Riverd
Compliance & Professional Standards

HIPAA for Solo Massage Therapists: What You Actually Have to Do

HIPAA for Solo Massage Therapists: What You Actually Have to Do

If you are a solo Licensed Massage Therapist trying to figure out HIPAA for massage therapists in plain English, here is the short version: most solo cash-pay LMTs are not HIPAA covered entities. Your state licensing board has confidentiality rules that almost certainly do apply to you, and those are usually the rules that matter for day-to-day practice.

This article walks through who HIPAA actually covers, the four scenarios that flip a solo LMT into HIPAA scope, the practical privacy baseline every practice should run regardless, and what your state board likely requires on top.

This article is for informational purposes only and does not constitute legal advice. HIPAA and state confidentiality rules are jurisdiction-specific and change. Consult an attorney licensed in your state for specific guidance.

The honest answer: most solo cash-pay LMTs are not HIPAA covered entities

The Health Insurance Portability and Accountability Act applies to "covered entities," which are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with specific transactions defined by the rule. The definition lives in 45 CFR §160.103, and the U.S. Department of Health and Human Services Office for Civil Rights publishes a plain-language summary at HHS.gov: Covered Entities and Business Associates.

The phrase to focus on is "transmits any health information in electronic form in connection with a transaction covered by this subchapter." Those transactions are billing-related: claims, eligibility checks, remittance advice, and similar exchanges with health plans. A solo LMT who sees clients on a cash-pay basis and never sends an electronic claim to an insurance plan is, in HIPAA terms, generally not a covered entity.

That does not mean privacy rules do not apply to you. State licensing boards have their own confidentiality rules for massage therapists, and those rules are binding on your license whether or not HIPAA is in the picture. The American Massage Therapy Association walks through this distinction in its practice resources for HIPAA and confidentiality. For the average solo cash-pay LMT, the operative rules are state board rules, not HIPAA.

A note for international readers: this post covers United States federal and state rules. If you practice in Canada, the United Kingdom, the European Union, or anywhere else, your privacy regime is different (PIPEDA, UK GDPR, GDPR, and so on), and you should look up the equivalent rules in your jurisdiction.

The practical takeaway from this distinction is that the question "do I need to be HIPAA compliant?" is often the wrong starting point for a solo LMT. The better starting point is "what privacy rules apply to my license, and what does my state board require?" In most cash-pay solo practices, answering the second question correctly also answers the first one by default, because state board confidentiality requirements are usually as strict as, or stricter than, the technical baseline a HIPAA program would establish. If you build the privacy program your state board demands, you have already done most of the work.

The four scenarios that flip you into covered-entity status

Plenty of solo LMTs do fall inside HIPAA scope, often without realizing it. Here are the four common paths.

1. You bill any insurance directly. Auto-injury claims, workers' compensation, and any private health plan billing fall under this. The moment you submit a claim electronically (or use a third-party service that does it for you), you are conducting a HIPAA-covered transaction and the rule applies. Consider a solo LMT in Austin who sees mostly cash clients but takes the occasional auto-injury referral and submits claims to the at-fault driver's insurer through a billing service. That practice is a covered entity for HIPAA purposes, even though most of the schedule is cash-pay.

2. You submit electronic claims through a clearinghouse. Even if you never touch the claim file yourself, a clearinghouse that submits standard electronic claims on your behalf brings the same result. HHS makes this explicit in its covered-entity guidance linked above.

3. You are employed by, or contract with, a covered entity. If you work inside a physical therapy clinic, chiropractic office, or hospital outpatient department that bills insurance, you are likely operating under their HIPAA program as part of their workforce or as a business associate. Check with the practice owner or compliance officer to confirm which agreements you are bound by.

4. HSA and FSA cards, on their own, do not flip you. This is a common worry. Accepting an HSA or FSA card is a payment method, not an electronic claim transaction with a health plan. Taking the card does not, by itself, make you a covered entity. What can change the picture is if the card network or your processor requires you to submit any HIPAA-standard transaction as part of accepting the card. If you are unsure, ask your processor in writing. When in doubt, treat the records as if HIPAA applied. The cost of running a tighter privacy program is low; the cost of getting it wrong is not.

A note on combinations. Most practices that get caught off guard are not running one of these scenarios; they are running two or three at once. A solo LMT who takes occasional auto-injury referrals (scenario one), uses a billing service that batches claims through a clearinghouse (scenario two), and rents a treatment room one day a week inside a chiropractic office that bills Medicare (scenario three) is firmly inside HIPAA scope. If any single one of these applies, treat your records the way HIPAA expects them to be treated and document the decision in writing. It is easier to build the program once than to retrofit it after a complaint.

What you actually have to do, whether HIPAA applies or not

Whether you are a covered entity or just bound by your state board, the practical baseline looks the same. Here is the working checklist.

  1. Encrypted storage for digital client records. Anything cloud-based with TLS in transit and AES-256 at rest meets the bar. Local laptops should have full-disk encryption turned on (FileVault on macOS, BitLocker on Windows).
  2. Access control. Only you, and any named staff, can read client notes. If you share a device with family, that is not access control.
  3. A written confidentiality policy clients sign at intake. One page. Plain language. What you collect, who can see it, how long you keep it, and how a client can request a copy.
  4. Records retention per your state board. Commonly four to seven years from the last session, longer for minors. Look up your state board's exact number.
  5. A breach response plan. A single paragraph is fine for a solo practice. Who you call if a laptop is lost or an account is compromised, what you tell affected clients, and the timeline.
  6. Business Associate Agreements with vendors that handle PHI. Required if HIPAA applies to you. A best-practice habit even if it does not.

Two of these deserve a closer look. Records retention is the item solo LMTs most often get wrong, because the rule is set by your state board, not by HIPAA. HIPAA itself does not set a clinical-records retention period; it sets a six-year retention requirement for HIPAA program documentation (policies, training records, and so on), which is a different thing. The clinical-records number is a state-board number, and it varies. Look it up once, write it on your policy page, and put a calendar reminder on the date of any planned destruction. The breach response plan is the other item that gets skipped because it sounds bigger than it is. For a solo practice, a paragraph that names the device, the account, the client list, and the notification timeline is enough. The discipline is in actually rehearsing it once a year, not in writing fifteen pages.

Software that helps you do this without thinking about it

This is where practice software earns its keep. Riverd stores client records with at-rest encryption, role-based access control, and a full audit log of who viewed or edited a record. The platform provides the technical controls; you still run the privacy program (intake forms, retention decisions, and breach response are practitioner-level work, not software features). For the infrastructure side, see Riverd's encryption and access controls. For how those controls show up in the records workflow itself, see Riverd's client management.

A note on language: no software product can make your practice HIPAA compliant on its own. Compliance is a program, not a feature. What good software does is make the technical controls boring and consistent so you can spend your time at the table with clients.

Riverd stores client records with at-rest encryption, role-based access, and a full audit log. Free up to 20 appointments a month. See how it works.

State board rules: what your license actually requires

This is the part most solo LMTs skip and later regret. Every state's massage licensing board sets its own confidentiality and records rules, and those rules apply to your license whether or not HIPAA does.

The Federation of State Massage Therapy Boards publishes the FSMTB Model Practice Act, which many state boards adapt into their own rules. The model act covers client records, confidentiality, and the conditions under which records can be released. Read your board's actual statute and rules; the model act is a starting point, not a substitute.

A few examples to make this concrete. The California Massage Therapy Council, the certifying body for the state, sets CAMTC standards of practice and ethics that govern certified massage therapists, including obligations around client confidentiality and the conditions under which records can be released. The Texas Department of Licensing and Regulation publishes massage therapy program rules that include client record requirements and rules about written consent for disclosure. The Florida Board of Massage Therapy publishes its statutes and rules covering confidentiality and records release. Numbers like retention period, allowable release conditions, and required intake disclosures vary by state, so the only safe move is to read your own board.

If your board's rules feel ambiguous (and they often do), call the board directly and ask. Most state board offices will answer plain-language questions about confidentiality, retention, and client-record release without charge, and many keep practice-FAQ pages on their websites. Document the answer you get with the date you asked and the staff member you spoke with. That kind of contemporaneous note is exactly what you would want in front of you if a complaint ever came in, and it costs nothing to keep.

A related habit worth building: write SOAP notes that would make sense to any reader who is allowed to see them. If you want a refresher on documentation that holds up under review, see our companion posts on session documentation best practices and AI SOAP notes and insurance billing in 2026, or use the free SOAP note generator. For the broader business and legal context around running a solo practice, the Massage Therapy Complete Practice Guide collects the operational pieces in one place. You can also browse all our posts on this topic in the compliance hub.

Key Takeaways

  • Most solo cash-pay LMTs are not HIPAA covered entities, but state board confidentiality rules are binding on your license.
  • Four scenarios (direct insurance billing, electronic claims through a clearinghouse, employment with a covered entity, and certain processor-driven HSA setups) can flip you into HIPAA scope.
  • Encrypted storage, access control, a written confidentiality policy, records retention, and a breach response plan are the practical baseline regardless of HIPAA status.
  • Read your state board's actual statute and rules. The Model Practice Act is a starting point, not a substitute for the rules that apply to your license.

Frequently Asked Questions

Do massage therapists need to be HIPAA compliant?+
Only if they meet the definition of a covered entity under [45 CFR §160.103](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103), which generally means transmitting health information electronically in connection with a billing-related transaction. A solo cash-pay LMT who never bills insurance is generally not a covered entity. State board confidentiality rules still apply.
Does taking an HSA or FSA card make me a HIPAA covered entity?+
Not on its own. HSA and FSA cards are payment methods, not electronic claim transactions with a health plan. Accepting the card does not, by itself, bring you into HIPAA scope. If your processor or card network requires any HIPAA-standard electronic transaction as a condition of acceptance, the picture changes, so ask in writing.
How long do I have to keep client records?+
It depends on your state board. Many state boards require somewhere between four and seven years from the last session, with longer retention for minors. Check your specific board (for example, [CAMTC](https://www.camtc.org/) in California, [TDLR](https://www.tdlr.texas.gov/massage/massage.htm) in Texas, or the [Florida Board of Massage Therapy](https://floridasmassagetherapy.gov/statutes-and-rules/)) for the number that applies to your license.

Ready to simplify your practice?

Join the new standard for well-being professionals.

Start Free

No credit card required