HIPAA in Your PJs (or Post-School Hours)
Hey SLP fam!

Let’s talk about HIPAA compliance at home. I know it’s something that might make your brain do a little loop-de-loop! Whether you’re rocking the teletherapy life from your home office, hustling in a school building, or bringing a stack of papers (or digital files!) home to tackle after hours, you’re dealing with sensitive information.
I remember grad school, taking out the black Sharpie to strike through names and addresses on stacks of papers. It’s what we did, back in the day, to share ideas about goals and treatment plans without breaking client confidentiality. Even with extensive redactions like those seen here, simply blacking out information may not be enough to meet HIPAA’s stringent de-identification requirements. And in the digital age… well, let me share with you.
My HIPAA Compliance wake-up call:
I recently had a bit of an “aha!” moment (or maybe more of an “uh-oh!” moment) for HIPAA compliance at home. I don’t even remember how I found out, but I realized my free Google account wasn’t exactly HIPAA-compliant for handling student info. And that got me thinking… if I was a bit fuzzy on this, how many of us are? Especially when we step outside the secure walls of our schools or clinics?
It turns out, even when you’re comfy in your PJs or working from your kitchen table after school, you’re still 100% responsible for protecting your clients’ Protected Health Information (PHI), even from your family members (who probably couldn’t care less). HIPAA doesn’t care if you’re in a fancy clinic, a bustling school, or your spare bedroom – the rules are the same for how you handle that information.
To help you navigate this essential topic, I’ve even created a free worksheet to guide you in developing your own HIPAA policies and procedures for your home-based work environment! Let’s break down some key areas, with a special spotlight on those cloud services many of us use daily.
HIPAA Compliance In The Cloud: Google, Microsoft 365, and the BAA

This is where it gets real. Many of us use Google Workspace (Gmail, Docs, Drive) or Microsoft 365 (Outlook, Word, OneDrive) for our personal lives, and our schools or districts often use them too. They’re super convenient, right?
But here’s the kicker: your personal Google or Microsoft account is NOT HIPAA compliant for handling PHI. Full stop.
Why? HIPAA compliance when dealing with PHI requires a Business Associate Agreement (BAA) with third parties (like Google). A BAA is a legally binding contract that outlines how a third-party service provider will protect PHI on your behalf. Without one, you’re on shaky ground.
Districts Using Cloud Services: A Critical Distinction
So, what about districts using Google Workspace or Microsoft 365?
This is a critical point. While most paid educational plans (often covered by FERPA – the Family Educational Rights and Privacy Act, which governs educational records) offer robust privacy, FERPA compliance doesn’t automatically mean HIPAA compliance for you.
PHI in a school setting often includes health diagnoses, medical history, or therapy notes related to health conditions. While these are typically considered education records under FERPA, as an SLP, if you bill Medicaid or other health plans, you are a HIPAA Covered Entity. This means the specific health information you handle is subject to HIPAA regulations, even within a FERPA-governed school environment.
For a district’s Google Workspace or Microsoft 365 environment to be HIPAA compliant for PHI, they need to have specifically configured their accounts for HIPAA. Crucially, they need a signed BAA with Google or Microsoft for that specific enterprise-level service.
Administrators must review and accept a BAA before using Google services with PHI. See what Google Workspace products can be used for HIPAA compliance in the HIPAA Included Functionality.
Google HIPAA Compliance with Google Workspace and Cloud Identity
Your HIPAA Compliance at Home Takeaway:
Don’t assume. If you’re using a district’s cloud services for anything that involves PHI (even if it’s just student names and health-related goals within an IEP), it’s your responsibility to confirm that the district has a BAA in place with their cloud provider for that specific service.
And critically, confirm that the specific features and services you use are explicitly covered by that BAA. If they are not, or if no BAA is in place, you need to adjust your practices. This might mean using only district-approved, HIPAA-compliant EHRs, purchasing your own subscription, or using secure local storage, such as the free LibreOffice Suite (see Technical Safeguards below).
Fortunately, I’d been super cautious and hadn’t used my personal accounts frequently for student information, but it was a good wake-up call!
Beyond the Cloud: Other Key Considerations for HIPAA Happiness
While cloud services are a big piece of the puzzle, let’s not forget the other vital aspects of keeping PHI safe, whether you’re working at school or from home.
Core Pillars for HIPAA Compliance at Home

Risk Analysis (aka “Playing Detective with Your Practice”)
Before you even start working remotely or bringing files home, take a good look at your home setup. Where are the potential weak spots? Is your home Wi-Fi secure? Are your personal devices encrypted? Could your nosy family member or roommate accidentally see your screen? Identify these risks and make a plan to fix them. Document everything!
Workforce Training (Yes, You’re the Workforce!)
Even if it’s just you, train yourself! Stay up-to-date on HIPAA and your own policies. And guess what? Document that training too!
Policies and Procedures (Your Personal HIPAA Rulebook)
You’re the boss of your home workspace, so write down your rules! How do you handle PHI on your personal devices? Where do you store it? What’s your plan if something goes wrong (a “breach”)? Having these written policies keeps you consistent and gives you a roadmap in a pinch. You should also be intimately familiar with your employer’s HIPAA policies, if applicable.
Business Associate Agreements (BAAs)
We talked about this with cloud services, but it applies to almost any third-party service you independently contract that touches PHI. Your teletherapy platform (if you use one), your EHR, your billing service, even encrypted email services – they all need a BAA. Beware of “free” or even personal versions of platforms; they usually do NOT offer BAAs.
Incident Response Plan (Your “Oh Crap” Protocol)
What if your personal laptop gets stolen? What if you accidentally email PHI to the wrong person? Have a clear plan for what to do: contain the issue, investigate, notify affected individuals (and potentially HHS), and prevent it from happening again. Your district should also have a plan; know it!

Physical & Technical Considerations for HIPAA Compliance At Home
Physical Safeguards (Lock it Up!)
- Ensure your home workspace is private.
- Close the door and position your screen away from prying eyes.
- Lock up any physical paper records containing PHI.
- Shred unneeded documents securely when done.
- Never leave PHI visible or accessible to others in your home.
Technical Safeguards (Your Digital Fort Knox)
- Encrypt EVERYTHING: All devices (laptops, desktops, external drives, mobile devices) storing or accessing PHI must be encrypted. This is crucial if a device is lost or stolen.
- Strong Passwords & MFA: Use complex, unique passwords. Enable multi-factor authentication (MFA) everywhere possible for accounts with PHI.
- Antivirus/Firewall: Keep your software updated and firewalls active.
- Secure Network: Use a strong, secure home Wi-Fi connection. NEVER handle PHI on public Wi-Fi. If connecting to your school’s network from home, always use their provided VPN if available.
- HIPAA-Compliant Platforms: For teletherapy, use platforms specifically designed for HIPAA compliance, with end-to-end encryption and a BAA.
- Secure Communication: Stick to secure messaging within your EHR/school system or encrypted email for PHI. Avoid regular email, WhatsApp, or FaceTime for anything confidential.
A Crucial Note on “De-identification” and AI Tools

Here’s a big one that’s becoming more relevant with the rise of AI…
**Simply removing a client’s or student’s name or a few obvious identifiers does NOT make the information safe to use.**
General-purpose, free AI tools like Gemini or ChatGPT, or even education tools like MagicSchool.ai, are NOT HIPAA compliant. Even if you pay for Gemini Pro, there is no BAA unless it comes with a Workspace plan.
HIPAA De-identification is Stringent
HIPAA has very specific and stringent rules for what constitutes truly “de-identified” information. It’s far more complex than just deleting a name. If you use PHI, even seemingly “de-identified,” with a service that doesn’t have a BAA and isn’t designed for PHI, you’re risking a breach. This means:
Do NOT copy/paste session notes, IEP sections, or any other PHI, even with names removed, into general AI tools like Gemini, ChatGPT, or other free online summarizers to help you write notes, develop goals, or for any other purpose. These services do not typically offer BAAs and are not designed to protect PHI.
The data you input into these tools can become part of their training data, meaning your client’s potentially re-identifiable information could be exposed or used in ways you can’t control.
When in doubt, don’t put it in a service without a BAA! This applies whether you’re trying to draft a progress note at home or summarize a student’s history.
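To show why removing a name alone doesn’t de-identify a note, here is a small added example (my own illustration, not part of the worksheet or any HIPAA tool): a Python checker that scans a constructed session note, with the student’s name already removed, for a handful of the identifier categories HIPAA’s Safe Harbor method requires you to strip (dates other than year, ZIP codes, phone numbers, e-mail addresses, ages over 89). The note, the patterns and the category list are assumptions made for the illustration; the script covers only that subset, not the whole rule.

```python
import re

# Constructed sample: a session note with the student's name already removed.
# Under HIPAA's Safe Harbor de-identification method, dates (other than year),
# ZIP codes, phone numbers, e-mail addresses and ages over 89 are among the
# identifier categories that must also be removed.
SAMPLE_NOTE = (
    "Student seen for articulation therapy on 03/14/2024. Lives at 90210 with "
    "grandmother (age 91). Parent contact: 555-867-5309, parent@example.com. "
    "Goal: /r/ in initial position at 80% accuracy."
)

# Patterns for a subset of the Safe Harbor categories (an assumption made for
# this illustration, not a complete implementation of the rule).
PATTERNS = {
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "age_over_89": re.compile(r"\bage\s+(\d{2,3})\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return sorted (category, value) pairs still present after name removal."""
    hits = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            # Ages of 89 and under may stay under Safe Harbor; flag only above.
            if category == "age_over_89" and int(match.group(1)) <= 89:
                continue
            hits.append((category, match.group(0)))
    return sorted(hits)


def redact(text):
    """Replace every flagged value with a category placeholder."""
    for category, value in find_identifiers(text):
        text = text.replace(value, f"[{category.upper()} REMOVED]")
    return text


def is_safe_harbor_clean(text):
    """True when none of the checked categories remain in the text."""
    return not find_identifiers(text)


if __name__ == "__main__":
    for category, value in find_identifiers(SAMPLE_NOTE):
        print(f"{category:12} {value}")
    print(redact(SAMPLE_NOTE))
```

Run it on the sample and five identifiers are flagged in a note that already has no name in it, which is exactly the point: a Sharpie through the name is not de-identification.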
Ready to HIPAA-Happy Your Home Office?

Developing comprehensive HIPAA policies and procedures for home can feel daunting, but it’s a crucial step in safeguarding your clients’/students’ PHI. To make it easier, I’ve created a free, actionable worksheet to guide you through identifying your unique risks and writing down your specific policies for working from home.
Sign up to Download Your Free HIPAA Compliance Home Office Policies & Procedures Worksheet!
The Bottom Line
HIPAA compliance in the cloud or at home can feel overwhelming, but it’s crucial for protecting our clients/students and our professional integrity. Take it step-by-step. Conduct that risk analysis, get those BAAs in place for any services you control, and secure your devices and workspace. Always defer to and understand your district’s policies first and foremost.

It’s a journey, not a destination, so stay informed and don’t be afraid to consult legal counsel or your district’s HIPAA compliance officer if you have specific questions about your practice.
Want to know more? Check out Navigating Business Associate Agreements as an SLP: Your HIPAA BAA Guide.
What are your biggest HIPAA challenges as an SLP, whether in a school or teletherapy setting? Is there anything you’d like to know more about? Share your thoughts in the comments below!

Coming up next – an 8-part series on AI & SLPs!
Remember, you are awesome because you do the best with what you know – and taking steps toward HIPAA compliance at home is truly doing your best for your clients.
Keep up the amazing work!