Operator-honest answers from a working SEO/AI shop in Encinitas to the questions occupational therapists in Del Mar actually ask: when you have to be HIPAA compliant, what to fix this week, what it costs, and which mistakes the OCR fines the fastest. California Board of Occupational Therapy (CBOT) aligned. NCSD-local. No fluff, no scare tactics, no $5K "compliance package" upsell.
Short answer: yes, in 2026, almost certainly. If you bill insurance electronically, use any EHR, email or text clients, or use telehealth, you're a HIPAA Covered Entity. Cash-only paper-only practices in Del Mar are increasingly rare — most NCSD practices are inside HIPAA scope.
Occupational-therapy-specific risk: Pediatric OT private practices in NCSD frequently navigate HIPAA + FERPA in parallel (school-contracted IDEA services trigger FERPA · private-pay services trigger HIPAA). Sensory profile assessments, fine-motor video recordings, and ADL documentation are all PHI. Parent-facing video of pediatric sessions sent via personal email is the most common quiet OT-specific violation.
OT-specific HIPAA EHRs with BAAs: Fusion Web Clinic, ClinicSource, WebPT (multi-discipline), TheraPlatform, TherapyAppointment. For sensory-assessment tools: Sensory Profile 2 (Pearson · signs BAAs), Brown Goodman SFA. For pediatric video documentation with BAA: SimplePractice video, Fusion video.
What most solo and 2-3 clinician occupational therapy practices in Del Mar actually run:
| Layer | Vendor (one of) | Cost / mo | BAA included? |
|---|---|---|---|
| EHR + Notes + Billing | See vendor cheatsheet | $49-$99 | Yes (auto on paid plans) |
| HIPAA Email | Paubox · Hushmail · Google Workspace + BAA | $10-$25 | Yes (Google = active BAA sign) |
| Telehealth (if used) | EHR-integrated · Doxy.me · Zoom for Healthcare | $0-$25 | Yes · NOT consumer Zoom |
| Texting | Spruce · OhMD · EHR portal | $15-$30 | Yes |
| Total · solo Del Mar practice | — | $80-$150/mo | — |
1. Fix email and video (30 min). Upgrade to Google Workspace + BAA, Paubox, or Hushmail. Zoom: switch to Zoom for Healthcare or use EHR telehealth.
2. Collect signed BAAs (45 min). EHR · email · telehealth · scheduling · billing · cloud backup. No BAA = vendor cannot legally hold PHI.
3. Notice of Privacy Practices (20 min). Most EHRs auto-include. HHS free template at hhs.gov/hipaa.
4. Turn on MFA (20 min). EHR · email · cloud · password manager. Authenticator app preferred over SMS.
5. Encrypt every device (10 min). Mac FileVault · iPhone 6+ digit passcode · BitLocker on Windows. OCR safe harbor.
6. Security Risk Assessment (45 min). Free HHS SRA tool · re-do annually. Solo practice = one page is defensible.
| Pattern | Fine range | Avoid |
|---|---|---|
| Texting from personal phone | $25K-$100K | Spruce · OhMD · EHR portal |
| PHI from non-Workspace Gmail | $50K-$250K | Workspace + BAA · Paubox · Hushmail |
| Consumer Zoom for telehealth | $50K-$150K | Zoom for Healthcare · Doxy.me · EHR telehealth |
| No Notice of Privacy Practices | $10K-$50K | HHS template · EHR intake |
| Lost unencrypted laptop with PHI | $50K-$300K | FileVault · BitLocker · 10 min one-time |
| Category | Vendor | BAA process |
|---|---|---|
| Email | Google Workspace | Self-serve admin console · MUST sign actively |
| Email | Paubox | Auto · encrypts outbound |
| Email | Hushmail Healthcare | Auto · cheap solo tier |
| Telehealth | Doxy.me | Auto · free tier available |
| Telehealth | Zoom for Healthcare | Active BAA setup · consumer Zoom NOT compliant |
| Texting | Spruce | Auto · HIPAA 2-way SMS |
| Cloud | Google Workspace Drive | Auto if Workspace BAA · personal Drive NOT |
Del Mar is a small, affluent coastal community with a dense cluster of wellness, mental-health, integrative-medicine, and aesthetic practices serving the Del Mar / Carmel Valley / Solana Beach corridor. Practices are mostly solo or boutique 2-3 clinician operations in mixed-use village buildings — the same coastal shared-building physical-safeguard considerations as Cardiff and Solana Beach apply.
Del Mar neighborhoods we serve practices in: Del Mar Village · Carmel Valley-adjacent · Del Mar Heights · The Beach Colony · Powerhouse Park · ZIP 92014
Most Del Mar occupational therapy private practices fall under the same HIPAA + CMIA + California Board of Occupational Therapy (CBOT) stack. The Del Mar-local layer is mostly about physical safeguards — waiting-room privacy in mixed-use coastal buildings, shared HVAC/utilities with neighbor businesses, and coordinating BAA-eligible vendors who actually pick up the phone when you call from a 760-area-code line.
SideGuy operates out of Encinitas (next door) — we can do Del Mar-onsite compliance walkthroughs if needed, though 95% of practitioner-side HIPAA work is async/document-based and gets done faster over email + Zoom than in-person.
SideGuy is a one-operator AI + SEO + compliance shop in Encinitas, CA — next door to Del Mar.
| Tier | Price | What |
|---|---|---|
| SideGuy Hour | $150 | 1 hour async · walk your stack · one-page fix-list |
| Operator Audit | $250 | 3-5 day audit · written PDF · 30-min walkthrough |
| Practice Compliance Sprint | $2,000 | 10 days · audit + cleanup + drafts + migrations + annual SRA |
Yes if you bill insurance (Medi-Cal, commercial, IRWE/Vocational Rehab), use any EHR, share session videos with parents or patients, store evaluations digitally, or offer telehealth OT. Pediatric OTs working with school-aged children may also navigate FERPA in parallel for IDEA services · the rule of thumb is: services billed through insurance trigger HIPAA; school-contracted services under IDEA trigger FERPA.
Your Del Mar private practice operates under HIPAA + California CMIA + California Board of Occupational Therapy (CBOT).
~$80-150/month total · EHR + email + signed BAAs · telehealth tier if used.
Yes. Free HHS template · most EHRs auto-generate · every new client signs receipt.
Yes — OCR enforces HIPAA federally against solo and small practices, not just hospitals. HHS OCR Breach Reports portal shows public enforcement.
Not legal advice. Operator-grade reference by working SEO/AI operators in Encinitas, CA · next door to Del Mar. Not attorneys. HHS OCR is the federal HIPAA authority. California enforces CMIA + California Board of Occupational Therapy (CBOT) state-board rules.