compliance package" or a $300+/mo "compliance platform". For a solo physical therapy practice without 50+ employees, you do not need that. You need 6 contracts, 4 settings, 2 documents, and an annual re-check.

4 · The fix-this-week checklist (6 items · <3 hours)

1. Stop using personal email / consumer Zoom / personal text messages

30 min. Anything sent from yourname@gmail.com with a client's first name + appointment is a HIPAA breach. Upgrade to Google Workspace + BAA, Paubox, or Hushmail. Same for Zoom — switch to Zoom for Healthcare or use your EHR telehealth.

2. Sign BAAs with every vendor that touches PHI

45 min. Make a folder (Drive folder works). Save signed BAA from EHR, email host, telehealth, scheduling, billing service, cloud backup. If a vendor cannot give you a BAA, they cannot legally hold PHI.

3. Publish a Notice of Privacy Practices

20 min. Most EHRs auto-include this in intake flow. If yours doesn't, use the HHS template at hhs.gov · Model NPP. Every new client signs that they received it.

4. Configure 2FA on every account that touches PHI

20 min. EHR · email · cloud storage · password manager. Use authenticator app (Authy · 1Password), not SMS where possible.

5. Encrypt your laptop and phone

10 min. Mac: System Settings → Privacy & Security → FileVault → On. iPhone: 6+ digit passcode auto-encrypts. This converts a stolen laptop from "reportable HIPAA breach" to "stolen laptop" (OCR safe harbor).

6. Write a one-page HIPAA Security Risk Assessment (SRA)

45 min. Required by HIPAA Security Rule. Solo practice = one-page is defensible. Free HHS interactive tool: healthit.gov SRA Tool. Re-do once a year.

5 · The 3 things that get small practices fined the fastest

Pattern	Typical fine range	How to avoid
1. Texting clients from a personal phone	$25K-$100K	Spruce, OhMD, or EHR portal
2. Sending PHI from Gmail (not Workspace + BAA)	$50K-$250K	Workspace + BAA, Paubox, or Hushmail
3. Consumer Zoom or FaceTime for telehealth	$50K-$150K	Zoom for Healthcare or Doxy.me or EHR telehealth
4. No Notice of Privacy Practices on file	$10K-$50K	HHS template + EHR intake flow
5. Lost / stolen unencrypted laptop with PHI	$50K-$300K	FileVault / BitLocker · 10 min one-time

6 · California layer (CMIA + AB-2013 + CCPA) + California Physical Therapy Board (PTBC)

CMIA · California Confidentiality of Medical Information Act — broader than HIPAA in some areas. Civil penalties up to $25K per violation + actual damages.
CA AB-2013 (AI Disclosure) — disclose AI use in your Notice of Privacy Practices (conservative posture).
CCPA / CPRA — applies if you hit thresholds (~$25M revenue OR 100K+ consumers). Most solo practices fall below.
CA breach notification — 72 hours written notification for breaches affecting 500+ records (stricter than HIPAA's 60 days).
California Physical Therapy Board (PTBC)-specific — California PTBC requires 7-year record retention. CA AB-1612 (telehealth physical therapy) clarified that PT services can be delivered via telehealth across state lines if both states recognize PT compact (CA participates in PT Compact as of 2023). HIPAA + APTA Code of Ethics + PT Practice Act all stack.

7 · Vendor cheatsheet · who signs BAAs cleanly

Physical Therapists-specific vendor notes

Category	Vendor	BAA process
Email	Google Workspace	Self-serve in admin console · MUST sign actively
Email	Paubox	Auto with subscription · encrypts outbound by default
Email	Hushmail for Healthcare	Auto with subscription · cheap solo tier
Telehealth	Doxy.me	Auto with any tier · including free
Telehealth	Zoom for Healthcare	Active BAA setup required · consumer Zoom is NOT compliant
Texting	Spruce	Auto with subscription · HIPAA-eligible 2-way SMS
Cloud storage	Google Workspace Drive	Auto if Workspace BAA signed · personal Drive is NOT
Cloud storage	Dropbox HIPAA	Auto with Business plan + BAA · sign actively

8 · How SideGuy helps (if you want help)

SideGuy is a one-operator AI + SEO + compliance shop in Encinitas, CA. For private-practice physical therapists:

Tier	Price	What
SideGuy Hour	$150 one-time	One hour, async-friendly · walk your stack · 2-3 gaps that matter · written one-page fix-list
Operator Audit	$250 one-time	3-5 day signal-quality audit · full setup · written PDF + 30-min walkthrough
Practice Compliance Sprint	$2,000 one-time	10 days · audit + cleanup + missing-document drafts + vendor migrations + re-usable annual SRA

5-min Self-Serve Worksheet (no meeting required) $250 Operator Audit Detail →

9 · FAQ

Do I have to be HIPAA compliant as a private-practice physical therapist?

Yes if you bill insurance electronically (Medicare, commercial, workers comp, auto med-pay), use any EHR or scheduling system, share home-exercise-program videos with patients, store outcome measurements digitally, or offer telehealth PT. The California PT Board (PTBC) assumes you are HIPAA compliant. Cash-only paper-only PT practices in 2026 are extremely rare.

What's the cheapest HIPAA-compliant stack for a solo physical therapy practice?

~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email + signed BAAs. Add telehealth tier if you do telehealth.

What gets a small physical therapy practice fined the fastest?

Texting clients from a personal phone, sending PHI from non-Workspace Gmail, and consumer Zoom for telehealth. OCR fines $25K-$250K.

Do I need a Notice of Privacy Practices?

Yes. Free HHS template. Most EHRs auto-generate one. Every new client signs that they received it.

What's a Business Associate Agreement?

A contract with any vendor that touches your PHI. If a vendor cannot provide one, they cannot legally hold PHI for you.

Is the OCR really fining small physical therapy practices?

Yes. HHS OCR Breach Reports portal shows names, dates, and dollar amounts publicly.

Anything California-specific?

Yes — CMIA, CA AB-2013 AI disclosure, CCPA if you hit thresholds, and California Physical Therapy Board (PTBC) record-keeping rules. California PTBC requires 7-year record retention. CA AB-1612 (telehealth physical therapy) clarified that PT services can be delivered via telehealth across state lines if both states recognize PT compact (CA participates in PT Compact as of 2023). HIPAA + APTA Code of Ethics + PT Practice Act all stack.

Can I use ChatGPT / Claude / AI for note-taking?

Only with a signed BAA from the AI vendor. Anthropic offers BAAs for Claude Enterprise. OpenAI for ChatGPT Enterprise. Google for Gemini through Workspace. Free / consumer tiers do NOT come with BAAs.

Related operator pages

Not legal advice. Operator-grade reference written by working SEO/AI operators in Encinitas, CA. Not attorneys. For licensure-specific or breach-specific questions consult a healthcare attorney. HHS OCR is the federal HIPAA enforcement authority. California enforces CMIA + state-board rules.