HIPAA BAA Requirements for Occupational Therapists
By BAA Generator Editorial · Updated Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Occupational therapists are HIPAA covered entities when they transmit health information electronically
- ✓ OT documentation platforms (WebPT, Fusion, TheraOffice, SimplePractice) all offer BAAs — request them before sharing PHI
- ✓ School-based OT may fall under FERPA rather than HIPAA depending on employment structure and record type
- ✓ Telehealth platforms used for OT sessions require HIPAA BAAs — consumer video tools do not qualify
Occupational therapists work in a wide range of settings — outpatient clinics, hospitals, home health, pediatric practices, and schools — and their HIPAA obligations shift based on how and where they practice. OTs in private practice or clinic settings have straightforward HIPAA BAA requirements similar to other healthcare providers. OTs in school-based settings face the added complexity of FERPA, a separate federal law that governs educational records and may apply instead of or alongside HIPAA.
Why Occupational Therapists Are HIPAA Covered Entities
Occupational therapists are healthcare providers under HIPAA when they transmit health information electronically in connection with a covered transaction. In practice, this means any OT who submits insurance claims electronically — to Medicare, Medicaid, or commercial insurers — is a covered entity subject to HIPAA's full requirements, including the BAA rule.
OT settings that are clearly HIPAA-covered include:
- Private outpatient OT clinics (solo or group)
- Hospital-based OT departments submitting claims
- Home health agencies with OT staff
- Skilled nursing facilities with OT services billing Medicare
- Pediatric therapy practices billing insurance for OT
- Telehealth OT practices
OTs who operate on a pure self-pay basis and never submit electronic transactions may technically fall outside the covered entity definition — but this is increasingly rare, and any practice using EHR software that transmits data should operate as if HIPAA applies.
What PHI Occupational Therapists Handle
OT practices handle PHI that includes:
- Evaluation reports and clinical assessments (fine motor, sensory processing, ADL function)
- Treatment plans and progress notes
- Patient demographic and insurance information
- Functional outcome measures and home exercise programs
- Referral and coordination of care correspondence
- Billing records including diagnosis and CPT codes
Vendors Occupational Therapists Typically Need BAAs With
OT Documentation Platforms and EHRs
WebPT, TheraOffice, Fusion Web Clinic, Clinicient, and SimplePractice are the most commonly used documentation platforms in occupational therapy. All offer HIPAA BAAs to paying subscribers. WebPT, originally built for physical therapy, has expanded to cover OT and other allied health disciplines and is widely used by multi-discipline outpatient clinics. Request the BAA before entering any patient data.
Billing Companies
OT practices that outsource billing to third-party medical billing companies must obtain BAAs from those vendors. Billing companies receive claim data containing patient diagnoses, functional limitations, CPT codes, and insurance information — all PHI. This requirement applies regardless of whether the billing company specializes in OT or handles multiple specialty types.
Telehealth Platforms
Telehealth OT has grown significantly, particularly for pediatric sensory and fine motor assessments and for adult ADL coaching. Any telehealth platform used for OT sessions that transmits identifiable patient information must sign a BAA. Consumer-grade video tools (standard Zoom, FaceTime, Google Meet) are not HIPAA-compliant for clinical use.
Home Health Agency Partners
OTs working for or contracting with home health agencies share PHI with those agencies. The direction of the BAA relationship depends on the structure: if the OT is a contractor to the agency, the agency typically executes a BAA with the OT as its business associate.
FERPA vs. HIPAA for School-Based OT
School-based OT services create a unique compliance intersection. FERPA (the Family Educational Rights and Privacy Act) protects educational records maintained by schools and educational agencies. When an OT is employed directly by a school district and creates therapy records as part of a student's Individualized Education Program (IEP), those records are typically education records under FERPA, and HIPAA generally does not apply under the HIPAA school exception at 45 CFR § 160.103.
However, when a school-based OT is an independent contractor who bills Medicaid directly for school-based services, the billing records may be subject to HIPAA. Additionally, if an OT maintains separate clinical records outside the educational record system, HIPAA may apply to those records even in a school setting. OTs practicing in both school and clinic settings should carefully determine which framework governs each category of records.
Common Vendor BAA Table for Occupational Therapists
| Vendor Type | Example Vendors | BAA Required? |
|---|---|---|
| OT EHR / documentation | WebPT, Fusion, TheraOffice, SimplePractice | Yes |
| Billing company | Outsourced OT billing firms | Yes |
| Clearinghouse | Availity, Office Ally, Change Healthcare | Yes |
| Telehealth platform | Doxy.me, Zoom for Healthcare | Yes |
| Home health agency partner | Home health agencies sharing PHI | Yes (BAA defines direction) |
| Cloud backup / IT support | Microsoft 365, Google Workspace Business | Yes |
| School district data sharing | School SIS / EHR data sharing | FERPA governs (not HIPAA) in most cases |
Common Compliance Gaps for OT Practices
Frequent BAA gaps in OT settings include: (1) using a consumer-grade video platform for telehealth sessions rather than a HIPAA-compliant tool; (2) working with a billing company for years without ever executing a BAA; (3) not understanding the FERPA/HIPAA boundary and either under-protecting school records or over-complicating educational record access; and (4) using a documentation platform's free tier, which often lacks the BAA provisions that are available only in paid plans.
For more information on how HIPAA applies to allied health providers, see our guide on BAA requirements for physical therapists and our post on how to check whether your vendor signs a BAA.
Frequently Asked Questions
Do occupational therapists need HIPAA BAAs?
Yes. OTs who transmit health information electronically in connection with covered transactions — including billing insurance — are HIPAA covered entities. They must sign BAAs with every vendor that creates, receives, maintains, or transmits PHI on their behalf. Practice size does not reduce this obligation.
What EHR platforms for OT sign BAAs?
WebPT, Fusion Web Clinic, TheraOffice, Clinicient, and SimplePractice all offer HIPAA BAAs. The BAA must be actively requested — it is not automatically part of a software subscription. Contact each vendor's compliance or customer success team to initiate the agreement before entering patient data.
Does school-based occupational therapy require HIPAA BAAs?
It depends. When an OT is a school district employee and therapy records are part of the student's educational record under an IEP, FERPA applies and HIPAA generally does not. When an OT bills Medicaid independently for school-based services, HIPAA may apply to those billing records. OTs in both settings should evaluate each record category separately to determine which law governs.
What is the difference between FERPA and HIPAA for school-based OT?
FERPA protects education records maintained by schools; HIPAA protects health records maintained by healthcare covered entities. For school-based OT, records maintained as part of a student's IEP by the school are education records under FERPA, so HIPAA's school exception generally applies and HIPAA does not govern them. Records created by an OT operating independently as a healthcare provider billing Medicaid may be HIPAA-covered. When FERPA applies, the governing privacy regime is FERPA, not HIPAA.