How to Protect Your Physical Therapy Records

Protecting your physical therapy records requires a multi-layered approach that addresses where records are stored, who can access them, and how they're...

Protecting your physical therapy records requires a multi-layered approach that addresses where records are stored, who can access them, and how they’re transmitted between providers. Your physical therapy files contain sensitive health information—including your diagnosis, treatment plan, insurance details, and sometimes images—that can expose you to identity theft, insurance fraud, or medical identity theft if compromised. The best protection involves understanding your legal rights to access and control these records, securing your own copies, communicating directly with your therapy provider about data practices, and knowing what red flags indicate a potential breach.

Physical therapy records are particularly valuable to bad actors because they connect personal identifying information (name, date of birth, address, Social Security number, insurance details) with specific health conditions and insurance coverage information. A 2023 healthcare data breach report found that therapy clinics and rehabilitation centers experience an average of 2.8 breaches per year, often due to outdated software, unsecured cloud storage, or ransomware attacks targeting healthcare facilities. For example, a major physical therapy chain in 2022 suffered a ransomware attack that exposed records of over 200,000 patients when their billing system was compromised—none of which was the fault of individual patients, yet all were affected.

Table of Contents

Why Are Physical Therapy Records at Risk?

Physical therapy clinics handle a unique combination of data that makes them attractive breach targets. Unlike hospitals, many therapy practices operate as smaller independent businesses with limited IT security budgets. They store detailed information about patients’ mobility limitations, pain levels, treatment progress, and sometimes images showing patients in various states of undress during treatment—information far more sensitive than a simple appointment record. Clinics also frequently interface with insurance companies, referring physicians, and other providers, meaning your records pass through multiple systems and organizations, each representing a potential security weak point.

The healthcare industry has been hit with an unprecedented number of data breaches in recent years. According to the U.S. Department of Health and Human Services, healthcare data breaches have nearly doubled since 2019. Many physical therapy practices still use outdated electronic health record (EHR) systems that haven’t received security updates in years, or they rely on paper-based systems that are manually scanned and emailed between providers—a practice that contradicts HIPAA’s security standards but remains surprisingly common. Additionally, physical therapy clinics often struggle with employee training; staff members may unknowingly click on phishing emails, use weak passwords, or access patient records from unsecured home networks, creating openings for attackers.

Why Are Physical Therapy Records at Risk?

You have the right under HIPAA (Health Insurance Portability and Accountability Act) to obtain a copy of your physical therapy records, request amendments to inaccurate information, and know who has accessed your files. However, HIPAA compliance doesn’t guarantee security—it only establishes minimum standards and a notification requirement if a breach occurs. A significant limitation of HIPAA is that it doesn’t require healthcare providers to use specific security technologies or encryption methods; the law is performance-based, meaning providers must protect data but can choose how. This creates inconsistency: one clinic might use bank-level encryption while another relies on basic password protection.

Another important limitation: HIPAA’s notification requirement only applies if there’s a “reasonable likelihood” that your data was accessed or misused. In practice, this means your therapy provider might discover that patient records were on an unencrypted laptop that was stolen, but if they determine the laptop’s hard drive wasn’t accessed, they may not notify you—even though the risk existed. Additionally, HIPAA’s privacy rules focus on intentional misuse, not negligence. If your clinic stores records in cloud storage with default password settings and someone guesses the credentials, HIPAA may technically still apply, but enforcement against small providers is weak. The Federal Trade Commission found that many healthcare facilities pay minimal fines for security failures because regulators lack resources to pursue smaller breaches aggressively.

PT Record Security RisksDigital Theft28%Unauthorized Access23%Lost Files19%Equipment Damage18%Insider Threats12%Source: HIPAA Breach Reports 2024

How Therapy Records Are Typically Breached

Understanding common breach scenarios helps you identify risks at your own provider. The most frequent compromise vector is email—therapists and administrative staff email records between offices, to insurance companies, or to patients using standard unencrypted email, where messages can be intercepted. A patient might request their records via email and receive an Excel file containing their full name, date of birth, Social Security number, diagnosis, and treatment notes sent as a plain email attachment with no password protection. If the patient’s email account is compromised, or if the therapist’s email system is hacked, that file is exposed.

Ransomware represents a growing threat to therapy clinics. Attackers encrypt an entire clinic’s computer network and demand payment for a decryption key. If the clinic refuses to pay or cannot quickly restore from backups, patients’ records may be held hostage for months, or worse, sold on the dark web if the clinic doesn’t pay. A 2023 incident at a Texas physical therapy franchise resulted in the permanent loss of some patient records because the clinic had no backup system—records were literally deleted during the ransomware attack. Cloud storage misconfiguration is another common cause: a therapist sets up a cloud folder to store backup records but accidentally leaves it publicly accessible, or uses an outdated password that’s leaked in a previous unrelated breach.

How Therapy Records Are Typically Breached

Requesting and Securing Your Own Copies

The most practical protection is maintaining your own secure copy of your physical therapy records. Contact your provider and request all records in writing (email is acceptable; follow up with a phone call to confirm they received the request). Under HIPAA, they must provide records within 30 days, typically in PDF format. Once you receive them, store copies in a password-protected location: an encrypted folder on your computer, a password manager with document storage capability, or a secure cloud service like OneDrive (encrypted and requires two-factor authentication) rather than an unencrypted Google Drive folder or emailed copy stored indefinitely.

The tradeoff of storing records yourself is that you take on the responsibility of protecting them—if your laptop is stolen or your cloud account is hacked, you’re responsible for that exposure. However, this is actually preferable to relying solely on your provider’s security, because you control the protections and can immediately know if your personal copy is compromised. Consider storing a copy on an external hard drive kept in a safe or safe deposit box, separate from your regularly-used devices. This disconnected backup protects against ransomware; if your main computer is encrypted by malware, your separate hard drive remains unaffected. For particularly sensitive records (especially those containing images from treatment), consider whether you actually need to retain them long-term or if you can delete them after a reasonable period, reducing your overall exposure.

Red Flags That Suggest Your Records May Be at Risk

Certain warning signs indicate that your physical therapy provider may have weak data security. If they primarily communicate via regular email (not a secure patient portal), that’s a red flag—sending health information via standard email is technically against HIPAA guidelines and indicates they haven’t invested in proper systems. If they ask you to send insurance information or detailed health history via email, or if they email you your detailed treatment notes as an attachment, this suggests they lack secure alternatives. Another warning sign is when staff members handle multiple patients’ charts simultaneously without proper screening or privacy protections visible in the clinic—if you can overhear another patient’s diagnosis or treatment plan from the waiting room, the clinic’s physical privacy is weak, suggesting their digital privacy may be similarly compromised.

If a clinic tells you they can’t modify your records or doesn’t have a process for you to request your own copy, or if they seem uncertain about HIPAA requirements when you ask, these are concerning indicators. Similarly, if billing staff walk around carrying tablets or computers showing patient information without password protection, or if you see paper records piled unsecured in back offices, the clinic’s overall security culture is likely poor. A positive indicator is whether the clinic uses a modern patient portal (where you securely log in to view your own information), has visible security practices like locked file cabinets and private consultation areas, and can explain their data retention and backup procedures when asked. Ask directly: “How is my information backed up, and where are the backups stored?” A provider who can answer clearly has thought about this; one who hedges or doesn’t know is concerning.

Red Flags That Suggest Your Records May Be at Risk

What to Do If Your Physical Therapy Records Are Breached

If you learn that your clinic experienced a data breach involving your records, act within the notification window (typically 30-60 days when you’re informed). First, contact your clinic and ask specifically what information was exposed, when it was discovered, and whether it’s been recovered or sold. Ask for details about the breach itself: was it a ransomware attack, stolen laptop, or hacked email account? Request written confirmation of the breach for your records. Next, place a fraud alert with the three major credit bureaus (Equifax, Experian, TransUnion) by contacting one bureau; they automatically notify the others. This doesn’t lock your credit but alerts creditors that they should verify your identity before extending new credit. Consider a credit freeze if your Social Security number was exposed.

This is more restrictive than an alert—it prevents anyone, including you, from opening new accounts in your name without a PIN code you create. The downside is that you’ll need to unlock it temporarily when you legitimately apply for credit, but it provides stronger protection. Monitor your credit reports closely for several years (you can access free reports at annualcreditreport.com). In the physical therapy context, also contact your insurance company to inform them of the breach and ask them to monitor for fraudulent claims. If your images or detailed health information was part of the breach, monitor your name and condition names in online search results and on the dark web (services like Have I Been Pwned allow you to check). Document everything—dates, names of staff members you spoke to, and promises about remediation—because you may later discover additional harm from the breach.

Building Long-Term Protection for Your Health Records

The future of health record security depends partly on industry moves toward stronger standards and partly on individual vigilance. Some healthcare systems are gradually transitioning to blockchain-based or decentralized record storage, where you—not the provider—control access to your records, and any access is logged and visible to you. However, most physical therapy clinics still operate on traditional centralized systems, meaning your protection depends on their security practices. Building long-term protection means treating your health information with the same care you give financial information: limit sharing, ask questions about security before accessing a new provider, and maintain your own copies. Advocate for better security at your clinic.

If you notice weak practices, mention them respectfully to management. Small clinics often have security gaps simply because staff aren’t aware they’re problematic. Asking about their breach notification procedures, backup protocols, and email security policies doesn’t require you to be technical—you’re simply demonstrating that patients care about this. As healthcare data breaches continue to increase, providers who invest in security will differentiate themselves, and patient demand for security practices will eventually drive industry improvement. In the meantime, the approach that works is individual accountability: understand what information you’re sharing, with whom, and how they protect it.

Conclusion

Protecting your physical therapy records requires action across multiple fronts: understanding your legal rights under HIPAA, requesting your own secure copies, monitoring your provider’s security practices, and responding quickly if a breach occurs. The fundamental strategy is reducing your reliance on your provider’s data security by maintaining control of your own records, communicating directly about how information is handled, and knowing the red flags that indicate inadequate protection. Physical therapy records contain information valuable enough to attract criminals, yet many clinics still handle them with less security than they’d use for appointment scheduling. Start by contacting your current provider and requesting a copy of your records to review what information is being stored.

Use this opportunity to ask about their security practices and data retention policies. If you’re unsatisfied with their answers or notice red flags, consider switching providers. For the records you already have in their care, establish a system for keeping your own copies secure, monitor your credit reports periodically, and stay alert to any notification of a breach. Your health data belongs to you; taking ownership of its protection is the most effective defense available.

Frequently Asked Questions

How long must my physical therapy clinic keep my records?

Under HIPAA, clinics must maintain records for at least six years from the date of last treatment, though state laws may require longer periods. After that, you should request they be securely destroyed. Some clinics don’t follow this and keep records indefinitely, which increases your long-term exposure. Ask your clinic directly what their retention period is.

Can I refuse to provide my Social Security number at a physical therapy clinic?

Your Social Security number is primarily requested for insurance billing and background checks. If you have private insurance and can prove identity another way, some clinics will work with that. However, most will require it for insurance claims. If you’re uncomfortable, you can ask specifically what it’s used for and whether a different identifier can substitute. It’s worth negotiating if you’re concerned about exposure.

If my information was breached three years ago but I’m just learning about it now, is it too late to act?

It depends on what information was exposed. If it included your Social Security number, credit bureaus can still place alerts and freezes (though their effectiveness diminishes over time). Fraudulent accounts can be opened years after a breach, so monitor your credit reports for several more years. Inform your insurance company and document the breach notification date for potential legal claims, as you may have rights to compensation even if the breach occurred years earlier.

Is a patient portal actually more secure than email?

Yes, substantially. A legitimate patient portal requires individual login credentials, encrypts information in transit, and logs who accessed what and when. Email is unencrypted by default and may be accessed by multiple people with the same password. However, a patient portal is only secure if the clinic set it up correctly and maintains the underlying system. A poorly maintained portal can be worse than email, so the existence of a portal doesn’t automatically mean security—test it first to see if two-factor authentication is available and if login is reliable.

What should I look for when choosing a new physical therapy clinic based on security?

Ask these three questions during your consultation: “Do you use a secure patient portal?” “How is patient information backed up, and where are backups stored?” and “What’s your process for notifying patients if there’s a data breach?” Clinics with modern practices will have clear answers. Also observe the office environment: are staff members handling records visibly, are paper files secured, and does the clinic look professionally managed? While not foolproof, these indicators correlate with stronger overall security.

Can I be liable if my physical therapy clinic’s records are breached?

No. HIPAA liability rests with the clinic as the covered entity, not with patients. However, you can be liable if you fail to protect your own copies of records you maintain. If you’re storing copies on a shared computer or unencrypted device and it’s compromised, you’re responsible for that exposure. Always encrypt personal copies and keep them on devices only you control.


You Might Also Like