HIPAA Compliance for Occupational Therapy Practices
Occupational therapy sits in a corner of healthcare where protected health information (PHI) rarely stays inside a clinic. OT practitioners document patients in their kitchens, their classrooms, and their workplaces, and the records they keep — functional capacity evaluations, activities-of-daily-living (ADL) assessments, home-safety photos, adaptive-equipment recommendations, and detailed progress notes — are unusually descriptive about a person’s home life and disability status. That makes HIPAA compliance for occupational therapy practices a question of where the data travels as much as how it is stored.
What makes HIPAA distinct for occupational therapy
Three features of OT raise the stakes. First, home- and community-based therapy means PHI leaves the building on laptops, phones, and paper — often documented on the spot. Second, pediatric OT, frequently delivered in schools or early-intervention programs, creates parental access rights and overlaps with FERPA when services are part of an IEP. Third, tele-rehabilitation sessions capture a patient’s home environment on video, where a bookshelf, a medication bottle, or a family member can appear on screen. Each of these is a realistic disclosure pathway that a generic compliance checklist will miss.
Vendors compound the picture. OT practices lean on scheduling tools, documentation and EMR platforms, outcome-measurement apps, and durable medical equipment suppliers. Every one of those that touches PHI needs a signed Business Associate Agreement (BAA) before data flows — including the tele-rehab platform and any cloud transcription service used for note-taking.
The Security Risk Analysis is non-negotiable
The foundation of any OT practice’s program is the Security Risk Analysis (SRA) required under the HIPAA Security Rule at 45 CFR § 164.308(a)(1)(ii)(A). This is not a checkbox; it is an accurate, thorough assessment of the confidentiality, integrity, and availability of every system that creates, receives, maintains, or transmits electronic PHI. For OT, that scope explicitly includes mobile devices used in the field, the tele-rehab platform, and any personal phone a therapist uses to photograph a home setup. The SRA must be documented, reviewed when systems change, and paired with a risk-management plan that actually closes the gaps it finds. A missing or stale SRA is the single most common finding in Office for Civil Rights (OCR) enforcement actions.
The proposed 2026 Security Rule update
Practices should also watch the proposed update to the HIPAA Security Rule. OCR published a Notice of Proposed Rulemaking (NPRM) in December 2024 that would, among other things, make currently “addressable” safeguards mandatory, require encryption of ePHI at rest and in transit, mandate multi-factor authentication, and require asset inventories and network mapping. This rule is not final — it remains a proposal, and if finalized it carries an expected 240-day compliance window from the date the final rule is published. The practical takeaway for OT practices: encryption on field laptops and phones, and MFA on your EMR, are worth implementing now rather than waiting.
How Medcurity helps
Medcurity gives occupational therapy practices a guided Security Risk Analysis, BAA tracking, policy templates, and ongoing risk-management workflows in one place — built so a clinical team without a dedicated compliance officer can complete and maintain it. Pricing is $499/year (about $42/month) for a single practice; larger or multi-site organizations can request a quote. For the wider program, see our HIPAA compliance checklist, and if your practice also delivers physical rehabilitation, our guide to HIPAA compliance for physical therapy covers overlapping field-documentation risks.
Frequently Asked Questions
Does HIPAA apply to occupational therapy delivered in a patient’s home?
Yes. PHI does not lose protection because it is created off-site. Home-based OT documentation, including photos of a patient’s living space, must be encrypted on the device, transmitted securely, and stored in a HIPAA-compliant system covered by your SRA.
How does HIPAA interact with school-based pediatric OT and FERPA?
When OT is provided as part of a student’s education record under IDEA, FERPA generally governs those records rather than HIPAA. The same therapist’s private-practice or clinic records remain under HIPAA. Practices serving both settings must keep the records — and the access rules — separate.
Do I need a BAA with my tele-rehabilitation platform?
Yes. Any platform that transmits or stores video sessions or notes containing PHI is a business associate and requires a signed BAA before you use it with patients.
How often should an OT practice update its Security Risk Analysis?
The SRA should be reviewed at least annually and whenever you adopt new technology, change vendors, move locations, or experience a security incident. It is an ongoing process, not a one-time document.