Occupational therapists fall under the covered entity designation for HIPAA when they render services with their clients. As advances in technology continue and occupational therapy moves into the virtual space, it is important to be compliant with the latest laws, such as HIPAA.
Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103).
As an occupational therapist student, sole proprieter practicing under your name, DBA/FBN, LLC, or other company either in private practice, consulting, education, or another purpose — it’s likely that you need to adhere to HIPAA standards.
By the way, if you are regularly using Zoom for “business-related” purposes, I would consider subscribing instead of using the personal plan (free) as I am not sure if this would violate their ToS. A zoom subscription is relatively affordable if you use it regularly and is likely able to be written off as a business expense for tax purposes.
You may need to obtain an NPI number as well.
Disclaimer: Now I am by no means an expert on this topic and if you are unsure, you should consult with an attorney or consultant who is familiar with HIPAA in the particular state that you practice in.
The process of becoming HIPAA compliant on Zoom is fairly straightforward.
- Subscribe to a healthcare provider plan (choose from dropdown instead of general plan) on zoom (any plan besides personal) has this offering. As prices with any business will change with time, I won’t quote specific pricing, but Zoom is competitive and their healthcare option is not going to be much more expensive than a non-healthcare subscription.
- Read the Business Associate & HIPAA agreement.
- Agree to the Business Associate & HIPAA agreement.
- Comply with the most up-to-date HIPAA and state law where you practice when using Zoom with clients and discussing and/or transmitting protected health information.
Follow best-practice for digital security, privacy, and HIPAA-related matters including locking your workstations, not sharing your computer or Zoom password, not sharing protected health chats, transcripts, files, or Zoom recordings without consent, and so on.
Always obtain consent before recording or using client’s faces for branding/marketing, education, or even just saving to your computer or to the cloud. I have not played around with Zoom too much but they also offer a Cloud saving option and it would be interesting to see how this is seen in the eyes of HIPAA — but that’s a topic for another day.
Hope this helps!