HIPAA Checklist for Occupational Therapists: A Step-by-Step Guide to Compliance

Understand HIPAA Privacy Rule

The HIPAA Privacy Rule sets the foundation for how you handle Protected Health Information (PHI) in your occupational therapy practice. It governs who can access PHI, when you may disclose it, and what authorizations are required.

Start by defining PHI in your setting, including verbal, paper, and electronic PHI (ePHI). Apply the minimum necessary standard to routine tasks like scheduling, billing, and coordination with caregivers or schools, and maintain a current Notice of Privacy Practices for patients.

Action checklist

• Map where PHI and ePHI are created, used, and stored across the patient journey.
• Assign a Privacy Officer to oversee requests, complaints, and disclosures.
• Implement role-based access so staff only see the PHI they need.
• Standardize authorizations, release-of-information workflows, and documentation retention.
• Create procedures for patient rights: access, amendments, restrictions, and accounting of disclosures.

Implement HIPAA Security Rule Safeguards

The Security Rule requires safeguards that protect the confidentiality, integrity, and availability of ePHI. Organize your HIPAA checklist around administrative safeguards, physical safeguards, and technical safeguards to ensure full coverage.

Administrative safeguards

• Designate a Security Officer and maintain written policies covering ePHI use, remote work, and telehealth.
• Perform risk analysis and risk management, including vendor and device inventories.
• Train the workforce, enforce sanctions for violations, and monitor adherence.
• Develop contingency plans: backups, disaster recovery, and emergency operations.

Physical safeguards

• Control facility access; secure therapy spaces, storage rooms, and file cabinets.
• Protect workstations with privacy screens and position monitors away from public view.
• Implement device and media controls: encryption, secure disposal, and chain-of-custody for laptops and tablets.

Technical safeguards

• Use unique user IDs, strong passwords, and multifactor authentication for systems with ePHI.
• Encrypt ePHI in transit and at rest; enable automatic logoff and session timeouts.
• Activate audit logs and regularly review access reports and anomaly alerts.
• Implement integrity controls and secure messaging for care coordination and telehealth.

Conduct Comprehensive Risk Assessment

A risk assessment reveals where ePHI could be exposed and which safeguards to prioritize. Make it repeatable, evidence-based, and aligned with your practice’s size, complexity, and technology stack.

Step-by-step approach

• Inventory assets that store or process ePHI: EHR, patient portal, billing tools, email, mobile devices, and cloud apps.
• Diagram data flows from intake to discharge, including referrals and outsourced services.
• Identify threats and vulnerabilities (e.g., lost devices, phishing, misdirected faxes, weak access controls).
• Score likelihood and impact; rank risks and document your rationale.
• Define mitigation actions, owners, budgets, and due dates; track to closure.
• Reassess after technology or workflow changes and at regular intervals.

Develop and Update Policies and Procedures

Policies translate HIPAA requirements into daily practice. Keep them current, practical, and accessible so staff can consistently protect PHI and meet breach notification requirements if incidents occur.

Core policy library

• Privacy: uses/disclosures, minimum necessary, authorizations, patient rights.
• Security: access management, passwords/MFA, encryption, device and media controls, remote work.
• Records: documentation standards, retention, and secure destruction.
• Incident response: reporting channels, triage, investigation, and breach decision-making.
• Telehealth and mobile device use: secure platforms, data storage, and messaging rules.
• Sanctions and workforce management: onboarding, termination, and role changes.

Governance practices

• Use version control with approval dates and responsible owners.
• Conduct policy reviews on a set cadence or when regulations or technologies change.
• Embed quick-reference checklists and job aids to drive compliance at the point of care.

Establish Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits PHI on your behalf must sign business associate agreements (BAAs). BAAs define permitted uses of PHI, required safeguards, and reporting duties if incidents occur.

Practical steps

• Identify business associates: EHR and billing services, cloud storage, telehealth vendors, transcription, shredding, and IT support.
• Perform vendor due diligence and risk ranking before onboarding.
• Ensure BAAs address subcontractors, breach reporting timelines, and termination/return or destruction of PHI.
• Maintain a centralized BAA registry with contacts, effective dates, and renewal reminders.

Provide Staff HIPAA Training

Training equips your team to apply policies consistently and recognize risks in everyday tasks like intake, scheduling, and home health visits. Tailor content to roles and reinforce high-impact behaviors.

Training blueprint

• Onboard all new staff on Privacy and Security Rules, PHI handling, and incident reporting.
• Offer periodic refreshers and targeted modules on phishing, device security, and telehealth etiquette.
• Use scenarios specific to occupational therapy (pediatrics, schools, home visits, and caregiver communications).
• Document attendance, comprehension checks, and remediation actions for incomplete training.

Manage Breach Notification Procedures

Incidents happen. A clear, rehearsed process ensures you contain issues quickly and meet HIPAA breach notification requirements when applicable. Your plan should emphasize rapid detection, objective analysis, and timely communications.

Incident-to-notification workflow

• Detect and contain: secure systems, recover devices, and halt further disclosure.
• Escalate: notify your Privacy/Security Officer and open an incident record.
• Assess: conduct a structured risk assessment (e.g., nature of PHI, who received it, whether it was viewed/acquired, and mitigation performed).
• Decide: determine if the event is a breach requiring notifications; document your reasoning.
• Notify: prepare required notifications to affected individuals and, when applicable, regulators and other parties within required timeframes.
• Remediate: address root causes, update safeguards, and deliver staff coaching.
• Maintain evidence: preserve logs, copies of notices, and corrective action plans.

Conclusion

This HIPAA checklist helps you translate the Privacy and Security Rules into daily practice: know your PHI, secure ePHI with layered safeguards, continuously assess risk, keep policies current, manage vendors with BAAs, train your team, and execute a disciplined incident process.

FAQs

What are the key HIPAA requirements for occupational therapists?

Focus on protecting PHI and ePHI through the Privacy Rule’s minimum necessary standard and patient rights, and the Security Rule’s administrative, physical, and technical safeguards. Maintain written policies, conduct regular risk assessments, execute business associate agreements with vendors, train your workforce, and follow documented breach notification procedures when incidents occur.

How often should HIPAA training be conducted?

Provide HIPAA training at onboarding and offer periodic refreshers to reinforce behaviors and cover new risks or policy changes. Many practices adopt an annual cycle with interim micro-trainings for topics like phishing, remote work, and telehealth to keep knowledge current.

What steps are included in a HIPAA risk assessment?

Inventory systems and devices with ePHI, map data flows, identify threats and vulnerabilities, score likelihood and impact, prioritize risks, and implement mitigation plans with owners and deadlines. Document decisions, monitor progress, and reassess after significant changes or on a regular cadence.

What should be included in a breach notification procedure?

Define how to recognize and contain incidents, who to notify internally, how to perform the risk assessment, and criteria for determining if a breach occurred. Include templates for notices, required recipients, timelines, documentation requirements, and post-incident remediation steps to strengthen safeguards going forward.