Common HIPAA violations

HIPAA violations can lead to serious consequences for both therapists and clients. Maintaining client confidentiality is essential for therapists. A HIPAA violation occurs whenever a client’s Protected Health Information (PHI) is used, disclosed, or handled in a way that breaches HIPAA regulations, whether or not the breach was intentional.
Summary
- HIPAA violations can have serious legal, financial, and reputational consequences for therapists, including fines, lawsuits, and loss of client trust.
- Common HIPAA violations include improper disclosure of PHI, insecure communication, unauthorized access to records, improper disposal of documents, and social media missteps.
- Preventing HIPAA breaches requires proactive steps like staff training, using encrypted communication tools, and implementing clear privacy policies and breach response plans. Using a HIPAA compliant EHR like TheraPlatform can help you stay compliant.
- Therapists must stay vigilant and regularly update their compliance measures to protect client confidentiality and support the long-term success of their practice.
The purpose of the Health Insurance Portability and Accountability Act (HIPAA) is to safeguard clients’ Protected Health Information. PHI includes any information that can be used to identify an individual and relates to healthcare services received, payment for services, or health status.
For therapists, maintaining confidentiality not only protects client trust but it is also critical for avoiding legal and financial penalties.
Here are some common HIPAA violation examples therapists should be aware of and their potential consequences. We’ll also explore helpful tips for avoiding HIPAA violations.
Common HIPAA violation examples
HIPAA violations can occur in several ways, and they often happen unintentionally. Here are some common HIPAA violation examples for therapists to be aware of:
Improper disclosure
This includes discussing a client’s PHI in public areas where others can overhear, such as waiting rooms or elevators. Sharing PHI with unauthorized individuals, including family or friends, is also considered a HIPAA violation.
Insecure communication
PHI must not be sent via unencrypted email or unsecured text messaging, as this poses a significant risk of the information being intercepted in transit. Therapists must use secure, HIPAA-compliant messaging and email platforms.
Unauthorized access
Therapists must not view client records without a legitimate clinical need. This includes accessing records out of curiosity or looking at the information of clients you are not treating. Therapists may only access PHI when they have a clear clinical purpose for doing so.
Improper disposal
Disposing of paper documents with PHI in regular trash instead of shredding is a HIPAA violation. Therapists must store paper documents containing any identifying client information in a secure, locked location. When the documents are no longer needed, they must be shredded.
To prevent unauthorized access to electronic data, information that is no longer needed should be securely deleted rather than simply moved to the trash, since ordinary deletion can leave the data recoverable.
Lost or stolen devices
Misplacing laptops, phones, or USB drives containing unencrypted PHI can lead to a data breach. It is essential for therapists to use strong passwords and devices that offer full-device encryption, so that a lost device does not expose the PHI stored on it.
Some devices offer the ability to wipe data remotely if needed. This offers extra protection to ensure that sensitive client information on a lost or stolen device is not inadvertently released to unauthorized individuals.
Social media missteps
Posting about clients or sharing identifiable information on social media without consent can be a HIPAA violation. Even if a client’s name is not used, providing anecdotal information may be enough to identify an individual.
Failure to obtain consent
Therapists must obtain explicit signed consent before using or disclosing PHI for non-treatment purposes such as marketing or research.
Therapy practices should develop standardized, detailed forms that clients or legal guardians can sign to provide clear consent. The form should state what information may be shared (e.g., photographs) and for what purposes.
Therapists should also require clients or caregivers to provide written consent before the therapist communicates with other individuals regarding the client’s care. This includes designated family members and professionals outside of the therapy practice, such as teachers.
Data breaches
Cyberattacks succeed more easily when proper data security measures are lacking. Unencrypted data, weak passwords, and outdated, unpatched software are common vulnerabilities that attackers exploit.
When conducting teletherapy sessions, a HIPAA-compliant video conferencing platform should be used to ensure privacy protection.
Consequences of HIPAA Violations
Fines and penalties
HIPAA violations can result in significant fines. Financial penalties range from $100 to $50,000 per violation. The amount depends on factors such as the severity of the breach and whether it resulted from willful neglect.
Reputational damage
When a HIPAA violation occurs, the therapist’s professional credibility can be severely damaged. It can also cause a loss of client trust, and make it difficult to attract new clients.
Legal action
Affected clients may file lawsuits against therapists responsible for a HIPAA violation. They can seek damages for harms such as financial losses or emotional distress.
Preventing HIPAA violations
Therapists can avoid harsh consequences by following actionable steps to prevent HIPAA violations.
- Staff training: Regular education on HIPAA compliance and confidentiality practices is essential. Training should cover topics such as data security measures and procedures for reporting breaches.
- Secure systems: Using encrypted communication tools and secure storage solutions can help prevent a data breach. Therapists should use secure messaging, encrypted platforms for teletherapy services, and password-protected EHR systems.
- Policies and procedures: Implement clear guidelines for handling PHI and reporting breaches. Develop a plan to address any potential data breaches. This can include notifying the Department of Health and Human Services (HHS) as well as the affected clients.
Maintaining HIPAA compliance is both a legal requirement and a fundamental ethical responsibility for therapists. Avoiding HIPAA violations safeguards clients’ privacy and protects the therapeutic relationship, which in turn supports the success and longevity of the therapist’s practice.
Therapists should practice ongoing vigilance to ensure compliance with HIPAA regulations. Providing staff training and implementing robust security measures helps maintain confidentiality of clients’ Protected Health Information (PHI). Therapists should regularly review and update compliance measures to prevent data breaches that may have significant legal, professional, and financial implications.