Physical therapist conducting a telehealth session on a laptop in a modern clinic

Physical therapy has undergone a permanent transformation. Before 2020, fewer than 5% of PT visits were delivered via telehealth. By 2025, 35–40% of physical therapy practices maintain active telehealth programs, and telehealth visits in PT rose by 45% in 2024 alone (SPRY PT / American Telemedicine Association). The global telerehabilitation market is now valued at $6.97 billion and growing at 14.5% annually through 2034 (Mordor Intelligence).

With that growth comes a compliance obligation that many PT practices are underprepared for. Every telehealth session, every home exercise program transmitted digitally, every clinical note updated remotely — all of it involves Protected Health Information (PHI) traveling across networks. Under HIPAA, that data must be encrypted in transit. A VPN is one of the most direct ways to satisfy that requirement.

This guide explains what HIPAA requires of physical therapists doing telehealth, where the compliance gaps typically appear, and what a VPN specifically protects.

Are Physical Therapists Subject to HIPAA?

Yes — unambiguously. Physical therapy practices that transmit health information electronically are covered entities under HIPAA. That includes virtually every PT practice in the US that accepts insurance, uses electronic health records, or communicates patient information by email, telehealth platform, or practice management software.

HIPAA's Security Rule requires covered entities to implement technical safeguards that protect ePHI (electronic Protected Health Information) in transit. Specifically:

  • ePHI must be encrypted when transmitted over open networks (the internet, public WiFi, cellular networks)
  • Remote access to any system containing ePHI must use secure, encrypted connections
  • Home exercise programs, session notes, billing data, and clinical documentation shared digitally are all ePHI
  • Every vendor who processes ePHI on your behalf must have a signed Business Associate Agreement (BAA)

The HHS Office for Civil Rights has made clear that VPN use is an expected technical control for remote access to systems containing ePHI. HIPAA-compliant remote access guidance for PT practices specifically lists encrypted VPN connections alongside MFA and audit logging as required controls.

Where Physical Therapists Are Most Exposed

Telehealth Sessions on Unencrypted Networks

Many PTs conduct telehealth visits from clinic offices, home offices, or community settings — not all of which have secure, encrypted network connections. Conducting a telehealth session over unencrypted public WiFi (a coffee shop, a coworking space, a hotel) transmits video data, session notes, and patient identifiers over a network that others can intercept. A VPN encrypts all of that traffic before it leaves your device.

Home Exercise Program Platforms

Digital HEP platforms (MedBridge, HEP2go, Theraflow, and others) transmit patient data outside your practice network. If those platforms process ePHI on your behalf, they require a BAA — and the connection between your device and their servers should be encrypted. A VPN ensures that the network leg of that transmission is protected, regardless of what network you're on (Patient Protect LLC).

Remote Documentation After Home Visits

Home health PTs and mobile practitioners who update EHR records after visiting patients often do so from their car, a patient's home network, or a public location. Transmitting clinical notes over these networks without VPN encryption is a HIPAA technical safeguard violation — and one that frequently goes undetected until a breach occurs.

Field Staff and Multi-Location Practices

PT practices with multiple clinic locations or staff working across sites face additional exposure. Field staff transmitting clinical documentation over public or guest WiFi networks must use a VPN as an equivalent control to an encrypted corporate network, according to HIPAA cybersecurity guidance for home health and rehab organizations.

HIPAA-Compliant VPN for Your PT Practice

CyberFence encrypts all ePHI in transit with AES-256-GCM encryption on every device — iOS, Android, Mac, Windows, and Web App. US-operated. HIPAA-aligned.


What a VPN Actually Does for Your PT Practice

Encrypts ePHI in Transit

A VPN creates an encrypted tunnel between your device and the internet using AES-256-GCM encryption — the same standard used by US government agencies for sensitive data. Every telehealth session, every EHR update, every patient email transmitted while connected to the VPN is encrypted before it leaves your device. This directly satisfies HIPAA's technical safeguard requirement for encryption of ePHI in transit.

Protects Remote Access on Any Network

Whether you're in the clinic, working from home, or updating notes in your car between home visits, a VPN ensures your connection to your practice management system is always encrypted. You're not dependent on the security of whatever WiFi network you happen to be using.

Blocks Malicious Domains (Web Shield)

CyberFence includes Web Shield DNS filtering, which blocks connections to known phishing sites, malware distribution domains, and ransomware command-and-control servers at the DNS level. Healthcare practices — including PT clinics — are frequent targets of phishing attacks designed to steal login credentials for EHR systems. Web Shield stops those connections before they reach your browser.

Covers All Your Devices Under One Subscription

PT clinicians work across multiple devices — clinic workstations, personal laptops, tablets for telehealth, smartphones for quick documentation. CyberFence covers iOS, Android, macOS, Windows, and a browser-based Web App under a single subscription, so every device your practice uses for patient care is protected.

What a VPN Doesn't Replace

A VPN is one layer of HIPAA compliance — not the entire stack. A complete technical safeguard implementation for a PT practice also requires:

  • Business Associate Agreements (BAAs) with every vendor handling ePHI — telehealth platform, HEP software, practice management system, cloud storage
  • Multi-factor authentication (MFA) on EHR and practice management systems — stolen credentials account for nearly half of healthcare data breaches
  • Full-disk encryption on all devices that store patient data locally
  • Access controls limiting ePHI access to staff who need it for their specific role
  • Audit logging to track who accessed what patient records and when
  • Annual HIPAA risk assessment documenting your security posture and identified gaps

A VPN specifically addresses the "encryption of ePHI in transit" and "secure remote access" requirements — two of the most commonly cited gaps in PT practice HIPAA compliance.

CyberFence for Physical Therapy Practices

CyberFence is a US-based VPN and cybersecurity platform operated by Perez Technology Group in Orlando, Florida. For physical therapy practices, the relevant specifications are:

  • AES-256-GCM encryption — meets HIPAA technical safeguard requirements for ePHI in transit
  • Zero-log policy — no connection logs, no activity logs, no DNS query logs; your patient session activity is not recorded
  • US-operated infrastructure — data routing stays within US-operated infrastructure, supporting HIPAA data sovereignty considerations
  • Web Shield DNS filtering — blocks phishing, malware, and ransomware domains at the DNS level
  • All platforms covered — iOS, iPadOS, Android, macOS, Windows, Web App — one subscription covers every device in your practice
  • Teams plans with compliance documentation — practices with multiple clinicians can add seats under a Teams plan that includes HIPAA alignment documentation

At $7.35 per month on the annual plan, CyberFence costs less per month than the average administrative cost of a single HIPAA compliance inquiry — and significantly less than the average healthcare data breach, which affected 379,306 individuals per day on average in 2025 (HIPAA Journal, 2026).

The Bottom Line

Physical therapy is one of the fastest-growing telehealth sectors in US healthcare. That growth creates genuine HIPAA exposure for practices that haven't updated their technical safeguards to match the way they now deliver care.

If your PT practice conducts telehealth sessions, allows remote EHR access, uses digital home exercise platforms, or has staff working from multiple locations — you need encrypted connections. A VPN is the most practical way to deliver that encryption across every device and every network your clinicians use.

Protect Your Practice and Your Patients

CyberFence gives every PT in your practice AES-256-GCM encrypted connections on every device — starting at $7.35/mo on the annual plan. Teams plans available for multi-clinician practices.
