HIPAA Compliance for Cash-Based Physical Therapy Practices: Essential Guidance for 2025

October 11, 2025 | 5 min read

Many physical therapists running cash-based practices assume HIPAA does not apply to them. Without insurance billing, electronic claims submissions, or involvement in standard HIPAA-covered transactions, federal privacy rules can seem irrelevant. However, that assumption can be risky.

A true cash-only practice may not qualify as a “covered entity” under HIPAA, but it can still take on HIPAA obligations: directly, if it ever conducts a standard electronic transaction, or as a business associate when it handles protected health information (PHI) on behalf of a covered entity under a business associate agreement (BAA). State privacy laws also often mirror or exceed HIPAA requirements, which makes strong data protection essential for maintaining patient trust and avoiding liability.

This guide clarifies HIPAA’s scope for cash-based physical therapists, highlights common compliance mistakes, and outlines practical steps based on U.S. Department of Health and Human Services (HHS) guidance and current enforcement trends.


1. Understanding HIPAA’s Scope: Does It Apply to Your Cash-Based Practice?

The Health Insurance Portability and Accountability Act of 1996, strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act and influenced by the 21st Century Cures Act, sets national standards for protecting health information. HIPAA’s Privacy and Security Rules protect PHI: individually identifiable health information that a covered entity or business associate transmits or maintains in any form or medium.

Who Qualifies as a Covered Entity

Under 45 C.F.R. §160.103, a “covered entity” includes any healthcare provider who transmits health information electronically in connection with a transaction for which HHS has adopted a standard, such as claims or eligibility inquiries, whether the provider sends it directly or through a billing service or clearinghouse.

A cash-based physical therapy practice that only accepts out-of-pocket payments and never participates in those electronic transactions is generally not a covered entity, and the HIPAA rules do not apply to it directly.

You can still pick up HIPAA obligations, however, if you:

  • Electronically check a patient’s eligibility or benefits, or submit a claim on a patient’s behalf even occasionally, including through a billing service or clearinghouse; a single such transaction makes you a covered entity

  • Handle PHI on behalf of a covered entity, for example under contract with a hospital, a physician group, or another PT practice; that makes you a business associate, which must sign a BAA (45 C.F.R. §164.502(e)) and is directly liable under the Security Rule

Once you are covered, the tools you already use are where the obligations bite: electronic health records, patient portals, and secure messaging for treatment coordination; PHI sent by email, text, or mobile apps; and vendors that process PHI on your behalf, each of which then needs a BAA. The HIPAA Security Rule applies to electronic PHI (ePHI) held by every covered entity and business associate and requires safeguards such as access control, audit logs, and encryption.

Examples of PHI in a PT setting include:

  • Patient names, phone numbers, and addresses

  • Treatment plans and clinical notes

  • Payment information for therapy sessions

  • Exercise videos, injury photos, or messages that reveal health information

In summary, not billing insurance does not by itself keep you outside HIPAA. A single electronic standard transaction, or a contract to handle PHI for a covered entity, brings your practice under its reach, and the tools you use to handle ePHI are where that reach is felt. Following HIPAA standards is the best way to protect your business and to comply with similar state privacy laws.


2. Common HIPAA Mistakes in Cash-Based PT Practices

Even if your practice is not technically covered by HIPAA, applying its principles reduces the risk of a data breach or privacy complaint. For those that are covered, noncompliance can lead to major penalties.

The most frequent issues include:

1. Using unsecured tools:
For a covered entity, sending or collecting PHI through standard Gmail, iMessage, or Google Forms without encryption in transit and at rest, audit logging, or a vendor BAA falls short of the technical safeguards in 45 C.F.R. §164.312; the free consumer versions of these services are not offered under a BAA at all. Many small practices have suffered data breaches through insecure communication channels of this kind.

2. Combining marketing and PHI:
Using patient contact lists for marketing without written patient authorization violates 45 C.F.R. §164.508(a)(3); the Privacy Rule defines marketing in §164.501 and allows only narrow exceptions such as face-to-face communications. Keep patient communication lists separate from marketing audiences.

3. Missing written policies and training:
HIPAA requires documented privacy and security policies, breach notification procedures (45 C.F.R. §§164.400–414), and workforce training under both the Privacy Rule (45 C.F.R. §164.530(b)) and the Security Rule (45 C.F.R. §164.308(a)(5)). Even if HIPAA does not directly apply, documented procedures show reasonable care under state law.


3. How to Build Compliance Without Overcomplicating It

HIPAA compliance scales with your practice size: the Security Rule’s flexibility-of-approach provision (45 C.F.R. §164.306(b)) lets you weigh size, complexity, cost, and risk when choosing safeguards, but it does not excuse skipping them. The goal is to demonstrate that you take patient privacy seriously, and the first document an auditor asks for is a written risk analysis (45 C.F.R. §164.308(a)(1)(ii)(A)), the required safeguard OCR most often finds missing. The steps below follow HHS guidance.

Step 1: Use secure technology
Select software that encrypts PHI in transit and at rest, keeps audit logs of who viewed or changed records, and, where the vendor will hold PHI for you, signs a BAA. Avoid using consumer apps to collect or send PHI.
(45 C.F.R. §164.312(b) – Audit controls; §164.312(e)(1) – Transmission security)

Step 2: Train your staff
Provide privacy and security training at hire, annually thereafter, and whenever your policies change. Keep a written record of who completed which training and when.
(45 C.F.R. §164.530(b) – Privacy Rule training; §164.308(a)(5) – Security awareness and training)

Step 3: Prepare a breach response plan
Create a documented process for identifying, containing, and reporting data breaches. Notify affected patients without unreasonable delay and no later than 60 calendar days after you discover the breach. If 500 or more individuals are affected, notify HHS within the same 60 days and, when the 500 or more live in one state, prominent media there as well; log smaller breaches and report them to HHS within 60 days after the end of the calendar year.
(45 C.F.R. §§164.400–414 – Breach notification)

Step 4: Control access to PHI
Grant PHI access only to people who need it for their job, and only to the data sets their job needs. Give each user a unique login rather than a shared one, review permissions on a schedule, and remove access immediately when an employee or contractor leaves.
(45 C.F.R. §164.312(a)(1) – Access control, including unique user identification under §164.312(a)(2)(i); §164.308(a)(4) – Information access management)
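The periodic access review in Step 4 is the part most often skipped, so here is an added example of one, written for this page and not taken from DPT Preneur’s platform or from any EHR. It reconciles the user list exported from a PHI system against the HR roster and a minimum-necessary role matrix, and flags departed users whose accounts are still active, orphan accounts with no roster entry, permissions beyond what the role needs, and accounts nobody has logged into for 90 days. The roster, the account list, the role matrix, and every field name are constructed assumptions; in practice the two lists come from your HR records and your EHR’s user administration export.

```python
"""Quarterly PHI access review: reconcile app accounts against the HR roster.

Added example for this article; not code from DPT Preneur or from any EHR vendor.
All data below is constructed sample data and every field name is an assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

# Minimum-necessary role matrix (assumed): the PHI data sets each job actually needs.
# Marketing gets no PHI data sets at all; using patient lists for marketing needs a
# written authorization under 45 C.F.R. 164.508(a)(3).
ROLE_NEEDS = {
    "therapist": frozenset({"clinical_notes", "treatment_plans", "contact_info", "media"}),
    "front_desk": frozenset({"contact_info", "payments"}),
    "marketing": frozenset(),
}


@dataclass(frozen=True)
class Employee:
    email: str
    role: str
    end_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    email: str
    active: bool
    permissions: FrozenSet[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str
    action: str


def review_access(roster: List[Employee], accounts: List[Account],
                  today: date, stale_after_days: int = 90) -> List[Finding]:
    """Return one Finding per problem; an empty list means the review is clean."""
    by_email = {e.email: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.active:
            continue  # already disabled; nothing left to remove
        emp = by_email.get(acct.email)
        if emp is None:
            findings.append(Finding(acct.email, "orphan_account",
                                    "no matching roster entry; disable and investigate"))
            continue
        if emp.end_date is not None and emp.end_date <= today:
            findings.append(Finding(acct.email, "departed_user",
                                    f"employment ended {emp.end_date}; disable immediately"))
            continue  # other problems are moot once the account is gone
        excess = acct.permissions - ROLE_NEEDS.get(emp.role, frozenset())
        if excess:
            findings.append(Finding(acct.email, "excess_permissions",
                                    "remove " + ", ".join(sorted(excess))))
        if acct.last_login is None or (today - acct.last_login).days > stale_after_days:
            findings.append(Finding(acct.email, "stale_account",
                                    f"no login in {stale_after_days} days; confirm the account is still needed"))
    return findings


def run_sample_review() -> List[Finding]:
    """Run the review over constructed sample data as of 2025-10-11."""
    today = date(2025, 10, 11)
    roster = [  # constructed HR roster
        Employee("ana@example-pt.com", "therapist", None),
        Employee("ben@example-pt.com", "front_desk", None),
        Employee("cai@example-pt.com", "therapist", date(2025, 9, 30)),  # left last month
        Employee("dee@example-pt.com", "marketing", None),
    ]
    accounts = [  # constructed export from the EHR's user admin screen
        Account("ana@example-pt.com", True, ROLE_NEEDS["therapist"], date(2025, 10, 10)),
        Account("ben@example-pt.com", True, frozenset({"contact_info", "payments", "clinical_notes"}), date(2025, 10, 9)),
        Account("cai@example-pt.com", True, ROLE_NEEDS["therapist"], date(2025, 9, 29)),
        Account("dee@example-pt.com", True, frozenset({"contact_info"}), date(2025, 6, 1)),
        Account("eve@example-pt.com", True, frozenset({"payments"}), date(2025, 10, 1)),
        Account("intern@example-pt.com", False, ROLE_NEEDS["therapist"], None),
    ]
    return review_access(roster, accounts, today)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.issue:20} {f.email:24} {f.action}")
```

Run it on a schedule and again whenever someone leaves. The departed_user and orphan_account findings are the ones to act on the same day; the saved output, with the date and the actions taken, is itself the written record of the review that an auditor will ask for.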

DPT Preneur’s CRM is built on a HIPAA-compliant foundation with encrypted messaging, secure form collection, automatic backups, and 24/7 support. This allows cash-based PTs to grow with confidence and compliance.


4. Penalties and Real-World Risks

For covered entities and business associates, HIPAA civil money penalties are tiered by culpability, with per-violation amounts and an annual cap per violation category that HHS adjusts for inflation each year (the figures currently in force are listed in 45 C.F.R. §102.3, so check that table before relying on the numbers below). The tiers, with the amounts quoted when this was written, are:

  1. Unknowing violations: $137 to $68,928

  2. Reasonable cause: $1,379 to $137,292

  3. Willful neglect, corrected: $13,785 to $275,000

  4. Willful neglect, uncorrected: $68,928 to $2,073,000

Criminal penalties under 42 U.S.C. §1320d-6 for knowingly obtaining or disclosing PHI in violation of HIPAA start at fines of up to $50,000 and one year in prison, and rise to $250,000 and up to ten years when the offense is committed with intent to sell the information or for commercial advantage, personal gain, or malicious harm.

The larger cost, however, is reputational. In a cash-based model, patient trust drives referrals. A single data breach can undo years of goodwill and credibility.


5. Strengthen Your Practice with DPT Preneur

Many physical therapists have faced audits or complaints because they assumed cash-only status exempted them from privacy rules. DPT Preneur provides integrated, HIPAA-compliant systems that keep your practice secure while maintaining smooth operations.

Our platform offers encrypted communication, secure forms, access management, and automated marketing that keeps PHI out of advertising audiences. You can scale your business while reducing legal and technical risk.

Ready to protect your business and accelerate growth?

Book a DPT Preneur Compliance & Automation Call


Key Takeaway

Even if HIPAA does not technically apply to your practice, using HIPAA standards as your benchmark ensures compliance with overlapping state and federal laws. More importantly, it builds a foundation of trust with your patients, which is the most valuable asset a cash-based PT can have.

Tags: HIPAA, legal compliance, cash-based practice, physical therapy
Dr. R. Brandon Smith is a DPT turned successful entrepreneur and the founder and CEO of DPT Preneur.

Dr. R. Brandon Smith
