HIPAA Risk Assessment for Occupational Therapists: Step-by-Step Guide and Compliance Checklist
Define the Scope of PHI
A HIPAA risk assessment helps your occupational therapy practice systematically identify how you create, receive, maintain, and transmit Protected Health Information (PHI). Begin by defining scope—people, processes, technology, and locations that handle PHI in any form (electronic, paper, audio, photo, or video).
Map where PHI lives and flows in routine OT care:
- EHR/EMR patient charts, evaluations, plans of care, progress notes, discharge summaries, and outcome measures.
- Scheduling and billing systems, payer portals, clearinghouses, and superbills.
- Paper intake and consent forms, therapy worksheets, and rehabilitation logs.
- Photos and videos documenting function or creating home exercise plans.
- Telehealth platforms, patient portals, secure messaging, email, and fax.
- Laptops, tablets, smartphones, cameras, scanners, printers, USB drives, cloud storage, backups, and archives.
- Off‑site contexts: home health, school-based services, skilled nursing facilities, inpatient rehab, and vehicles.
Clarify who touches PHI and under what authority: occupational therapists, OTAs, front-desk staff, students, contractors, interpreters, billing services, IT providers, and any cloud vendors that must sign Business Associate Agreements (BAAs).
Document boundaries and assumptions: in-scope facilities and remote work locations, bring-your-own-device (BYOD) rules, retention requirements, and minimum necessary uses. Produce three deliverables: a PHI data map, an asset inventory, and an initial Risk Register capturing identified risks and owners.
Identify Assets, Threats, and Vulnerabilities
Create a complete inventory of assets that store or process PHI, then list credible threats and the vulnerabilities that could be exploited.
- Assets: ePHI and paper records; EHR, practice management, telehealth, portal, email, and cloud storage; laptops, tablets, smartphones, cameras, printers, network gear, and portable media; treatment areas, front desks, vehicles, and home-visit environments; workforce members and third parties (billing, IT, shredding, and cloud providers).
- Threats: ransomware, malware, phishing and business email compromise; device theft or loss; unauthorized access or snooping; misdirected email or fax; natural hazards (fire, flood, severe weather, power loss); and privacy exposure during home or school visits.
- Vulnerabilities: unencrypted or unmanaged devices; shared logins and weak passwords; no MFA; missed patches or unsupported software; excessive privileges; open or guest Wi‑Fi without network segmentation; unlocked file storage; improper media disposal; screens visible to others; inconsistent onboarding/offboarding; missing BAAs; and lapses in minimum necessary practices.
Record each threat–vulnerability pair as a risk statement in your Risk Register, noting affected assets, existing controls, and a preliminary severity rating.
Analyze Likelihood and Impact
Estimate how likely each risk is to occur and how severe the consequences would be, considering current controls. Use a simple 1–5 scale for both likelihood and impact, then calculate a risk score (likelihood × impact) to rank priorities.
- Likelihood factors: exposure time (e.g., mobile devices in the field), ease of exploitation, past incidents, vendor posture, and human error frequency.
- Impact factors: patient privacy and safety, operational downtime (missed treatments and revenue), regulatory costs, contractual penalties, and reputational harm.
- Categories: 1–5 Low, 6–10 Moderate, 11–15 Significant, 16–25 Critical. Example—lost unencrypted tablet used for home visits: L=3, I=5, Score=15 (Significant). Misdirected fax with PHI: L=2, I=4, Score=8 (Moderate).
Document rationale, dependencies, and assumptions next to each score in the Risk Register to make reviews repeatable and defensible.
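The likelihood × impact scoring described above, as an added Python example (not the guide's own code, nor a tool of the vendor named on the page): it validates the 1–5 ratings, applies the guide's score bands, ranks a constructed sample Risk Register for treatment, and re-scores an entry after controls are implemented to confirm the risk actually fell. The two example risks are the guide's own; the third sample row, the tie-break on impact, and the post-treatment ratings are assumptions.

```python
"""Risk Register scoring using the likelihood x impact method from the guide.

Constructed example: the third sample risk, the tie-break rule and the
post-treatment ratings are assumptions, not data from any real practice.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

# 1-5 scales for likelihood and impact, as in the guide.
SCALE_MIN, SCALE_MAX = 1, 5

# Score bands from the guide: (low, high, label).
BANDS = [
    (1, 5, "Low"),
    (6, 10, "Moderate"),
    (11, 15, "Significant"),
    (16, 25, "Critical"),
]


def _check_scale(name: str, value: int) -> None:
    """Reject ratings outside 1-5 so a typo cannot silently distort priorities."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer from {SCALE_MIN} to {SCALE_MAX}, got {value!r}")


def risk_score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood x impact (range 1-25)."""
    _check_scale("likelihood", likelihood)
    _check_scale("impact", impact)
    return likelihood * impact


def categorize(score: int) -> str:
    """Map a 1-25 score onto the guide's Low/Moderate/Significant/Critical bands."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside 1-25")


@dataclass(frozen=True)
class Risk:
    """One row of the Risk Register: a threat-vulnerability pair with its rating."""
    risk_id: str
    statement: str
    assets: Tuple[str, ...]
    existing_controls: Tuple[str, ...]
    likelihood: int
    impact: int
    owner: str
    rationale: str = ""

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def category(self) -> str:
        return categorize(self.score)


def rank_register(register: List[Risk]) -> List[Risk]:
    """Order risks for treatment: highest score first; ties broken by impact
    (assumption: a patient-safety impact outranks an equally scored nuisance)."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def rescore(risk: Risk, likelihood: int, impact: int, rationale: str) -> Tuple[Risk, bool]:
    """Re-score after controls are implemented and report whether risk actually fell."""
    updated = replace(risk, likelihood=likelihood, impact=impact, rationale=rationale)
    return updated, updated.score < risk.score


def register_summary(register: List[Risk]) -> List[Tuple[str, int, str]]:
    """(risk_id, score, category) in treatment order, ready for the written register."""
    return [(r.risk_id, r.score, r.category) for r in rank_register(register)]


# Constructed sample register. The first two rows are the guide's own examples;
# the third is an assumed entry added for illustration.
SAMPLE_REGISTER = [
    Risk("R-001", "Unencrypted tablet used for home visits is lost or stolen",
         ("tablet", "ePHI"), ("passcode only",), likelihood=3, impact=5,
         owner="Security Officer", rationale="Device leaves the clinic daily; no encryption or MDM"),
    Risk("R-002", "Fax containing PHI sent to the wrong number",
         ("fax", "paper PHI"), ("cover sheet", "number confirmation"), likelihood=2, impact=4,
         owner="Privacy Officer", rationale="Occasional; confirmation step reduces frequency"),
    Risk("R-003", "Shared EHR login used by front-desk staff",
         ("EHR",), (), likelihood=4, impact=4,
         owner="Practice Manager", rationale="Assumed: no per-user accountability in audit logs"),
]


if __name__ == "__main__":
    for risk_id, score, category in register_summary(SAMPLE_REGISTER):
        print(f"{risk_id}: score {score:2d} ({category})")
    # Assumed post-treatment ratings once encryption and MDM remote wipe are in place.
    treated, reduced = rescore(SAMPLE_REGISTER[0], likelihood=1, impact=3,
                               rationale="Full-disk encryption and MDM remote wipe deployed")
    print(f"R-001 after treatment: {treated.score} ({treated.category}), reduced={reduced}")
```

Keeping the rationale on each row alongside the numbers is what makes a later review repeatable; the `rescore` step is the re-scoring the Risk Treatment Plan section calls for, and returning a boolean rather than just a new number makes it obvious when a control was implemented but the rating did not move.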
Select and Plan Controls
Administrative Safeguards
- Establish policies and procedures for privacy, security, minimum necessary, sanctions, and role-based access aligned to OT workflows.
- Define workforce management: background checks as appropriate, unique user IDs, onboarding/offboarding checklists, and documented responsibilities.
- Maintain ongoing risk management: keep the Risk Register current and develop Risk Treatment Plans with owners, budgets, and deadlines.
- Vendor management: perform diligence, sign BAAs, define security requirements, and set exit/transition procedures.
- Contingency planning: data backup, disaster recovery, emergency mode operations, and downtime documentation for patient care continuity.
- Incident response and breach notification: decision trees, containment steps, timelines, evidence handling, and communication templates.
- Plan and schedule internal Compliance Audits to verify control performance and documentation quality.
Technical Safeguards
- Encrypt data at rest on laptops, tablets, and smartphones; enforce TLS for data in transit; use secure messaging for PHI.
- Enable multi-factor authentication (MFA) for EHR, email, portals, VPN, and remote access.
- Apply least privilege through role-based access; prohibit shared accounts; review permissions regularly.
- Require automatic logoff and screen locks; harden telehealth settings; restrict local recordings unless necessary.
- Use mobile device management (MDM) for configuration, patching, remote wipe, and app control.
- Implement vulnerability management and timely patching; deploy anti-malware/EDR; add email security (SPF, DKIM, DMARC) and phishing protection.
- Collect audit logs for EHR, authentication, and admin actions; enable alerts and periodic log reviews.
- Consider data loss prevention (DLP) and blocking auto-forwarding of PHI from email to personal accounts.
Physical Safeguards
- Control facility access to treatment and records areas; log visitors when feasible.
- Secure workstations with privacy screens, locked positions, and cable locks where appropriate.
- Protect devices and media with asset tags, chain-of-custody, and secure disposal (shredding, degaussing/wiping).
- Mitigate environmental risks with surge protection, UPS units, and leak/smoke detection in record storage areas.
Risk Treatment Plans
- For each prioritized risk, specify selected controls, target residual risk, owner, budget, milestones, and success metrics.
- Choose a treatment option: mitigate, transfer (e.g., privacy/cyber insurance), avoid, or accept with justification and a review date.
- List policy updates, workflow changes, and training required for effective adoption.
- Update the Risk Register as controls are implemented and re-score to confirm risk reduction.
Implement, Train, and Test
- Implement: execute controls in phases—start with quick wins (enable MFA, encrypt all devices, lock down guest Wi‑Fi), then roll out MDM, logging, and backup improvements; standardize secure templates for email, consent, and telehealth invitations.
- Train: deliver role-based training for therapists, assistants, and front desk; include phishing awareness, photos/video handling, minimum necessary, identity verification, and incident reporting; train new hires at onboarding and refresh at least annually.
- Test: run tabletop incident drills, phishing simulations, access reviews, and restore-from-backup tests; verify remote wipe on lost-device scenarios; periodically test telehealth settings for privacy and audio/video security.
Monitor and Maintain Compliance
Embed privacy and security into daily operations and measure performance over time.
- Assign Security and Privacy Officer roles (combined is acceptable in smaller practices) to own the program and reporting.
- Track metrics: training completion, MFA coverage, percentage of encrypted devices, patch currency, backup success, incident closure times.
- Review logs and alerts routinely; investigate anomalies and document outcomes.
- Conduct quarterly access recertifications and offboarding audits to remove unused accounts and reclaim devices.
- Maintain a patch and vulnerability management cadence; scan monthly or after major changes.
- Oversee vendors: refresh BAAs, review security attestations, and reassess risk after service changes.
- Schedule internal Compliance Audits and readiness checks for external assessments.
- Repeat risk assessments at least annually and whenever major changes occur (new EHR, telehealth expansion, relocation, or after an incident).
- Keep living documentation: Risk Register, Risk Treatment Plans, policies, procedures, training logs, audit results, and incident records.
- Drive continuous improvement with root-cause analyses and updates to controls, workflows, and training.
By scoping PHI, cataloging risks, scoring and prioritizing them, and implementing Administrative Safeguards, Technical Safeguards, and Physical Safeguards through disciplined Risk Treatment Plans, you build resilient, patient-centered operations and stay audit-ready year-round.
FAQs
What is the purpose of a HIPAA risk assessment for occupational therapists?
It identifies how your practice creates, receives, maintains, and transmits PHI, uncovers threats and vulnerabilities, and prioritizes safeguards so you can reduce breach risk, maintain continuity of care, and demonstrate compliance during reviews or audits.
How often should occupational therapists conduct a HIPAA risk assessment?
Perform a risk assessment at least annually and whenever significant changes occur—such as adopting a new EHR, expanding telehealth, relocating, onboarding a major vendor, or after a security incident. HIPAA expects ongoing risk analysis rather than a one-time review.
What are common vulnerabilities found in occupational therapy practices?
Frequent issues include unencrypted or unmanaged mobile devices, shared logins, missing MFA, misdirected faxes or emails, photos/videos stored on personal phones, open guest Wi‑Fi, unlocked file cabinets, incomplete offboarding, missing BAAs, and unreliable backups or restore procedures.
How can occupational therapists ensure ongoing HIPAA compliance after assessment?
Maintain a current Risk Register, execute Risk Treatment Plans with clear owners and deadlines, train staff regularly, monitor logs and alerts, conduct Compliance Audits, review vendor risk and BAAs, retest backups and incident response, and re-assess risks at least annually and after major changes.