
HIPAA Violation Examples Every Behavioral Health Practice Should Know

UPDATED ON: Feb 18,2026

Most HIPAA violation examples in behavioral health don’t start with a data breach. They start with a hallway conversation about a client, a therapist texting a colleague about a case, or a front-desk staffer who forgot to hand out a privacy notice at intake.

The Office for Civil Rights (OCR) closed 2025 with 21 enforcement actions, the second-highest year on record.1 And with new HIPAA rule changes taking effect February 16, 2026, the compliance bar just got higher.2

You don’t need a massive data breach to draw OCR’s attention. A missed records request will do it. Here’s what that actually looks like, and how to protect yourself.

What Is an Example of a HIPAA Violation? Real Cases from Behavioral Health

A counselor in Pittsburgh didn’t think refusing a parent’s request for their kid’s health records counted as a HIPAA violation. OCR disagreed. That cost David Mente $15,000.3

He’s not alone. Here are more HIPAA violation examples from behavioral health practices that ended up on OCR’s radar:

Green Ridge Behavioral Health paid $40,000 after OCR found it had failed to conduct a risk analysis, had no policies for reviewing information system activity, and had impermissibly disclosed the protected health information (PHI) of more than 14,000 patients.3 The trigger was a ransomware attack, but what OCR penalized were the basic compliance gaps that preceded it: nobody had assessed the risks, and nobody was reviewing system activity that could have caught the intrusion.

Beth Israel Lahey Health Behavioral Services, the largest behavioral health provider in eastern Massachusetts, settled for $70,000 after taking 8 months to provide a patient’s father with requested medical records.3 HIPAA’s Right of Access rule requires a response within 30 days, with at most one 30-day extension, and only if you tell the requester in writing why you need it.

Deer Oaks, The Behavioral Health Solution drew OCR’s attention in July 2025 for failing to conduct an accurate risk analysis.1 Risk analysis is the single most-cited failure in enforcement actions.

In another case, a mental health center disclosed records to an auto insurer with valid authorization, then denied the patient access to her own records. The clinic’s therapists believed releasing them would cause harm, but they never offered the required review process.3

These aren’t edge cases. They’re documentation gaps, records request delays, and missing procedures: the kind of stuff that slips through when you’re busy seeing clients.

The 10 Most Common HIPAA Violations in Mental Health Practices

Those cases above all trace back to the same handful of mistakes. Here are the 10 most common HIPAA violations in behavioral health, and most aren’t about technology.

1. Skipping the risk analysis. The #1 cited violation in OCR enforcement actions.4 Many practices skip it entirely or run a partial assessment that doesn’t cover their full environment.

2. Improper PHI disclosure. Discussing a client’s case in the break room. Responding to a Google review with details that identify a patient. Sharing information with a concerned family member who is not involved in the client’s care, without the client’s agreement or written authorization.

3. Non-compliant telehealth platforms. Using Zoom’s free tier, FaceTime, or a consumer Google Meet account for therapy sessions, none of which comes with a Business Associate Agreement (BAA). Telehealth exploded during the pandemic under OCR’s temporary enforcement discretion for consumer video tools, but that discretion expired in 2023 and many practices never locked down compliance afterward.

4. Denying patients access to their records. Refusing to release records because of an unpaid balance, or because a therapist believes disclosure could cause harm without offering the required review process. OCR’s Right of Access initiative specifically targets this.3

5. Missing Business Associate Agreements. Your cloud storage, billing clearinghouse, payment processor, or messaging tool touches PHI? You need a signed BAA.

6. Unencrypted communications. Emailing clinical notes without encryption. Sending session details or diagnoses over standard SMS. One caveat a practitioner should know: HIPAA does not flatly ban unencrypted channels. A client who has been warned of the risk may still ask for plain email or text, but document that request and keep the content to the minimum necessary (an appointment time, not a diagnosis). Starting in 2026, unencrypted channels with no documented reason behind them get even harder to defend.2

7. Weak access controls. Shared login credentials, no audit trail, a front-desk staffer who can see clinical notes they don’t need. Shared logins also destroy the audit trail: when three people use one account, you cannot say who opened a record. Multi-disciplinary teams make this especially tricky.

8. Improper records disposal. Unshredded paper records in the recycling bin. An old laptop donated without wiping the hard drive.

9. Missing Notice of Privacy Practices. One mental health center had to correct its intake process after failing to provide a privacy notice before a minor’s evaluation.3 Easy to overlook, easy to fix.

10. Psychotherapy note mishandling. These notes require separate authorization for disclosure, even for treatment purposes; only the clinician who wrote them may use them without it.5 Storing them in the general medical record or sharing them without that extra consent? Violation.

Picture a group practice in Charlotte with 12 clinicians. They stored client files in a shared Google Drive: no BAA with Google, no folder-level access controls between clinicians. When OCR came knocking, every file was a potential violation.

Quick test: when was your last risk analysis? If you can’t answer that, you’ve found your first red flag.

The 5 Main HIPAA Rules Every Behavioral Health Practice Should Know

Those 10 violations all trace back to five rules. Most practitioners know HIPAA exists. But can you name the actual rules? Here’s what they mean for your practice.

1. Privacy Rule. Governs how you use and disclose PHI. For behavioral health, there’s an extra layer: psychotherapy notes get special protection. You need separate patient authorization to share them, even with another treating provider.5

2. Security Rule. Requires administrative, physical, and technical safeguards for electronic PHI (ePHI).6 Translation: encrypted EHR, role-based access so therapists can’t see prescriber-only notes without reason, automatic audit logging, and secure telehealth.

3. Breach Notification Rule. When unsecured PHI is compromised, you notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach. Breaches affecting 500 or more people are reported to HHS within that same 60 days and to prominent media in the affected state; smaller breaches are logged and reported to HHS within 60 days of the end of the calendar year.7 Given the sensitivity of behavioral health records, breaches hit harder reputationally than in general healthcare.

4. Enforcement Rule. Sets the penalty tiers. Tier 1 (didn’t know) starts at $145 per violation. Tier 4 (willful neglect, not corrected) runs up to an annual cap of about $2.19 million per identical provision violated.8 OCR’s Right of Access initiative has hit solo practitioners and small practices as readily as large health systems.

5. Administrative Simplification Rules. Standards for electronic transactions and code sets. Affects how your billing system submits claims and runs eligibility checks with payers.

One more thing. Practices dealing with substance use disorder treatment must also comply with 42 CFR Part 2, which imposes stricter consent and disclosure requirements alongside HIPAA.9 The compliance deadline for the updated Part 2 rules is February 16, 2026, and penalties now align with HIPAA tiers.

A purpose-built behavioral health EHR can cover much of Rules 1-3 by design: encrypted ePHI, role-based access, audit trails, built-in telehealth, and proper record separation. It cannot do your risk analysis, sign your BAAs, or train your staff.
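To make the role-based access, psychotherapy-note separation and audit trail from Rule 2 (and from violations 7 and 10 above) concrete, here is an added example written for this article. It is not PIMSY’s code or any vendor’s implementation, and it is not a complete HIPAA control set. The roles, record types, staff identifiers and the 30-day authorization are assumptions chosen to illustrate the point. It shows three things the prose only names: a role matrix that gives a front-desk account no path to clinical content, a psychotherapy note that its author may read but a covering therapist may not without a specific, unexpired authorization (even for treatment), and an audit log that records every attempt so the information-system-activity review Green Ridge was faulted for lacking has something to review.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Role(Enum):
    FRONT_DESK = "front_desk"
    THERAPIST = "therapist"
    PRESCRIBER = "prescriber"


class RecordType(Enum):
    DEMOGRAPHICS = "demographics"
    CLINICAL_NOTE = "clinical_note"
    PRESCRIBER_NOTE = "prescriber_note"
    PSYCHOTHERAPY_NOTE = "psychotherapy_note"


# Role matrix (assumed for this example): the record types each role may ever read.
ROLE_ALLOWED = {
    Role.FRONT_DESK: {RecordType.DEMOGRAPHICS},
    Role.THERAPIST: {RecordType.DEMOGRAPHICS, RecordType.CLINICAL_NOTE, RecordType.PSYCHOTHERAPY_NOTE},
    Role.PRESCRIBER: {RecordType.DEMOGRAPHICS, RecordType.CLINICAL_NOTE, RecordType.PRESCRIBER_NOTE},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    client_id: str
    rtype: RecordType
    author_id: str  # the clinician who wrote it; decisive for psychotherapy notes


# A client's written authorization for one recipient to read one record, with an expiry,
# and one audit-trail entry per access attempt, allowed or denied.
Authorization = namedtuple("Authorization", "client_id record_id recipient_id expires")
AuditEvent = namedtuple("AuditEvent", "when user_id role record_id purpose allowed reason")


class AccessPolicy:
    def __init__(self):
        self.authorizations = []
        self.audit = []

    def _authorized(self, record, user_id, now):
        return any(a.client_id == record.client_id and a.record_id == record.record_id
                   and a.recipient_id == user_id and a.expires > now
                   for a in self.authorizations)

    def _decide(self, user_id, role, record, now):
        # 1. Role-based access: outside the role's matrix, the answer is no.
        if record.rtype not in ROLE_ALLOWED[role]:
            return False, f"{role.value} may not read {record.rtype.value}"
        # 2. Psychotherapy notes sit apart from the general record. Their author may use
        #    them; anyone else needs a specific, unexpired client authorization, even for
        #    treatment (no TPO shortcut).
        if record.rtype is RecordType.PSYCHOTHERAPY_NOTE and user_id != record.author_id:
            if not self._authorized(record, user_id, now):
                return False, "psychotherapy note: client authorization required"
        return True, "permitted"

    def check(self, user_id, role, record, purpose, now):
        """Decide, and log every attempt with its stated purpose, allowed or not."""
        allowed, reason = self._decide(user_id, role, record, now)
        self.audit.append(AuditEvent(now, user_id, role.value, record.record_id, purpose, allowed, reason))
        return allowed

    def denied_by_user(self):
        """The activity review Green Ridge lacked: who keeps trying to read what they may not."""
        counts = {}
        for ev in self.audit:
            if not ev.allowed:
                counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
        return counts


def demo():
    """Constructed scenario: one client, three clinicians, one front-desk account."""
    t0 = datetime(2026, 2, 16, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy()
    progress = Record("rec-1", "client-42", RecordType.CLINICAL_NOTE, "dr-lee")
    psychonote = Record("rec-2", "client-42", RecordType.PSYCHOTHERAPY_NOTE, "dr-lee")
    r = {}
    # Treating prescriber reads the progress note: routine treatment use.
    r["prescriber_progress_note"] = policy.check("dr-ng", Role.PRESCRIBER, progress, "treatment", t0)
    # Front desk tries the same note: outside the role's matrix.
    r["front_desk_progress_note"] = policy.check("fd-1", Role.FRONT_DESK, progress, "operations", t0)
    # The therapist who wrote the psychotherapy note reads it back: allowed.
    r["author_psychotherapy_note"] = policy.check("dr-lee", Role.THERAPIST, psychonote, "treatment", t0)
    # A covering therapist, treatment purpose, nothing signed: denied.
    r["covering_no_auth"] = policy.check("dr-ali", Role.THERAPIST, psychonote, "treatment", t0)
    # The client signs a 30-day authorization naming the covering therapist.
    policy.authorizations.append(Authorization("client-42", "rec-2", "dr-ali", t0 + timedelta(days=30)))
    r["covering_with_auth"] = policy.check("dr-ali", Role.THERAPIST, psychonote, "treatment", t0)
    # Same request after the authorization lapsed: denied again.
    r["covering_expired_auth"] = policy.check("dr-ali", Role.THERAPIST, psychonote, "treatment", t0 + timedelta(days=31))
    return r, policy


if __name__ == "__main__":
    results, policy = demo()
    print(results, policy.denied_by_user())
```

Two design choices matter here. The decision and the audit write happen in the same call, so there is no code path that reads a record without leaving a trace, which is what makes the log reviewable. And the authorization is scoped to one client, one record, one recipient and an expiry date, which is what a written HIPAA authorization actually looks like; a blanket "dr-ali may read psychotherapy notes" flag would be the shortcut the Privacy Rule does not allow.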

When Can HIPAA Be Violated? Permitted Exceptions You Should Know

HIPAA isn’t absolute. There are circumstances where disclosing PHI without patient authorization is legally permitted, and knowing the boundaries matters as much as knowing the restrictions.

Permitted disclosures without authorization include:5

  • Treatment, Payment, and Healthcare Operations (TPO): sharing records with another treating provider, submitting claims to insurance, running quality reviews. The most common lawful disclosure.
  • Required by law: court orders, judicial proceedings, workers’ compensation claims.
  • Serious threat to health or safety: duty-to-warn situations. A therapist who believes in good faith that a client poses a serious and imminent danger to themselves or others can disclose to someone able to prevent or lessen the threat, such as the target or law enforcement. Particularly relevant in behavioral health.
  • Law enforcement: locating suspects, material witnesses, or missing persons. Specific criteria apply. You can’t hand over records on request.
  • Public health activities: reporting child abuse/neglect, elder abuse, communicable diseases.

But here’s where behavioral health practitioners get tripped up.

The minimum necessary standard applies to payment, operations and most other disclosures: share only what that purpose needs, not the entire chart. Disclosures to another provider for treatment are exempt from minimum necessary, but psychotherapy notes are the exception to the exception: they still require separate authorization even when the rest of the record qualifies for TPO disclosure.5

Family members are where well-meaning therapists get tripped up. HIPAA’s involved-in-care provision lets you share information directly relevant to a family member’s involvement when the client agrees or, given the chance, does not object; for a minor, the parent is usually the personal representative and can request the records outright, which is what the David Mente case above turned on. Outside those two situations, a concerned parent or spouse of an adult client still needs the client’s written authorization, however genuinely invested they seem. And psychotherapy notes never travel under the involved-in-care provision.

Worth noting: three scenarios don’t count as reportable breaches, provided the information isn’t further used or disclosed in a way the Privacy Rule doesn’t permit. Unintentional access in good faith by an authorized employee acting within their job, inadvertent disclosure between two authorized people at the same organization, and cases where you can show in good faith that the recipient couldn’t reasonably have retained the information.7 Document the analysis that led you to one of these conclusions; OCR will ask for it.

How to Protect Your Practice from HIPAA Violations

The violations are real, the penalties are climbing, and the rules are getting stricter. But most of this is fixable. A lot of it comes down to the tools you use every day.

1. Conduct your annual risk analysis. If you take one thing from this article, make it this. OCR cites risk analysis failures in the majority of enforcement actions.4 Cover your full environment (EHR, telehealth, email, cloud storage, paper files) and update it when anything changes.

2. Use a behavioral health-specific, HIPAA-compliant EHR. Generic EHRs built for primary care don’t handle psychotherapy note separation, 42 CFR Part 2 consent requirements, or granular role-based access for multi-disciplinary teams. An EHR built for behavioral health handles this natively.

3. Train your team annually. Include real scenarios: what to do when a family member calls about a client, how to handle a subpoena, why you can’t discuss cases in the elevator.

4. Audit your vendor BAAs. Every vendor that touches PHI needs a signed Business Associate Agreement. Telehealth, cloud storage, billing, payments, appointment reminders. If you can’t find the BAA, you don’t have one.

5. Lock down telehealth. Use an integrated, HIPAA-compliant platform with a BAA. Not Zoom’s free tier. Not FaceTime.

PIMSY is HIPAA and 42 CFR Part 2 compliant, ONC-Certified, and built from day one for behavioral health. Role-based access controls, automatic audit trails, built-in encrypted telehealth, and a secure client portal for messaging: the compliance infrastructure is baked in, not bolted on.

Here’s the thing: an EHR vendor saying they’re HIPAA compliant doesn’t mean your practice is. But the right EHR makes compliance significantly easier to maintain.

HIPAA Compliance Starts with the Right Foundation

Most HIPAA violation examples in behavioral health aren’t dramatic breaches. They’re skipped risk analyses, slow records requests, non-compliant telehealth, and accidental disclosures. Preventable mistakes with real financial consequences.

With 2026 rule changes taking effect February 16 (including stricter behavioral health data protections, mandatory MFA, and the 42 CFR Part 2 alignment) now is the time to assess your compliance posture.2

The right EHR doesn’t just store records. It enforces compliance by design: access controls, encryption, audit trails, integrated telehealth, proper record separation. PIMSY was built for exactly this.

Ready to see how PIMSY handles HIPAA compliance for behavioral health? Request a demo.

Sources

1. HIPAA Violation Cases – Updated 2026

2. New HIPAA Regulations in 2026

3. All Case Examples – HHS Office for Civil Rights

4. 2025 Enforcement Trends: Risk Analysis Failures at the Center of HHS’s Multimillion-Dollar HIPAA Penalties

5. Summary of the HIPAA Privacy Rule – HHS.gov

6. Summary of the HIPAA Security Rule – HHS.gov

7. Breach Notification Rule – HHS.gov

8. What Are the Penalties for HIPAA Violations? – 2026 Update

9. Fact Sheet: 42 CFR Part 2 Final Rule – HHS.gov

Author: The PIMSY Team