Occupational therapy practices work across multiple settings: outpatient clinics, hospitals, patients’ homes, schools, and long-term care facilities. That breadth of settings creates dispersed PHI exposure. Records generated in one setting get transmitted to another. Staff carry clinical documentation into environments they do not control. Vendors providing telehealth, billing, and scheduling services each touch PHI in different ways.
PHI Risks Specific to Occupational Therapy Practices
Functional assessment records. OT assessments document a patient’s ability to perform daily activities, often including fine motor function, cognitive capacity, and home safety. These records are detailed and sensitive. Transmitting them to a referring physician for treatment is permitted without a minimum necessary review, because 45 CFR 164.502(b)(2) exempts disclosures to a health care provider for treatment. Transmitting them to an insurer, a school, or any other non-treatment recipient is not exempt: the practice needs a documented purpose for the disclosure and a minimum necessary review of what portion of the record that purpose actually requires before sending the full assessment.
Home assessment documentation. When an OT conducts a home visit, the assessment record documents the patient’s home environment, assistive technology needs, and functional deficits in a personal setting. This record is PHI. Notes or photographs taken during a home visit should not be stored on personal devices without a documented mobile device policy and appropriate security controls.
Multi-setting care coordination. An OT working with a post-stroke patient may coordinate with a neurologist, a physical therapist, a case manager, and a skilled nursing facility. Each coordination exchange is a PHI disclosure. Verbal communications over personal phones, faxes to facilities without confirmed numbers, and emails without encryption controls are common exposure points.
School and pediatric records. OT practices serving pediatric patients through school-district contracts encounter the HIPAA-FERPA boundary. HIPAA’s definition of PHI at 45 CFR 160.103 excludes education records covered by FERPA, so the same therapy note can fall under one regime or the other depending on who it is created and maintained for. Records the practice creates and maintains on behalf of the district, as its contractor, are generally FERPA education records; records the practice creates and maintains for its own treatment and billing purposes are PHI under HIPAA. The practice needs a documented policy stating which records fall on which side of that line and, where the district exchanges PHI with the practice in a capacity that requires one, a BAA with the school district.
Workers’ compensation and employer-requested OT. OT services ordered at the request of an employer, such as a functional capacity evaluation (FCE) to determine return-to-work fitness, present a HIPAA boundary issue. HIPAA addresses workers’ compensation disclosures at 45 CFR 164.512(l): a covered entity may disclose PHI as authorized by, and to the extent necessary to comply with, state workers’ compensation laws and similar programs, which in practice covers disclosures to workers’ compensation insurers, state agencies, and employers. The minimum necessary standard still applies to these disclosures unless the disclosure is required by law. When an employer (not a covered entity) is paying for and directing the evaluation outside a workers’ compensation claim, 164.512(l) does not apply and the worker’s written authorization under 45 CFR 164.508 is required before the employer receives the results. In either case the OT practice should be explicit about who the “client” is, what records the employer is authorized to receive, and what the worker retains rights over. Records created for a workers’ compensation FCE are still PHI, but the disclosure framework is governed by 164.512(l) and the applicable state workers’ comp statute rather than standard treatment-purpose rules. Document the legal basis for each employer-directed disclosure.
Billing and insurance documentation. OT billing frequently requires functional status documentation that is more detailed than standard CPT coding. Insurers may request full progress notes during audits. The practice must have documented policies for responding to insurer record requests under the minimum necessary standard.
Common Compliance Gaps
Private OT practices most often identify two gaps: no formal mobile device policy for therapists carrying clinical notes on personal tablets or phones during home visits, and training documentation that covers office staff but not contracted or per-diem therapists who rotate through the practice, even though §164.530(b) requires training for all workforce members.
What PHIGuard Provides
PHIGuard gives OT practice administrators a compliance management system that does not require technical expertise to operate. The platform includes:
- Workforce training tracking with per-employee timestamps per §164.530(b), covering full-time and contract therapists
- Incident log with guided breach risk assessment per 45 CFR 164.402
- BAA tracking for billing companies, telehealth vendors, and school-district relationships
- Compliance task templates for risk analysis and annual policy review
- Immutable audit trail on all compliance records
Pricing is per practice. Essentials at $99/month, Clinic at $249/month, Group at $499/month. See plan details and tier limits, or visit the HIPAA compliance overview for the regulatory requirements that apply to OT practices.