The Most Common HIPAA Violations in Chiropractic Practices (2026)
OCR enforcement data and chiropractic-specific breach patterns reveal five violations that hit chiropractic offices hardest — including the personal injury records trap that most compliance guides never address.

Chiropractic practices face a HIPAA violation landscape that is shaped by factors specific to their specialty — and most compliance guides written for healthcare broadly never address them. The personal injury records environment. The open treatment bay. The attorney records request that arrives on official letterhead but without a valid authorization. The billing service that has been processing insurance claims for years without a signed BAA.
These are not theoretical risks. They are the patterns that OCR investigations of chiropractic practices consistently reveal — and the patterns that produce enforcement consequences for practices that believed their compliance situation was "probably fine."
This post covers the five HIPAA violations that are most common and most consequential for chiropractic practices, paying specific attention to the scenarios unique to chiropractic that generic compliance content misses.
The Enforcement Context
Chiropractic practices are covered entities subject to the full HIPAA fine schedule. The tier structure — ranging from $137 per violation for unknowing violations to $2.1 million per violation category per year for willful neglect — applies regardless of practice size or specialty.
OCR investigations of chiropractic practices are most commonly triggered by:
Patient complaints — particularly in personal injury and workers' compensation contexts where patients believe their records were disclosed to insurance adjusters, employers, or opposing legal counsel without proper authorization.
Breach notifications — following ransomware attacks, device loss, or unauthorized access events that require mandatory reporting to OCR.
Random audits — OCR's audit program targets covered entities of all sizes. Chiropractic practices are not exempt from random selection.
In each case, the investigation examines the same foundational elements: Security Risk Analysis, Business Associate Agreements, workforce training, access controls, and incident response capability.
Violation 1: Unauthorized Disclosure of Personal Injury Records
Citation: §164.502 and §164.508
This is the most chiropractic-specific HIPAA violation on this list — and the one most likely to generate patient complaints that trigger OCR investigations.
Chiropractic practices treating motor vehicle accident, workers' compensation, and personal injury patients operate in a legal environment where records are frequently requested by parties who are not the patient. Attorneys, insurance adjusters, independent medical examiners, and opposing legal counsel routinely contact chiropractic offices for records. The compliance failure occurs when practices produce records in response to these requests without a valid HIPAA authorization from the patient.
What constitutes a valid HIPAA authorization:
Under §164.508, a valid authorization for disclosure of PHI to a third party must include:
- A description of the information to be used or disclosed
- The name of the person authorized to make the disclosure
- The name of the person to whom disclosure is authorized
- A description of the purpose of the disclosure
- An expiration date or expiration event
- The patient's signature and date
- A statement of the patient's right to revoke the authorization
A letter on law firm letterhead requesting patient records is not a valid authorization. It does not include all required elements. Producing records in response to an attorney request without a valid patient authorization is a disclosure violation — even if the attorney represents the patient and the patient presumably wants the records disclosed.
The insurance adjuster scenario:
A workers' compensation insurer sends a standard form requesting treatment records. The form may be the insurer's internal authorization document. It may not meet HIPAA's authorization requirements. Practices that produce records in response to adjuster requests without verifying authorization adequacy are creating violations with each production.
What to do:
Establish a documented records request protocol. Every request from a third party — attorney, insurance adjuster, employer, independent medical examiner — must be accompanied by a valid HIPAA authorization before records are produced. Train the staff member responsible for records requests to review authorization adequacy, not just authorization existence.
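As a worked illustration of the "review adequacy, not just existence" step above, here is an added example (not code from the post or from Patient Protect) that checks a records request against the §164.508 elements listed earlier. The field names, the sample requests and the "as of" date are all constructed for the example; a real intake form or PMS would use its own schema.

```python
from datetime import date

# Constructed "as of" date for the worked checks below.
TODAY = date(2026, 4, 1)

# The elements §164.508 requires, as listed in the post. Keys are assumed field names
# from a hypothetical records-request intake form, not a real PMS schema.
REQUIRED_TEXT_FIELDS = {
    "information_described": "description of the information to be disclosed",
    "disclosing_party": "name of the person authorized to make the disclosure",
    "recipient": "name of the person to whom disclosure is authorized",
    "purpose": "description of the purpose of the disclosure",
    "signature": "patient's signature",
    "revocation_statement": "statement of the patient's right to revoke",
}


def check_authorization(auth, today=TODAY):
    """Return the list of deficiencies in an authorization; an empty list means adequate."""
    if auth is None:
        return ["no patient authorization accompanies the request"]
    problems = []
    for key, label in REQUIRED_TEXT_FIELDS.items():
        value = auth.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing {label}")
    # Expiration may be a date or an event (e.g. "conclusion of the claim"); one is required,
    # and a dated authorization that has already lapsed no longer supports disclosure.
    exp_date = auth.get("expiration_date")
    if exp_date is None and not auth.get("expiration_event"):
        problems.append("missing expiration date or expiration event")
    elif exp_date is not None and exp_date < today:
        problems.append(f"authorization expired on {exp_date.isoformat()}")
    signed = auth.get("signature_date")
    if signed is None:
        problems.append("missing signature date")
    elif signed > today:
        problems.append("signature date is in the future")
    return problems


def may_produce_records(request, today=TODAY):
    """Records go out only when the request carries an authorization with no deficiencies."""
    return not check_authorization(request.get("authorization"), today)


# Constructed request 1: a letter on law firm letterhead with no patient authorization attached.
ATTORNEY_LETTER = {"requester": "Example Law Group (hypothetical)", "authorization": None}

# Constructed request 2: an insurer's own form that omits two of the required elements.
INSURER_FORM = {
    "requester": "Example Workers' Comp Carrier (hypothetical)",
    "authorization": {
        "information_described": "treatment records 2026-01-05 to present",
        "disclosing_party": "Example Chiropractic (hypothetical)",
        "recipient": "Example Workers' Comp Carrier (hypothetical)",
        "purpose": "claim adjudication",
        "signature": "J. Patient",
        "signature_date": date(2026, 3, 15),
    },
}

# Constructed request 3: a complete authorization that expires on an event.
COMPLETE_REQUEST = {
    "requester": "Example Law Group (hypothetical)",
    "authorization": {
        **INSURER_FORM["authorization"],
        "recipient": "Example Law Group (hypothetical)",
        "purpose": "personal injury claim",
        "expiration_event": "conclusion of the personal injury claim",
        "revocation_statement": "Patient may revoke this authorization in writing at any time.",
    },
}

# Constructed request 4: complete, but dated, and the date has passed.
EXPIRED_REQUEST = {
    "requester": "Example Law Group (hypothetical)",
    "authorization": {
        **COMPLETE_REQUEST["authorization"],
        "signature_date": date(2025, 1, 15),
        "expiration_event": None,
        "expiration_date": date(2025, 12, 31),
    },
}

if __name__ == "__main__":
    for name, req in [("attorney letter", ATTORNEY_LETTER), ("insurer form", INSURER_FORM),
                      ("complete", COMPLETE_REQUEST), ("expired", EXPIRED_REQUEST)]:
        print(f"{name}: produce={may_produce_records(req)} {check_authorization(req['authorization'])}")
```

The point of returning the full deficiency list rather than a single yes/no is that the staff member handling the request can send the requester back with exactly what is missing, which is what turns "authorization existence" into "authorization adequacy" in practice.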
Violation 2: Missing Business Associate Agreements With Billing Services
Citation: §164.308(b)(1)
Active chiropractic practices route significant volumes of ePHI through billing services and insurance clearinghouses. Every one of these relationships requires a signed BAA. The volume and routine nature of these transactions means that a missing BAA is not an isolated incident — it is a continuous, ongoing violation that accumulates with every claim processed.
The specific gap in chiropractic practices:
Third-party billing services are extremely common in chiropractic — many practices outsource billing entirely to reduce administrative overhead. The billing service receives patient demographic data, diagnosis codes, treatment codes, and insurance information for every patient claim. This is ePHI, and the billing service is a Business Associate. A missing BAA with the billing service means every claim transmitted to that service is an unauthorized disclosure.
Clearinghouse sub-processors present a more subtle problem. A practice may have a BAA with its primary clearinghouse — but that clearinghouse uses sub-processors to route and process claims. If the primary BAA does not adequately bind sub-processors, the exposure runs through layers the practice has never reviewed.
The Change Healthcare precedent:
The Change Healthcare breach of 2024 — which exposed an estimated 190 million patient records and disrupted claims processing across the country — demonstrated exactly what happens when a clearinghouse sub-processor is compromised. Practices that had BAAs with Change Healthcare's primary entity discovered that the BAA provided limited protection when the actual data exposure occurred through a subsidiary network. The lesson for chiropractic practices: BAA review should extend to the sub-processor layer, especially for clearinghouses and billing platforms processing high volumes of ePHI.
What to do:
Conduct a vendor audit. List every entity that receives patient data in the course of billing and claims processing. Verify BAA status for each. Request copies of primary vendor BAAs and review whether sub-processor obligations are adequately addressed.
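The vendor audit above is easier to reason about as a graph walk: start at the practice, follow every ePHI hand-off, and flag each hop that no written agreement covers. The following is an added example (not the post's or Patient Protect's code) built on a constructed vendor map; every entity name is hypothetical, and the two agreement flags are a simplification of the BAA provisions the audit would actually read.

```python
from collections import defaultdict, deque

# Constructed ePHI flows: (upstream, downstream, agreement). The agreement is None when no
# written agreement covers the hop; "binds_subcontractors" stands in for whether the BAA
# obliges the downstream party to bind its own sub-processors. All names are hypothetical.
EPHI_FLOWS = [
    ("practice", "billing_service", {"signed_baa": True, "binds_subcontractors": True}),
    ("practice", "pms_vendor", {"signed_baa": True, "binds_subcontractors": False}),
    ("practice", "cloud_backup", None),  # consumer backup service, no BAA at all
    ("billing_service", "clearinghouse_a", {"signed_baa": True, "binds_subcontractors": False}),
    ("clearinghouse_a", "subprocessor_x", {"signed_baa": True, "binds_subcontractors": True}),
    ("clearinghouse_a", "subprocessor_y", None),
    ("pms_vendor", "hosting_provider", None),
]


def audit_baa_chain(flows, root="practice"):
    """Breadth-first walk from the practice; returns (path, reason) for every uncovered hop."""
    downstream = defaultdict(list)
    for upstream, down, agreement in flows:
        downstream[upstream].append((down, agreement))

    gaps = []
    queue = deque([(root, [root])])
    seen = {root}
    while queue:
        node, path = queue.popleft()
        for child, agreement in downstream[node]:
            child_path = " -> ".join(path + [child])
            if agreement is None:
                gaps.append((child_path, "no written agreement covers this ePHI flow"))
            elif not agreement["signed_baa"]:
                gaps.append((child_path, "agreement is not a BAA"))
            elif downstream[child] and not agreement["binds_subcontractors"]:
                # The vendor passes ePHI onward, but its agreement with us does not reach that layer.
                gaps.append((child_path, "agreement does not bind the downstream sub-processors"))
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [child]))
    return gaps


def entities_without_coverage(gaps):
    """Distinct downstream parties that sit at the end of an uncovered hop."""
    return sorted({path.split(" -> ")[-1] for path, _ in gaps})


if __name__ == "__main__":
    for path, reason in audit_baa_chain(EPHI_FLOWS):
        print(f"{path}: {reason}")
```

Reading the output by path length is useful: a gap on a one-hop path is a BAA the practice can sign itself, while a gap three hops down is something the practice can only fix by renegotiating flow-down language with the vendor it does contract with.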
Violation 3: Missing or Outdated Security Risk Analysis
Citation: §164.308(a)(1)(ii)(A)
The most commonly cited deficiency across all OCR enforcement actions applies fully to chiropractic practices. The Security Risk Analysis is required, must be kept current, and is the foundational document that OCR will request in any investigation.
For chiropractic practices, the SRA must cover every system that stores, processes, or transmits ePHI. The practice management system is obvious. Less obvious are the systems that many chiropractors do not think of in compliance terms:
The imaging referral workflow. When a chiropractor orders an X-ray or MRI and transmits patient information to the imaging center, that transmission is an ePHI flow that the SRA must address. How is the referral sent? By fax (is the receiving fax number verified)? By email (is it encrypted)? Through a portal (does the portal vendor have a BAA)?
Personal devices used for clinical documentation. A chiropractor who dictates notes on a personal iPhone, photographs intake forms for documentation purposes, or accesses the PMS from a personal laptop has introduced those devices as ePHI systems. Each must be addressed in the SRA.
Backup systems. An unencrypted external hard drive used for backup is unsecured ePHI at rest. Cloud backup services without BAAs are unauthorized Business Associate relationships.
The SRA must also be updated. A chiropractic practice that completed an SRA two years ago and has since switched PMS vendors, added a new billing service, or started using electronic intake forms has an outdated SRA. The update requirement is not optional — it is part of the ongoing compliance obligation.
What to do:
Conduct a current, documented SRA. If you have a prior SRA, assess whether it covers your current systems and update it for any changes since it was last completed. Produce a Risk Management Plan that documents specific remediation actions for identified gaps.
Violation 4: Verbal PHI Disclosure in Open Treatment Environments
Citation: §164.530(c) and §164.502(b) (Minimum Necessary)
This violation is uniquely common in chiropractic practices because of how chiropractic care is typically delivered — in open adjustment bays, semi-private treatment areas, and high-traffic clinical environments where multiple patients are present simultaneously.
The violation occurs in three specific scenarios:
Front desk verbal disclosure. Staff confirming patient appointments, insurance status, or treatment information in a reception area where other patients can hear. "Mr. Johnson, your insurance declined the coverage for today's adjustment" said at the front desk while three other patients are waiting is a disclosure of Mr. Johnson's PHI to unauthorized individuals.
Treatment area conversation. A provider discussing a patient's diagnosis, treatment history, or clinical findings in an adjustment bay where the next patient can hear. The minimum necessary standard requires that PHI sharing be limited to what is needed for treatment — it does not require absolute privacy, but it does require reasonable safeguards to limit incidental disclosures.
Paper intake forms in public spaces. Intake forms completed in the waiting room or left visible at the front desk expose PHI to other patients. Forms should be completed in private areas where feasible, or collected promptly to limit exposure.
HIPAA's incidental disclosure guidance acknowledges that some exposure is unavoidable in healthcare settings and does not require perfect privacy. What it requires is that the practice implement reasonable safeguards to limit incidental disclosures — and that these safeguards be documented.
What to do:
Conduct a physical walkthrough of your office. Document what PHI exposure exists in the current layout. Implement reasonable safeguards — repositioning screens, establishing verbal privacy protocols, managing paper forms. Document the safeguards implemented and obtain staff acknowledgment of the policies.
Violation 5: Terminated Staff Access Not Revoked
Citation: §164.308(a)(3)(ii)(C)
Chiropractic practices experience relatively high staff turnover — front desk coordinators, billing staff, and chiropractic assistants change more frequently than in some other healthcare settings. Each departure requires immediate access revocation. Each revocation that is delayed or missed is an ongoing HIPAA violation.
The specific exposure:
A front desk coordinator who leaves a chiropractic practice and retains active credentials to the PMS can access patient records, insurance information, and billing data indefinitely — until someone notices and removes the account. In a busy practice where the departure was unexpected or contentious, this revocation often does not happen on the day of departure.
The personal injury context makes this violation more consequential:
A former staff member of a personal injury chiropractic practice with retained system access has access not just to appointment histories but to the full treatment records of patients whose cases may be in active litigation. The potential for impermissible disclosure — to attorneys, to insurers, or for personal use — is elevated in this environment.
What to do:
Build access revocation into your termination process as a required, same-day step. Implement role-based access controls that tie permissions to individual accounts, so that deactivating the account removes all access simultaneously. Document each revocation with the date and the name of the person who completed it.
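One way to verify that the same-day revocation step is actually happening is to reconcile three records the practice already has: the HR roster, the account export from the PMS, and the revocation log the post says to keep. The example below is added here and is not the post's or Patient Protect's code; the roster, account export and log are constructed, and the field names are assumptions since real PMS exports differ by vendor.

```python
from datetime import date, datetime

# Constructed HR roster: termination_date None means still employed.
HR_ROSTER = [
    {"user_id": "jdoe", "role": "front_desk", "termination_date": None},
    {"user_id": "msmith", "role": "billing", "termination_date": date(2026, 3, 2)},
    {"user_id": "rlee", "role": "front_desk", "termination_date": date(2026, 3, 20)},
    {"user_id": "tkim", "role": "assistant", "termination_date": date(2026, 1, 10)},
    {"user_id": "pwong", "role": "billing", "termination_date": date(2026, 2, 14)},
]

# Constructed PMS account export (field names assumed; real exports vary by vendor).
PMS_ACCOUNTS = [
    {"user_id": "jdoe", "status": "active", "last_login": datetime(2026, 3, 31, 8, 5)},
    {"user_id": "msmith", "status": "active", "last_login": datetime(2026, 3, 9, 21, 40)},
    {"user_id": "rlee", "status": "active", "last_login": datetime(2026, 3, 19, 17, 2)},
    {"user_id": "tkim", "status": "disabled", "last_login": datetime(2026, 1, 9, 16, 30)},
    {"user_id": "pwong", "status": "disabled", "last_login": datetime(2026, 2, 13, 12, 0)},
]

# Constructed revocation log: who disabled which account and when.
REVOCATION_LOG = [
    {"user_id": "tkim", "revoked_on": date(2026, 1, 10), "completed_by": "office manager"},
    {"user_id": "pwong", "revoked_on": date(2026, 2, 17), "completed_by": "office manager"},
]


def reconcile_access(roster, accounts, revocation_log, as_of):
    """Compare HR departures against live accounts and the revocation log.

    Returns (user_id, issue, detail) tuples in roster order.
    """
    by_account = {a["user_id"]: a for a in accounts}
    revoked = {r["user_id"]: r for r in revocation_log}
    findings = []
    for person in roster:
        term = person["termination_date"]
        if term is None:
            continue  # current staff are out of scope here
        uid = person["user_id"]
        acct = by_account.get(uid)
        if acct is not None and acct["status"] == "active":
            findings.append((uid, "account still active", (as_of - term).days))
            # A login after the departure date is the actual exposure, not just a control gap.
            if acct["last_login"].date() > term:
                findings.append((uid, "login after termination", acct["last_login"].isoformat()))
        record = revoked.get(uid)
        if record is None:
            findings.append((uid, "no documented revocation", None))
        elif record["revoked_on"] > term:
            findings.append((uid, "revocation not same-day", (record["revoked_on"] - term).days))
    return findings


def needs_action(findings):
    """Distinct former staff whose access or documentation still needs follow-up."""
    return sorted({uid for uid, _, _ in findings})


if __name__ == "__main__":
    for finding in reconcile_access(HR_ROSTER, PMS_ACCOUNTS, REVOCATION_LOG, date(2026, 4, 1)):
        print(finding)
```

The "login after termination" finding is the one to escalate first: an account that is merely still enabled is a gap to close, while a login after the departure date is a potential impermissible access that needs the incident-response process, not just a deactivation.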
The Pattern Across All Five Violations
Each violation on this list has the same root cause as HIPAA violations across all healthcare specialties: compliance treated as completed rather than maintained. The SRA was done once. The BAAs were executed with the PMS vendor but not reviewed for years. The staff member departed and the access revocation reminder never happened.
What makes chiropractic practices distinctive is the specific context in which violations produce consequences. The personal injury environment means records disclosure violations are more likely to be noticed and reported. The high billing volume means BAA gaps are accumulating thousands of violations per year rather than dozens. The open treatment environment means physical PHI exposure is happening every clinical day.
What to Do Right Now
The free Patient Protect risk assessment shows you where your chiropractic practice stands across the categories that matter most in OCR enforcement — including authorization procedures, BAA status, SRA currency, and access control policies.
This post is based on publicly available data from the HHS Office for Civil Rights enforcement database and HHS guidance documents, as of April 2026. It is provided for informational purposes and does not constitute legal advice.
