How Occupational Therapists Can Avoid HIPAA Violations: Practical Tips and a Compliance Checklist

Protecting patient privacy is central to your role as an occupational therapist. HIPAA sets specific standards for handling Protected Health Information (PHI) and requires consistent Privacy Rule Compliance across daily workflows, technology, and vendor relationships.

This guide translates requirements into clear actions and a practical compliance checklist you can apply in clinics, home health, schools, and telehealth settings.

Prevent Unauthorized Access to Patient Information

Key Practices

Limit access using role-based permissions so staff see only the minimum necessary information. Assign unique user IDs, require strong passwords, and enable Multi-Factor Authentication for all systems that store or transmit PHI.

Secure workstations and paper files. Position screens away from public view, enable automatic screen locks, and store charts in locked areas. Conduct periodic Audit Log Reviews to detect inappropriate access early.

Checklist

• Apply role-based access; remove access immediately when roles change or staff depart.
• Require strong passwords and Multi-Factor Authentication on EHRs, email, and remote access.
• Use privacy screens, auto-locks, and locked storage for paper records.
• Review audit logs on a set schedule; investigate anomalies and document outcomes.

Safeguard Electronic Health Records

Technical Safeguards

Encrypt data in transit and at rest, and deploy Endpoint Protection on laptops, tablets, and phones used for documentation. Keep operating systems and applications patched, and segment your network to isolate clinical systems from guest Wi‑Fi.

Run an organization-wide Security Risk Assessment at least annually and after major changes. Validate your vendors’ security practices and sign Business Associate Agreements with any service that handles PHI.

Checklist

• Enable full-disk encryption and secure backups with restore testing.
• Install Endpoint Protection and mobile device management with remote wipe.
• Restrict admin rights; keep systems patched and firewalls enabled.
• Complete a documented Security Risk Assessment; track and remediate findings.
• Execute Business Associate Agreements with EHR, billing, telehealth, and messaging vendors.

Obtain and Document Patient Consent

Best Practices

Provide a Notice of Privacy Practices and document receipt. Obtain and record patient consent for routine uses and secure a specific authorization for non-routine disclosures, marketing, or sharing with third parties not involved in treatment, payment, or operations.

Document the scope of consent, dates, and any expiration. Record revocations promptly and honor patient preferences about communication channels when feasible.

Checklist

• Capture signed consent/authorization in the EHR with date, purpose, and expiration.
• Verify identity before releasing PHI; use minimum necessary details.
• Record patient communication preferences (phone, portal, encrypted email).
• Log and process revocations without delay.

Dispose of Protected Health Information Properly

Physical PHI

Use locked shred bins for paper and label them clearly. Shred immediately after retention periods expire, and secure transport if a vendor handles destruction.

Digital PHI

Sanitize devices before reuse or disposal using industry-standard media wiping methods. Remove PHI from scanners, copiers, and removable media, and keep certificates of destruction from vendors.

Checklist

• Apply documented retention schedules; dispose on time.
• Shred paper and destroy labels, wristbands, and notes containing identifiers.
• Wipe or destroy hard drives, USBs, and mobile devices; keep proof of destruction.

Conduct Regular Staff HIPAA Training

What to Cover

Train all workforce members—clinicians, front desk, students, and contractors—on HIPAA basics, role-specific procedures, phishing awareness, and incident reporting. Reinforce real OT scenarios like home visits, school settings, group sessions, and telehealth.

Maintain records of attendance, dates, and content. Update training when policies change, new technology is introduced, or risks emerge.

Checklist

• Provide training at onboarding and refresh at least annually.
• Test comprehension; document completion and corrective actions.
• Include Privacy Rule Compliance, minimum necessary, and breach reporting steps.

Employ Secure Communication Methods

Do’s and Don’ts

Use secure messaging platforms and patient portals backed by Business Associate Agreements. Encrypt email containing PHI and confirm recipient identity before sending. Keep voicemails minimal and avoid discussing sensitive details in public or shared spaces.

For telehealth, use private rooms, headsets, and unique meeting links with waiting rooms enabled. Prohibit unencrypted texting or consumer apps that lack proper safeguards.

Checklist

• Route PHI through secure, encrypted tools; avoid personal email and SMS.
• Verify recipients and use the minimum necessary information.
• Configure telehealth with authentication, waiting rooms, and locked sessions.

Recognize and Report HIPAA Breaches

Immediate Actions

If PHI is lost, stolen, or improperly disclosed, act quickly: contain the issue, preserve logs and evidence, and assess risk. Common steps include resetting credentials, disabling access, and retrieving or wiping devices.

Notification Requirements

Conduct a risk assessment to determine if PHI was compromised. When notification is required, notify affected individuals without unreasonable delay and no later than 60 days from discovery, and follow additional reporting rules based on the number of affected individuals.

Checklist

• Stop the exposure, document events, and perform a documented risk assessment.
• Notify individuals and regulators within required timeframes; keep copies of notices.
• Mitigate harm, retrain staff, and update policies to prevent recurrence.

Summary and Next Steps

Build strong foundations—access controls, encryption, Audit Log Reviews, training, secure communications, and clear breach response. Revisit your Security Risk Assessment regularly and keep Business Associate Agreements current to sustain compliance over time.

FAQs

What are the most common HIPAA violations by occupational therapists?

Frequent issues include discussing PHI in public areas, snooping in records without a need to know, unsecured texting or email, lost or stolen devices without encryption, improper disposal of records, missing Business Associate Agreements, skipped Audit Log Reviews, and inadequate or infrequent staff training.

How can occupational therapists secure electronic health records?

Use Multi-Factor Authentication, strong unique passwords, encryption in transit and at rest, Endpoint Protection with timely patching, role-based access, routine backups with restore tests, ongoing Audit Log Reviews, a documented Security Risk Assessment, and BAAs with all vendors touching ePHI.

What steps should be taken after a HIPAA breach?

Contain and investigate immediately, preserve system logs, perform a risk assessment, notify your privacy/security lead, and issue required notifications without unreasonable delay and within 60 days when applicable. Mitigate harm, retrain staff, and revise policies to prevent a repeat.

How often should HIPAA training be conducted for staff?

Provide training at onboarding, refresh it at least annually, and add targeted sessions whenever policies, technology, roles, or risks change. Keep detailed records of attendance, dates, and curriculum.