SLP HIPAA Compliance: Cloud, Schools, Teletherapy & PHI Security
HIPAA in Your PJs (or Post-School Hours)
Making Sense of Cloud Services and Compliance for SLPs
Hey SLP fam! Let's talk about something that might make your brain do a little loop-de-loop: HIPAA compliance. Whether you're rocking the teletherapy life from your home office, hustling in a school building, or bringing a stack of papers (or digital files!) home to tackle after hours, you're dealing with sensitive information.
Full disclosure: I recently had a bit of an "aha!" moment (or maybe more of an "uh-oh!" moment) when I realized my free Google account I'd set up for my business wasn't exactly HIPAA-compliant for handling student info. And that got me thinking... if I was a bit fuzzy on this, how many of us are? Especially when we step outside the secure walls of our schools or clinics?
It turns out, even when you're comfy in your PJs or working from your kitchen table after school, you're still 100% responsible for protecting your clients' (or, where health information is involved, your students') Protected Health Information (PHI), even from your family members. HIPAA doesn't care if you're in a fancy clinic, a bustling school, or your spare bedroom – the rules are the same for how you handle that information.
To help you navigate this essential topic, I've even created a free worksheet to guide you in developing your own HIPAA policies and procedures for your home-based work environment!
Let's break down some key areas, with a special spotlight on those cloud services many of us use daily.
The Cloud Conundrum: Google, Microsoft 365, and the BAA
This is where it gets real. Many of us use Google Workspace (Gmail, Docs, Drive) or Microsoft 365 (Outlook, Word, OneDrive) for our personal lives, and our schools or districts often use them too. They're super convenient, right? But here's the kicker: your free Google or Microsoft account is NOT HIPAA compliant for handling PHI. Full stop.
Why? Because for a service to be HIPAA compliant when dealing with PHI, you must have a Business Associate Agreement (BAA) with them. A BAA is a legally binding contract that outlines how a third-party service provider (like Google or Microsoft) will protect PHI on your behalf. Without one, you're on shaky ground.
So, what about districts using Google Workspace or Microsoft 365? This is a critical point. While most paid educational plans (often covered by FERPA – the Family Educational Rights and Privacy Act, which governs educational records) offer robust privacy, FERPA compliance doesn't automatically mean HIPAA compliance for you. PHI in a school setting often includes health diagnoses, medical history, or therapy notes related to health conditions.
While these are typically considered education records under FERPA, as an individual SLP, if you bill Medicaid or other health plans, you are a HIPAA Covered Entity. This means the specific health information you handle is subject to HIPAA regulations, even within a FERPA-governed school environment.
For a district's Google Workspace or Microsoft 365 environment to be HIPAA compliant for PHI, they need to have specifically configured their accounts for HIPAA and, crucially, have signed a BAA with Google or Microsoft for that specific enterprise-level service.
"Administrators must review and accept a BAA before using Google services with PHI. See what Google Workspace products can be used for HIPAA compliance in the HIPAA Included Functionality." (Google, HIPAA Compliance with Google Workspace and Cloud Identity)
Your takeaway: Don't assume. If you're using a district's cloud services for anything that involves PHI (even if it's just student names and health-related goals within an IEP), it's your responsibility to confirm that the district has a BAA in place with their cloud provider for that specific service. And critically, confirm that the specific features and services you use are explicitly covered by that BAA. If they are not, or if no BAA is in place, you need to adjust your practices. This might mean only using district-approved, HIPAA-compliant EHRs, purchasing your own subscription, or keeping PHI in secure local storage on an encrypted device, working with offline tools such as the free LibreOffice Suite (see Technical Safeguards below).
Fortunately, I'd been super cautious and hadn't used my personal accounts frequently for student information, but it was a good wake-up call!
Beyond the Cloud: Other Key Considerations for HIPAA Happiness
While cloud services are a big piece of the puzzle, let's not forget the other vital aspects of keeping PHI safe, whether you're working at school or from home:
- Risk Analysis (aka "Playing Detective with Your Practice"): Before you even start working remotely or bringing files home, take a good look at your home setup. Where are the potential weak spots? Is your home Wi-Fi secure? Are your personal devices encrypted? Could your nosy family member or roommate accidentally see your screen? Identify these risks and make a plan to fix them. Document everything!
- Policies and Procedures (Your Personal HIPAA Rulebook): You're the boss of your home workspace, so write down your rules! How do you handle PHI on your personal devices? Where do you store it? What's your plan if something goes wrong (a "breach")? Having these written policies keeps you consistent and gives you a roadmap in a pinch. You should also be intimately familiar with your district's HIPAA policies.
- Workforce Training (Yes, You're the Workforce!): Even if it's just you, train yourself! Stay up-to-date on HIPAA and your own policies. And guess what? Document that training too!
- Business Associate Agreements (BAAs) - The BAA Buzz: We talked about this with cloud services, but it applies to almost any third-party service you independently contract that touches PHI. Your teletherapy platform (if you use one), your EHR, your billing service, even encrypted email services – they all need a BAA. Beware of "free" versions of platforms; they usually do NOT offer BAAs.
- Incident Response Plan (Your "Oh Crap" Protocol): What if your personal laptop gets stolen? What if you accidentally email PHI to the wrong person? Have a clear plan for what to do: contain the issue, investigate, notify affected individuals (and potentially HHS), and prevent it from happening again. Your district should also have a plan; know it!
- Physical Safeguards (Lock it Up!): Your home workspace needs to be private. Close the door, position your screen away from prying eyes, and lock up any physical paper records. Shred what you don't need securely when you're done! Never leave PHI visible or accessible to others in your home.
- Technical Safeguards (Your Digital Fort Knox):
  - Encrypt EVERYTHING: All devices (laptops, desktops, external drives, mobile devices) used to store or access PHI must be encrypted. This is your best friend if a device is lost or stolen.
  - Strong Passwords & MFA: Use complex, unique passwords, and enable multi-factor authentication (MFA) everywhere you can for accounts that contain PHI.
  - Antivirus/Firewall: Keep your software updated and your firewalls active.
  - Secure Network: Use a strong, secure home Wi-Fi connection. NEVER handle PHI on public Wi-Fi. If connecting to your school's network from home, always use their provided VPN if available.
  - HIPAA-Compliant Platforms: If you provide teletherapy, use platforms specifically designed for HIPAA compliance, with end-to-end encryption and a BAA.
  - Secure Communication: Stick to secure messaging within your EHR/school system or encrypted email for PHI. Avoid regular email, WhatsApp, or FaceTime for anything confidential.
A Crucial Note on "De-identification" and AI Tools
Here's a big one that's becoming more relevant with the rise of AI: 🚧simply removing a client's or student's name or a few obvious identifiers does NOT make the information safe to use🚧 with non-HIPAA compliant services, including general-purpose AI tools like Gemini or ChatGPT, or even education tools like MagicSchool.ai.
HIPAA has very specific and stringent rules for what constitutes truly "de-identified" information. It's far more complex than just deleting a name. If you use PHI, even seemingly "de-identified," with a service that doesn't have a BAA and isn't designed for PHI, you're risking a breach. This means:
- Do NOT copy/paste session notes, IEP sections, or any other PHI, even with names removed, into general AI tools like Gemini, ChatGPT, or other free online summarizers to help you write notes, develop goals, or for any other purpose. These services do not typically offer BAAs and are not designed to protect PHI.
- The data you input into these tools can become part of their training data, meaning your client's potentially re-identifiable information could be exposed or used in ways you can't control.
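To show concretely why "I deleted the name" falls short, here is a small added example (my own illustration for this post, not a tool from HIPAA, Google, or any vendor). HIPAA's Safe Harbor method (45 CFR 164.514(b)(2)) lists 18 categories of identifiers that must all be removed; the script below scans a constructed session note, with the student's name already stripped, for a handful of those categories (dates, phone numbers, email addresses, ZIP codes, record numbers, ages over 89) and reports what is still there. The note text, the pattern set, and the function names are all constructed for this example; a clean result from a scan like this is a necessary check, never a sufficient one, and it does not make text safe to paste into a service without a BAA.

```python
"""
Added example, not from the original post: why removing a name does not
de-identify a note under HIPAA's Safe Harbor method (45 CFR 164.514(b)(2)).
Scans text for a SUBSET of the 18 Safe Harbor identifier categories and
reports what remains. Teaching aid only, not a de-identification tool.
"""
import re
from typing import Dict, List

# Patterns for a few Safe Harbor categories (constructed for this example;
# real de-identification needs the full list and expert review).
PATTERNS = {
    "date (any element other than year)": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"                       # 03/14/2024
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
        r"[a-z]*\.? \d{1,2}(?:, \d{4})?)\b",                   # March 14, 2024
        re.IGNORECASE),
    "telephone number": re.compile(
        r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),      # (555) 010-9876
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "geographic unit smaller than a state (ZIP code)": re.compile(
        r"\b\d{5}(?:-\d{4})?\b"),
    "medical record / account number": re.compile(
        r"\b(?:MRN|MR#|ID|Acct)\s*[:#]?\s*\d{4,}\b", re.IGNORECASE),
    "age over 89": re.compile(
        r"\b(?:9\d|1\d{2})[- ]?(?:years?[- ]old|y/?o)\b", re.IGNORECASE),
}


def residual_identifiers(text: str) -> Dict[str, List[str]]:
    """Return {category: [matched strings]} for every checked category still present."""
    found: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            found[category] = hits
    return found


def passes_scan(text: str) -> bool:
    """True only if none of the checked categories appear. Necessary, never sufficient."""
    return not residual_identifiers(text)


# Constructed sample note: the student's name is already removed, as many
# people assume is enough before pasting into an AI tool.
NOTE_NAME_REMOVED = (
    "[Student] seen 03/14/2024 for articulation therapy. Born 4/02/2017, "
    "MRN 1048213. Mother can be reached at (555) 010-9876 or "
    "parent.example@example.com; family lives in the 97201 area. "
    "Producing /r/ in 60% of trials; continue goal."
)

# Constructed rewrite of the same note with those categories generalized away
# (year only, no contact details, ZIP withheld). Still review before sharing.
NOTE_GENERALIZED = (
    "[Student] seen in 2024 for articulation therapy, age 7. "
    "Guardian contact is on file; ZIP withheld. "
    "Producing /r/ in 60% of trials; continue goal."
)

if __name__ == "__main__":
    for label, note in (("name removed", NOTE_NAME_REMOVED),
                        ("generalized", NOTE_GENERALIZED)):
        leftovers = residual_identifiers(note)
        print(f"{label}: {'no checked identifiers found' if not leftovers else ''}")
        for category, hits in leftovers.items():
            print(f"  still contains {category}: {hits}")
```

Running it shows the name-stripped note still carries two dates, a phone number, an email address, a ZIP code and a record number, any one of which keeps it inside HIPAA's definition of PHI; the generalized rewrite passes this partial scan, which is the point at which a human reviewer, not a regex, decides whether anything else could re-identify the student.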
Ready to Fortify Your Home Office?
Developing comprehensive HIPAA policies and procedures can feel daunting, but it's a crucial step in safeguarding your clients'/students' PHI. To make it easier, I've created a free, actionable worksheet to guide you through identifying your unique risks and writing down your specific policies for working from home.
Sign up to Download Your Free HIPAA Home Office Policies & Procedures Worksheet!
The Bottom Line
Navigating HIPAA can feel overwhelming, but it's crucial for protecting our clients/students and our professional integrity. Take it step-by-step. Conduct that risk analysis, get those BAAs in place for any services you control, and secure your devices and workspace. Always defer to and understand your district's policies first and foremost.
It's a journey, not a destination, so stay informed and don't be afraid to consult legal counsel or your district's HIPAA compliance officer if you have specific questions about your practice.
What are your biggest HIPAA challenges as an SLP, whether in a school or teletherapy setting? Is there anything you'd like to know more about? Share your thoughts in the comments below!
Want to know more? Check out The BAA Lowdown: Your Must-Have HIPAA Contractual Shield
Coming up next - an 8-part series on AI & SLPs!
Remember, you are awesome because you do the best with what you know – and taking steps toward HIPAA compliance is truly doing your best for your clients. Keep up the amazing work!
Mrs. Speech