
Disclaimer: Law, rules and regulations, not Guidelines, specify the requirements for practice and violating them constitutes professional misconduct. Not adhering to this Guideline may be interpreted as professional misconduct only if the conduct also violates pertinent law, rules and regulations.


The federal Health Insurance Portability and Accountability Act, HIPAA, went into effect April 14, 2003. HIPAA establishes rules concerning the release, transfer, access or divulging of an individual's protected health information (PHI) among health plans, health care clearing houses or health-care providers (covered entity). HIPAA is designed to protect the confidentiality of information related to the patient's past, present or future physical or mental health and treatment.

PHI includes all individually identifiable health information, whether transmitted by electronic media, maintained in any electronic media, or maintained or communicated in any other form or medium, oral, written or recorded, that identifies the individual. PHI also includes health information where there is a reasonable basis to believe that the information could be used to identify the individual. When deciding what information may be legally provided to another person or organization, HIPAA states that such information must be limited to that which is reasonably necessary to accomplish the purpose for which the request is made. An authorization form signed by the patient (or guardian) authorizes the disclosure of protected health information, and it may be revoked at any time.

To be in compliance with HIPAA, OT professionals need to:

  • Maintain patient confidentiality (See Confidentiality).
  • Obtain a written release from the patient or guardian following disclosure of HIPAA guidelines. (Rules for services provided in schools are different and are covered by FERPA; see below.)
  • Follow HIPAA rules when transmitting patient information.

To obtain further information, see the HIPAA Web site.

FERPA (Family Educational Rights and Privacy Act)

According to FERPA, within a school setting, personal information about a child may not be released without the parent's consent unless it is:

  • given to school officials or teachers with a legitimate educational interest, State and local educational authorities, or certain individuals designated under Federal Law
  • used to meet a requirement under Federal Law

Personal information includes:

  • the name of the child, the name of the parent(s), and the names of other family members
  • the home address of the child
  • the child's social security number
  • the child's date of birth
  • a description that would make it possible to identify the child

To obtain further information, see the FERPA Web site.