Are you in a constant state of non-compliance?

Most Therapists Aren’t HIPAA Compliant — And Don’t Even Know It
Secure EHRs aren’t enough. If you don’t have written HIPAA policies and documented safeguards, you’re out of compliance — and at legal risk.
Why Most Providers Miss the Mark
Most mental health providers — especially those in solo or group private practice — were never formally taught the full scope of HIPAA compliance. Graduate programs might mention HIPAA, but they rarely explain what’s legally required to run a practice.
There’s no centralized government checklist. Most providers believe using a secure EHR or signing a few BAAs is enough.
It’s not.
HIPAA is a complex federal law that requires dozens of written policies, training records, risk assessments, and documentation logs — all of which you are expected to maintain, even if no one ever told you.
Who Needs HIPAA Policies?
If you’re any of the following, AND you transmit protected health information (PHI) electronically in connection with a standard transaction (for example, an insurance claim), you’re a “covered entity” and legally required to follow HIPAA. Contractors who handle PHI on your behalf are “business associates” and are bound by the same rules:
Therapists or counselors in private practice
Practice owners offering in-person, telehealth, or hybrid care
Clinical supervisors reviewing documentation
Admin staff or contractors with access to PHI

You didn’t avoid fines because you were compliant — you avoided them because no one reported you. Yet.
What HIPAA Law Actually Requires
While HIPAA doesn’t use the phrase “HIPAA Manual,” the law does require written, up-to-date compliance policies and documentation.
| SOURCE | WHAT IT REQUIRES |
|---|---|
| HIPAA Privacy Rule (45 CFR §164.530) | Written privacy policies & procedures, plus documentation of them |
| HIPAA Security Rule (45 CFR §164.316) | Documented safeguards, policies & procedures, and a documented risk analysis (45 CFR §164.308(a)(1)(ii)(A)) |
| HITECH Act / Breach Notification Rule | Breach response and notification documentation |
| OCR Audit Protocol | Written logs, training records, BAAs, and risk assessments |
| HHS.gov guidance | Ongoing documentation, not one-time efforts |
What You Risk Without Written Policies
| RISK | WHAT HAPPENED | LEGAL CONSEQUENCES |
|---|---|---|
| ❌ No Written Policies | Assumed noncompliance | $100–$50,000 per violation (statutory tiers, adjusted annually for inflation) |
| ❌ No Staff Training Logs | Failed audits | OCR penalties and corrective action plans |
| ❌ Missing BAAs | Breach liability | Shared legal responsibility |
| ❌ Outdated Consents | Disclosure risks | Lawsuits or board complaints |
| ❌ No Risk Assessment | Non-defensible | Large federal fines |
| ❌ Using Tools w/o BAAs (e.g., a consumer Google Drive account) | PHI exposure | Impermissible disclosure to a vendor |
| ❌ False Sense of Compliance | “EHR = Compliance” myth | Audit failure |
What a HIPAA Manual Should Include
✅ Privacy Rule Policies
✅ Security Rule Protocols
✅ Breach Notification Procedures
✅ Business Associate Agreements (BAAs)
✅ Risk Assessment + Mitigation Plan
✅ Access & Authorization Protocols
✅ Staff Training Logs & Sanction Policy
✅ Incident Response Procedures
✅ Individual Rights Policies
✅ Documentation Logs + Retention Policy
No fluff. No filler. Just everything HHS expects — already written for you.
Real Fines. Real Providers.
$30,000 Fine
In 2023, a small psychiatric practice in New Jersey was fined $30,000 by HHS OCR after responding to negative online reviews by publicly disclosing patients’ mental health diagnoses and treatment details. OCR also found that the clinic lacked proper HIPAA policies, procedures, and breach notification protocols.
$50,000 Fine
A small psychiatric office was fined for lacking a compliant Privacy Notice and not having written privacy policies.
$225,000 Fine
A behavioral health provider in Texas was fined $225,000 by HHS OCR in 2025 after patient discharge summaries containing ePHI were publicly accessible online. OCR also found that the provider had failed to conduct a proper risk analysis and lacked necessary security policies and procedures.
$25,000 Fine
A group psychiatric practice in California was fined $25,000 by HHS OCR after failing to provide a patient’s requested medical records in a timely manner and not issuing a written explanation when withholding psychotherapy notes. (Year: 2020)
$100,000 Fine
A solo practitioner was fined after failing to conduct a risk assessment or maintain written documentation.
$40,000 Fine
A mental health provider in North Carolina was fined $40,000 by HHS OCR in 2024 after failing to implement audit controls, incident response, and privacy policies related to PHI disclosures.