Common HIPAA Violations Occupational Therapists Should Know—and How to Avoid Them


Kevin Henry

HIPAA

March 06, 2026

7 minute read

As an occupational therapist, you handle Protected Health Information (PHI) in clinics, schools, homes, and telehealth sessions. Even small missteps can trigger significant HIPAA consequences, from patient harm to steep penalties. This guide highlights common pitfalls and shows you how to prevent them in daily practice.

You’ll learn practical controls for Electronic Health Record (EHR) Security, Patient Authorization Requirements, Data Encryption Standards, and Breach Notification Procedures—so you can deliver excellent care while staying compliant.

Unauthorized Access to Patient Information

What it looks like

“Snooping” in a chart out of curiosity, sharing PHI in hallways or elevators, leaving screens unlocked, or opening records for patients not under your care are frequent violations. Paper PHI left on desks or in unlocked cars during home visits also counts.

How to avoid it

  • Apply the minimum necessary standard: open only the records you need for the task at hand.
  • Use unique logins and multi-factor authentication; never share passwords or badges.
  • Enable automatic screen locks and position monitors to prevent shoulder surfing.
  • Store paper files in locked cabinets; use sign-out logs for chart movement.
  • Adopt a strict BYOD policy: no patient images on personal devices; use organization-approved capture tools that store directly to the EHR.
  • Run routine audit-log reviews and enforce a written sanction policy when inappropriate access occurs.

Safeguarding Electronic Health Records

Technical safeguards to prioritize

  • Meet current Data Encryption Standards: strong encryption for data at rest (for example, AES-256 full-disk or database encryption) and in transit (TLS 1.2 or later). HIPAA names no algorithm, but HHS guidance points to NIST standards, and PHI encrypted consistently with that guidance is not "unsecured" PHI under the Breach Notification Rule, so an encrypted laptop lost with its key uncompromised is not a reportable breach.
  • Require multi-factor authentication for remote access and EHR logins.
  • Keep systems patched, use endpoint protection, and restrict USB storage.
  • Implement role-based access and promptly disable accounts when roles change or staff depart.
  • Maintain daily, tested backups (including an offline copy) and document restore drills.
  • Monitor audit trails for unusual access patterns and investigate promptly.
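The audit-log review called for above (and under "Unauthorized Access to Patient Information") can be started with a few simple rules. The following Python script is an added example, not code from the original article or from any EHR vendor. It assumes a constructed audit export with one comma-separated event per line (timestamp, user, patient, action) and a caseload table mapping each clinician to the patients they are currently treating; those field names, the clinic hours, and the burst thresholds are assumptions to adjust for a real export.

```python
"""Three snooping checks over an EHR audit-log export (added example).

Assumed input format: 'ISO-timestamp,user_id,patient_id,action' per line.
Checks: (1) access to a chart not on the user's caseload (minimum necessary),
(2) access outside clinic hours, (3) a burst of distinct charts opened in a
short window, which is what curiosity browsing usually looks like.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export: ot_reyes opens three off-caseload charts late at night.
SAMPLE_AUDIT_LOG = """\
2026-03-02T09:12:05,ot_reyes,P1001,view_chart
2026-03-02T09:40:11,ot_reyes,P1002,view_chart
2026-03-02T22:15:43,ot_reyes,P2205,view_chart
2026-03-02T22:16:02,ot_reyes,P2206,view_chart
2026-03-02T22:16:20,ot_reyes,P2207,view_chart
2026-03-03T10:02:00,ot_chen,P3001,view_chart
2026-03-03T10:30:55,ot_chen,P3002,update_note
"""

# Constructed caseload assignments: who is currently treating whom.
CASELOAD = {
    "ot_reyes": {"P1001", "P1002", "P1003"},
    "ot_chen": {"P3001", "P3002"},
}

CLINIC_HOURS = (time(7, 0), time(19, 0))  # assumed; tune per site
BURST_THRESHOLD = 3                       # distinct charts ...
BURST_WINDOW_SEC = 300                    # ... within this many seconds


def parse_log(text):
    """Turn the export into dicts with a real datetime for sorting and math."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def find_off_caseload(events, caseload):
    """Minimum-necessary check: chart not assigned to the user who opened it."""
    return [e for e in events if e["patient"] not in caseload.get(e["user"], set())]


def find_after_hours(events, hours=CLINIC_HOURS):
    """Access outside clinic hours; weak alone, strong combined with other flags."""
    start, end = hours
    return [e for e in events if not (start <= e["ts"].time() <= end)]


def find_bursts(events, threshold, window_sec):
    """Users who opened `threshold` or more distinct charts within `window_sec`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x["ts"] - first["ts"]).total_seconds() <= window_sec]
            if len({x["patient"] for x in window}) >= threshold:
                flagged.add(user)
                break
    return flagged


def review(text, caseload):
    """Run all three checks; bursts are evaluated only on off-caseload events."""
    events = parse_log(text)
    off = find_off_caseload(events, caseload)
    return {
        "off_caseload": sorted({(e["user"], e["patient"]) for e in off}),
        "after_hours": sorted({(e["user"], e["patient"]) for e in find_after_hours(events)}),
        "burst_users": sorted(find_bursts(off, BURST_THRESHOLD, BURST_WINDOW_SEC)),
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_AUDIT_LOG, CASELOAD).items():
        print(f"{check}: {hits}")
```

Each hit is a lead for the privacy officer, not a verdict: a covering clinician or an emergency consult will also show up as off-caseload access, which is why the caseload table must be kept current and why the sanction policy should follow a documented review rather than an automated flag.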

Administrative and physical controls

  • Perform a risk analysis annually and after major changes; update your risk management plan.
  • Segment networks, secure Wi‑Fi, and isolate clinical devices from guest networks.
  • Use mobile device management with remote wipe for tablets and phones used in care.
  • Sign Business Associate Agreements before vendors handle PHI, confirming Electronic Health Record (EHR) Security expectations.

Know the rules

The HIPAA Privacy Rule allows PHI use and disclosure for treatment, payment, and healthcare operations without separate authorization. For other uses—marketing, research without a waiver, media, or releasing records to schools or employers—you must meet Patient Authorization Requirements.


What proper authorization includes

  • A specific description of the information, who may disclose it, who may receive it, the purpose, and an expiration date or event.
  • Patient (or legal representative) signature and date, with the representative's relationship or authority noted when applicable.
  • Plain-language statements of the right to revoke and how to do so, whether treatment or payment is conditioned on signing (in most cases it may not be), and that information re-disclosed by the recipient may no longer be protected by HIPAA.

Documentation tips

  • Capture signatures electronically within the EHR or scan paper forms immediately.
  • Record verbal agreement only where HIPAA permits it, such as involving family members or caregivers in care: note the date and time, who obtained it, and exactly what was agreed. Verbal agreement never substitutes for a written authorization.
  • Track expirations and revocations; stop disclosing once an authorization is revoked.
  • Use separate, explicit consent for photos, videos, telehealth participation, and caregiver access.

Common pitfalls to avoid

  • Relying on a general intake form for disclosures that require a specific authorization.
  • Missing signatures, dates, or expiration terms.
  • Discussing patient details with family or school staff without verifying authorization.

Proper Disposal of Protected Health Information

Paper PHI

  • Use locked shred bins and cross-cut shredders; never place PHI in regular trash or recycling.
  • If using a disposal vendor, require a chain of custody and a certificate of destruction.

Electronic PHI

  • Before redeploying or disposing of devices, securely wipe or physically destroy drives following NIST SP 800-88 media sanitization guidance, and record the method used.
  • Remove PHI from copiers, scanners, and fax memory; clear print queues.

Hidden sources of PHI

  • Appointment stickers, therapy worksheets, home program labels, and whiteboards all contain PHI—erase or destroy after use.
  • Securely handle wristbands, specimen labels, and misfed fax pages.

Retention and holds

  • Follow state and organizational retention schedules; apply legal holds when notified.
  • Document your disposal procedures and keep destruction logs.

Conducting Regular Staff HIPAA Training

Design effective Compliance Training Programs

  • Provide onboarding and at least annual refreshers; add targeted sessions after incidents or major changes.
  • Use role-based scenarios relevant to occupational therapy: home visits, school IEP meetings, telehealth, and device photos.
  • Cover Privacy Rule basics, security hygiene (phishing, passwords, device locks), breach reporting, and secure communication practices.

Prove it happened

  • Track dates, attendees, topics, and materials; keep completion scores or attestations.
  • Link training outcomes to audits and your sanction policy to drive real behavior change.

Employing Secure Communication Methods

Email and texting

  • Use encrypted email or a patient portal; keep PHI out of subject lines and verify recipients before sending.
  • Adopt a secure texting platform with remote wipe and message retention; avoid consumer SMS apps for PHI.
  • If a patient insists on unencrypted email, explain the risks and document their preference.

Phone, fax, and in-person conversations

  • Verify caller identity using call-backs or passcodes before discussing PHI.
  • Confirm fax numbers, use cover sheets, and retrieve pages immediately; document misdirected faxes and mitigation.
  • Hold sensitive conversations in private spaces and share only the minimum necessary.

Telehealth

  • Use a HIPAA-eligible platform with a Business Associate Agreement; obtain and document telehealth consent.
  • Ensure privacy at both ends: headphones, door closed, and no unintended listeners.

Recognizing and Reporting HIPAA Breaches

What qualifies as a breach

Under the Breach Notification Rule, any use or disclosure of unsecured PHI that the Privacy Rule does not permit is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. "Unsecured" means not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. Three narrow exceptions apply: good-faith, unintentional access by a workforce member acting within their authority; inadvertent disclosure between persons authorized to access PHI at the same organization; and situations where the recipient could not reasonably have retained the information.

Immediate response steps

  • Contain the incident: stop the disclosure, retrieve or secure the PHI, and activate remote wipe if needed.
  • Complete a documented risk assessment covering the four required factors: the nature and extent of the PHI, who received or used it, whether it was actually acquired or viewed, and how far the risk has been mitigated. The incident is presumed to be a breach unless this assessment shows a low probability of compromise.
  • Notify your privacy or security officer promptly according to internal policy.

Breach Notification Procedures

  • For confirmed breaches, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; some state laws set shorter deadlines.
  • If 500 or more individuals are affected, notify HHS at the same time as the individuals; if more than 500 residents of one state or jurisdiction are affected, also notify prominent media outlets serving that area. Log smaller breaches and report them to HHS within 60 days after the end of the calendar year in which they were discovered.
  • Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach. Keep documentation of every notification and of every decision that an incident did not rise to a breach.

Conclusion

Preventing common HIPAA violations comes down to disciplined access control, robust EHR security, precise authorization workflows, secure disposal, strong training, safe communication, and prompt reporting. Build these safeguards into everyday OT practice to protect patients and keep your organization compliant.

FAQs

What are the most common HIPAA violations in occupational therapy?

Frequent issues include snooping in charts, discussing PHI in public areas, misdirected faxes or emails, weak passwords and no MFA, missing or incomplete authorizations for non‑TPO disclosures, unsecured mobile devices, and tossing PHI in regular trash instead of secure disposal.

How can occupational therapists secure electronic health records?

Use strong encryption, multi-factor authentication, role-based access, regular patching, tested backups, audit-log monitoring, and mobile device management. Confirm vendors meet Electronic Health Record (EHR) Security expectations through Business Associate Agreements.

How should patient authorizations be handled?

Differentiate routine TPO uses from those needing authorization. Provide plain-language forms that list the information, purpose, recipient, expiration, and revocation rights; verify identity; capture signature and date; store promptly in the EHR; and track expirations and revocations.

How should PHI be disposed of to remain compliant?

Shred paper using locked bins and cross-cut shredders; maintain destruction logs for vendor pickups. For electronic media, securely wipe or physically destroy drives and clear device memories and print queues. Don’t forget labels, worksheets, and whiteboards that may contain PHI.
