HIPAA Rules for Occupational Therapists: A Practical Compliance Guide
HIPAA Applicability to Occupational Therapists
As a healthcare provider, you are a HIPAA covered entity if you transmit any patient information electronically in connection with standard transactions such as claims, eligibility checks, referrals, or authorizations. Most occupational therapy practices that bill insurers or use an EHR fall under HIPAA.
If you do not conduct electronic standard transactions, you may not be a covered entity. However, if you work for a hospital, clinic, or home health agency, you must follow that organization’s HIPAA policies as part of its workforce. In school settings, student records are generally protected by FERPA rather than HIPAA, but services you deliver outside the education record can still be HIPAA-governed.
Some organizations operate as hybrid entities, designating healthcare components that must comply with HIPAA. When in doubt, map your services and billing flows to determine whether HIPAA applies and which internal units are in scope.
- Do you submit electronic insurance claims or eligibility checks? If yes, HIPAA likely applies.
- Do vendors create, receive, maintain, or transmit patient data for you? If yes, Business Associate Agreements are required.
- Are you part of a larger system? Follow that entity’s HIPAA governance structure.
Understanding Protected Health Information
Protected Health Information (PHI) is individually identifiable information about a person’s health, care received, or payment for care. It includes obvious identifiers (name, address, full-face photos) and less obvious ones (device serial numbers, IP addresses, or unique codes) when they can be tied to a person.
Electronic Protected Health Information (ePHI) is PHI stored or transmitted electronically—your EHR notes, scheduling records, billing files, emails, text messages, telehealth recordings, wearable data, and cloud backups. Paper PHI and spoken PHI are also protected and require the same privacy controls.
De-identified data is not PHI because identifiers have been removed or masked. A limited data set (with certain identifiers removed) can be used for operations, research, or public health with a data use agreement. Treat any dataset you can re-identify in practice as PHI.
- Be alert to incidental disclosures in open gyms, waiting areas, and group sessions.
- Use private spaces for sensitive discussions, and position screens to prevent shoulder surfing.
- Apply minimum-necessary access to schedules, reports, and team communications.
Implementing HIPAA Privacy Rule Standards
Permitted uses and disclosures
You may use and disclose PHI for treatment, payment, and healthcare operations without patient authorization. Other disclosures (for example, marketing or most research) generally require written authorization. Disclosures to public health or law enforcement are allowed only under specific conditions.
Minimum necessary and role-based access
Limit each use, disclosure, and staff member’s access to the minimum necessary to do the job. Configure role-based permissions in your EHR, restrict report fields, and avoid sharing full charts when a summary will meet the need.
Notice of Privacy Practices (NPP)
Provide patients with your NPP at intake and post it prominently. The NPP explains permitted uses, patient rights, how to file a complaint, and how to contact your privacy officer. Keep a record of acknowledgments or good-faith efforts to obtain them.
Patient rights
- Access: Provide records generally within 30 days; if you maintain ePHI, offer an electronic copy in the requested readily producible format.
- Amendment: Document and act on amendment requests; append clearly if you deny.
- Accounting of disclosures: Track non-routine disclosures as required.
- Restrictions and confidential communications: Honor reasonable requests, including restrictions on disclosures to health plans when the patient pays in full out-of-pocket.
Authorizations and special cases
Obtain signed authorizations for uses not otherwise permitted, such as marketing communications or sharing PHI with non-treating third parties. Verify identity before releasing PHI, and apply extra caution with minors, guardians, and sensitive services.
Privacy Rule Compliance documentation
Adopt written policies, assign a privacy officer, and maintain records of decisions, logs, and NPP versions. Retain documentation for at least six years and review policies annually or after significant changes in workflows or law.
Ensuring HIPAA Security Rule Compliance
Risk analysis and risk management
Start with a formal risk analysis that inventories where ePHI lives and moves—EHR, laptops, mobile devices, email, telehealth, and backups. Evaluate threats and vulnerabilities, assign likelihood and impact, and implement controls to reduce risks to a reasonable and appropriate level.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Administrative safeguards
- Assign a security officer, define sanctions, and review system activity (audit logs, access reports, alerts).
- Manage workforce security with background checks, onboarding/offboarding, and role-based access.
- Develop an incident response plan, contingency plans, backups, and disaster recovery procedures.
Physical safeguards
- Control facility access; secure treatment areas and server/network closets.
- Define workstation use; add privacy screens and auto-lock timeouts.
- Manage device and media: encrypt, track inventory, and securely dispose of drives and paper.
Technical safeguards
- Encrypt ePHI at rest and in transit; secure email and portals for patient communications.
- Enable audit controls and centralized logging; review for anomalies.
- Harden systems with patching, anti-malware/EDR, firewalls, and secure configurations.
Access Control Mechanisms
- Unique user IDs, strong passwords, and multi-factor authentication for remote or privileged access.
- Role-based permissions and least privilege; quarterly access reviews and rapid de-provisioning.
- Automatic logoff, session timeouts, and emergency access procedures (break-glass) with auditing.
Security Safeguards for mobile and telehealth
- Mobile device management with encryption, remote wipe, and screen locks on smartphones and tablets.
- Use vetted telehealth platforms that support encryption and BAAs; verify camera/microphone privacy.
- Protect home and clinic Wi‑Fi with WPA2/3, separate guest networks, and updated routers.
Managing Breach Notification Requirements
What counts as a breach
A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. Assess incidents using four factors: the nature and extent of data involved, who received it, whether the PHI was actually viewed or acquired, and the extent of mitigation. Certain unintentional or intra-entity disclosures may not be breaches, and properly encrypted data may qualify for safe harbor.
Breach Notification Procedures
- Individuals: Notify without unreasonable delay and no later than 60 calendar days after discovery. Include what happened, types of PHI, steps individuals should take, what you are doing, and how to contact you.
- HHS: For 500+ affected individuals, notify within 60 days of discovery; for fewer than 500, log the incident and report to HHS within 60 days after the end of the calendar year.
- Media: If 500+ residents of a state or jurisdiction are affected, notify prominent media outlets.
Immediate response steps
- Contain and secure systems; preserve logs and evidence.
- Investigate and document; complete the risk assessment.
- Engage affected Business Associates if involved; coordinate timelines.
- Mitigate harm (e.g., credit monitoring, password resets) and update policies to prevent recurrence.
Establishing Business Associate Agreements
When you need a BAA
Execute Business Associate Agreements before sharing PHI with vendors that create, receive, maintain, or transmit PHI on your behalf. Common examples include EHR and practice-management vendors, billing services, cloud storage and backup providers, telehealth platforms, transcription services, IT support with system access, and document shredding services.
BAAs are generally not required for true conduits that only transmit data without persistent storage (e.g., postal services), or for banks processing standard payments. When a vendor stores or can access ePHI, a BAA is required.
What to include
- Permitted uses/disclosures and prohibition on unauthorized use.
- Required Security Safeguards for ePHI, including breach detection and reporting duties.
- Subcontractor flow-down requirements, access/accounting support, and right to audit.
- Termination rights, return or destruction of PHI, and documentation retention.
Vendor due diligence
Assess vendor security programs, encryption, access controls, breach history, and insurance. Verify they can meet your Breach Notification Procedures and support patient rights requests. Reassess high-risk vendors annually.
Conducting Staff Training and Education
Who, when, and how often
Train all workforce members—including clinicians, front office, students, and contractors—on HIPAA policies and role-specific procedures. Provide onboarding training before access to systems and refresher training at least annually and after material policy or technology changes.
Core topics to cover
- Privacy Rule basics, minimum necessary, and acceptable communications.
- Security Rule essentials: phishing awareness, secure passwords, device handling, and incident reporting.
- Access Control Mechanisms, audit trails, and sanctions for violations.
- Breach recognition and first-response playbooks for lost devices or misdirected messages.
Practice and documentation
Use scenario-based drills (e.g., voicemail left on wrong number, lost tablet, or misdirected fax) and tabletop exercises. Document attendance, content, dates, and test results; address gaps with targeted coaching and policy updates.
Key takeaways
Map where PHI and ePHI flow, enforce minimum-necessary access, implement layered technical and physical controls, and prepare for incidents with clear Breach Notification Procedures. With sound policies, Business Associate Agreements, and regular training, you can operationalize HIPAA compliance in daily occupational therapy practice.
FAQs.
What PHI must occupational therapists protect under HIPAA?
You must protect all individually identifiable information related to a patient’s health, the care you provide, or payment for that care. This includes names, contact details, dates of service, images and videos, diagnostic and therapy notes, scheduling and billing records, device identifiers, and any data that can reasonably identify the person—whether on paper, spoken, or as Electronic Protected Health Information.
How should occupational therapists implement the Security Rule?
Conduct a risk analysis, then apply administrative, physical, and technical controls sized to your practice. Encrypt devices and backups, enable multi-factor authentication, enforce Access Control Mechanisms with least privilege and automatic logoff, review audit logs, maintain secure telehealth workflows, and create contingency plans with tested backups and incident response procedures.
When is a Business Associate Agreement required?
Before any vendor creates, receives, maintains, or transmits PHI for you—such as EHR platforms, billing companies, cloud storage, telehealth services, shredding vendors, and IT support with system access. Pure conduits that do not store PHI (for example, the postal service) generally do not need a BAA, but most cloud or hosted services do.
What are the steps after a HIPAA breach?
Contain the incident, preserve evidence, and investigate promptly. Perform the four-factor risk assessment, decide if notification is required, and initiate Breach Notification Procedures: notify affected individuals without unreasonable delay (no later than 60 days), report to HHS as required, and notify media for large local breaches. Mitigate harm, correct root causes, and document every action.
Table of Contents
- HIPAA Applicability to Occupational Therapists
- Understanding Protected Health Information
- Implementing HIPAA Privacy Rule Standards
- Ensuring HIPAA Security Rule Compliance
- Managing Breach Notification Requirements
- Establishing Business Associate Agreements
- Conducting Staff Training and Education
- FAQs.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.