
HIPAA Violations in Therapy Practices: What OCR Enforces and What Most Therapists Get Wrong

OCR enforcement data reveals the most common HIPAA violations in therapy and behavioral health practices — including violations unique to behavioral health that most compliance guides never address. Real cases. Real consequences. What to do now.

Patient Protect Editorial Team·April 25, 2026·12 min read

Mental health records are the most valuable category of healthcare data on dark markets. More than credit card numbers. More than standard medical records. A complete mental health profile — diagnosis, treatment history, session notes, medication, trauma disclosures — commands a dark-market price of $280 to $310 per record, compared to $30 to $50 for a credit card. The immutability of the information and its value for extortion, fraud, and identity theft drives the premium.

This is not an abstract threat landscape. It is the operational context in which therapy practices handle some of the most sensitive information their patients will ever disclose to anyone.

OCR's enforcement data for behavioral health reveals a pattern that is both predictable and preventable. The violations that produce the largest consequences are not the result of sophisticated cyberattacks on well-defended systems. They are the result of common operational gaps: missing agreements, inadequate risk analysis, consumer platforms used for clinical communication, and information disclosed without the specific authorization behavioral health records require.

This post covers six violations that OCR enforcement data shows are most consequential for therapy and behavioral health practices — including two that are unique to behavioral health and that most compliance guides never address.


The Behavioral Health Enforcement Landscape

Behavioral health practices face the same fine schedule as all covered entities. The tier structure is the same. The per-violation and per-category maximums are the same. What differs is the trigger landscape.

For therapy practices, patient complaints are a disproportionately common OCR investigation trigger. The intimacy of the therapeutic relationship means patients are more attuned to potential mishandling of their information — and more likely to file complaints when they believe it has occurred. A patient who discovers their therapist discussed their case by name in a consultation, or who receives an insurance Explanation of Benefits that discloses treatment details to a family member on the same policy, is more likely to contact OCR than a dental patient whose X-ray was transmitted unencrypted.

The enforcement consequence is the same regardless of how the investigation was triggered.


Violation 1: Improper Disclosure of Psychotherapy Notes

Citation: §164.508(a)(2)

This is the violation most specific to therapy practice — and the one most often triggered by therapists who believe they are complying with HIPAA while in fact violating it.

Psychotherapy notes, as defined by HIPAA, have heightened disclosure protections. They cannot be disclosed even with a standard treatment authorization. Disclosing them requires a specific, separate written authorization that explicitly identifies what notes are being released, to whom, and for what purpose.

The violations occur in several ways:

Insurance audits and utilization reviews: A managed behavioral health organization requests clinical records for utilization review. The practice produces records — including session process notes — under a standard treatment authorization. If those notes qualify as psychotherapy notes, the disclosure requires a separate, psychotherapy-note-specific authorization that was not obtained.

Coordination of care disclosures: A patient's primary care physician requests records. The practice sends a complete clinical file, including session notes. Same problem — if the session notes qualify as psychotherapy notes, they cannot be disclosed under a standard treatment authorization to another provider without psychotherapy-note-specific consent.

Subpoenas and legal requests: A family court subpoenas therapy records in a custody proceeding. The practice produces records under the assumption that a court order compels disclosure. Psychotherapy notes can be withheld from certain court orders — the law is specific about when they must be produced and when they can be protected.

The catch: Psychotherapy notes only qualify for heightened protection if they are "kept separate" from the general treatment record. Many therapists keep all clinical documentation in a single chart — which means their session notes technically do not qualify as protected psychotherapy notes, making them subject to standard authorization requirements. This does not make the situation better. It means session notes that therapists believe are protected are actually producible under standard authorizations, including insurance requests.

What to do: Establish and document a clear separation practice. Keep session process notes — what was discussed, the emotional content of the session, your clinical impressions — in a separate, clearly labeled file. Keep the general treatment record (diagnosis, treatment plan, progress markers, administrative information) in the main chart. Document this practice in your privacy policies and train yourself and any staff on it.


Violation 2: Non-Compliant Telehealth Platforms

Citation: §164.312(e)(2)(ii) and §164.308(b)(1)

Since the end of COVID-era enforcement discretion in May 2023, every telehealth therapy session must comply with the full Security Rule. This means the video platform vendor must have a signed BAA, the platform must provide end-to-end encryption, and session recordings must be stored in a HIPAA-compliant environment.

OCR is actively auditing telehealth compliance. The investigation focus includes: which platform is being used, whether a BAA exists, how session recordings are stored, and whether the practice has conducted a risk analysis that covers telehealth-specific risks.

The most common violations:

Using standard Zoom (not Zoom for Healthcare) without a BAA. This was widespread during the pandemic and many practices never transitioned.

Storing session recordings in Google Drive, iCloud, or Dropbox — consumer cloud storage without a BAA. Every recording stored in a non-compliant location is unsecured ePHI.

Using FaceTime, WhatsApp, or standard video calling for clinical sessions. These platforms have no HIPAA relationship with healthcare practices. There is no BAA available. Their use for clinical telehealth is a violation.

Conducting sessions from devices shared with family members or household members, without a documented device policy and without encryption and password protection.

A real compliance scenario:

A therapist switched to Zoom in 2020 under the emergency enforcement discretion, recorded sessions for supervision purposes, and stored recordings in a personal Google Drive folder. In 2026, this practice has years of stored recordings in a non-compliant location, no BAA with Zoom (using a standard account), and no documented telehealth security policy. Every session conducted over that period represents potential exposure. Every recording in that Google Drive is unsecured ePHI.

What to do: Audit your telehealth platform today. Verify BAA status. If using standard Zoom, upgrade to Zoom for Healthcare and execute the BAA. If storing recordings in consumer cloud storage, migrate to a HIPAA-compliant alternative (Google Workspace with BAA, Microsoft 365 with BAA, or EHR-integrated storage) and document the migration.



Violation 3: Missing or Inadequate Security Risk Analysis

Citation: §164.308(a)(1)(ii)(A)

The Security Risk Analysis is the most commonly cited deficiency in OCR enforcement actions across all healthcare specialties — and for solo therapy practices, it is almost universally missing or inadequate.

A solo therapist using SimplePractice, Zoom for Healthcare, and a personal laptop to conduct her practice is running a covered entity with at least four ePHI systems: the EHR, the telehealth platform, the device, and any backup or cloud storage. Each requires assessment in the SRA. The threats to each — device loss, platform compromise, unauthorized access, cloud breach — must be documented. The controls in place and the residual risks must be recorded. A Risk Management Plan must exist for addressing high-priority risks.

Most solo therapists have not completed this analysis. Many who have completed it did so using a template or the HHS free tool and filed the output without implementing the identified controls. Either approach, in an OCR investigation, represents a compliance failure.

What elevates this violation:

The Risk Analysis Initiative has established that OCR will pursue enforcement against practices of any size for inadequate SRA implementation. In several enforcement actions, OCR specifically noted that the covered entity had attempted a risk analysis — using the HHS tool or a template — without implementing a risk management plan for the findings. OCR treated the attempted analysis as evidence that the practice knew about the obligation, elevating the violation toward willful neglect.

What to do: Conduct a current, documented Security Risk Analysis that specifically covers your telehealth platform, your EHR, your devices, your communication channels, and any cloud storage. Document your findings. Create a Risk Management Plan with specific remediation steps. Update the analysis when anything in your technology stack changes.
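The four-system inventory, per-threat scoring, residual risk after controls and a Risk Management Plan for the high-priority findings can be kept as a small register rather than a filed template. The following is an added example, not code from the Patient Protect post or any HHS tool; the 1 to 5 scales, the priority threshold, the asset names and the scores are constructed for illustration. It also records a fingerprint of the asset inventory so that a later change to the technology stack flags the analysis as stale, which is the "update when anything changes" obligation above.

```python
from dataclasses import dataclass, field
import hashlib
import json


@dataclass
class Risk:
    asset: str               # one ePHI system: EHR, telehealth platform, device, cloud storage
    threat: str
    likelihood: int          # constructed 1..5 scale: 1 rare, 5 expected
    impact: int              # constructed 1..5 scale: 1 negligible, 5 severe
    controls: list = field(default_factory=list)
    control_effect: int = 0  # how many likelihood points the listed controls remove (0..4)

    @property
    def inherent(self) -> int:
        """Score before any control is applied."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Score after controls; likelihood never drops below 1."""
        return max(1, self.likelihood - self.control_effect) * self.impact


HIGH_PRIORITY = 12  # constructed threshold: residual >= 12 must appear in the management plan


def inventory_fingerprint(assets) -> str:
    """Stable hash of the asset inventory, recorded alongside the finished SRA."""
    return hashlib.sha256(json.dumps(sorted(assets)).encode()).hexdigest()


def sra_is_current(recorded_fingerprint: str, current_assets) -> bool:
    """False when the technology stack has changed since the analysis was performed."""
    return recorded_fingerprint == inventory_fingerprint(current_assets)


def management_plan(risks):
    """High-priority residual risks, highest first, each paired with an open remediation item."""
    open_items = [r for r in risks if r.residual >= HIGH_PRIORITY]
    open_items.sort(key=lambda r: r.residual, reverse=True)
    return [
        {"asset": r.asset, "threat": r.threat, "residual": r.residual,
         "action": "TODO: remediation step, owner, due date"}  # placeholder filled in by the practice
        for r in open_items
    ]


# Constructed register for a solo practice; every score is illustrative.
SAMPLE_RISKS = [
    Risk("EHR (SaaS)", "credential theft / unauthorized login", 3, 5,
         controls=["MFA", "unique user accounts"], control_effect=2),
    Risk("Laptop", "device lost or stolen", 3, 5),                      # no controls recorded yet
    Risk("Telehealth platform", "platform compromise", 2, 4,
         controls=["BAA in place", "waiting room enabled"], control_effect=1),
    Risk("Consumer cloud storage", "session recordings exposed", 4, 5),  # no BAA, no encryption
]
SAMPLE_ASSETS = [r.asset for r in SAMPLE_RISKS]
RECORDED_FINGERPRINT = inventory_fingerprint(SAMPLE_ASSETS)

if __name__ == "__main__":
    for item in management_plan(SAMPLE_RISKS):
        print(item)
    # adding a backup drive to the stack invalidates the recorded analysis
    print("SRA current:", sra_is_current(RECORDED_FINGERPRINT, SAMPLE_ASSETS + ["External backup drive"]))
```

Run as a script it lists the two findings that need a plan entry (the unencrypted recordings and the uncontrolled laptop) and reports the analysis as stale once a new asset appears; the point of the fingerprint is that the SRA document and the inventory it describes can be compared mechanically during an access or compliance review.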


Violation 4: Disclosures Without Authorization in Group Practice Settings

Citation: §164.502 and §164.514

Group practices and practices with supervisory relationships produce a specific violation pattern that solo practitioners do not: disclosures of client information within the practice without proper authorization or without adequate minimum necessary controls.

The supervision disclosure problem:

Clinical supervision frequently involves discussion of specific clients — their presenting concerns, their progress, their responses to treatment. When that discussion includes client identifiers (name, recognizable details, combinations of information that could identify the client), it constitutes a use of PHI that must comply with HIPAA's minimum necessary standard and your privacy policies.

Supervision groups in which multiple clinicians discuss each other's clients raise additional issues: each participant's exposure to another clinician's client information must be governed by appropriate policies. If clients have not authorized disclosure to the supervision group, and the discussion includes identifying information, the disclosure is potentially unauthorized.

The trainee and associate access problem:

Graduate trainees and supervised associates require access to client records to perform their supervised clinical work. HIPAA requires access to be limited to the minimum necessary for each individual's role. A trainee working with three specific clients should have access to those clients' records — not to the full caseload of the practice.

In many group practices, everyone gets the same access level for convenience. This is a direct violation of the access control and minimum necessary requirements. When a trainee or supervised associate leaves the practice, their access must be immediately revoked.

What to do: Establish clear policies for supervision disclosures — what information can be shared in supervision contexts, what identifiers must be removed, and what authorization (if any) clients have provided for supervision use of their information. Implement role-based access controls that limit each workforce member to the records they need. Conduct access reviews when anyone leaves the practice.
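The role-based, minimum-necessary access model described above, with immediate revocation on departure and a snapshot for periodic access reviews, can be expressed as a small policy object. This is an added example and not code from the Patient Protect post or any EHR product; the member names, client identifiers and role names are constructed. It goes one step beyond the text by giving a supervisor read access only to the clients of their own supervisees, which is one way to bound supervision access without granting the full caseload.

```python
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    role: str                                        # "clinician", "trainee", "supervisor", "scheduler"
    assigned_clients: set = field(default_factory=set)
    supervisees: set = field(default_factory=set)    # names of trainees this supervisor oversees
    active: bool = True


class RecordAccess:
    """Minimum-necessary access: each workforce member reaches only the records their role needs."""

    def __init__(self):
        self.members = {}
        self.audit_log = []   # (member, client, purpose, decision), kept for access reviews

    def add(self, member: Member):
        self.members[member.name] = member

    def can_access(self, name: str, client_id: str, purpose: str) -> bool:
        m = self.members.get(name)
        if m is None or not m.active:
            decision = False                        # unknown or offboarded workforce member
        elif m.role == "scheduler":
            decision = purpose == "scheduling"      # front desk never reaches clinical content
        elif m.role == "supervisor":
            # supervisor may read records of clients assigned to their own supervisees
            supervised = set().union(*(self.members[s].assigned_clients
                                       for s in m.supervisees if s in self.members))
            decision = client_id in m.assigned_clients or client_id in supervised
        else:                                       # clinician or trainee: own assignments only
            decision = client_id in m.assigned_clients
        self.audit_log.append((name, client_id, purpose, decision))
        return decision

    def offboard(self, name: str):
        """Revoke every path to records the day someone leaves; the row stays for the audit trail.
        Clients of a departed trainee must be reassigned explicitly by the practice."""
        m = self.members[name]
        m.active = False
        m.assigned_clients.clear()
        for other in self.members.values():
            other.supervisees.discard(name)

    def access_review(self):
        """Snapshot for a periodic review: which active members can reach which clients."""
        return {m.name: sorted(m.assigned_clients) for m in self.members.values() if m.active}


def build_sample_practice() -> RecordAccess:
    """Constructed group practice: one supervisor, one trainee with three clients, one scheduler."""
    acl = RecordAccess()
    acl.add(Member("dr-lee", "supervisor", assigned_clients={"C-100"}, supervisees={"trainee-kim"}))
    acl.add(Member("trainee-kim", "trainee", assigned_clients={"C-201", "C-202", "C-203"}))
    acl.add(Member("front-desk", "scheduler"))
    return acl


if __name__ == "__main__":
    acl = build_sample_practice()
    print("trainee, own client:", acl.can_access("trainee-kim", "C-201", "treatment"))
    print("trainee, supervisor's client:", acl.can_access("trainee-kim", "C-100", "treatment"))
    acl.offboard("trainee-kim")
    print("after offboarding:", acl.can_access("trainee-kim", "C-201", "treatment"))
    print("review snapshot:", acl.access_review())
```

The audit log is what an access review actually reads: a denied request from an offboarded account, or a scheduler requesting clinical content, shows up as a logged `False` decision rather than silently succeeding because everyone shared one access level.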


Violation 5: Personal Device Use for Clinical Communication

Citation: §164.312(e)(2)(ii) and §164.530(c)

The most pervasive daily violation in therapy practices is also the most normalized: texting clients from personal phones, using personal email for appointment communication and clinical follow-up, and messaging clients through consumer apps.

A therapist who texts appointment reminders from her iPhone is transmitting client identifiers — name, appointment date, potentially appointment type — through standard SMS, which is not encrypted and is not HIPAA-compliant. If that iPhone is lost or stolen and the messages are not wiped, the entire history of client communication is a potential breach.

The scenario most therapists have not thought through: a therapist texts a client about their "next session on Thursday." The client responds with a question about a medication they are taking. The therapist answers from her personal phone. That exchange — on a non-encrypted, non-HIPAA-compliant platform, without a BAA with the carrier — is a violation. The content, the identifiers, and the clinical information combine to create ePHI. The transmission is unsecured.

What elevates this violation for behavioral health:

The specific sensitivity of behavioral health communication makes this violation more damaging when it occurs. A text message exchange about a missed appointment at a dental office reveals that someone is a dental patient. A text message exchange about a missed therapy session, a crisis response, or a medication adjustment reveals that someone is receiving mental health treatment — information that the patient may have disclosed to no one outside the clinical relationship.

What to do: Implement a HIPAA-compliant secure messaging platform for all client communication involving ePHI. Train yourself and any staff that personal device texting and standard email are not approved channels for clinical communication. Document the policy and acknowledge it in writing.


Violation 6: The 42 CFR Part 2 Trap

Citation: 42 CFR Part 2 (federal substance abuse confidentiality regulations)

This is a violation that exists entirely outside of standard HIPAA — and that most compliance guides written for therapists never address.

If your practice treats substance use disorders — addiction, alcohol use disorder, opioid dependency, co-occurring disorders — your records are subject to 42 CFR Part 2, a separate federal confidentiality framework with stricter disclosure rules than HIPAA.

Under Part 2:

  • Substance use disorder treatment records generally cannot be disclosed without patient consent — even to other treating providers, even in most emergencies
  • Information disclosed with consent carries a mandatory prohibition on re-disclosure by the recipient
  • Standard court orders that compel HIPAA disclosures do not automatically override Part 2 protections
  • Insurance companies requesting records for utilization review must have specific Part 2-compliant consent, not just a standard HIPAA authorization

The common violation scenario:

A therapist treats a client for anxiety and co-occurring alcohol use disorder. The client's primary care physician requests records to coordinate care. The therapist sends records under a standard HIPAA treatment authorization. The records include documentation of the alcohol use disorder treatment. That disclosure violates 42 CFR Part 2 — the standard HIPAA authorization was not sufficient.

The enforcement reality:

Part 2 violations can be reported to the Substance Abuse and Mental Health Services Administration (SAMHSA) as well as OCR. Penalties are significant. More importantly, the ethical and legal exposure from unauthorized disclosure of substance abuse treatment records — given the potential for employment, legal, and personal consequences for affected patients — creates liability that extends well beyond HIPAA fines.

What to do: Know which of your clients are receiving treatment that implicates Part 2. Obtain Part 2-compliant consent (separate from standard HIPAA authorization) before disclosing their records for any purpose. Include the required prohibition notice in all consented disclosures. Train yourself and any staff on the distinction between standard HIPAA records and Part 2-protected records.
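Violation 1 (psychotherapy notes need a separate, note-specific authorization, and only qualify if kept separate from the general record) and Violation 6 (Part 2 records need Part 2-compliant consent and carry a re-disclosure prohibition on release) are both authorization-gating rules on a disclosure, so one added example covers both. This is not code from the Patient Protect post; the record categories, authorization types, client and record identifiers and the notice text are constructed, and the placeholder notice string stands in for the regulatory wording rather than reproducing it.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    GENERAL = "general"                        # diagnosis, treatment plan, progress markers
    PSYCHOTHERAPY_NOTE = "psychotherapy_note"  # session process notes
    PART2 = "part2"                            # substance use disorder treatment records


class AuthType(Enum):
    STANDARD = "standard_hipaa"                # ordinary treatment authorization
    PSYCHOTHERAPY = "psychotherapy_specific"   # separate authorization naming specific notes
    PART2_CONSENT = "part2_consent"            # Part 2-compliant consent


@dataclass(frozen=True)
class Record:
    record_id: str
    client_id: str
    category: Category
    kept_separate: bool = True   # only meaningful for psychotherapy notes


@dataclass(frozen=True)
class Authorization:
    client_id: str
    auth_type: AuthType
    recipient: str
    purpose: str
    record_ids: frozenset = frozenset()   # the notes a psychotherapy-specific authorization names


# Placeholder wording: the real notice text comes from the regulation, not from this example.
PART2_NOTICE = "[Part 2 re-disclosure prohibition notice goes here]"


def effective_category(r: Record) -> Category:
    """A session note filed in the main chart is not a protected psychotherapy note."""
    if r.category is Category.PSYCHOTHERAPY_NOTE and not r.kept_separate:
        return Category.GENERAL
    return r.category


def disclose(records, authorizations, recipient: str, purpose: str):
    """Split a requested record set into (released, withheld, notices) for one recipient and purpose."""
    index = {(a.client_id, a.auth_type): a
             for a in authorizations if a.recipient == recipient and a.purpose == purpose}
    released, withheld, notices = [], [], set()
    for r in records:
        cat = effective_category(r)
        if cat is Category.GENERAL:
            ok = (r.client_id, AuthType.STANDARD) in index
        elif cat is Category.PSYCHOTHERAPY_NOTE:
            auth = index.get((r.client_id, AuthType.PSYCHOTHERAPY))
            ok = auth is not None and r.record_id in auth.record_ids   # must name this note
        else:  # Category.PART2: standard HIPAA authorization is never enough
            ok = (r.client_id, AuthType.PART2_CONSENT) in index
            if ok:
                notices.add(PART2_NOTICE)   # re-disclosure prohibition travels with the release
        (released if ok else withheld).append(r.record_id)
    return released, withheld, sorted(notices)


# Constructed sample data: two clients, a primary care physician requesting records for coordination.
SAMPLE_RECORDS = [
    Record("A-plan", "client-A", Category.GENERAL),
    Record("A-session-3", "client-A", Category.PSYCHOTHERAPY_NOTE),                      # kept separate
    Record("A-sud", "client-A", Category.PART2),
    Record("B-session-1", "client-B", Category.PSYCHOTHERAPY_NOTE, kept_separate=False),  # filed in main chart
]
STANDARD_ONLY = [
    Authorization("client-A", AuthType.STANDARD, "pcp", "coordination"),
    Authorization("client-B", AuthType.STANDARD, "pcp", "coordination"),
]
FULL_AUTHS = STANDARD_ONLY + [
    Authorization("client-A", AuthType.PSYCHOTHERAPY, "pcp", "coordination", frozenset({"A-session-3"})),
    Authorization("client-A", AuthType.PART2_CONSENT, "pcp", "coordination"),
]

if __name__ == "__main__":
    print("standard authorization only:", disclose(SAMPLE_RECORDS, STANDARD_ONLY, "pcp", "coordination"))
    print("with specific authorizations:", disclose(SAMPLE_RECORDS, FULL_AUTHS, "pcp", "coordination"))
```

With only standard authorizations on file, client A's session note and substance use record are withheld, while client B's session note is released because it was never kept separate, which is exactly the "catch" in Violation 1. Authorizations are keyed by recipient and purpose, so consent for the primary care physician does not carry over to an insurer's utilization review request.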


The Pattern Across All Six Violations

Behavioral health practices face the same foundational compliance challenge as every other specialty: compliance treated as a documentation exercise rather than an operational reality. The binder is filed. The telehealth platform is not compliant. The consultation group discusses clients by name without a written policy. The personal phone is used for appointment reminders. The risk analysis was completed in 2022 and never updated.

What makes behavioral health distinctive is the specific harm that flows from these violations. A breach of therapy records does not just expose insurance IDs and billing information. It exposes diagnoses, session content, and disclosures that patients trusted their therapist to protect with the same confidentiality as the therapeutic relationship itself.

The OCR enforcement consequences are the same as other healthcare specialties. The patient consequences are not.


What to Do Right Now

If your practice has any of the gaps described in this post, the free Patient Protect risk assessment will show you exactly where you stand across the categories that matter most — including the telehealth, psychotherapy notes, and access control issues most common in behavioral health enforcement actions.



This post is based on publicly available data from the HHS Office for Civil Rights enforcement database, OCR breach portal, SAMHSA guidance on 42 CFR Part 2, and HHS guidance documents, as of April 2026. This document is provided for informational purposes and does not constitute legal advice.


© 2026 Patient Protect LLC. All rights reserved. Content may not be reproduced, scraped, or used to train AI models without written permission. Terms · DMCA