Awareness article
HIPAA for Occupational Therapists
Occupational therapists work in homes, schools, and clinics - each with different privacy rules. This guide covers HIPAA obligations for OT staff, the FERPA boundary in school-based practice, and the unique exposure of home health visits.
Short answer
Occupational therapy practice spans clinics, homes, schools, and community settings, and each environment changes which privacy rule applies. This article covers HIPAA obligations for OT staff, the FERPA boundary in school-based practice, and how to handle assistive technology assessments and home health PHI.
Occupational therapy practice covers more settings than almost any other clinical role. An OT may treat patients in an outpatient clinic in the morning, a hospital outpatient department at lunch, and a patient’s home in the afternoon, then submit notes for a school-based caseload that evening. Each setting changes which privacy rule applies and which safeguards matter most. This guide is for OTs, OTAs, and OT students working across clinic, home health, school, and community-based practice.
What occupational therapists need to know about HIPAA
Three obligations are central to OT practice.
First, identify which privacy rule governs the record. Under 45 CFR § 160.103, PHI is individually identifiable health information created or received by a covered entity (or its business associate) that relates to an individual's health, care, or payment for care, and the same definition expressly excludes education records covered by FERPA. School records about a student receiving OT services under an IEP are therefore generally education records governed by FERPA, not HIPAA, even when they read like clinical notes. The joint HHS and Department of Education guidance explains the boundary. An OT in private practice who also contracts with a school district may be operating under both rules, with different paperwork for the same child depending on the capacity in which the record is created.
Second, apply reasonable safeguards across non-clinic settings. 45 CFR § 164.530(c) requires administrative, technical, and physical safeguards that protect PHI wherever it lives, not only inside the clinic. In the home, that means encrypted tablets, no voice dictation or phone calls about the patient where household members can hear, and discretion in how clinical conversations happen with family members in earshot. In a school, it means storing forms in a locked location and never leaving them in the front office.
Third, apply minimum necessary access. 45 CFR § 164.514(d) limits access to what each workforce member needs. Assistive technology assessments often include cognitive testing, sensory profiles, and functional limitation detail that should not be visible to non-clinical staff who are scheduling or billing.
PHI occupational therapists commonly encounter
The PHI footprint of OT work is broader than most realize. Initial evaluations document medical history, current diagnoses, prior level of function, home setup, and family situation. Treatment plans describe specific interventions for cognitive, sensory, motor, and ADL impairments. Progress notes include performance on standardized assessments. Assistive technology evaluations can include video of the patient’s communication, mobility, and home access. Home modification recommendations describe the patient’s residence in detail. Driving evaluations include cognitive testing results and recommendations that may affect a patient’s license. Equipment justification letters to insurers carry diagnosis and functional limitation information.
High-risk situations for occupational therapists
Four scenarios produce most OT compliance problems.
Home health visits with family members present. A spouse, adult child, or caregiver is often in the room. Under 45 CFR § 164.510(b), discussing diagnosis, prognosis, or behavioral observations where others can hear is permitted when the patient agrees, when the patient is given the opportunity to object and does not, or when the OT can reasonably infer from the circumstances that the patient does not object. Ask before the conversation starts rather than assuming, and document the answer. Children, neighbors, or paid caregivers in the home create the same risk and call for the same care.
Photos and videos in the home. Documenting a stair, a doorway, or a transfer is sometimes clinically necessary. Anything that captures the patient or their identifiable home is PHI. Use a clinic-managed device, store in an audited location, and obtain written authorization for any non-treatment use.
The HIPAA/FERPA boundary in schools. School-based OTs often hold records that look like clinical notes but are education records under FERPA. Sending those records to an outside physician without the signed and dated written consent FERPA requires (34 CFR § 99.30), or treating a HIPAA authorization as if it covered a school record, are common errors. The two consent forms are not interchangeable; use the one that matches the rule governing the record.
Mobile device loss. A tablet left in a car, a phone with PHI in a text thread, or a laptop with downloaded reports is a recurring breach scenario for home health practices. Encryption and MDM are not optional, and they are also the practice's best protection after a loss: under 45 CFR § 164.402, PHI encrypted in line with HHS guidance is not "unsecured PHI", so losing a properly encrypted device whose key was not also compromised does not trigger breach notification, whereas the loss of an unencrypted device is presumed to be a breach unless a documented risk assessment shows a low probability of compromise. Remote wipe through MDM should be the first action once a loss is reported.
HIPAA compliance checklist for occupational therapists
- Confirm in writing for each setting whether HIPAA or FERPA governs the records you create, and adjust authorizations accordingly.
- Use only clinic-managed, encrypted, MDM-enrolled devices for any PHI in the home or community.
- Conduct sensitive parts of conversations with the patient privately and document who else was present during each home visit.
- Apply minimum necessary in EMR roles so OTAs, students, and front-desk staff see only what they need for their function.
- Lock devices and bags in the trunk during transit, never leave PHI in plain sight in a vehicle, and report any loss to the privacy officer immediately; the notification clock runs from discovery, with individual notices due no later than 60 days after discovery under 45 CFR § 164.404.
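The minimum-necessary item above is the one checklist point that maps directly onto an access-control implementation. The following Python is an added example written for this article, not PHIGuard code or any EMR vendor's API: a deny-by-default, field-level filter in which the role names, the field groups, the role-to-field policy and the sample evaluation are all constructed assumptions. It shows what front-desk and billing staff are left with when the cognitive testing, sensory profile and functional limitation detail named earlier is withheld, and how an audit entry can record the decision without copying PHI into the log.

```python
"""Field-level minimum-necessary views of an OT record, by EMR role.

Illustrative code added to this article; it is not PHIGuard code or any
EMR vendor's API. Role names, field names, the role-to-field policy and
the sample evaluation are constructed assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Deny-by-default allow-lists. A role sees a field only if it is listed here;
# anything not listed (including fields added to the record later) is withheld.
SCHEDULING_FIELDS = frozenset({"patient_id", "name", "phone", "visit_time", "visit_location"})
BILLING_FIELDS = SCHEDULING_FIELDS | {"diagnosis_codes", "cpt_codes", "payer"}
CLINICAL_FIELDS = BILLING_FIELDS | {
    "cognitive_testing", "sensory_profile", "functional_limitations",
    "treatment_plan", "progress_notes", "home_photos",
}

# Assumed role policy: front desk schedules, billing codes claims, clinicians treat.
# Students get the clinical record minus home photos purely to show that a
# policy can be narrower than the supervising clinician's view.
ROLE_POLICY = {
    "front_desk": SCHEDULING_FIELDS,
    "billing": BILLING_FIELDS,
    "ota": CLINICAL_FIELDS,
    "ot": CLINICAL_FIELDS,
    "student": CLINICAL_FIELDS - {"home_photos"},
}

# Constructed sample evaluation; no real patient data.
SAMPLE_EVALUATION = {
    "patient_id": "OT-0001",
    "name": "Sample Patient",
    "phone": "555-0100",
    "visit_time": "2024-03-04T09:00",
    "visit_location": "home",
    "diagnosis_codes": ["I69.351"],
    "cpt_codes": ["97165"],
    "payer": "Sample Plan",
    "cognitive_testing": {"MoCA": 22},
    "sensory_profile": "mild tactile defensiveness",
    "functional_limitations": "needs min assist for tub transfer",
    "treatment_plan": "ADL retraining 2x/week",
    "progress_notes": "tolerated session well",
    "home_photos": ["bathroom_doorway.jpg"],
}


@dataclass(frozen=True)
class AccessDecision:
    """What a workforce member was shown, and what was held back."""
    user: str
    role: str
    record_id: str
    released: dict
    withheld: tuple  # sorted field names, never values
    at: str


def can_see(role: str, field_name: str) -> bool:
    """True only if the role's allow-list names the field (deny by default)."""
    return field_name in ROLE_POLICY.get(role, frozenset())


def minimum_necessary_view(record: dict, role: str, user: str) -> AccessDecision:
    """Return the subset of `record` the role may see, plus an audit record.

    Unknown roles raise rather than silently receiving an empty view, so a
    misconfigured account fails closed and visibly.
    """
    allowed = ROLE_POLICY.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}: access denied by default")
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = tuple(sorted(k for k in record if k not in allowed))
    return AccessDecision(
        user=user,
        role=role,
        record_id=record["patient_id"],
        released=released,
        withheld=withheld,
        at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )


def audit_line(decision: AccessDecision) -> str:
    """One log line per view. It names fields, not values, so the audit log
    itself carries no clinical content beyond the record identifier."""
    return (
        f"{decision.at} user={decision.user} role={decision.role} "
        f"record={decision.record_id} "
        f"released={','.join(sorted(decision.released))} "
        f"withheld={','.join(decision.withheld)}"
    )


if __name__ == "__main__":
    for user, role in (("scheduler1", "front_desk"), ("biller1", "billing"), ("ota1", "ota")):
        print(audit_line(minimum_necessary_view(SAMPLE_EVALUATION, role, user)))
```

Three design choices carry the security point. The policy is an allow-list, so a field added to the evaluation template later is withheld from every role until someone deliberately grants it. The audit line logs field names rather than values, so the log does not become a second PHI store that itself needs minimum-necessary controls. And an unknown role raises instead of returning an empty view, which is the difference between a misconfigured account that gets noticed on day one and one that quietly sees nothing.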
Training documentation requirements
45 CFR § 164.530(b) requires every covered entity to train workforce members on the policies and procedures with respect to PHI as necessary and appropriate for the workforce member to carry out their function. For OT practices that includes the HIPAA/FERPA boundary, mobile device use, in-home documentation, family-member disclosures, and the rules around photo and video capture. The clinic must document the date of training, the topics, the materials, and a signed acknowledgment from each workforce member, and retain those records for six years under 45 CFR § 164.530(j).
A small OT practice can satisfy this with an annual training session, a new-hire module before EMR access is granted, and a short retraining whenever a policy or vendor changes. PHIGuard customers attach signed acknowledgments to a workforce record with an immutable audit trail. See annual HIPAA training requirements for cadence and the workforce training hub for role-based curricula.
If your OT practice covers home, school, and clinic settings and you want one compliance program that handles all three - role-based access, BAA tracking for school districts and vendors, and audit-ready training records - see how PHIGuard delivers HIPAA compliance for small clinics on published plan details.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.
Workforce Training
Training, onboarding, access reviews, and offboarding processes that make a clinic compliance program defensible.
HIPAA for Behavioral Health Staff
HIPAA for behavioral health: psychotherapy notes under 164.508, 42 CFR Part 2, group therapy, and a CFR-cited compliance checklist.
HIPAA for Dental Hygienists
HIPAA training for dental hygienists: operatory privacy, chairside screen risks, radiograph PHI, and a CFR-cited compliance checklist.
Sources
- 45 CFR § 164.530 - Administrative requirements · eCFR
- HHS and ED Joint Guidance on HIPAA and FERPA · U.S. Department of Health and Human Services