What to Do If You Think You Violated HIPAA (Step-by-Step for Therapists)

Most therapists do not think about HIPAA breaches until something happens.

An email goes to the wrong client.
A message includes more information than it should.
A name shows up where it wasn’t supposed to.

Now you are stuck trying to figure out:

Did this count as a breach?
Do I need to report it?
What am I supposed to do next?

This is where most providers get stuck.

The Mistake Most Therapists Make

Most therapists wait. They try to figure it out later, assume it is probably not a big deal, and move on without documenting anything in the moment. That is where things start to break down, because decisions are being made without a clear process and without any record of how the situation was handled. HIPAA breach response is not just about what happened, it is about what you can demonstrate afterward if your actions are ever reviewed.

What HIPAA Actually Requires

Under the HIPAA Breach Notification Rule, providers are required to:

  • assess the situation
  • determine whether a breach occurred
  • complete notifications if required
  • maintain documentation that supports every decision

Not every mistake is a breach, but every situation involving potential exposure of Protected Health Information still needs to be evaluated and documented. What gets reviewed is not intention, it is what was done, when it was done, and how it was documented, which is why having a clear process matters in these situations.

For reporting requirements and timelines, refer to the HHS breach reporting guidance.

When Does a HIPAA Breach Need to Be Reported?

When a potential breach is identified, the next step is determining whether it meets the definition of a reportable breach. This decision is based on a risk assessment, not just the fact that something happened. Providers are expected to evaluate the nature of the information involved, who received it, whether it was actually accessed or viewed, and the extent to which any risk has been mitigated.

If the assessment determines there is a low probability that the information was compromised, the situation may not be considered a reportable breach. If that standard is not met, notification requirements apply.

What About the 60-Day Rule?

Under federal HIPAA requirements, breaches must be reported without unreasonable delay and no later than 60 days after discovery. That 60-day timeframe is an outer limit, not a recommended waiting period.

In practice, delays can create additional risk, especially if documentation is incomplete or decisions are not clearly supported. The expectation is that providers assess and act as soon as reasonably possible based on the information available.

Common Situations Therapists Run Into

These are the types of situations that create uncertainty:

  • Sending an email to the wrong client
  • Including identifying details in a message or voicemail
  • A lost or unsecured device
  • A telehealth or platform issue
  • A document shared with the wrong person

Not all of these automatically rise to the level of a breach.

But every one of them still requires assessment and, more importantly, documentation.

This is where having a clear process becomes critical.

[Figure: HIPAA breach response flow showing the steps to assess, document, and respond to a potential breach]

Where Most Providers Get Stuck

The issue is not that therapists do not care about compliance. The issue is that they do not have a clear process for how to assess and respond when something actually happens. Without that structure, providers are left trying to make decisions in the moment without knowing what factors to consider or how to document their reasoning, which is where mistakes and gaps tend to occur.

Most providers:

  • are unsure how to assess risk
  • do not know what factors to consider
  • delay decisions because they are uncertain
  • fail to document their reasoning
  • rely on memory instead of structured documentation

That creates exposure.

The Part No One Talks About

When situations like this are reviewed, the outcome is not based on what you meant to do. It is based on what you can show, and your documentation is what supports your decisions. Without it, even a situation that could have been managed appropriately can become a larger issue if your reasoning and actions cannot be clearly supported.

What to Do First (If You Think You Made a HIPAA Mistake)

  1. Pause and identify exactly what happened.
  2. Gather the relevant details, including what was shared, who received it, and how it occurred.
  3. Start documenting immediately. Do not wait until later.
  4. Assess whether the information was actually compromised.
  5. Determine whether the situation meets the definition of a breach.
  6. Document your decision and the reasoning behind it.

Why This Is So Difficult in Practice

Most therapists were never taught how to do this. They were taught to protect client information, follow HIPAA, and be careful, but they were not taught what to do when something goes wrong. That gap is where most compliance issues occur, not because providers are careless, but because they were never given a clear process to follow.

If You Do Not Have a Process

If you do not have a structured way to assess and document a potential breach, you are relying on memory, assumptions, and incomplete documentation. That becomes a problem if your actions are ever reviewed and you cannot clearly show how you assessed the situation or why you made the decisions you did.

A Structured Approach Matters

This is where having a defined system changes everything, because it gives you a clear way to move through the situation instead of trying to figure it out as you go. Instead of guessing, you have a process. Instead of trying to reconstruct what happened later, you are documenting it in real time. Instead of hoping you made the right decision, you can clearly support it with documentation that shows how the situation was handled.

Stay Updated on Compliance Changes

Compliance expectations are constantly evolving, and most providers don’t hear about changes until they become a problem.

If you want clear, practical updates you can actually use, you can join my email list below.

If You Need a Clear Process

The HIPAA Breach Response & Documentation System is designed to guide what to do when a potential breach occurs.

It provides a structured way to:

  • assess the situation
  • determine next steps
  • document decisions
  • create a clear, defensible record

If you have ever found yourself unsure what to do in these situations, this is the piece most providers are missing because it provides a clear, structured way to respond and document what happened.

View the HIPAA Breach Response & Documentation System

Sources – Federal HIPAA Guidance

This article is based on federal HIPAA requirements and guidance from the U.S. Department of Health & Human Services.

About the Author
Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3

Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™, where she helps therapists and group practices implement practical, audit-ready HIPAA and state-specific compliance systems.

Drawing from direct experience in clinical practice and compliance consulting, Samantha specializes in translating complex federal and state regulations into clear, usable policies, tools, and workflows designed specifically for mental health providers.

Learn more about her work with mental health practices.

Related HIPAA Resources

If you want to better understand how these issues connect to your practice, these may be helpful:
