HIPAA Requirements for Occupational Therapists: What You Need to Know to Stay Compliant

Kevin Henry

HIPAA

January 11, 2026

HIPAA Applicability to Occupational Therapists

As an occupational therapist, you are a HIPAA covered entity if you provide health care and transmit any standard electronic transactions, such as electronic claims or eligibility checks, to a health plan or clearinghouse. If you only accept cash or paper claims and never send standard electronic transactions, HIPAA may not apply directly, though state privacy laws likely still do.

Common transactions that make you a covered entity include:

  • Electronic claims/encounters and remittance advice
  • Eligibility and benefits inquiries and responses
  • Claim status requests and responses
  • Referral and prior authorization requests

If you are employed by a hospital, clinic, or school and function as part of their workforce, you follow that organization’s HIPAA policies. You are not a business associate when you provide treatment; however, you must execute business associate agreements with vendors that handle patient data for you (for example, your EHR or billing service).

Understanding Protected Health Information

Protected Health Information (PHI) is any individually identifiable health information you create, receive, or maintain in any form. Electronic protected health information (ePHI) is PHI stored or transmitted electronically, including notes in your EHR, scheduling data, videos of functional assessments, and outcome measures.

Use the minimum necessary standard when accessing or disclosing PHI for payment and operations. Share only what is reasonably needed for the task at hand, and de-identify data whenever possible. If you use a limited data set, ensure a data use agreement is in place.

In occupational therapy, typical PHI includes evaluations, treatment plans, ADL/IADL progress, pain scores, home exercise videos, and caregiver communications. Remember that images, handwriting samples, and environmental photos can also contain identifiers.

Implementing HIPAA Privacy Rule

Provide a Notice of Privacy Practices to each patient at their first visit, post it prominently in the clinic, and keep it available upon request. Obtain and retain acknowledgment of receipt or document a good-faith effort if the patient declines to sign. Review and update your notice when your practices change.

Honor patient rights promptly: timely access to records, requests for amendment, accounting of certain disclosures, confidential communication preferences, and reasonable restriction requests. Train your staff to route and fulfill these requests within required timelines and to document each step.

Use or disclose PHI without patient authorization only for treatment, payment, and health care operations, and for specific public-interest purposes permitted by HIPAA. For marketing, most research, and many employer or school disclosures, obtain a valid authorization. Apply the minimum necessary standard and role-based access in daily workflows.

Applying HIPAA Security Rule

The Security Rule protects ePHI wherever it resides—EHRs, telehealth platforms, billing systems, email, cloud storage, laptops, tablets, and smartphones. Start with a documented risk analysis to identify where ePHI lives, threats and vulnerabilities, and the likelihood and impact of each risk. Then implement risk management steps and re-evaluate periodically and after major changes.

Build a contingency plan that includes data backup, disaster recovery, and emergency mode operations. Test your plan, document results, and refine procedures. Align administrative, physical, and technical safeguards so policies match real-world workflows and technology.

Administrative Safeguards for Compliance

Designate a privacy official and a security official to oversee your HIPAA program. Develop written policies for access, authorizations, breach response, sanctions, and workforce training. Ensure role-based access so staff can view only what they need.

  • Conduct and update a formal risk analysis and risk management plan
  • Provide initial and ongoing workforce training with documented attendance
  • Implement security incident procedures, including breach investigation and notification
  • Define a sanction policy and apply it consistently for violations
  • Schedule periodic evaluations of your HIPAA program and document outcomes

Physical Safeguards in Practice

Control physical access to areas where PHI is stored or discussed. Use locked rooms or cabinets for paper files, secure device storage, visitor sign-in, and escort policies. Position workstations to reduce shoulder-surfing and use privacy screens in open treatment spaces.

Manage devices and media carefully: maintain an inventory, restrict removal offsite, use secure transport cases, and sanitize or shred before reuse or disposal. Adopt a clean desk policy so PHI is never left unattended.

Technical Safeguards and Security Measures

Implement access controls with unique user IDs, strong passwords, and multi-factor authentication. Configure automatic logoff and role-based permissions in your EHR and telehealth tools so staff see only the necessary data.

Encrypt ePHI in transit and at rest. Use secure messaging instead of standard SMS for clinical content, and ensure email with PHI uses appropriate encryption or a patient portal. Enable and routinely review audit logs to monitor access, detect anomalies, and support investigations.

  • Integrity controls such as checksums, versioning, and robust backups
  • Malware protection, timely patching, and mobile device management with remote wipe
  • Transmission security on public networks via VPN and TLS
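The audit-log review described above is easier to operationalize with a small, repeatable check. The script below is an added example written for this article, not code from the original page or from any EHR or compliance vendor. It assumes a constructed CSV-style audit export (timestamp, user, role, patient ID, action), a hypothetical workforce roster and role-to-action policy, and illustrative thresholds for business hours and bulk chart access; a real EHR export would need its columns mapped to the same fields. It demonstrates three things the paragraph only names: role-based access enforcement, after-hours access detection, and flagging of bulk record access and inactive users.

```python
"""Periodic audit-log review for a small OT clinic's EHR (added example).

All users, patient IDs, roles, thresholds and log lines below are
constructed for illustration; they do not come from any real system.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit export: timestamp,user,role,patient,action
SAMPLE_LOG = """\
2026-01-05T08:55:12,ot_jane,therapist,P1001,view_note
2026-01-05T09:10:03,ot_jane,therapist,P1001,edit_note
2026-01-05T09:40:47,front_desk,scheduler,P1001,view_schedule
2026-01-05T09:41:02,front_desk,scheduler,P1001,view_note
2026-01-05T12:15:30,biller_sam,billing,P1002,view_claim
2026-01-05T23:12:09,ot_jane,therapist,P1003,view_note
2026-01-06T10:00:00,ot_mark,therapist,P1004,view_note
2026-01-06T10:00:05,ot_mark,therapist,P1005,view_note
2026-01-06T10:00:11,ot_mark,therapist,P1006,view_note
2026-01-06T10:00:16,ot_mark,therapist,P1007,view_note
2026-01-06T10:00:22,ot_mark,therapist,P1008,view_note
2026-01-06T10:00:27,ot_mark,therapist,P1009,view_note
2026-01-06T14:00:00,ex_staff,therapist,P1001,view_note
"""

# Hypothetical active workforce roster (user -> role). Accounts of departed
# staff should not appear here, so any access by them is flagged.
ACTIVE_WORKFORCE = {
    "ot_jane": "therapist",
    "ot_mark": "therapist",
    "front_desk": "scheduler",
    "biller_sam": "billing",
}

# Hypothetical role-based policy: the minimum necessary actions per role.
ROLE_ACTIONS = {
    "therapist": {"view_note", "edit_note", "view_schedule"},
    "scheduler": {"view_schedule", "edit_schedule"},
    "billing": {"view_claim", "edit_claim"},
}

BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumed clinic hours
BULK_PATIENTS_PER_DAY = 5                    # more distinct charts than this in a day is unusual


def parse_log(text):
    """Turn the CSV-style export into a list of event dicts."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, user, role, patient, action = raw.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def _finding(rule, e):
    return {"rule": rule, "user": e["user"], "when": e["ts"].isoformat(),
            "patient": e["patient"], "action": e["action"]}


def review(events):
    """Apply the review rules and return a list of findings to investigate."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for e in events:
        # Account hygiene: access by a user not on the active roster
        if e["user"] not in ACTIVE_WORKFORCE:
            findings.append(_finding("inactive_user", e))
        # Logged role disagrees with the roster: possible privilege drift
        elif ACTIVE_WORKFORCE[e["user"]] != e["role"]:
            findings.append(_finding("role_mismatch", e))
        # Role-based access: action not permitted for this role
        if e["action"] not in ROLE_ACTIONS.get(e["role"], set()):
            findings.append(_finding("action_outside_role", e))
        # Access outside business hours warrants a second look
        if not (BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]):
            findings.append(_finding("after_hours", e))
        charts_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    # Bulk access: one user touching many distinct charts in a single day
    for (user, day), charts in charts_per_user_day.items():
        if len(charts) > BULK_PATIENTS_PER_DAY:
            findings.append({"rule": "bulk_chart_access", "user": user,
                             "when": day.isoformat(),
                             "patient": f"{len(charts)} distinct charts",
                             "action": "view"})
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['rule']:<20} {f['user']:<12} {f['when']:<20} {f['patient']} {f['action']}")
```

Run against the constructed sample, the review flags the scheduler opening a clinical note, the therapist's late-night chart view, a departed account still accessing records, and one therapist opening six charts in a morning. Each finding is a lead for the security official to investigate and document, not proof of wrongdoing; tune the roster, policy table and thresholds to your own clinic and keep the review schedule and its outcomes as part of your compliance records.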

Managing Business Associate Agreements

Business associates are vendors that create, receive, maintain, or transmit PHI on your behalf. Typical partners include EHR and billing vendors, cloud storage providers, telehealth platforms, IT support, transcription, shredding, and answering services. Before sharing PHI, you must have executed business associate agreements in place.

Strong agreements define permitted uses, require safeguards and breach reporting, flow obligations to subcontractors, support access and amendment requests, and require return or destruction of PHI at termination. Vet vendors, document due diligence, and retain signed agreements for at least six years.

Compliance in Telehealth Services

Choose a telehealth platform that provides encryption and will sign business associate agreements. Configure settings to disable unauthorized recording, restrict file sharing, and log access. Use secured, patched devices and a private workspace; advise patients to do the same.

Before each session, verify identity, confirm the patient’s physical location for emergencies, obtain telehealth consent when required, and document these steps. Have a fallback plan if connectivity fails and avoid discussing PHI over unsecured channels.

When sending home exercise programs or assessments electronically, apply the minimum necessary standard, ensure transmission security, and store any resulting ePHI in your designated systems—not on personal devices.

HIPAA sets a federal baseline; state laws that are more protective of privacy or grant greater patient rights take precedence. Map the states where you practice or where patients reside, then track requirements for consent, minors, sensitive information, breach notification timelines, and record retention.

Build a simple matrix of state rules, update it periodically, and reflect differences in your policies, Notice of Privacy Practices, and staff training. For multi-state telehealth, verify licensure, consent, and modality requirements before treating patients across state lines.

Conclusion

HIPAA compliance for occupational therapists is a continuous program: know when HIPAA applies, safeguard PHI and ePHI with layered administrative, physical, and technical controls, execute solid vendor agreements, and adapt workflows for telehealth and state laws. Document what you do, train your team, and revisit your risk analysis regularly to stay compliant.

FAQs

What makes an occupational therapist a covered entity under HIPAA?

You are a covered entity if you are a health care provider who transmits any standard electronic transactions—such as electronic claims, eligibility checks, remittance advice, claim status, or prior authorizations—to a health plan or clearinghouse. If you never conduct these electronically, HIPAA may not apply directly, but you should still follow state privacy laws and best practices.

How should PHI be protected in occupational therapy?

Limit access using role-based permissions and the minimum necessary standard, secure paper records physically, and protect electronic protected health information with encryption, access controls, automatic logoff, and audit logs. Train staff, document policies, and verify that vendors handling PHI have signed business associate agreements.

What are the key administrative safeguards required by HIPAA?

Conduct a documented risk analysis and implement a risk management plan; assign privacy and security officials; provide workforce training and apply sanctions for violations; establish security incident and breach response procedures; manage role-based access; execute and maintain business associate agreements; and perform periodic evaluations of your program.

How do HIPAA rules apply to occupational therapy provided via telehealth?

Use a secure platform that encrypts data and will sign a business associate agreement, secure endpoints on both sides, and ensure private environments. Verify identity and location, obtain any required telehealth consent, document each session appropriately, and apply transmission security and minimum necessary principles to all remote communications and shared materials.
