HIPAA violations aren't abstract concerns—they result in real fines, real investigations, and real damage to practices. Understanding what violations look like helps you avoid them.
This guide covers actual violation examples, penalty ranges, and the common mistakes that put therapists at risk.
HIPAA Penalty Structure
Civil Penalties
| Tier | Violation Type | Penalty Per Violation | Annual Cap (per identical provision) |
|---|---|---|---|
| 1 | Unknowing | $100 - $50,000 | $1.5 million |
| 2 | Reasonable cause | $1,000 - $50,000 | $1.5 million |
| 3 | Willful neglect (corrected within 30 days) | $10,000 - $50,000 | $1.5 million |
| 4 | Willful neglect (not corrected) | $50,000+ | $1.5 million |
These are the statutory HITECH Act figures. HHS adjusts the dollar amounts for inflation each year, and since 2019 it has applied lower annual caps to tiers 1 through 3 under a notice of enforcement discretion, so the amounts actually assessed differ from this table.
Criminal Penalties
| Offense | Fine | Imprisonment |
|---|---|---|
| Knowing disclosure | Up to $50,000 | Up to 1 year |
| False pretenses | Up to $100,000 | Up to 5 years |
| Intent to sell or harm | Up to $250,000 | Up to 10 years |
Beyond Federal Penalties
- State attorney general actions
- Licensing board complaints
- Malpractice liability
- Reputational damage
- Loss of insurance panel participation
Common Violation Categories
1. Impermissible Disclosures
Sharing PHI without authorization or permitted exception.
Examples:
- Telling a client's employer about their treatment
- Discussing a client by name in a consultation group without consent
- Sharing client information with family without authorization
- Posting about clients on social media (even without names)
2. Lack of Safeguards
Failing to protect PHI appropriately.
Examples:
- Unencrypted laptop with client data stolen
- Paper records left in unsecured location
- EHR accessed without password protection
- Records disposed of in regular trash
3. Failure to Have BAAs
Using vendors without Business Associate Agreements.
Examples:
- Telehealth via standard Zoom without healthcare plan
- Storing records in personal Dropbox without BAA
- Using answering service without BAA
- Email via standard Gmail with PHI
4. Denial of Patient Access
Not providing records when clients request them.
Examples:
- Refusing to provide copies of records
- Excessive delays (beyond 30 days)
- Unreasonable fees for record copies
- Requiring client to explain why they want records
5. No Risk Assessment
Failing to conduct and document security risk assessment.
Examples:
- Never formally evaluated security risks
- No documentation of risk analysis
- No plan to address identified risks
Real Violation Scenarios for Therapists
Scenario 1: The Unencrypted Laptop
What happened: Therapist's laptop with client records was stolen from their car. Laptop wasn't encrypted.
HIPAA issues:
- Lack of encryption (Security Rule)
- Breach of 500+ client records
- No device security policy
Consequences:
- Required to notify all affected clients
- Report to HHS
- OCR investigation
- Corrective action plan
- Potential fines
Prevention: Turn on full-disk encryption on every device that touches PHI, and keep evidence that it was enabled (and that the key or password was not stored with the device). A lost or stolen device whose PHI was encrypted to the standard in HHS guidance is not a breach of unsecured PHI, so the notification obligations above do not apply. Never leave devices with PHI in vehicles.
Scenario 2: Telehealth Platform Without BAA
What happened: Therapist used standard Skype for video sessions for two years, believing it was "secure enough."
HIPAA issues:
- Using non-compliant platform
- No BAA with Microsoft for Skype
- Impermissible transmission of PHI
Consequences:
- Violation discovered during routine compliance check
- Required corrective action
- Transition to compliant platform
- Documentation of violation
Prevention: Only use platforms that provide BAAs. Verify before using.
Scenario 3: The Social Media Post
What happened: Therapist posted on professional Facebook page: "Had an incredibly difficult session today with a client who's been through terrible childhood trauma. This work is hard but rewarding."
HIPAA issues:
- Even without a name, the post can identify a client to anyone who knows the timing or context
- Clients may recognize themselves
- Impermissible disclosure
Consequences:
- Client complaint to OCR
- Investigation
- Licensing board complaint
- Required to remove post and implement social media policy
Prevention: Never post anything about clients, even vaguely. Assume clients will see it.
Scenario 4: Email Breach
What happened: Therapist sent detailed session summary to wrong email address (typo in address).
HIPAA issues:
- Impermissible disclosure
- Breach of individual's PHI
- No email encryption
Consequences:
- Required to notify affected client
- Contact the recipient and try to get confirmation that the message was deleted unread; this feeds the breach risk assessment that decides whether notification is required
- Document incident
- Implement safeguards (email encryption, address verification)
Prevention: Use encrypted email for PHI. Verify addresses before sending. Consider secure portals instead.
Scenario 5: Improper Records Disposal
What happened: Therapist closed practice and put boxes of old client files in dumpster behind office building.
HIPAA issues:
- Improper disposal of PHI
- Records accessible to anyone
- Multiple clients' PHI exposed
Consequences:
- Files discovered by building staff
- Complaint filed
- OCR investigation
- Significant fines
- Required to retrieve and properly destroy records
Prevention: Shred paper records or use certified destruction service. Get certificate of destruction.
Scenario 6: No HIPAA Training Documentation
What happened: Small group practice had no formal HIPAA training program. Staff received informal guidance but nothing was documented.
HIPAA issues:
- Required training not documented
- No evidence of compliance efforts
- Missing documentation makes a willful-neglect finding (tiers 3 and 4) easier to support
Consequences:
- Discovered during audit following unrelated complaint
- Required to implement formal training program
- Document all training going forward
- Corrective action plan
Prevention: Document all HIPAA training, even for solo practitioners training themselves.
Scenario 7: Improper Disposal of Records
What happened: A therapist closes their practice and puts client files in the regular trash behind their office building. A passerby finds files containing names, diagnoses, and session notes scattered in the alley after garbage collection.
HIPAA issues:
- PHI must be rendered unreadable and indecipherable before disposal
- Paper records require shredding or incineration
- Electronic records require secure wiping or physical destruction of storage media
Prevention: Use a HIPAA-compliant shredding service, maintain a shredding log, and establish a formal records destruction policy.
Scenario 8: Social Media Disclosures
What happened: A therapist posts on LinkedIn: "Had a breakthrough session today with a client struggling with their divorce. So rewarding when the lightbulb goes on!" A colleague recognizes the client from context clues—the therapist had mentioned seeing a mutual acquaintance.
HIPAA issues:
- Even without names, combining details (timing, presenting issue, location) can make individuals identifiable
- This is an impermissible disclosure
Prevention: Never post about specific sessions, even vaguely. If sharing clinical insights, use composites or clearly hypothetical examples with no temporal connection to real sessions.
Scenario 9: Talking in Public Spaces
What happened: Two therapists share an office suite and discuss a client's case in the hallway while waiting for coffee. Another client in the waiting room overhears the client's name and details about their custody dispute.
HIPAA issues:
- PHI disclosed in a manner where unauthorized individuals can overhear constitutes an impermissible disclosure
- The Privacy Rule tolerates incidental disclosures only when reasonable safeguards and the minimum-necessary standard were applied; a conversation with names and case details within earshot of the waiting room meets neither
Prevention: Conduct all client discussions in private spaces with doors closed. Use white noise machines in waiting areas. Implement the "minimum necessary" standard—only discuss what's essential.
Scenario 10: Snooping in Records
What happened: A therapist's office manager, curious about a celebrity client they recognize in the waiting room, accesses the client's file to read their diagnosis and session notes despite having no work-related reason to do so.
HIPAA issues:
- Access to PHI must be limited to the minimum necessary for job functions
- Viewing records without a legitimate work purpose is a violation, even by workforce members with technical access
Prevention: Implement role-based access controls, audit log reviews, and clear workforce policies. Train staff that curiosity does not justify access.
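The audit log review recommended above (and the periodic self-audit later on this page) is only useful if someone actually runs rules over the access records. The script below is an added example, not code from the original article or from any EHR vendor: it reads a constructed CSV audit export (hypothetical field names: timestamp, user, role, client_id, action, reason), compares each access against a constructed care-team roster and role-permission table, and flags three things: access to a client's record by a workforce member with no treatment relationship and no recorded break-the-glass reason, an action outside what the user's role permits, and access outside business hours. The roster, role table and sample log lines are all made up for illustration; the waiting-room snooping scenario above appears as the last log line.

```python
"""Review an EHR access audit log for record snooping.

Added example, not from the original article or any EHR product. The log
layout, field names, care-team roster and role-permission table are all
constructed for illustration; a real audit export has its own schema.
Rules applied to every log entry:
  1. no-treatment-relationship: user is not on the client's care team and
     recorded no break-the-glass reason (minimum-necessary standard);
  2. role-not-permitted: the action is outside the user's role, regardless
     of any reason given (role-based access control);
  3. after-hours: access outside configured business hours.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed roster: who has a work-related reason to open each record.
CARE_TEAM = {
    "C-1001": {"dr.lee", "dr.patel"},
    "C-1002": {"dr.lee"},
    "C-1003": {"dr.patel", "billing.ana"},  # billing staff assigned to this account
}

# Constructed role-permission table (hypothetical action names).
ROLE_PERMITS = {
    "clinician": {"view_note", "view_diagnosis", "view_billing"},
    "billing": {"view_billing"},
    "admin": {"view_schedule"},
}

BUSINESS_HOURS = (7, 20)  # 07:00 to 20:00 local time

# Constructed sample audit export. The last line is the snooping case: billing
# staff reading a clinical note on an unassigned client at 02:14, no reason given.
SAMPLE_LOG = """\
timestamp,user,role,client_id,action,reason
2024-03-04T09:02:11,dr.lee,clinician,C-1001,view_note,
2024-03-04T09:15:40,billing.ana,billing,C-1003,view_billing,
2024-03-04T10:47:03,front.desk,admin,C-1002,view_note,
2024-03-04T10:48:19,front.desk,admin,C-1002,view_diagnosis,
2024-03-04T11:05:00,dr.patel,clinician,C-1002,view_note,covering for dr.lee (out sick)
2024-03-04T13:30:22,dr.patel,clinician,C-1003,view_note,
2024-03-05T02:14:55,billing.ana,billing,C-1001,view_note,
"""


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    user: str
    client_id: str
    action: str
    rule: str


def parse_log(text):
    """Parse the CSV export into dicts, converting the timestamp to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access_log(text, care_team=CARE_TEAM, role_permits=ROLE_PERMITS,
                      hours=BUSINESS_HOURS):
    """Return one Finding per rule violated by each log entry."""
    findings = []
    for row in parse_log(text):
        ts, user, client, action = (row["timestamp"], row["user"],
                                    row["client_id"], row["action"])
        on_team = user in care_team.get(client, set())
        documented = bool(row["reason"].strip())
        # A recorded break-the-glass reason defers a missing relationship to
        # human review instead of flagging it automatically.
        if not on_team and not documented:
            findings.append(Finding(ts, user, client, action, "no-treatment-relationship"))
        # Role limits are not excused by a free-text reason: billing staff
        # never need clinical notes, so a reason there would only be a pretext.
        if action not in role_permits.get(row["role"], set()):
            findings.append(Finding(ts, user, client, action, "role-not-permitted"))
        if not (hours[0] <= ts.hour < hours[1]):
            findings.append(Finding(ts, user, client, action, "after-hours"))
    return findings


def findings_by_rule(findings):
    """Count findings per rule, for a weekly summary line in the audit record."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.user:<12} {f.client_id} {f.action:<15} {f.rule}")
    print(findings_by_rule(results))
```

On the constructed sample this produces seven findings: the front-desk user's two reads of C-1002 each trigger both the relationship and the role rule, the covering clinician's access to C-1002 is excused by the recorded reason, and the 02:14 read of C-1001 by billing staff trips all three rules. Keep the printed output (or a saved summary) with your compliance records; a review that happened but left no trace is the "not documented" problem described elsewhere on this page.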
Scenario 11: Failure to Provide Access to Records
What happened: A client requests a copy of their treatment records. The therapist, concerned the client will misinterpret clinical notes, refuses to provide them and ignores follow-up requests for three months.
HIPAA issues:
- HIPAA's Privacy Rule gives individuals the right to access their PHI
- Covered entities must respond within 30 days (with one 30-day extension if needed)
- Outright denial without valid legal basis violates access rights
Prevention: Establish a records request policy. Respond within required timeframes. If you have concerns, offer to review records together with the client rather than denying access.
Scenario 12: Insecure Telehealth Platforms
What happened: During the pandemic, a therapist quickly sets up video sessions using a standard Zoom account (not Zoom for Healthcare). Session recordings are automatically saved to an unsecured cloud folder.
HIPAA issues:
- Telehealth platforms used for sessions containing PHI must be HIPAA-compliant with a signed BAA
- Standard consumer video apps lack required security features and don't offer BAAs
Prevention: Use only telehealth platforms that will sign a BAA. Disable automatic recording, and if sessions must be recorded, store recordings only in a location covered by a BAA with access controls. Note that OCR's COVID-era enforcement discretion for good-faith use of non-public-facing video apps ended in 2023, and it never covered leaving recordings unprotected.
Recent Enforcement Trends
Increased Focus Areas
HHS Office for Civil Rights has emphasized:
- Right of Access: Multiple settlements for failing to provide records to patients
- Risk Analysis: Penalties for no documented risk assessment
- Business Associates: Increased scrutiny of vendor relationships
- Telehealth Compliance: Post-pandemic focus on telehealth security
Small Provider Enforcement
While large healthcare organizations receive the biggest fines, small providers—including therapists—face enforcement:
- OCR reviews every complaint it receives and investigates those within its jurisdiction
- Small practices subject to same rules as large organizations
- Lack of resources isn't a defense
- "I didn't know" isn't a defense
How Violations Get Discovered
Client Complaints
Most common trigger. Clients may complain about:
- Unauthorized disclosures
- Inability to access records
- Concerns about security
Breach Reports
When breaches occur:
- Every breach of unsecured PHI must be reported to HHS: within 60 days of discovery for 500 or more individuals, and in an annual log submitted within 60 days after the end of the calendar year for smaller breaches
- HHS investigates reported breaches
- May uncover other compliance issues
Audits
Random or targeted audits examining:
- Policies and procedures
- BAAs
- Risk assessments
- Training documentation
- Security measures
Other Investigations
- Licensing board investigations
- Malpractice claims
- Whistleblower reports
Responding to a Violation
If You Discover a Violation
- Contain immediately — Stop the violation
- Document — Record what happened, when, how
- Assess — Who was affected? What information?
- Notify if required — Breach notification rules may apply
- Correct — Implement measures to prevent recurrence
- Document correction — Show you've addressed the issue
If You Receive an OCR Complaint
- Don't panic — Many complaints don't result in penalties
- Respond promptly — Meet all deadlines
- Be honest — Don't hide or destroy evidence
- Document compliance efforts — Show what you've done
- Consider legal counsel — For serious complaints
- Cooperate — Resistance increases scrutiny
Protecting Yourself
Documentation Is Key
If it's not documented, it didn't happen:
- Document training (even self-training)
- Keep BAAs on file
- Record risk assessments
- Maintain security policies
- Document incident responses
Regular Compliance Checks
Periodic self-audit:
- Review all vendors for BAAs
- Check security measures
- Update policies as needed
- Refresh training
Insurance
Consider:
- Cyber liability insurance
- Professional liability with HIPAA coverage
- Understand what's covered
Frequently Asked Questions
- What is the penalty for a HIPAA violation?
- Under the statutory schedule, civil penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for violations of the same provision; HHS adjusts these amounts for inflation and has applied lower caps for the less culpable tiers since 2019. Penalties depend on the level of culpability: unknowing violations receive lower penalties, while willful neglect with no correction attempts receives the maximum. Criminal penalties including imprisonment apply for knowing violations.
- Do I have to report a HIPAA violation?
- Breaches of unsecured PHI affecting 500 or more individuals must be reported to HHS within 60 days of discovery, and media notification is required when 500 or more residents of one state or jurisdiction are affected. Breaches affecting fewer than 500 individuals must be logged and reported to HHS within 60 days after the end of the calendar year. All affected individuals must be notified without unreasonable delay and within 60 days. Notification is not required if the PHI was encrypted to the standard in HHS guidance (it is then not "unsecured" PHI) or if a documented four-factor risk assessment shows a low probability that the PHI was compromised.
- Can I get in trouble for an accidental HIPAA violation?
- Yes, though penalties are lower for violations despite reasonable care. Accidental violations still require breach analysis, potential notification, and corrective action. Documentation that you had policies in place and acted in good faith significantly reduces penalties. The key is demonstrating you took reasonable precautions.
- What should I do if I discover a HIPAA violation?
- Immediately contain the breach, document what occurred, conduct a risk assessment, determine notification requirements, and implement corrective actions. Acting quickly and transparently significantly reduces penalties and reputational damage.
- Are there HIPAA violations that don't require reporting?
- Yes. Three exceptions exist: (1) unintentional acquisition, access, or use by a workforce member acting in good faith within the scope of their authority, (2) inadvertent disclosure between persons authorized to access PHI at the same covered entity or business associate, and (3) a good-faith belief that the unauthorized recipient could not reasonably have retained the information. Additionally, if PHI was encrypted per HHS guidance, its loss is not a reportable breach.
HIPAA violations are preventable. The most common issues—lack of BAAs, inadequate safeguards, poor training documentation—are addressable. Invest in compliance now rather than penalties later. Document everything. When in doubt, protect PHI.