Privacy Laws and Protected Health Information

By Lisa Bakewell

Massage and bodywork professionals live in a shadowy gray area when it comes to complying with the 1996 Health Information Portability and Accountability Act (HIPAA). The act protects all “individually identifiable health information” held or transmitted by a covered entity (or its business associate) in any form or media—whether electronic, paper, or oral.
The HIPAA Privacy Rule calls this information protected health information (PHI). And, because PHI may be stored on paper, transmitted electronically, or even conveyed in conversation, national privacy and security requirements come into play.
Individually identifiable health information (including demographics) relates to the past, present, or future health (or condition) of your client; services you provide; payments for services (past, present, or future); and the identification of your clients. Many common identifiers include your client’s name, address, birth date, and Social Security number.
Beginning in 2003, privacy guidelines took effect that govern access to—and distribution of—a person’s PHI. These guidelines are important to massage therapists and bodyworkers because, although they don’t write prescriptions, they use products (and perform services) that may impact a client. Bodywork professionals may also ask clients about their medical histories, which also falls under HIPAA privacy laws.

How Do I Stay in Compliance with HIPAA and PHI?

Although HIPAA privacy laws are not clear where massage and bodywork professionals are concerned, it is best to comply with the law and eliminate potential problems. Those working in similar businesses are required to follow laws regarding the use or disclosure of health information and may provide services to health insurance companies while processing claims.
Technically, massage therapists do not fall into the protected health information (PHI) category, but there seems to be a consensus that they should act as if they do. Following are some areas to consider to maintain compliance with HIPAA privacy laws and, specifically, PHI.

Information Storage

Consider all the places you keep personal client information—including computers, hard copies, and your phone—that would be considered protected health information. Yikes! Right?
Use the following tips to help keep your patient information private.

PHI data on computers:

• Use an antivirus program to prevent attacks on your computer and the records stored on it.
• Use a firewall to block unauthorized access while still permitting outward communication.
• Download/install security updates.
• Use a strong password. (See “Password Tips” below.)
• Use caution when opening emails with attachments.
• Do not open personal email on your business computer.
• Back up your records.

Hard copy files:

• Store records in a location only accessible to you and your employees.
• Shred files that are no longer needed.
• Keep records out of public view.
• After use, return files immediately to the secure location.

PHI data on cell phones:

• Password protect cell phones. A case was settled in June of 2016 where an iPhone containing a vast amount of PHI, including Social Security numbers, treatment and diagnosis information, medications, and more, was stolen. The facility was fined $650,000.[1]
• Store cell phones in a secure location at all times. Unfortunately, if devices containing PHI are not secured, they are subject to the possibility of loss or theft. If the information stored on such devices is not encrypted or password protected, the loss or theft of the device becomes an even more severe issue.
The bottom line is this: PHI records must be secure at all times. Also, if information is going to be transmitted to someone else via computer, cell phone, or hard copy, a consent form should be signed by your client.

Private Conversations

Keep PHI conversations confidential. Make sure you have privacy when conversing about client details. Casual conversation can be more revealing than you realize. Mentioning anything about your clients publicly is disrespectful and shows a lack of professionalism and a disregard for HIPAA requirements.

We Appreciate Feedback …

Research shows that 91 percent of people regularly or occasionally read online reviews, and 84 percent trust the reviews as much as a personal recommendation.[2] What people say about you online matters, and asking your clients to provide service reviews is perfectly legal. Your clients can even mention you or your staff members by name, and they can also provide information about the services they’ve received.

But …

Beware of confirming client statements in online reviews. Confirming the statements in their review also confirms they’re a customer—and may even disclose the types of treatments they received. Saying any more than “We appreciate your feedback” might land you in hot water regarding HIPAA privacy regulations. Confirming they’re a client or even that they had a particular treatment is a way of revealing private and sensitive information. Keep your review responses vague in order to avoid violations.

What is PHI?

To clarify what constitutes protected health information (PHI), listed below are 18 “personal identifiers” that individually—or linked with any other personal identifier—could reveal the identity of an individual, their medical history, or payment history:
• Account numbers
• Certificate or license numbers
• Dates directly related to an individual
• Device identifiers and serial numbers
• Email addresses
• Fax numbers
• Fingerprints, retinal prints, and voice prints
• Full face or any comparable photographic images
• Geographical identifiers
• Health insurance beneficiary numbers
• IP addresses
• Medical record numbers
• Names or parts of names
• Phone numbers
• Social Security numbers
• Any other unique identifying characteristic (tattoos, birthmarks, etc.)
• Vehicle license plate numbers
• Web URLs
Adapted from HIPAA Journal. “HIPAA Explained.” Accessed June 2019.
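As an added example (not part of the article), the following Python scanner flags the identifiers from the list above that have a recognizable shape, so a draft review reply or outgoing message can be checked before it is posted. Names, photos, biometrics and similar identifiers have no fixed pattern and still need a human look; the sample drafts are constructed, not real client data.

```python
import re

# Patterns for the identifier categories from the list above that have a
# recognisable shape. Names, photos, biometrics etc. have no fixed form, so
# this is a first filter before posting, not a complete PHI check.
IDENTIFIER_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone or fax number": re.compile(
        r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web URL": re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def find_phi_identifiers(text):
    """Return {category: [matched strings]} for every category found in text."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
    return found


def is_safe_to_post(text):
    """True when no pattern-shaped identifier was found in the draft."""
    return not find_phi_identifiers(text)


if __name__ == "__main__":
    # Constructed sample review replies (hypothetical, not real client data).
    drafts = [
        "We appreciate your feedback!",
        "Thanks! Glad the 10/02/2019 deep-tissue session helped. "
        "Call 555-123-4567 to rebook.",
    ]
    for draft in drafts:
        hits = find_phi_identifiers(draft)
        verdict = "OK to post" if not hits else "HOLD: " + ", ".join(hits)
        print(f"{verdict}: {draft!r}")
```

A clean result only means none of the listed patterns matched; confirming that someone is a client at all is still a disclosure, as the “But …” section above explains.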

How Do I Protect Myself?

For added protection in complying with HIPAA and PHI regulations, consider waivers and disclaimers.

Disclaimers Add a Layer of Protection

Trying to maintain the confidentiality of your clients may be easier by adding disclaimers to your social media profile—and any other forums you use. For example, if you have a blog, include a disclaimer that tells people you’re not giving medical advice—and make sure you don’t. The internet is a public venue, so if clients are posting comments, they should know they could be posting private information to a public group of people. Make them aware, and you won’t have to worry about violating HIPAA rules.

Sign a Waiver, Please

If you take any photos of clients, make sure you have permission before publishing. Even blocking out facial features—or only showing a part of the body—does not guarantee anonymity. Unless they’ve signed a waiver, do not include any clients on social media posts or other marketing materials.

Have There Been Any HIPAA Updates?

Although HIPAA was enacted in 1996, there have been just a handful of updates. The most notable updates were the introduction of the HIPAA Privacy Rule and Security Rule in 2003, the HIPAA Enforcement Rule in 2006, the incorporation of Health Information Technology for Economic and Clinical Health Act (HITECH Act) requirements in 2009, and the HIPAA Omnibus Final Rule in 2013. Following are some of the most prominent changes.

Business Associates

Business associates are no longer just employees but may be third parties, including outside billing firms, transcription services, collection agencies, data backup firms, etc., that might have access to PHI. Your practice is now liable for the actions of any business associates.

Marketing

Marketing now includes any communication regarding a treatment or service offered by a third party where you or your business associate will be compensated. If this occurs, your client needs to authorize the marketing effort before it begins.

Selling Information

Disclosing PHI for payment must be authorized by your client in advance, and the authorization must disclose (in writing) that you are being compensated for providing PHI. Note that compensation is not strictly monetary; it can also be in the form of goods and services.

Patient Privacy Notices

Several modifications to patient privacy notices occurred in the 2013 update. One change is to communicate to patients how their PHI will be used. Also, patients are entitled to receive a copy of their PHI in an electronic form within 30 days instead of 90.

Patient-Directed PHI Restrictions

Patients may now restrict certain disclosures of their PHI to their health plan or insurance carrier if they pay for services out of pocket.

Monetary Penalties

A single violation penalty ranges from $100 to $50,000, depending on the perceived level of culpability. Violations can be added together, though, until they reach a cap of $1.5 million per calendar year.

Breach of PHI

The definition of a breach of PHI was substantially changed in 2013. Previously, the presumption was “no breach unless significant risk of harm.” Now, the presumption is “breach unless you can show a low probability of PHI being compromised.”

Password Tips

Creating a strong password is easier than you think. Follow these simple tips to protect yourself online:
• Make your password eight characters or longer, using a combination of letters, numbers, and symbols.
• Use a long passphrase, such as a news headline or book title, and add in some punctuation and capitalization.
• Make passwords hard to guess. Leave out personal information, which is often easy to find on social media.
• Substitute letters with numbers, punctuation marks, or symbols to create words. For example, @ can replace the letter “A” and an exclamation point (!) can replace the letters “I” or “L.”
• Get creative by using phonetic replacements, such as “PH” instead of “F.” Or make deliberate, but obvious, misspellings (“enjin” instead of “engine”).
• Keep your password a secret.
• Use different passwords for different accounts and devices. That way, attackers won’t have access to all your accounts with one password.
• Always opt to take advantage of stronger authentication where available. For example, a one-time PIN, texted to your mobile device, will provide an added layer of security.

Adapted from: Homeland Security. “Creating a Password Tip Card.” Accessed June 2019. www.dhs.gov/sites/default/files/publications/Best%20Practices%20for%20Creating%20a%20Password.pdf.

HIPAA Resources

• American Health Information Management Association—
• HIPAA Hotline—800-368-1019 or ocrmail@hhs.gov
• US Department of Health and Human Services Health Information Privacy—www.hhs.gov/hipaa


HIPAA is primarily focused on protecting patient privacy in the doctor’s office, the emergency room, and the hospital, but, as massage and bodywork professionals, you use products and procedures that may affect your clients. Because you care about the well-being of your clients, you gather pertinent and, most likely, confidential information to care for them professionally. This private information is exactly the information you want to protect to stay HIPAA compliant.
When sharing client information—no matter how trivial it may seem—follow HIPAA guidelines to keep you and your business protected. Avoiding these potential pitfalls will ease your mind and alleviate any uncertainty about HIPAA compliance for PHI.


1. Jim Johnson, “Top 10 Most Common HIPAA Violations,” December 3, 2016, accessed June 2019, www.grouponehealthsource.com/blog/top-10-most-common-hipaa-violations.
2. Craig Bloem, “84 Percent of People Trust Online Reviews as Much as Friends. Here’s How to Manage What They See,” Inc., July 31, 2017, www.inc.com/craig-bloem/84-percent-of-people-trust-online-reviews-as-much-.html.

Lisa Bakewell is a full-time freelance writer, editor, perpetual learner, and lover of life in Chicagoland. Her areas of writing expertise span a multitude of topics that include health and wellness, travel, parenting, personal/company profiles, technology, and a plethora of “how-to” articles (her favorite!). She can be reached at lbakewell@att.net.