HIPAA for Massage Therapists

HIPAA for Massage Therapists – Just do it.

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to help protect the privacy of patients, especially when health care professionals use electronic billing, fax and email to send information back and forth. There is a lot of confusion over whether a massage therapist has to implement HIPAA and whether or not they are a covered entity.

Just do it. Protect clients’ health information. It’s the ethical thing to do.

The 18 identifiers that make health information PHI are:

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (i.e. retinal scan, fingerprints)
  • Any unique identifying number or code

To find out if you need to be HIPAA compliant you can go to the US Dept of Health website, which says:

A Covered Entity is one of the following: A Health Care Provider… but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

You can also look at the PDF, but here is what it basically says:

Does the person, business or agency transmit (send) any covered transactions electronically? If NO, then it says the person is not a covered entity.

So the question then is: what is a covered transaction? They explain it clear as mud in the PDF.

In the book Introduction to Massage Therapy by Mary Beth Braun, she says this about a covered transaction:

Covered transactions include using any electronic means to transmit a person’s health insurance information such as claims, enrollment, eligibility, explanation of benefits (EOB), premiums, claims status, referral certification, or authorization, and coordination of plan benefits. If your business performs any transactions electronically (computer, electronic media storage, email, internet, personal data assistants etc.), then your business is considered to be a covered entity.

Cherie Sohnen-Moe, in this Massage and Bodywork Magazine article, also says that even if you don’t send things electronically, you need to be HIPAA compliant:

When you maintain client records, gather information from a client, engage in oral communication or transmit records (whether electronic or not), you are considered a covered entity.

If you work for or with doctors or other healthcare providers who are HIPAA compliant, you also have to be compliant.

There are also many state privacy laws that are stricter than HIPAA. Implementing HIPAA is just good practice whether or not you are legally required to.

When I took classes in HIPAA, the attorney who taught it said:
“Oh vey… are you still asking if you need to be HIPAA compliant and questioning whether or not you need to be compliant?”

It is really the best way to be sure that your practice upholds the strictest security and privacy laws and rules and protects clients to the best of your ability.

Steps to HIPAA Compliance

To be HIPAA compliant you will need to create a manual for your office that gives the details of what you will do with clients’ information under various circumstances. You will need to have clients sign your HIPAA policy and let them know of any changes in the way you will use or secure their information.

So what do you need to do to become HIPAA compliant?

  • You need someone in your office to be in charge of this (YOU!) and create a manual. If you hire people to work for you, they need to be aware of the rules.
  • Create privacy policies on how you will keep personal health information private.
  • Install locks on your computer and file cabinets.
  • Create a privacy notice for email/text communications.
  • Give each client a Notice of Privacy Policies form to sign.
  • Don’t let clients see your appointment books with the names of other people.
  • Get a National Provider Identifier (NPI) (directions from Vivian Madison Mahoney on Massage Today) so that you can bill electronically.
  • If you collect people’s email addresses on your intake form, tell them how you will be using them.
  • If you plan on selling your business, you will need to ensure privacy is maintained with the new owner.

Get the latest information and details on implementing HIPAA in your massage business in my book, Massage Insurance Billing Manual (2019).

Articles online:

An Update on HIPAA: Living the Law, by Cherie Sohnen-Moe. Originally published in Massage & Bodywork magazine, December/January 2004.

HIPAA recommendations by Susan Salvo on Massageprofessionals.com

What You Need to Know About HIPAA Requirements, by Gregg Neely, Massage Magazine

Does Your Scheduling Software Need to Be HIPAA Compliant? Massage and Bodywork Magazine

Is Your Massage Therapy Intake Form Compliant? Discovery Point School of Massage

HIPAA for Professionals from HHS